Jason Tang jtang@tresys.com
Brandon Whalen bwhalen@tresys.com
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Definition in file policy.c.
#include <config.h>
#include "qpol_internal.h"
#include <assert.h>
#include <byteswap.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <asm/types.h>
#include <sepol/debug.h>
#include <sepol/handle.h>
#include <sepol/policydb/flask_types.h>
#include <sepol/policydb/policydb.h>
#include <sepol/policydb/conditional.h>
#include <sepol/policydb.h>
#include <sepol/module.h>
#include <sepol/policydb/module.h>
#include <stdbool.h>
#include <qpol/iterator.h>
#include <qpol/policy.h>
#include <qpol/policy_extend.h>
#include "expand.h"
#include "queue.h"
#include "iterator_internal.h"
Classes | |
| struct | fbuf |
| struct | mod_state |
Defines | |
| #define | cpu_to_le16(x) (x) |
| #define | le16_to_cpu(x) (x) |
| #define | cpu_to_le32(x) (x) |
| #define | le32_to_cpu(x) (x) |
| #define | cpu_to_le64(x) (x) |
| #define | le64_to_cpu(x) (x) |
Typedefs | |
| typedef fbuf | qpol_fbuf_t |
| typedef mod_state | mod_state_t |
Functions | |
| void | init_scanner (void) |
| int | yyparse (void) |
| void | init_parser (int, int) |
| void | qpol_handle_route_to_callback (void *varg __attribute__((unused)), const qpol_policy_t *p, int level, const char *fmt, va_list va_args) |
| void | sepol_handle_route_to_callback (void *varg, sepol_handle_t *sh, const char *fmt,...) |
| void | qpol_handle_msg (const qpol_policy_t *p, int level, const char *fmt,...) |
| void | qpol_handle_default_callback (void *varg __attribute__((unused)), const qpol_policy_t *p __attribute__((unused)), int level, const char *fmt, va_list va_args) |
| int | read_source_policy (qpol_policy_t *qpolicy, char *progname, int options) |
| int | qpol_init_fbuf (qpol_fbuf_t **fb) |
| void | qpol_free_fbuf (qpol_fbuf_t **fb) |
| void * | qpol_read_fbuf (qpol_fbuf_t *fb, size_t bytes, FILE *fp) |
| int | qpol_binpol_version (FILE *fp) |
| Returns the version number of the binary policy. | |
| int | qpol_is_file_binpol (FILE *fp) |
| int | qpol_is_file_mod_pkg (FILE *fp) |
| int | infer_policy_version (qpol_policy_t *policy) |
| void | qpol_extended_image_destroy (struct qpol_extended_image **ext) |
| int | qpol_policy_rebuild_opt (qpol_policy_t *policy, const int options) |
| Internal version of qpol_policy_rebuild() version 1.3. | |
| int | qpol_policy_rebuild (qpol_policy_t *policy, int options) |
| Rebuild the policy. | |
| int | qpol_policy_rebuild_old (qpol_policy_t *policy) |
| Internal version of qpol_policy_rebuild() version 1.2 or earlier. | |
| int | qpol_policy_open_from_file_opt (const char *path, qpol_policy_t **policy, qpol_callback_fn_t fn, void *varg, const int options) |
| Internal version of qpol_policy_open_from_file() version 1.3. | |
| int | qpol_policy_open_from_file (const char *path, qpol_policy_t **policy, qpol_callback_fn_t fn, void *varg, const int options) |
| Open a policy from a passed-in file path. | |
| int | qpol_policy_open_from_file_no_rules (const char *path, qpol_policy_t **policy, qpol_callback_fn_t fn, void *varg) |
| Open a policy from a passed-in file path, but do not load any rules. | |
| int | qpol_policy_open_from_memory_opt (qpol_policy_t **policy, const char *filedata, size_t size, qpol_callback_fn_t fn, void *varg, const int options) |
| Internal version of qpol_policy_open_from_memory() version 1.3. | |
| int | qpol_policy_open_from_memory (qpol_policy_t **policy, const char *filedata, size_t size, qpol_callback_fn_t fn, void *varg, const int options) |
| Open a policy from a passed-in buffer. | |
| int | qpol_policy_open_from_file_old (const char *path, qpol_policy_t **policy, qpol_callback_fn_t fn, void *varg) |
| Internal version of qpol_policy_open_from_file() version 1.2 or earlier. | |
| int | qpol_policy_open_from_memory_old (qpol_policy_t **policy, const char *filedata, size_t size, qpol_callback_fn_t fn, void *varg) |
| Internal version of qpol_policy_open_from_memory() version 1.2 or earlier. | |
| void | qpol_policy_destroy (qpol_policy_t **policy) |
| Close a policy and deallocate its memory. | |
| int | qpol_policy_reevaluate_conds (qpol_policy_t *policy) |
| Re-evaluate all conditionals in the policy, updating the state of each and marking the appropriate rule list as enabled for each. | |
| int | qpol_policy_append_module (qpol_policy_t *policy, qpol_module_t *module) |
| Append a module to a policy. | |
| int | mod_state_end (const qpol_iterator_t *iter) |
| void * | mod_state_get_cur (const qpol_iterator_t *iter) |
| int | mod_state_next (qpol_iterator_t *iter) |
| size_t | mod_state_size (const qpol_iterator_t *iter) |
| int | qpol_policy_get_module_iter (const qpol_policy_t *policy, qpol_iterator_t **iter) |
| Get an iterator of all modules in a policy. | |
| int | is_mls_policy (const qpol_policy_t *policy) |
| int | qpol_policy_is_mls_enabled (qpol_policy_t *policy) |
| int | qpol_policy_get_policy_version (const qpol_policy_t *policy, unsigned int *version) |
| Get the version number of the policy. | |
| int | qpol_policy_get_type (const qpol_policy_t *policy, int *type) |
| Get the type of policy (source, binary, or module). | |
| int | qpol_policy_has_capability (const qpol_policy_t *policy, qpol_capability_e cap) |
| Determine if a policy has support for a specific capability. | |
Variables | |
| char * | qpol_src_originalinput |
| char * | qpol_src_input |
| char * | qpol_src_inputptr |
| char * | qpol_src_inputlim |
| queue_t | id_queue |
| unsigned int | policydb_errors |
| unsigned long | policydb_lineno |
| char | source_file [] |
| policydb_t * | policydbp |
| int | mlspol |
Definition at line 78 of file policy.c. Referenced by qpol_binpol_version(), qpol_is_file_binpol(), and qpol_is_file_mod_pkg(). |
Referenced by qpol_binpol_version(), qpol_free_fbuf(), qpol_init_fbuf(), and qpol_read_fbuf(). |
Referenced by mod_state_end(), mod_state_get_cur(), mod_state_next(), mod_state_size(), and qpol_policy_get_module_iter(). |
Referenced by read_source_policy(). |
Definition at line 1932 of file policy_parse.c. References begin_optional(), begin_optional_else(), define_attrib(), define_av_perms(), define_bool(), define_category(), define_cexpr(), define_class(), define_common_perms(), define_compute_type(), define_cond_compute_type(), define_cond_expr(), define_cond_pol_list(), define_cond_te_avtab(), define_conditional(), define_constraint(), define_dominance(), define_fs_context(), define_fs_use(), define_genfs_context(), define_initial_sid(), define_initial_sid_context(), define_ipv4_node_context(), define_ipv6_node_context(), define_level(), define_mls(), define_netif_context(), define_polcap(), define_policy(), define_port_context(), define_range_trans(), define_role_allow(), define_role_dom(), define_role_trans(), define_role_types(), define_sens(), define_te_avtab(), define_type(), define_typealias(), define_typeattribute(), define_user(), define_validatetrans(), end_avrule_block(), end_optional(), FALSE, insert_id(), insert_separator(), merge_roles_dom(), pass, policydbp, YYSTYPE::ptr, require_class(), YYSTYPE::require_func, SECURITY_FS_USE_PSIDS, TRUE, YYSTYPE::val, YYSTYPE::valptr, YY_, YY_REDUCE_PRINT, YY_STACK_PRINT, YY_SYMBOL_PRINT, yyalloc(), yychar, yycheck, yydefact, yydefgoto, yydestruct(), YYDPRINTF, YYEOF, yyerror(), YYID, YYLAST, yylval, YYMAXDEPTH, yynerrs, yypact, yypgoto, YYPOPSTACK, yyr1, yyr2, YYSIZE_T, YYSTACK_ALLOC, YYSTACK_BYTES, YYSTACK_FREE, YYSTACK_RELOCATE, yystos, yytable, yytext, YYTRANSLATE, and yytype_int16. Referenced by read_source_policy(). 01939 {
01940
01941 int yystate;
01942 int yyn;
01943 int yyresult;
01944 /* Number of tokens to shift before error messages enabled. */
01945 int yyerrstatus;
01946 /* Look-ahead token as an internal (translated) token number. */
01947 int yytoken = 0;
01948 #if YYERROR_VERBOSE
01949 /* Buffer for error messages, and its allocated size. */
01950 char yymsgbuf[128];
01951 char *yymsg = yymsgbuf;
01952 YYSIZE_T yymsg_alloc = sizeof yymsgbuf;
01953 #endif
01954
01955 /* Three stacks and their tools:
01956 `yyss': related to states,
01957 `yyvs': related to semantic values,
01958 `yyls': related to locations.
01959
01960 Refer to the stacks thru separate pointers, to allow yyoverflow
01961 to reallocate them elsewhere. */
01962
01963 /* The state stack. */
01964 yytype_int16 yyssa[YYINITDEPTH];
01965 yytype_int16 *yyss = yyssa;
01966 yytype_int16 *yyssp;
01967
01968 /* The semantic value stack. */
01969 YYSTYPE yyvsa[YYINITDEPTH];
01970 YYSTYPE *yyvs = yyvsa;
01971 YYSTYPE *yyvsp;
01972
01973
01974
01975 #define YYPOPSTACK(N) (yyvsp -= (N), yyssp -= (N))
01976
01977 YYSIZE_T yystacksize = YYINITDEPTH;
01978
01979 /* The variables used to return semantic value and location from the
01980 action routines. */
01981 YYSTYPE yyval;
01982
01983
01984 /* The number of symbols on the RHS of the reduced rule.
01985 Keep to zero when no symbol should be popped. */
01986 int yylen = 0;
01987
01988 YYDPRINTF ((stderr, "Starting parse\n"));
01989
01990 yystate = 0;
01991 yyerrstatus = 0;
01992 yynerrs = 0;
01993 yychar = YYEMPTY; /* Cause a token to be read. */
01994
01995 /* Initialize stack pointers.
01996 Waste one element of value and location stack
01997 so that they stay on the same level as the state stack.
01998 The wasted elements are never initialized. */
01999
02000 yyssp = yyss;
02001 yyvsp = yyvs;
02002
02003 goto yysetstate;
02004
02005 /*------------------------------------------------------------.
02006 | yynewstate -- Push a new state, which is found in yystate. |
02007 `------------------------------------------------------------*/
02008 yynewstate:
02009 /* In all cases, when you get here, the value and location stacks
02010 have just been pushed. So pushing a state here evens the stacks. */
02011 yyssp++;
02012
02013 yysetstate:
02014 *yyssp = yystate;
02015
02016 if (yyss + yystacksize - 1 <= yyssp)
02017 {
02018 /* Get the current used size of the three stacks, in elements. */
02019 YYSIZE_T yysize = yyssp - yyss + 1;
02020
02021 #ifdef yyoverflow
02022 {
02023 /* Give user a chance to reallocate the stack. Use copies of
02024 these so that the &'s don't force the real ones into
02025 memory. */
02026 YYSTYPE *yyvs1 = yyvs;
02027 yytype_int16 *yyss1 = yyss;
02028
02029
02030 /* Each stack pointer address is followed by the size of the
02031 data in use in that stack, in bytes. This used to be a
02032 conditional around just the two extra args, but that might
02033 be undefined if yyoverflow is a macro. */
02034 yyoverflow (YY_("memory exhausted"),
02035 &yyss1, yysize * sizeof (*yyssp),
02036 &yyvs1, yysize * sizeof (*yyvsp),
02037
02038 &yystacksize);
02039
02040 yyss = yyss1;
02041 yyvs = yyvs1;
02042 }
02043 #else /* no yyoverflow */
02044 # ifndef YYSTACK_RELOCATE
02045 goto yyexhaustedlab;
02046 # else
02047 /* Extend the stack our own way. */
02048 if (YYMAXDEPTH <= yystacksize)
02049 goto yyexhaustedlab;
02050 yystacksize *= 2;
02051 if (YYMAXDEPTH < yystacksize)
02052 yystacksize = YYMAXDEPTH;
02053
02054 {
02055 yytype_int16 *yyss1 = yyss;
02056 union yyalloc *yyptr =
02057 (union yyalloc *) YYSTACK_ALLOC (YYSTACK_BYTES (yystacksize));
02058 if (! yyptr)
02059 goto yyexhaustedlab;
02060 YYSTACK_RELOCATE (yyss);
02061 YYSTACK_RELOCATE (yyvs);
02062
02063 # undef YYSTACK_RELOCATE
02064 if (yyss1 != yyssa)
02065 YYSTACK_FREE (yyss1);
02066 }
02067 # endif
02068 #endif /* no yyoverflow */
02069
02070 yyssp = yyss + yysize - 1;
02071 yyvsp = yyvs + yysize - 1;
02072
02073
02074 YYDPRINTF ((stderr, "Stack size increased to %lu\n",
02075 (unsigned long int) yystacksize));
02076
02077 if (yyss + yystacksize - 1 <= yyssp)
02078 YYABORT;
02079 }
02080
02081 YYDPRINTF ((stderr, "Entering state %d\n", yystate));
02082
02083 goto yybackup;
02084
02085 /*-----------.
02086 | yybackup. |
02087 `-----------*/
02088 yybackup:
02089
02090 /* Do appropriate processing given the current state. Read a
02091 look-ahead token if we need one and don't already have one. */
02092
02093 /* First try to decide what to do without reference to look-ahead token. */
02094 yyn = yypact[yystate];
02095 if (yyn == YYPACT_NINF)
02096 goto yydefault;
02097
02098 /* Not known => get a look-ahead token if don't already have one. */
02099
02100 /* YYCHAR is either YYEMPTY or YYEOF or a valid look-ahead symbol. */
02101 if (yychar == YYEMPTY)
02102 {
02103 YYDPRINTF ((stderr, "Reading a token: "));
02104 yychar = YYLEX;
02105 }
02106
02107 if (yychar <= YYEOF)
02108 {
02109 yychar = yytoken = YYEOF;
02110 YYDPRINTF ((stderr, "Now at end of input.\n"));
02111 }
02112 else
02113 {
02114 yytoken = YYTRANSLATE (yychar);
02115 YY_SYMBOL_PRINT ("Next token is", yytoken, &yylval, &yylloc);
02116 }
02117
02118 /* If the proper action on seeing token YYTOKEN is to reduce or to
02119 detect an error, take that action. */
02120 yyn += yytoken;
02121 if (yyn < 0 || YYLAST < yyn || yycheck[yyn] != yytoken)
02122 goto yydefault;
02123 yyn = yytable[yyn];
02124 if (yyn <= 0)
02125 {
02126 if (yyn == 0 || yyn == YYTABLE_NINF)
02127 goto yyerrlab;
02128 yyn = -yyn;
02129 goto yyreduce;
02130 }
02131
02132 if (yyn == YYFINAL)
02133 YYACCEPT;
02134
02135 /* Count tokens shifted since error; after three, turn off error
02136 status. */
02137 if (yyerrstatus)
02138 yyerrstatus--;
02139
02140 /* Shift the look-ahead token. */
02141 YY_SYMBOL_PRINT ("Shifting", yytoken, &yylval, &yylloc);
02142
02143 /* Discard the shifted token unless it is eof. */
02144 if (yychar != YYEOF)
02145 yychar = YYEMPTY;
02146
02147 yystate = yyn;
02148 *++yyvsp = yylval;
02149
02150 goto yynewstate;
02151
02152
02153 /*-----------------------------------------------------------.
02154 | yydefault -- do the default action for the current state. |
02155 `-----------------------------------------------------------*/
02156 yydefault:
02157 yyn = yydefact[yystate];
02158 if (yyn == 0)
02159 goto yyerrlab;
02160 goto yyreduce;
02161
02162
02163 /*-----------------------------.
02164 | yyreduce -- Do a reduction. |
02165 `-----------------------------*/
02166 yyreduce:
02167 /* yyn is the number of a rule to reduce with. */
02168 yylen = yyr2[yyn];
02169
02170 /* If YYLEN is nonzero, implement the default value of the action:
02171 `$$ = $1'.
02172
02173 Otherwise, the following line sets YYVAL to garbage.
02174 This behavior is undocumented and Bison
02175 users should not rely upon it. Assigning to YYVAL
02176 unconditionally makes the parser a bit smaller, and it avoids a
02177 GCC warning that YYVAL may be used uninitialized. */
02178 yyval = yyvsp[1-yylen];
02179
02180
02181 YY_REDUCE_PRINT (yyn);
02182 switch (yyn)
02183 {
02184 case 4:
02185 #line 165 "policy_parse.y"
02186 { if (define_policy(pass, 0) == -1) return -1; }
02187 break;
02188
02189 case 5:
02190 #line 167 "policy_parse.y"
02191 { if (pass == 1) { if (policydb_index_classes(policydbp)) return -1; }
02192 else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1; }}
02193 break;
02194
02195 case 6:
02196 #line 170 "policy_parse.y"
02197 { if (pass == 1) { if (policydb_index_bools(policydbp)) return -1;}
02198 else if (pass == 2) { if (policydb_index_others(NULL, policydbp, 0)) return -1;}}
02199 break;
02200
02201 case 10:
02202 #line 178 "policy_parse.y"
02203 {if (define_class()) return -1;}
02204 break;
02205
02206 case 13:
02207 #line 184 "policy_parse.y"
02208 {if (define_initial_sid()) return -1;}
02209 break;
02210
02211 case 19:
02212 #line 195 "policy_parse.y"
02213 {if (define_common_perms()) return -1;}
02214 break;
02215
02216 case 22:
02217 #line 201 "policy_parse.y"
02218 {if (define_av_perms(FALSE)) return -1;}
02219 break;
02220
02221 case 23:
02222 #line 203 "policy_parse.y"
02223 {if (define_av_perms(TRUE)) return -1;}
02224 break;
02225
02226 case 24:
02227 #line 205 "policy_parse.y"
02228 {if (define_av_perms(TRUE)) return -1;}
02229 break;
02230
02231 case 30:
02232 #line 216 "policy_parse.y"
02233 {if (define_mls() | define_sens()) return -1;}
02234 break;
02235
02236 case 31:
02237 #line 218 "policy_parse.y"
02238 {if (define_mls() | define_sens()) return -1;}
02239 break;
02240
02241 case 33:
02242 #line 223 "policy_parse.y"
02243 {if (define_dominance()) return -1;}
02244 break;
02245
02246 case 34:
02247 #line 225 "policy_parse.y"
02248 {if (define_dominance()) return -1;}
02249 break;
02250
02251 case 39:
02252 #line 234 "policy_parse.y"
02253 {if (define_category()) return -1;}
02254 break;
02255
02256 case 40:
02257 #line 236 "policy_parse.y"
02258 {if (define_category()) return -1;}
02259 break;
02260
02261 case 43:
02262 #line 242 "policy_parse.y"
02263 {if (define_level()) return -1;}
02264 break;
02265
02266 case 44:
02267 #line 244 "policy_parse.y"
02268 {if (define_level()) return -1;}
02269 break;
02270
02271 case 49:
02272 #line 253 "policy_parse.y"
02273 { if (define_constraint((constraint_expr_t*)(yyvsp[(4) - (5)].valptr))) return -1; }
02274 break;
02275
02276 case 50:
02277 #line 256 "policy_parse.y"
02278 { if (define_validatetrans((constraint_expr_t*)(yyvsp[(3) - (4)].valptr))) return -1; }
02279 break;
02280
02281 case 71:
02282 #line 283 "policy_parse.y"
02283 { if (define_attrib()) return -1;}
02284 break;
02285
02286 case 72:
02287 #line 286 "policy_parse.y"
02288 {if (define_type(1)) return -1;}
02289 break;
02290
02291 case 73:
02292 #line 288 "policy_parse.y"
02293 {if (define_type(0)) return -1;}
02294 break;
02295
02296 case 74:
02297 #line 291 "policy_parse.y"
02298 {if (define_typealias()) return -1;}
02299 break;
02300
02301 case 75:
02302 #line 294 "policy_parse.y"
02303 {if (define_typeattribute()) return -1;}
02304 break;
02305
02306 case 78:
02307 #line 300 "policy_parse.y"
02308 {if (define_bool()) return -1;}
02309 break;
02310
02311 case 79:
02312 #line 303 "policy_parse.y"
02313 { if (insert_id("T",0)) return -1; }
02314 break;
02315
02316 case 80:
02317 #line 305 "policy_parse.y"
02318 { if (insert_id("F",0)) return -1; }
02319 break;
02320
02321 case 81:
02322 #line 308 "policy_parse.y"
02323 { if (pass == 2) { if (define_conditional((cond_expr_t*)(yyvsp[(2) - (6)].ptr), (avrule_t*)(yyvsp[(4) - (6)].ptr), (avrule_t*)(yyvsp[(6) - (6)].ptr)) < 0) return -1; }}
02324 break;
02325
02326 case 82:
02327 #line 311 "policy_parse.y"
02328 { (yyval.ptr) = (yyvsp[(3) - (4)].ptr); }
02329 break;
02330
02331 case 83:
02332 #line 313 "policy_parse.y"
02333 { (yyval.ptr) = NULL; }
02334 break;
02335
02336 case 84:
02337 #line 315 "policy_parse.y"
02338 { (yyval.ptr) = (yyvsp[(2) - (3)].ptr);}
02339 break;
02340
02341 case 85:
02342 #line 317 "policy_parse.y"
02343 { (yyval.ptr) = define_cond_expr(COND_NOT, (yyvsp[(2) - (2)].ptr), 0);
02344 if ((yyval.ptr) == 0) return -1; }
02345 break;
02346
02347 case 86:
02348 #line 320 "policy_parse.y"
02349 { (yyval.ptr) = define_cond_expr(COND_AND, (yyvsp[(1) - (3)].ptr), (yyvsp[(3) - (3)].ptr));
02350 if ((yyval.ptr) == 0) return -1; }
02351 break;
02352
02353 case 87:
02354 #line 323 "policy_parse.y"
02355 { (yyval.ptr) = define_cond_expr(COND_OR, (yyvsp[(1) - (3)].ptr), (yyvsp[(3) - (3)].ptr));
02356 if ((yyval.ptr) == 0) return -1; }
02357 break;
02358
02359 case 88:
02360 #line 326 "policy_parse.y"
02361 { (yyval.ptr) = define_cond_expr(COND_XOR, (yyvsp[(1) - (3)].ptr), (yyvsp[(3) - (3)].ptr));
02362 if ((yyval.ptr) == 0) return -1; }
02363 break;
02364
02365 case 89:
02366 #line 329 "policy_parse.y"
02367 { (yyval.ptr) = define_cond_expr(COND_EQ, (yyvsp[(1) - (3)].ptr), (yyvsp[(3) - (3)].ptr));
02368 if ((yyval.ptr) == 0) return -1; }
02369 break;
02370
02371 case 90:
02372 #line 332 "policy_parse.y"
02373 { (yyval.ptr) = define_cond_expr(COND_NEQ, (yyvsp[(1) - (3)].ptr), (yyvsp[(3) - (3)].ptr));
02374 if ((yyval.ptr) == 0) return -1; }
02375 break;
02376
02377 case 91:
02378 #line 335 "policy_parse.y"
02379 { (yyval.ptr) = (yyvsp[(1) - (1)].ptr); }
02380 break;
02381
02382 case 92:
02383 #line 338 "policy_parse.y"
02384 { (yyval.ptr) = define_cond_expr(COND_BOOL,0, 0);
02385 if ((yyval.ptr) == COND_ERR) return -1; }
02386 break;
02387
02388 case 93:
02389 #line 342 "policy_parse.y"
02390 { (yyval.ptr) = define_cond_pol_list((avrule_t *)(yyvsp[(1) - (2)].ptr), (avrule_t *)(yyvsp[(2) - (2)].ptr)); }
02391 break;
02392
02393 case 94:
02394 #line 344 "policy_parse.y"
02395 { (yyval.ptr) = NULL; }
02396 break;
02397
02398 case 95:
02399 #line 347 "policy_parse.y"
02400 { (yyval.ptr) = (yyvsp[(1) - (1)].ptr); }
02401 break;
02402
02403 case 96:
02404 #line 349 "policy_parse.y"
02405 { (yyval.ptr) = (yyvsp[(1) - (1)].ptr); }
02406 break;
02407
02408 case 97:
02409 #line 351 "policy_parse.y"
02410 { (yyval.ptr) = NULL; }
02411 break;
02412
02413 case 98:
02414 #line 354 "policy_parse.y"
02415 { (yyval.ptr) = define_cond_compute_type(AVRULE_TRANSITION) ;
02416 if ((yyval.ptr) == COND_ERR) return -1;}
02417 break;
02418
02419 case 99:
02420 #line 357 "policy_parse.y"
02421 { (yyval.ptr) = define_cond_compute_type(AVRULE_MEMBER) ;
02422 if ((yyval.ptr) == COND_ERR) return -1;}
02423 break;
02424
02425 case 100:
02426 #line 360 "policy_parse.y"
02427 { (yyval.ptr) = define_cond_compute_type(AVRULE_CHANGE) ;
02428 if ((yyval.ptr) == COND_ERR) return -1;}
02429 break;
02430
02431 case 101:
02432 #line 364 "policy_parse.y"
02433 { (yyval.ptr) = (yyvsp[(1) - (1)].ptr); }
02434 break;
02435
02436 case 102:
02437 #line 366 "policy_parse.y"
02438 { (yyval.ptr) = (yyvsp[(1) - (1)].ptr); }
02439 break;
02440
02441 case 103:
02442 #line 368 "policy_parse.y"
02443 { (yyval.ptr) = (yyvsp[(1) - (1)].ptr); }
02444 break;
02445
02446 case 104:
02447 #line 370 "policy_parse.y"
02448 { (yyval.ptr) = (yyvsp[(1) - (1)].ptr); }
02449 break;
02450
02451 case 105:
02452 #line 373 "policy_parse.y"
02453 { (yyval.ptr) = define_cond_te_avtab(AVRULE_ALLOWED) ;
02454 if ((yyval.ptr) == COND_ERR) return -1; }
02455 break;
02456
02457 case 106:
02458 #line 377 "policy_parse.y"
02459 { (yyval.ptr) = define_cond_te_avtab(AVRULE_AUDITALLOW) ;
02460 if ((yyval.ptr) == COND_ERR) return -1; }
02461 break;
02462
02463 case 107:
02464 #line 381 "policy_parse.y"
02465 { (yyval.ptr) = define_cond_te_avtab(AVRULE_AUDITDENY) ;
02466 if ((yyval.ptr) == COND_ERR) return -1; }
02467 break;
02468
02469 case 108:
02470 #line 385 "policy_parse.y"
02471 { (yyval.ptr) = define_cond_te_avtab(AVRULE_DONTAUDIT);
02472 if ((yyval.ptr) == COND_ERR) return -1; }
02473 break;
02474
02475 case 109:
02476 #line 389 "policy_parse.y"
02477 {if (define_compute_type(AVRULE_TRANSITION)) return -1;}
02478 break;
02479
02480 case 110:
02481 #line 391 "policy_parse.y"
02482 {if (define_compute_type(AVRULE_MEMBER)) return -1;}
02483 break;
02484
02485 case 111:
02486 #line 393 "policy_parse.y"
02487 {if (define_compute_type(AVRULE_CHANGE)) return -1;}
02488 break;
02489
02490 case 112:
02491 #line 396 "policy_parse.y"
02492 { if (define_range_trans(0)) return -1; }
02493 break;
02494
02495 case 113:
02496 #line 398 "policy_parse.y"
02497 { if (define_range_trans(1)) return -1; }
02498 break;
02499
02500 case 119:
02501 #line 407 "policy_parse.y"
02502 {if (define_te_avtab(AVRULE_ALLOWED)) return -1; }
02503 break;
02504
02505 case 120:
02506 #line 410 "policy_parse.y"
02507 {if (define_te_avtab(AVRULE_AUDITALLOW)) return -1; }
02508 break;
02509
02510 case 121:
02511 #line 413 "policy_parse.y"
02512 {if (define_te_avtab(AVRULE_AUDITDENY)) return -1; }
02513 break;
02514
02515 case 122:
02516 #line 416 "policy_parse.y"
02517 {if (define_te_avtab(AVRULE_DONTAUDIT)) return -1; }
02518 break;
02519
02520 case 123:
02521 #line 419 "policy_parse.y"
02522 {if (define_te_avtab(AVRULE_NEVERALLOW)) return -1; }
02523 break;
02524
02525 case 124:
02526 #line 422 "policy_parse.y"
02527 {if (define_role_types()) return -1;}
02528 break;
02529
02530 case 125:
02531 #line 424 "policy_parse.y"
02532 {if (define_role_types()) return -1;}
02533 break;
02534
02535 case 127:
02536 #line 429 "policy_parse.y"
02537 {if (define_role_trans()) return -1; }
02538 break;
02539
02540 case 128:
02541 #line 432 "policy_parse.y"
02542 {if (define_role_allow()) return -1; }
02543 break;
02544
02545 case 129:
02546 #line 435 "policy_parse.y"
02547 { (yyval.ptr) = (yyvsp[(1) - (1)].ptr); }
02548 break;
02549
02550 case 130:
02551 #line 437 "policy_parse.y"
02552 { (yyval.ptr) = merge_roles_dom((role_datum_t*)(yyvsp[(1) - (2)].ptr), (role_datum_t*)(yyvsp[(2) - (2)].ptr)); if ((yyval.ptr) == 0) return -1;}
02553 break;
02554
02555 case 131:
02556 #line 440 "policy_parse.y"
02557 {(yyval.ptr) = define_role_dom(NULL); if ((yyval.ptr) == 0) return -1;}
02558 break;
02559
02560 case 132:
02561 #line 442 "policy_parse.y"
02562 {(yyval.ptr) = define_role_dom((role_datum_t*)(yyvsp[(4) - (5)].ptr)); if ((yyval.ptr) == 0) return -1;}
02563 break;
02564
02565 case 139:
02566 #line 454 "policy_parse.y"
02567 { if (define_constraint((constraint_expr_t*)(yyvsp[(4) - (5)].valptr))) return -1; }
02568 break;
02569
02570 case 140:
02571 #line 457 "policy_parse.y"
02572 { if (define_validatetrans((constraint_expr_t*)(yyvsp[(3) - (4)].valptr))) return -1; }
02573 break;
02574
02575 case 141:
02576 #line 460 "policy_parse.y"
02577 { (yyval.valptr) = (yyvsp[(2) - (3)].valptr); }
02578 break;
02579
02580 case 142:
02581 #line 462 "policy_parse.y"
02582 { (yyval.valptr) = define_cexpr(CEXPR_NOT, (yyvsp[(2) - (2)].valptr), 0);
02583 if ((yyval.valptr) == 0) return -1; }
02584 break;
02585
02586 case 143:
02587 #line 465 "policy_parse.y"
02588 { (yyval.valptr) = define_cexpr(CEXPR_AND, (yyvsp[(1) - (3)].valptr), (yyvsp[(3) - (3)].valptr));
02589 if ((yyval.valptr) == 0) return -1; }
02590 break;
02591
02592 case 144:
02593 #line 468 "policy_parse.y"
02594 { (yyval.valptr) = define_cexpr(CEXPR_OR, (yyvsp[(1) - (3)].valptr), (yyvsp[(3) - (3)].valptr));
02595 if ((yyval.valptr) == 0) return -1; }
02596 break;
02597
02598 case 145:
02599 #line 471 "policy_parse.y"
02600 { (yyval.valptr) = (yyvsp[(1) - (1)].valptr); }
02601 break;
02602
02603 case 146:
02604 #line 474 "policy_parse.y"
02605 { (yyval.valptr) = define_cexpr(CEXPR_ATTR, CEXPR_USER, (yyvsp[(2) - (3)].valptr));
02606 if ((yyval.valptr) == 0) return -1; }
02607 break;
02608
02609 case 147:
02610 #line 477 "policy_parse.y"
02611 { (yyval.valptr) = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, (yyvsp[(2) - (3)].valptr));
02612 if ((yyval.valptr) == 0) return -1; }
02613 break;
02614
02615 case 148:
02616 #line 480 "policy_parse.y"
02617 { (yyval.valptr) = define_cexpr(CEXPR_ATTR, CEXPR_TYPE, (yyvsp[(2) - (3)].valptr));
02618 if ((yyval.valptr) == 0) return -1; }
02619 break;
02620
02621 case 149:
02622 #line 482 "policy_parse.y"
02623 { if (insert_separator(1)) return -1; }
02624 break;
02625
02626 case 150:
02627 #line 483 "policy_parse.y"
02628 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, CEXPR_USER, (yyvsp[(2) - (4)].valptr));
02629 if ((yyval.valptr) == 0) return -1; }
02630 break;
02631
02632 case 151:
02633 #line 485 "policy_parse.y"
02634 { if (insert_separator(1)) return -1; }
02635 break;
02636
02637 case 152:
02638 #line 486 "policy_parse.y"
02639 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_TARGET), (yyvsp[(2) - (4)].valptr));
02640 if ((yyval.valptr) == 0) return -1; }
02641 break;
02642
02643 case 153:
02644 #line 488 "policy_parse.y"
02645 { if (insert_separator(1)) return -1; }
02646 break;
02647
02648 case 154:
02649 #line 489 "policy_parse.y"
02650 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, (CEXPR_USER | CEXPR_XTARGET), (yyvsp[(2) - (4)].valptr));
02651 if ((yyval.valptr) == 0) return -1; }
02652 break;
02653
02654 case 155:
02655 #line 491 "policy_parse.y"
02656 { if (insert_separator(1)) return -1; }
02657 break;
02658
02659 case 156:
02660 #line 492 "policy_parse.y"
02661 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, (yyvsp[(2) - (4)].valptr));
02662 if ((yyval.valptr) == 0) return -1; }
02663 break;
02664
02665 case 157:
02666 #line 494 "policy_parse.y"
02667 { if (insert_separator(1)) return -1; }
02668 break;
02669
02670 case 158:
02671 #line 495 "policy_parse.y"
02672 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), (yyvsp[(2) - (4)].valptr));
02673 if ((yyval.valptr) == 0) return -1; }
02674 break;
02675
02676 case 159:
02677 #line 497 "policy_parse.y"
02678 { if (insert_separator(1)) return -1; }
02679 break;
02680
02681 case 160:
02682 #line 498 "policy_parse.y"
02683 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_XTARGET), (yyvsp[(2) - (4)].valptr));
02684 if ((yyval.valptr) == 0) return -1; }
02685 break;
02686
02687 case 161:
02688 #line 500 "policy_parse.y"
02689 { if (insert_separator(1)) return -1; }
02690 break;
02691
02692 case 162:
02693 #line 501 "policy_parse.y"
02694 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, (yyvsp[(2) - (4)].valptr));
02695 if ((yyval.valptr) == 0) return -1; }
02696 break;
02697
02698 case 163:
02699 #line 503 "policy_parse.y"
02700 { if (insert_separator(1)) return -1; }
02701 break;
02702
02703 case 164:
02704 #line 504 "policy_parse.y"
02705 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), (yyvsp[(2) - (4)].valptr));
02706 if ((yyval.valptr) == 0) return -1; }
02707 break;
02708
02709 case 165:
02710 #line 506 "policy_parse.y"
02711 { if (insert_separator(1)) return -1; }
02712 break;
02713
02714 case 166:
02715 #line 507 "policy_parse.y"
02716 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_XTARGET), (yyvsp[(2) - (4)].valptr));
02717 if ((yyval.valptr) == 0) return -1; }
02718 break;
02719
02720 case 167:
02721 #line 510 "policy_parse.y"
02722 { (yyval.valptr) = define_cexpr(CEXPR_ATTR, CEXPR_USER, CEXPR_EQ);
02723 if ((yyval.valptr) == 0) return -1; }
02724 break;
02725
02726 case 168:
02727 #line 512 "policy_parse.y"
02728 { if (insert_separator(1)) return -1; }
02729 break;
02730
02731 case 169:
02732 #line 513 "policy_parse.y"
02733 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, CEXPR_ROLE, CEXPR_EQ);
02734 if ((yyval.valptr) == 0) return -1; }
02735 break;
02736
02737 case 170:
02738 #line 515 "policy_parse.y"
02739 { if (insert_separator(1)) return -1; }
02740 break;
02741
02742 case 171:
02743 #line 516 "policy_parse.y"
02744 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, (CEXPR_ROLE | CEXPR_TARGET), CEXPR_EQ);
02745 if ((yyval.valptr) == 0) return -1; }
02746 break;
02747
02748 case 172:
02749 #line 519 "policy_parse.y"
02750 { (yyval.valptr) = define_cexpr(CEXPR_ATTR, CEXPR_ROLE, (yyvsp[(2) - (2)].valptr));
02751 if ((yyval.valptr) == 0) return -1; }
02752 break;
02753
02754 case 173:
02755 #line 521 "policy_parse.y"
02756 { if (insert_separator(1)) return -1; }
02757 break;
02758
02759 case 174:
02760 #line 522 "policy_parse.y"
02761 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, CEXPR_TYPE, CEXPR_EQ);
02762 if ((yyval.valptr) == 0) return -1; }
02763 break;
02764
02765 case 175:
02766 #line 524 "policy_parse.y"
02767 { if (insert_separator(1)) return -1; }
02768 break;
02769
02770 case 176:
02771 #line 525 "policy_parse.y"
02772 { (yyval.valptr) = define_cexpr(CEXPR_NAMES, (CEXPR_TYPE | CEXPR_TARGET), CEXPR_EQ);
02773 if ((yyval.valptr) == 0) return -1; }
02774 break;
02775
02776 case 177:
02777 #line 528 "policy_parse.y"
02778 { (yyval.valptr) = define_cexpr(CEXPR_ATTR, CEXPR_L1L2, (yyvsp[(2) - (3)].valptr));
02779 if ((yyval.valptr) == 0) return -1; }
02780 break;
02781
02782 case 178:
02783 #line 531 "policy_parse.y"
02784 { (yyval.valptr) = define_cexpr(CEXPR_ATTR, CEXPR_L1H2, (yyvsp[(2) - (3)].valptr));
02785 if ((yyval.valptr) == 0) return -1; }
02786 break;
02787
02788 case 179:
02789 #line 534 "policy_parse.y"
02790 { (yyval.valptr) = define_cexpr(CEXPR_ATTR, CEXPR_H1L2, (yyvsp[(2) - (3)].valptr));
02791 if ((yyval.valptr) == 0) return -1; }
02792 break;
02793
02794 case 180:
02795 #line 537 "policy_parse.y"
02796 { (yyval.valptr) = define_cexpr(CEXPR_ATTR, CEXPR_H1H2, (yyvsp[(2) - (3)].valptr));
02797 if ((yyval.valptr) == 0) return -1; }
02798 break;
02799
02800 case 181:
02801 #line 540 "policy_parse.y"
02802 { (yyval.valptr) = define_cexpr(CEXPR_ATTR, CEXPR_L1H1, (yyvsp[(2) - (3)].valptr));
02803 if ((yyval.valptr) == 0) return -1; }
02804 break;
02805
02806 case 182:
02807 #line 543 "policy_parse.y"
02808 { (yyval.valptr) = define_cexpr(CEXPR_ATTR, CEXPR_L2H2, (yyvsp[(2) - (3)].valptr));
02809 if ((yyval.valptr) == 0) return -1; }
02810 break;
02811
02812 case 183:
02813 #line 547 "policy_parse.y"
02814 { (yyval.valptr) = CEXPR_EQ; }
02815 break;
02816
02817 case 184:
02818 #line 549 "policy_parse.y"
02819 { (yyval.valptr) = CEXPR_NEQ; }
02820 break;
02821
02822 case 185:
02823 #line 552 "policy_parse.y"
02824 { (yyval.valptr) = (yyvsp[(1) - (1)].valptr); }
02825 break;
02826
02827 case 186:
02828 #line 554 "policy_parse.y"
02829 { (yyval.valptr) = CEXPR_DOM; }
02830 break;
02831
02832 case 187:
02833 #line 556 "policy_parse.y"
02834 { (yyval.valptr) = CEXPR_DOMBY; }
02835 break;
02836
02837 case 188:
02838 #line 558 "policy_parse.y"
02839 { (yyval.valptr) = CEXPR_INCOMP; }
02840 break;
02841
02842 case 191:
02843 #line 564 "policy_parse.y"
02844 {if (define_user()) return -1;}
02845 break;
02846
02847 case 196:
02848 #line 573 "policy_parse.y"
02849 {if (define_initial_sid_context()) return -1;}
02850 break;
02851
02852 case 201:
02853 #line 582 "policy_parse.y"
02854 {if (define_fs_context((yyvsp[(2) - (5)].val),(yyvsp[(3) - (5)].val))) return -1;}
02855 break;
02856
02857 case 207:
02858 #line 593 "policy_parse.y"
02859 {if (define_port_context((yyvsp[(3) - (4)].val),(yyvsp[(3) - (4)].val))) return -1;}
02860 break;
02861
02862 case 208:
02863 #line 595 "policy_parse.y"
02864 {if (define_port_context((yyvsp[(3) - (6)].val),(yyvsp[(5) - (6)].val))) return -1;}
02865 break;
02866
02867 case 213:
02868 #line 604 "policy_parse.y"
02869 {if (define_netif_context()) return -1;}
02870 break;
02871
02872 case 218:
02873 #line 613 "policy_parse.y"
02874 {if (define_ipv4_node_context()) return -1;}
02875 break;
02876
02877 case 219:
02878 #line 615 "policy_parse.y"
02879 {if (define_ipv6_node_context()) return -1;}
02880 break;
02881
02882 case 224:
02883 #line 624 "policy_parse.y"
02884 {if (define_fs_use(SECURITY_FS_USE_XATTR)) return -1;}
02885 break;
02886
02887 case 225:
02888 #line 626 "policy_parse.y"
02889 {if (define_fs_use(SECURITY_FS_USE_TASK)) return -1;}
02890 break;
02891
02892 case 226:
02893 #line 628 "policy_parse.y"
02894 {if (define_fs_use(SECURITY_FS_USE_TRANS)) return -1;}
02895 break;
02896
02897 case 227:
02898 #line 630 "policy_parse.y"
02899 {if (define_fs_use(SECURITY_FS_USE_PSIDS)) return -1;}
02900 break;
02901
02902 case 232:
02903 #line 639 "policy_parse.y"
02904 {if (define_genfs_context(1)) return -1;}
02905 break;
02906
02907 case 233:
02908 #line 640 "policy_parse.y"
02909 {insert_id("-", 0);}
02910 break;
02911
02912 case 234:
02913 #line 641 "policy_parse.y"
02914 {if (define_genfs_context(1)) return -1;}
02915 break;
02916
02917 case 235:
02918 #line 643 "policy_parse.y"
02919 {if (define_genfs_context(0)) return -1;}
02920 break;
02921
02922 case 236:
02923 #line 646 "policy_parse.y"
02924 { if (insert_id(yytext,0)) return -1; }
02925 break;
02926
02927 case 240:
02928 #line 654 "policy_parse.y"
02929 {if (insert_separator(0)) return -1;}
02930 break;
02931
02932 case 241:
02933 #line 656 "policy_parse.y"
02934 {if (insert_separator(0)) return -1;}
02935 break;
02936
02937 case 242:
02938 #line 659 "policy_parse.y"
02939 {if (insert_separator(0)) return -1;}
02940 break;
02941
02942 case 243:
02943 #line 661 "policy_parse.y"
02944 {if (insert_separator(0)) return -1;}
02945 break;
02946
02947 case 248:
02948 #line 671 "policy_parse.y"
02949 { if (insert_separator(0)) return -1; }
02950 break;
02951
02952 case 249:
02953 #line 673 "policy_parse.y"
02954 { if (insert_separator(0)) return -1; }
02955 break;
02956
02957 case 250:
02958 #line 675 "policy_parse.y"
02959 { if (insert_id("*", 0)) return -1;
02960 if (insert_separator(0)) return -1; }
02961 break;
02962
02963 case 251:
02964 #line 678 "policy_parse.y"
02965 { if (insert_id("~", 0)) return -1;
02966 if (insert_separator(0)) return -1; }
02967 break;
02968
02969 case 252:
02970 #line 681 "policy_parse.y"
02971 { if (insert_id("~", 0)) return -1;
02972 if (insert_separator(0)) return -1; }
02973 break;
02974
02975 case 253:
02976 #line 683 "policy_parse.y"
02977 { if (insert_id("-", 0)) return -1; }
02978 break;
02979
02980 case 254:
02981 #line 684 "policy_parse.y"
02982 { if (insert_separator(0)) return -1; }
02983 break;
02984
02985 case 255:
02986 #line 687 "policy_parse.y"
02987 { if (insert_id("~", 1)) return -1; }
02988 break;
02989
02990 case 256:
02991 #line 690 "policy_parse.y"
02992 { if (insert_id("*", 1)) return -1; }
02993 break;
02994
02995 case 264:
02996 #line 702 "policy_parse.y"
02997 { if (insert_id(yytext, 1)) return -1; }
02998 break;
02999
03000 case 271:
03001 #line 711 "policy_parse.y"
03002 { if (insert_id("-", 0)) return -1; }
03003 break;
03004
03005 case 274:
03006 #line 714 "policy_parse.y"
03007 { if (insert_id(yytext,0)) return -1; }
03008 break;
03009
03010 case 275:
03011 #line 717 "policy_parse.y"
03012 { if (insert_id(yytext,0)) return -1; }
03013 break;
03014
03015 case 276:
03016 #line 720 "policy_parse.y"
03017 { (yyval.val) = strtoul(yytext,NULL,0); }
03018 break;
03019
03020 case 277:
03021 #line 723 "policy_parse.y"
03022 { if (insert_id(yytext,0)) return -1; }
03023 break;
03024
03025 case 278:
03026 #line 726 "policy_parse.y"
03027 {if (define_polcap()) return -1;}
03028 break;
03029
03030 case 279:
03031 #line 732 "policy_parse.y"
03032 { if (end_avrule_block(pass) == -1) return -1;
03033 if (policydb_index_others(NULL, policydbp, 0)) return -1;
03034 }
03035 break;
03036
03037 case 280:
03038 #line 737 "policy_parse.y"
03039 { if (define_policy(pass, 1) == -1) return -1; }
03040 break;
03041
03042 case 281:
03043 #line 740 "policy_parse.y"
03044 { if (insert_id(yytext,0)) return -1; }
03045 break;
03046
03047 case 296:
03048 #line 763 "policy_parse.y"
03049 { if (require_class(pass)) return -1; }
03050 break;
03051
03052 case 297:
03053 #line 765 "policy_parse.y"
03054 { (yyval.require_func) = require_role; }
03055 break;
03056
03057 case 298:
03058 #line 766 "policy_parse.y"
03059 { (yyval.require_func) = require_type; }
03060 break;
03061
03062 case 299:
03063 #line 767 "policy_parse.y"
03064 { (yyval.require_func) = require_attribute; }
03065 break;
03066
03067 case 300:
03068 #line 768 "policy_parse.y"
03069 { (yyval.require_func) = require_user; }
03070 break;
03071
03072 case 301:
03073 #line 769 "policy_parse.y"
03074 { (yyval.require_func) = require_bool; }
03075 break;
03076
03077 case 302:
03078 #line 770 "policy_parse.y"
03079 { (yyval.require_func) = require_sens; }
03080 break;
03081
03082 case 303:
03083 #line 771 "policy_parse.y"
03084 { (yyval.require_func) = require_cat; }
03085 break;
03086
03087 case 304:
03088 #line 774 "policy_parse.y"
03089 { if ((yyvsp[(0) - (1)].require_func) (pass)) return -1; }
03090 break;
03091
03092 case 305:
03093 #line 776 "policy_parse.y"
03094 { if ((yyvsp[(0) - (3)].require_func) (pass)) return -1; }
03095 break;
03096
03097 case 306:
03098 #line 779 "policy_parse.y"
03099 { if (end_avrule_block(pass) == -1) return -1; }
03100 break;
03101
03102 case 307:
03103 #line 781 "policy_parse.y"
03104 { if (end_optional(pass) == -1) return -1; }
03105 break;
03106
03107 case 308:
03108 #line 784 "policy_parse.y"
03109 { if (end_avrule_block(pass) == -1) return -1; }
03110 break;
03111
03112 case 310:
03113 #line 788 "policy_parse.y"
03114 { if (begin_optional(pass) == -1) return -1; }
03115 break;
03116
03117 case 311:
03118 #line 791 "policy_parse.y"
03119 { if (begin_optional_else(pass) == -1) return -1; }
03120 break;
03121
03122
03123 /* Line 1267 of yacc.c. */
03124 #line 3125 "policy_parse.c"
03125 default: break;
03126 }
03127 YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
03128
03129 YYPOPSTACK (yylen);
03130 yylen = 0;
03131 YY_STACK_PRINT (yyss, yyssp);
03132
03133 *++yyvsp = yyval;
03134
03135
03136 /* Now `shift' the result of the reduction. Determine what state
03137 that goes to, based on the state we popped back to and the rule
03138 number reduced by. */
03139
03140 yyn = yyr1[yyn];
03141
03142 yystate = yypgoto[yyn - YYNTOKENS] + *yyssp;
03143 if (0 <= yystate && yystate <= YYLAST && yycheck[yystate] == *yyssp)
03144 yystate = yytable[yystate];
03145 else
03146 yystate = yydefgoto[yyn - YYNTOKENS];
03147
03148 goto yynewstate;
03149
03150
03151 /*------------------------------------.
03152 | yyerrlab -- here on detecting error |
03153 `------------------------------------*/
03154 yyerrlab:
03155 /* If not already recovering from an error, report this error. */
03156 if (!yyerrstatus)
03157 {
03158 ++yynerrs;
03159 #if ! YYERROR_VERBOSE
03160 yyerror (YY_("syntax error"));
03161 #else
03162 {
03163 YYSIZE_T yysize = yysyntax_error (0, yystate, yychar);
03164 if (yymsg_alloc < yysize && yymsg_alloc < YYSTACK_ALLOC_MAXIMUM)
03165 {
03166 YYSIZE_T yyalloc = 2 * yysize;
03167 if (! (yysize <= yyalloc && yyalloc <= YYSTACK_ALLOC_MAXIMUM))
03168 yyalloc = YYSTACK_ALLOC_MAXIMUM;
03169 if (yymsg != yymsgbuf)
03170 YYSTACK_FREE (yymsg);
03171 yymsg = (char *) YYSTACK_ALLOC (yyalloc);
03172 if (yymsg)
03173 yymsg_alloc = yyalloc;
03174 else
03175 {
03176 yymsg = yymsgbuf;
03177 yymsg_alloc = sizeof yymsgbuf;
03178 }
03179 }
03180
03181 if (0 < yysize && yysize <= yymsg_alloc)
03182 {
03183 (void) yysyntax_error (yymsg, yystate, yychar);
03184 yyerror (yymsg);
03185 }
03186 else
03187 {
03188 yyerror (YY_("syntax error"));
03189 if (yysize != 0)
03190 goto yyexhaustedlab;
03191 }
03192 }
03193 #endif
03194 }
03195
03196
03197
03198 if (yyerrstatus == 3)
03199 {
03200 /* If just tried and failed to reuse look-ahead token after an
03201 error, discard it. */
03202
03203 if (yychar <= YYEOF)
03204 {
03205 /* Return failure if at end of input. */
03206 if (yychar == YYEOF)
03207 YYABORT;
03208 }
03209 else
03210 {
03211 yydestruct ("Error: discarding",
03212 yytoken, &yylval);
03213 yychar = YYEMPTY;
03214 }
03215 }
03216
03217 /* Else will try to reuse look-ahead token after shifting the error
03218 token. */
03219 goto yyerrlab1;
03220
03221
03222 /*---------------------------------------------------.
03223 | yyerrorlab -- error raised explicitly by YYERROR. |
03224 `---------------------------------------------------*/
03225 yyerrorlab:
03226
03227 /* Pacify compilers like GCC when the user code never invokes
03228 YYERROR and the label yyerrorlab therefore never appears in user
03229 code. */
03230 if (/*CONSTCOND*/ 0)
03231 goto yyerrorlab;
03232
03233 /* Do not reclaim the symbols of the rule which action triggered
03234 this YYERROR. */
03235 YYPOPSTACK (yylen);
03236 yylen = 0;
03237 YY_STACK_PRINT (yyss, yyssp);
03238 yystate = *yyssp;
03239 goto yyerrlab1;
03240
03241
03242 /*-------------------------------------------------------------.
03243 | yyerrlab1 -- common code for both syntax error and YYERROR. |
03244 `-------------------------------------------------------------*/
03245 yyerrlab1:
03246 yyerrstatus = 3; /* Each real token shifted decrements this. */
03247
03248 for (;;)
03249 {
03250 yyn = yypact[yystate];
03251 if (yyn != YYPACT_NINF)
03252 {
03253 yyn += YYTERROR;
03254 if (0 <= yyn && yyn <= YYLAST && yycheck[yyn] == YYTERROR)
03255 {
03256 yyn = yytable[yyn];
03257 if (0 < yyn)
03258 break;
03259 }
03260 }
03261
03262 /* Pop the current state because it cannot handle the error token. */
03263 if (yyssp == yyss)
03264 YYABORT;
03265
03266
03267 yydestruct ("Error: popping",
03268 yystos[yystate], yyvsp);
03269 YYPOPSTACK (1);
03270 yystate = *yyssp;
03271 YY_STACK_PRINT (yyss, yyssp);
03272 }
03273
03274 if (yyn == YYFINAL)
03275 YYACCEPT;
03276
03277 *++yyvsp = yylval;
03278
03279
03280 /* Shift the error token. */
03281 YY_SYMBOL_PRINT ("Shifting", yystos[yyn], yyvsp, yylsp);
03282
03283 yystate = yyn;
03284 goto yynewstate;
03285
03286
03287 /*-------------------------------------.
03288 | yyacceptlab -- YYACCEPT comes here. |
03289 `-------------------------------------*/
03290 yyacceptlab:
03291 yyresult = 0;
03292 goto yyreturn;
03293
03294 /*-----------------------------------.
03295 | yyabortlab -- YYABORT comes here. |
03296 `-----------------------------------*/
03297 yyabortlab:
03298 yyresult = 1;
03299 goto yyreturn;
03300
03301 #ifndef yyoverflow
03302 /*-------------------------------------------------.
03303 | yyexhaustedlab -- memory exhaustion comes here. |
03304 `-------------------------------------------------*/
03305 yyexhaustedlab:
03306 yyerror (YY_("memory exhausted"));
03307 yyresult = 2;
03308 /* Fall through. */
03309 #endif
03310
03311 yyreturn:
03312 if (yychar != YYEOF && yychar != YYEMPTY)
03313 yydestruct ("Cleanup: discarding lookahead",
03314 yytoken, &yylval);
03315 /* Do not reclaim the symbols of the rule which action triggered
03316 this YYABORT or YYACCEPT. */
03317 YYPOPSTACK (yylen);
03318 YY_STACK_PRINT (yyss, yyssp);
03319 while (yyssp != yyss)
03320 {
03321 yydestruct ("Cleanup: popping",
03322 yystos[*yyssp], yyvsp);
03323 YYPOPSTACK (1);
03324 }
03325 #ifndef yyoverflow
03326 if (yyss != yyssa)
03327 YYSTACK_FREE (yyss);
03328 #endif
03329 #if YYERROR_VERBOSE
03330 if (yymsg != yymsgbuf)
03331 YYSTACK_FREE (yymsg);
03332 #endif
03333 /* Make sure YYID is used. */
03334 return YYID (yyresult);
03335 }
Definition at line 88 of file policy_define.c. References load_rules, num_rules, pass, policydb_errors, policydb_lineno, and source_lineno. Referenced by read_source_policy(). 00089 {
/* Reset the per-pass parser globals before a yyparse() run.
 * pass_number is 1 or 2 (read_source_policy() drives two passes over the
 * same source text); do_rules is the load_rules flag derived from
 * QPOL_POLICY_OPTION_NO_RULES. */
00090 policydb_lineno = 1;
00091 source_lineno = 1;
00092 policydb_errors = 0; /* incremented by the parser; the caller checks it after each pass */
00093 pass = pass_number;
00094 load_rules = do_rules;
00095 num_rules = 0;
00096 }
Definition at line 98 of file policy.c. References fmt, qpol_policy::fn, level, qpol_policy_t, and qpol_policy::varg. Referenced by qpol_handle_msg(), and sepol_handle_route_to_callback(). 00101 {
/* Deliver one diagnostic: through the policy's registered message callback
 * when there is one, otherwise straight to stderr followed by a newline.
 * varg is unused here; the callback receives the policy's own varg. */
if (p != NULL && p->fn != NULL) {
	p->fn(p->varg, p, level, fmt, va_args);
	return;
}
vfprintf(stderr, fmt, va_args);
fputs("\n", stderr);
}
Definition at line 111 of file policy.c. References fmt, qpol_handle_route_to_callback(), and qpol_policy_t. Referenced by qpol_policy_open_from_file_opt(), and qpol_policy_open_from_memory_opt(). 00112 {
/* libsepol message sink.  It is registered with sepol_msg_set_callback()
 * with the owning qpol_policy_t as varg, so every libsepol diagnostic is
 * forwarded to that policy's qpol callback with the level translated via
 * sepol_msg_get_level().  Without a sepol handle the message is written
 * to stderr directly. */
00113 va_list ap;
00114 qpol_policy_t *p = varg; /* the qpol_policy_t passed at registration time */
00115
00116 if (!sh) {
00117 va_start(ap, fmt);
00118 vfprintf(stderr, fmt, ap);
00119 va_end(ap);
00120 fprintf(stderr, "\n");
00121 return;
00122 }
00123
00124 va_start(ap, fmt);
00125 qpol_handle_route_to_callback(NULL, p, sepol_msg_get_level(sh), fmt, ap);
00126 va_end(ap);
00127 }
Definition at line 129 of file policy.c. References fmt, level, qpol_handle_route_to_callback(), qpol_policy_t, and qpol_policy::varg. 00130 {
/* Variadic front end for qpol diagnostics (presumably what the ERR/INFO
 * macros expand to -- the macros are not visible here).  With a NULL policy,
 * e.g. before the handle exists, the message goes straight to stderr;
 * otherwise it is routed through the policy's callback. */
00131 va_list ap;
00132
00133 if (!p) {
00134 va_start(ap, fmt);
00135 vfprintf(stderr, fmt, ap);
00136 va_end(ap);
00137 fprintf(stderr, "\n");
00138 return;
00139 }
00140
00141 va_start(ap, fmt);
00142 /* explicit cast here to remove const for sepol handle */
00143 qpol_handle_route_to_callback((void *)p->varg, p, level, fmt, ap);
00144 va_end(ap);
00145 }
Definition at line 147 of file policy.c. References fmt, QPOL_MSG_ERR, QPOL_MSG_INFO, QPOL_MSG_WARN, and qpol_policy_t. 00149 {
/* Default message sink used when no callback is registered: INFO messages
 * are dropped; WARN and ERR (and any unknown level, treated as ERR) are
 * prefixed and written to stderr with a trailing newline. */
const char *prefix;

if (level == QPOL_MSG_INFO)
	return; /* by default ignore info messages */

prefix = (level == QPOL_MSG_WARN) ? "WARNING: " : "ERROR: ";
fputs(prefix, stderr);
vfprintf(stderr, fmt, va_args);
fputs("\n", stderr);
}
Definition at line 173 of file policy.c. References ERR, id_queue, INFO, init_parser(), init_scanner(), mlspol, qpol_policy::p, policydbp, qpol_policy_t, qpol_src_inputptr, queue_create(), queue_destroy(), source_file, and yyparse(). Referenced by qpol_policy_open_from_file_opt(), qpol_policy_open_from_memory_opt(), and qpol_policy_rebuild_opt(). 00174 {
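/* Parse the in-memory source policy (qpol_src_input / qpol_src_inputptr)
 * into qpolicy->p->p with two yyparse() passes: pass 1 collects
 * declarations, pass 2 re-scans the same text (input pointer rewound) to
 * build the rules.  QPOL_POLICY_OPTION_NO_RULES in options turns rule
 * loading off in both passes.
 * Returns 0 on success.  On failure returns -1: queue allocation failure
 * is reported via ERR() only, parse failures set errno = EIO.  The global
 * id_queue is created here and released on every path. */
int load_rules = (options & QPOL_POLICY_OPTION_NO_RULES) ? 0 : 1;

if ((id_queue = queue_create()) == NULL) {
	ERR(qpolicy, "%s", strerror(ENOMEM));
	return -1;
}

policydbp = &qpolicy->p->p;
mlspol = policydbp->mls;

INFO(qpolicy, "%s", "Parsing policy. (Step 1 of 5)");
init_scanner();
init_parser(1, load_rules);
if (yyparse() || policydb_errors)
	goto parse_failed;

/* rewind the scanner input and run the second pass over the same text */
qpol_src_inputptr = qpol_src_originalinput;
init_parser(2, load_rules);
source_file[0] = '\0';
if (yyparse() || policydb_errors)
	goto parse_failed;

/* both passes returned with policydb_errors == 0, nothing left to check */
queue_destroy(id_queue);
id_queue = NULL;
return 0;

parse_failed:
/* single cleanup path for both passes (the original duplicated it) */
ERR(qpolicy, "%s: error(s) encountered while parsing configuration\n", progname);
queue_destroy(id_queue);
id_queue = NULL;
errno = EIO;
return -1;
}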
Definition at line 216 of file policy.c. References fbuf::buf, fbuf::err, qpol_fbuf_t, and fbuf::sz. Referenced by qpol_binpol_version(). 00217 {
/* Allocate an empty read buffer descriptor into *fb.  Returns 0 on
 * success, -1 if fb is NULL or the allocation fails (in which case *fb
 * is NULL).  The descriptor is released with qpol_free_fbuf(). */
if (fb == NULL)
	return -1;

*fb = malloc(sizeof(**fb));
if (*fb == NULL)
	return -1;

(*fb)->buf = NULL; /* grown lazily by qpol_read_fbuf() */
(*fb)->sz = 0;
(*fb)->err = 0;
return 0;
}
Definition at line 229 of file policy.c. References qpol_fbuf_t. Referenced by qpol_binpol_version(). 00230 {
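/* Release a descriptor created by qpol_init_fbuf() together with its data
 * buffer, and clear the caller's pointer so a repeated call or a later use
 * cannot free or touch it again.  NULL fb or *fb is a no-op. */
if (fb == NULL || *fb == NULL)
	return;
/* free(NULL) is a no-op, so no sz/buf guard is needed here */
free((*fb)->buf);
free(*fb);
*fb = NULL;
}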
Definition at line 239 of file policy.c. References fbuf::buf, fbuf::err, qpol_fbuf_t, and fbuf::sz. Referenced by qpol_binpol_version(). 00240 {
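/* Read exactly `bytes` bytes from fp into fb's buffer, growing the buffer
 * when it is too small.  Returns the buffer on success.  On failure returns
 * NULL with fb->err set to -1 (allocation failure / size overflow) or -3
 * (short read or EOF).  The data is raw and not NUL-terminated; fb->sz is
 * the allocated size, which is always at least bytes + 1. */
size_t got;

assert(fb != NULL && fp != NULL);
assert(!(fb->sz > 0 && fb->buf == NULL));

if (bytes + 1 == 0) {
	/* bytes + 1 would wrap to 0 */
	fb->err = -1;
	return NULL;
}

if (fb->sz < bytes + 1) {
	/* realloc(NULL, n) behaves as malloc(n), so one path covers the first
	 * allocation too.  Keep the old buffer and fb->sz intact on failure:
	 * the original overwrote fb->buf with NULL (leaking the old block and
	 * leaving sz > 0 with buf == NULL, which trips the assert above). */
	char *grown = realloc(fb->buf, bytes + 1);
	if (grown == NULL) {
		fb->err = -1;
		return NULL;
	}
	fb->buf = grown;
	fb->sz = bytes + 1;
}

got = fread(fb->buf, bytes, 1, fp);
if (got != 1) {
	fb->err = -3;
	return NULL;
}
fb->err = 0;
return fb->buf;
}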
Returns the version number of the binary policy. Note that this will rewind the file pointer.
Definition at line 268 of file policy.c. References fbuf::err, le32_to_cpu, qpol_fbuf_t, qpol_free_fbuf(), qpol_init_fbuf(), and qpol_read_fbuf(). Referenced by get_binpol_version(). 00269 {
/* The stream is untrusted input: only the magic is checked before any
 * file-supplied value is used.  Return values: the version word (>= 0),
 * -1 for a NULL fp or descriptor allocation failure, -2 for a bad magic,
 * -3 for a short read, a negative length, or a failed seek.  The version
 * itself is returned unvalidated; callers must range-check it. */
00270 __u32 *buf;
00271 int rt, len;
00272 qpol_fbuf_t *fb;
00273
00274 if (fp == NULL)
00275 return -1;
00276
00277 if (qpol_init_fbuf(&fb) != 0)
00278 return -1;
00279
00280 /* magic # and sz of policy string */
00281 buf = qpol_read_fbuf(fb, sizeof(__u32) * 2, fp);
00282 if (buf == NULL) {
00283 rt = fb->err; /* -1 allocation, -3 short read */
00284 goto err_return;
00285 }
00286 buf[0] = le32_to_cpu(buf[0]);
00287 if (buf[0] != SELINUX_MAGIC) {
00288 rt = -2;
00289 goto err_return;
00290 }
00291
00292 /* the u32 length is narrowed to int, so values >= 2^31 become negative
00293  * and are rejected here instead of being passed to fseek() */
00292 len = le32_to_cpu(buf[1]);
00293 if (len < 0) {
00294 rt = -3;
00295 goto err_return;
00296 }
00297 /* skip over the policy string (NOTE(review): a seek past EOF on a
00298  * regular file is expected to succeed and the next read to fail with
00299  * -3 -- confirm that is the intended outcome for a truncated file) */
00298 if (fseek(fp, sizeof(char) * len, SEEK_CUR) != 0) {
00299 rt = -3;
00300 goto err_return;
00301 }
00302
00303 /* Read the version word only (the config word and table sizes that
00304  * follow it in the header are not needed here). */
00304 buf = qpol_read_fbuf(fb, sizeof(__u32) * 1, fp);
00305 if (buf == NULL) {
00306 rt = fb->err;
00307 goto err_return;
00308 }
00309 buf[0] = le32_to_cpu(buf[0]);
00310
00311 rt = buf[0];
00312 err_return:
00313 rewind(fp); /* documented: the file position is reset on every path */
00314 qpol_free_fbuf(&fb);
00315 return rt;
00316 }
Definition at line 318 of file policy.c. References le32_to_cpu. Referenced by get_binpol_version(), and qpol_policy_open_from_file_opt(). 00319 {
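/* Return 1 if the stream starts with the kernel binary-policy magic
 * (SELINUX_MAGIC, stored little-endian), 0 otherwise or when the first
 * word cannot be read.  The stream is rewound before returning either way.
 * On a short read ubuf is never examined: the original assigned rt = 0
 * but then fell through and compared the uninitialised word anyway. */
__u32 ubuf;
int rt = 0;

if (fread(&ubuf, sizeof(__u32), 1, fp) == 1 && le32_to_cpu(ubuf) == SELINUX_MAGIC)
	rt = 1;

rewind(fp);
return rt;
}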
Definition at line 337 of file policy.c. References le32_to_cpu. Referenced by qpol_module_create_from_file(), and qpol_policy_open_from_file_opt(). 00338 {
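/* Return 1 if the stream starts with the module-package magic
 * (SEPOL_MODULE_PACKAGE_MAGIC, stored little-endian), 0 otherwise or when
 * the first word cannot be read.  The stream is rewound before returning.
 * On a short read ubuf is never examined: the original set rt = 0 for
 * "problem reading file" but then compared the uninitialised word anyway,
 * overwriting rt. */
__u32 ubuf;
int rt = 0;

if (fread(&ubuf, sizeof(__u32), 1, fp) == 1 && le32_to_cpu(ubuf) == SEPOL_MODULE_PACKAGE_MAGIC)
	rt = 1;

rewind(fp);
return rt;
}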
Definition at line 357 of file policy.c. References ERR, qpol_policy::p, qpol_class_get_name(), qpol_class_t, qpol_fs_use_get_behavior(), qpol_fs_use_t, qpol_iterator_destroy(), qpol_iterator_end(), qpol_iterator_get_item(), qpol_iterator_get_size(), qpol_iterator_next(), qpol_iterator_t, qpol_policy_get_fs_use_iter(), qpol_policy_get_range_trans_iter(), qpol_policy_get_validatetrans_iter(), qpol_policy_t, qpol_range_trans_get_target_class(), and qpol_range_trans_t. Referenced by qpol_policy_open_from_file_opt(), and qpol_policy_rebuild_opt(). 00358 {
/* Derive db->policyvers for a policy that did not carry a version (one
 * built from source or linked modules): pick the lowest kernel policy
 * version able to express the features actually present.  The checks run
 * from newest feature to oldest and stop at the first hit; a version that
 * is already set is left untouched.  Returns STATUS_SUCCESS, or STATUS_ERR
 * with errno = EINVAL for a NULL policy. */
00359 policydb_t *db = NULL;
00360 const qpol_class_t *obj_class = NULL;
00361 qpol_iterator_t *iter = NULL;
00362 qpol_fs_use_t *fsuse = NULL;
00363 qpol_range_trans_t *rangetrans = NULL;
00364 uint32_t behavior = 0;
00365 size_t nvtrans = 0, fsusexattr = 0;
00366 const char *obj_name = NULL;
00367
00368 if (!policy) {
00369 ERR(policy, "%s", strerror(EINVAL));
00370 errno = EINVAL;
00371 return STATUS_ERR;
00372 }
00373
00374 db = &policy->p->p;
00375
00376 if (db->policyvers) {
00377 /* version already set */
00378 return STATUS_SUCCESS;
00379 }
00380
00381 /* check fs_use for xattr and psid */
00382 /* NOTE(review): the return values of the qpol_policy_get_*_iter() and
00383  * qpol_iterator_get_item() calls below are not checked; this relies on
00384  * the iterator API tolerating a NULL iter after a failed create --
00385  * confirm before depending on it. */
00382 qpol_policy_get_fs_use_iter(policy, &iter);
00383 for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
00384 qpol_iterator_get_item(iter, (void **)&fsuse);
00385 qpol_fs_use_get_behavior(policy, fsuse, &behavior);
00386 /* not possible to have xattr and psid in same policy */
00387 if (behavior == QPOL_FS_USE_XATTR) {
00388 fsusexattr = 1; /* remembered for the version-15 fallback below */
00389 break;
00390 } else if (behavior == QPOL_FS_USE_PSID) {
00391 qpol_iterator_destroy(&iter);
00392 db->policyvers = 12;
00393 return STATUS_SUCCESS;
00394 }
00395 }
00396 qpol_iterator_destroy(&iter);
00397
00398 /* 22 : there exists at least one policy capability */
00399 #ifdef HAVE_SEPOL_POLICYCAPS
00400 ebitmap_node_t *node = NULL;
00401 unsigned int i = 0;
00402 ebitmap_for_each_bit(&db->policycaps, node, i) {
00403 if (ebitmap_get_bit(&db->policycaps, i)) {
00404 db->policyvers = 22;
00405 return STATUS_SUCCESS;
00406 }
00407 }
00408 #endif
00409
00410 /* 21 : object classes other than process for range_transitions */
00411 qpol_policy_get_range_trans_iter(policy, &iter);
00412 for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
00413 qpol_iterator_get_item(iter, (void **)&rangetrans);
00414 qpol_range_trans_get_target_class(policy, rangetrans, &obj_class);
00415 qpol_class_get_name(policy, obj_class, &obj_name);
00416 /* NOTE(review): obj_name reaches strcmp() without a NULL check; this
00417  * assumes the two getters above cannot fail for a linked policy. */
00416 if (strcmp(obj_name, "process")) {
00417 db->policyvers = 21;
00418 qpol_iterator_destroy(&iter);
00419 return STATUS_SUCCESS;
00420 }
00421 }
00422 qpol_iterator_destroy(&iter);
00423
00424 /* 19 & 20 : mls and validatetrans statements added */
00425 qpol_policy_get_validatetrans_iter(policy, &iter);
00426 qpol_iterator_get_size(iter, &nvtrans);
00427 qpol_iterator_destroy(&iter);
00428 if (db->mls || nvtrans) {
00429 db->policyvers = 19;
00430 }
00431
00432 /* 18 : the netlink_audit_socket class added */
00433 else if (hashtab_search(db->p_classes.table, (const hashtab_key_t)"netlink_audit_socket")) {
00434 db->policyvers = 18;
00435 }
00436
00437 /* 17 : IPv6 nodecon statements added */
00438 else if (db->ocontexts[OCON_NODE6]) {
00439 db->policyvers = 17;
00440 }
00441
00442 /* 16 : conditional policy added */
00443 else if (db->p_bool_val_to_name && db->p_bool_val_to_name[0]) {
00444 db->policyvers = 16;
00445
00446 }
00447 /* 15 : fs_use xattr seen in the first loop above */
00448 else if (fsusexattr) {
00449 db->policyvers = 15;
00450 }
00451
00452 /* 12 : nothing newer was found */
00453 else {
00454 db->policyvers = 12;
00455 }
00456
00457 return STATUS_SUCCESS;
00458 }
Internal version of qpol_policy_rebuild() version 1.3. Implementation of the exported function qpol_policy_rebuild() for version 1.3; this symbol name is not exported.
Definition at line 480 of file policy.c. References ERR, qpol_policy::ext, qpol_policy::file_data, qpol_policy::file_data_sz, infer_policy_version(), INFO, qpol_policy::modified, qpol_policy::modules, qpol_policy::num_modules, qpol_policy::options, qpol_module::p, qpol_policy::p, policy_extend(), qpol_expand_module(), qpol_extended_image_destroy(), qpol_module_create_from_file(), qpol_module_destroy(), qpol_module_t, QPOL_POLICY_OPTION_NO_NEVERALLOWS, qpol_policy_t, qpol_src_input, qpol_src_inputlim, qpol_src_inputptr, qpol_src_originalinput, read_source_policy(), qpol_policy::sh, and qpol_policy::type. Referenced by qpol_policy_open_from_file_opt(), qpol_policy_rebuild(), and qpol_policy_rebuild_old(). 00481 {
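/* Re-link and re-expand the policy under `options`.
 * Kernel binary policies are never rebuilt, and nothing is done when the
 * options are unchanged and no module was modified.  For a modular policy
 * the base module is re-read from disk (linking alters it) and every
 * enabled non-base module is linked into it; for a source policy the cached
 * file_data is re-parsed and linked.  The previous policydb, extended image
 * and options are set aside and restored if any step fails, so `policy`
 * stays usable.  Returns STATUS_SUCCESS, or STATUS_ERR with errno set.
 *
 * Fixes relative to the original: `modules` was freed after a successful
 * link but left non-NULL, so a later failure in expand/infer/extend freed
 * it a second time at err:; and the partially rebuilt policydb was leaked
 * when the old one was restored. */
sepol_policydb_t *old_p = NULL;
sepol_policydb_t **modules = NULL;
qpol_module_t *base = NULL;
struct qpol_extended_image *old_ext = NULL;
size_t num_modules = 0, i;
int error = 0, old_options;

if (!policy) {
	ERR(NULL, "%s", strerror(EINVAL));
	errno = EINVAL;
	return STATUS_ERR;
}

/* if kernel binary do nothing */
if (policy->type == QPOL_POLICY_KERNEL_BINARY)
	return STATUS_SUCCESS;

/* if options are the same and the modules were not modified, do nothing */
if (options == policy->options && policy->modified == 0)
	return STATUS_SUCCESS;

/* cache old policy in case of failure */
old_p = policy->p;
policy->p = NULL;
old_ext = policy->ext;
policy->ext = NULL;
old_options = policy->options;
policy->options = options;

/* QPOL_POLICY_OPTION_NO_RULES implies QPOL_POLICY_OPTION_NO_NEVERALLOWS */
if (policy->options & QPOL_POLICY_OPTION_NO_RULES)
	policy->options |= QPOL_POLICY_OPTION_NO_NEVERALLOWS;

if (policy->type == QPOL_POLICY_MODULE_BINARY) {
	/* allocate enough space for all modules then fill with list of enabled ones only */
	if (!(modules = calloc(policy->num_modules, sizeof(sepol_policydb_t *)))) {
		error = errno;
		ERR(policy, "%s", strerror(error));
		goto err;
	}
	/* first module is base and cannot be disabled */
	for (i = 1; i < policy->num_modules; i++) {
		if ((policy->modules[i])->enabled) {
			modules[num_modules++] = (policy->modules[i])->p;
		}
	}
	/* have to reopen the base since link alters it */
	if (qpol_module_create_from_file((policy->modules[0])->path, &base)) {
		error = errno;
		ERR(policy, "%s", strerror(error));
		goto err;
	}
	/* take the policy from base and use as new base into which to link */
	policy->p = base->p;
	base->p = NULL;
	qpol_module_destroy(&base);
	if (sepol_link_modules(policy->sh, policy->p, modules, num_modules, 0)) {
		error = EIO;
		goto err;
	}
	/* the array only borrowed the module policydbs; release it now and
	 * clear the pointer so the err: path cannot free it a second time */
	free(modules);
	modules = NULL;
} else {
	/* repeat open process as if qpol_policy_open_from_memory() */
	if (sepol_policydb_create(&(policy->p))) {
		error = errno;
		goto err;
	}

	qpol_src_input = policy->file_data;
	qpol_src_inputptr = qpol_src_input;
	qpol_src_inputlim = qpol_src_inputptr + policy->file_data_sz - 1;
	qpol_src_originalinput = qpol_src_input;

	/* read in source */
	policy->p->p.policy_type = POLICY_BASE;
	if (read_source_policy(policy, "parse", policy->options) < 0) {
		error = errno;
		goto err;
	}

	/* link the source */
	INFO(policy, "%s", "Linking source policy. (Step 2 of 5)");
	if (sepol_link_modules(policy->sh, policy->p, NULL, 0, 0)) {
		error = EIO;
		goto err;
	}
	avtab_destroy(&(policy->p->p.te_avtab));
	avtab_destroy(&(policy->p->p.te_cond_avtab));
	avtab_init(&(policy->p->p.te_avtab));
	avtab_init(&(policy->p->p.te_cond_avtab));
}

if (qpol_expand_module(policy, !(options & (QPOL_POLICY_OPTION_NO_NEVERALLOWS)))) {
	error = errno;
	goto err;
}

if (infer_policy_version(policy)) {
	error = errno;
	goto err;
}

if (policy_extend(policy)) {
	error = errno;
	goto err;
}

/* success: the old image and policydb are no longer needed */
qpol_extended_image_destroy(&old_ext);
sepol_policydb_free(old_p);

return STATUS_SUCCESS;

err:
free(modules); /* NULL unless the module path failed before its own free */
/* drop the partially rebuilt policydb instead of leaking it; it is NULL
 * when we failed before creating one */
if (policy->p)
	sepol_policydb_free(policy->p);
policy->p = old_p;
policy->ext = old_ext;
policy->options = old_options;
errno = error;
return STATUS_ERR;
}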
Rebuild the policy. If the options provided are the same as those provided to the last call to rebuild or open and the modules were not changed, this function does nothing; otherwise, re-link all enabled modules with the base and then call expand. If the syntactic rule table was previously built, the caller should call qpol_policy_build_syn_rule_table() after calling this function.
Definition at line 604 of file policy.c. References qpol_policy_rebuild_opt(), and qpol_policy_t. Referenced by apol_policy_create_from_policy_path(), avrule_default(), and poldiff_run(). 00605 {
/* Exported 1.3 entry point; all of the work is in qpol_policy_rebuild_opt(). */
int rc = qpol_policy_rebuild_opt(policy, options);
return rc;
}
Internal version of qpol_policy_rebuild() version 1.2 or earlier.
Definition at line 615 of file policy.c. References ERR, qpol_policy::modified, qpol_policy::options, qpol_policy_rebuild_opt(), qpol_policy_t, and qpol_policy::type. 00616 {
/* Legacy (1.2 and earlier) rebuild: accepts modular policies only and
 * always reuses the policy's current options.  A no-op when no module was
 * modified.  Returns STATUS_SUCCESS, or STATUS_ERR with errno = EINVAL
 * (NULL policy) or ENOTSUP (not a modular policy). */
if (policy == NULL) {
	ERR(NULL, "%s", strerror(EINVAL));
	errno = EINVAL;
	return STATUS_ERR;
}

/* fail if not a modular policy */
if (policy->type != QPOL_POLICY_MODULE_BINARY) {
	ERR(policy, "%s", strerror(ENOTSUP));
	errno = ENOTSUP;
	return STATUS_ERR;
}

return policy->modified ? qpol_policy_rebuild_opt(policy, policy->options) : STATUS_SUCCESS;
}
Internal version of qpol_policy_open_from_file() version 1.3. Implementation of the exported function qpol_policy_open_from_file() for version 1.3; this symbol name is not exported.
Definition at line 643 of file policy.c. References ERR, qpol_policy::fn, infer_policy_version(), INFO, qpol_policy::options, qpol_module::p, policy_extend(), qpol_expand_module(), qpol_is_file_binpol(), qpol_is_file_mod_pkg(), qpol_module_create_from_file(), qpol_module_destroy(), qpol_module_t, qpol_policy_append_module(), qpol_policy_destroy(), QPOL_POLICY_OPTION_NO_NEVERALLOWS, qpol_policy_rebuild_opt(), qpol_policy_t, qpol_src_input, qpol_src_inputlim, qpol_src_inputptr, qpol_src_originalinput, read_source_policy(), sepol_handle_route_to_callback(), qpol_policy::sh, qpol_module::type, qpol_policy::type, and qpol_policy::varg. Referenced by qpol_policy_open_from_file(), and qpol_policy_open_from_file_no_rules(). 00644 {
/* Open a policy file of any supported format and fully build it.
 *
 * path:    file to open; the format is sniffed from its contents below.
 * policy:  out-parameter; receives the new handle, or NULL on any failure.
 * fn/varg: message callback and its argument; a default callback is used
 *          when fn is NULL.
 * options: QPOL_POLICY_OPTION_* flags, recorded in (*policy)->options with
 *          NO_RULES forced to imply NO_NEVERALLOWS.
 *
 * Returns the detected policy type (QPOL_POLICY_KERNEL_BINARY,
 * QPOL_POLICY_MODULE_BINARY or QPOL_POLICY_KERNEL_SOURCE) on success, or -1
 * with errno set. On failure everything allocated here is released through
 * the `err` label and *policy is reset to NULL by qpol_policy_destroy().
 *
 * NOTE(review): the source branch hands its input to the parser through the
 * file-scope globals qpol_src_input / qpol_src_inputptr / qpol_src_inputlim /
 * qpol_src_originalinput, so two opens running concurrently would clobber
 * each other's parser input. */
00645 int error = 0, retv = -1;
00646 FILE *infile = NULL;
00647 sepol_policy_file_t *pfile = NULL;
00648 qpol_module_t *mod = NULL;
00649 int fd = 0;
00650 struct stat sb;
00651
/* Clear the out-parameter first so a failing call never leaves it dangling. */
00652 if (policy != NULL)
00653 *policy = NULL;
00654
00655 if (path == NULL || policy == NULL) {
00656 /* handle passed as NULL here as it has yet to be created */
00657 ERR(NULL, "%s", strerror(EINVAL));
00658 errno = EINVAL;
00659 return -1;
00660 }
00661
/* calloc() zeroes every member; the err path relies on that, since
 * qpol_policy_destroy() is called on the partially built handle. */
00662 if (!(*policy = calloc(1, sizeof(qpol_policy_t)))) {
00663 error = errno;
00664 ERR(NULL, "%s", strerror(error));
00665 goto err;
00666 }
00667 (*policy)->options = options;
00668
00669 /* QPOL_POLICY_OPTION_NO_RULES implies QPOL_POLICY_OPTION_NO_NEVERALLOWS */
00670 if ((*policy)->options & QPOL_POLICY_OPTION_NO_RULES)
00671 (*policy)->options |= QPOL_POLICY_OPTION_NO_NEVERALLOWS;
00672
00673 (*policy)->sh = sepol_handle_create();
00674 if ((*policy)->sh == NULL) {
00675 error = errno;
00676 ERR(*policy, "%s", strerror(error));
00677 errno = error;
/* FIXME(review): this is the only failure after the calloc() that returns
 * directly instead of `goto err`, so the handle is leaked and the caller gets
 * -1 together with a non-NULL *policy. `goto err;` is the consistent fix,
 * provided sepol_handle_destroy() tolerates NULL (sepol_policydb_free() is
 * already reached with a NULL p when sepol_policydb_create() fails below). */
00678 return -1;
00679 }
00680
/* Route libsepol's messages to the caller's callback (or the default one). */
00681 if (fn) {
00682 (*policy)->fn = fn;
00683 (*policy)->varg = varg;
00684 } else {
00685 (*policy)->fn = qpol_handle_default_callback;
00686 }
00687 sepol_msg_set_callback((*policy)->sh, sepol_handle_route_to_callback, (*policy));
00688
00689 if (sepol_policydb_create(&((*policy)->p))) {
00690 error = errno;
00691 goto err;
00692 }
00693
00694 if (sepol_policy_file_create(&pfile)) {
00695 error = errno;
00696 goto err;
00697 }
00698
00699 infile = fopen(path, "rb");
00700 if (infile == NULL) {
00701 error = errno;
00702 goto err;
00703 }
00704
00705 sepol_policy_file_set_handle(pfile, (*policy)->sh);
00706
/* Format sniffing: kernel binary, then module package, otherwise source. */
00707 if (qpol_is_file_binpol(infile)) {
00708 (*policy)->type = retv = QPOL_POLICY_KERNEL_BINARY;
00709 sepol_policy_file_set_fp(pfile, infile);
/* libsepol gives no errno for a read failure, so a generic EIO is reported. */
00710 if (sepol_policydb_read((*policy)->p, pfile)) {
00711 error = EIO;
00712 goto err;
00713 }
00714 /* By definition, binary policy cannot have neverallow rules and all other rules are always loaded. */
00715 (*policy)->options |= QPOL_POLICY_OPTION_NO_NEVERALLOWS;
00716 (*policy)->options &= ~(QPOL_POLICY_OPTION_NO_RULES);
00717 if (policy_extend(*policy)) {
00718 error = errno;
00719 goto err;
00720 }
00721 } else if (qpol_is_file_mod_pkg(infile)) {
00722 (*policy)->type = retv = QPOL_POLICY_MODULE_BINARY;
/* The package is re-opened by path rather than read from `infile`, so the
 * sniffed file and the loaded file can differ if `path` is replaced in
 * between; `infile` is only used for sniffing on this branch. */
00723 if (qpol_module_create_from_file(path, &mod)) {
00724 error = errno;
00725 ERR(*policy, "%s", strerror(error));
00726 goto err;
00727 }
00728 if (qpol_policy_append_module(*policy, mod)) {
00729 error = errno;
00730 goto err;
00731 }
00732 /* *policy now owns mod */
00733 mod = NULL;
/* Link and expand the single module with the requested options. */
00734 if (qpol_policy_rebuild_opt(*policy, options)) {
00735 error = errno;
00736 goto err;
00737 }
00738 } else {
00739 (*policy)->type = retv = QPOL_POLICY_KERNEL_SOURCE;
00740 fd = fileno(infile);
00741 if (fd < 0) {
00742 error = errno;
00743 goto err;
00744 }
00745 if (fstat(fd, &sb) < 0) {
00746 error = errno;
00747 ERR(*policy, "Can't stat '%s': %s\n", path, strerror(errno));
00748 goto err;
00749 }
/* NOTE(review): st_size is trusted without checking S_ISREG(sb.st_mode); for
 * a FIFO or device node it is meaningless. Rejecting non-regular files with
 * EINVAL before the mmap() would make that failure explicit. An empty file
 * (st_size == 0, which would make the `- 1` below underflow) is only caught
 * because mmap() rejects a zero length. */
00750 qpol_src_input = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
00751 if (qpol_src_input == MAP_FAILED) {
00752 error = errno;
00753 ERR(*policy, "Can't map '%s': %s\n", path, strerror(errno));
00754
00755 goto err;
00756 }
/* Parser input window: inputlim points at the last mapped byte, not one past it. */
00757 qpol_src_inputptr = qpol_src_input;
00758 qpol_src_inputlim = &qpol_src_inputptr[sb.st_size - 1];
00759 qpol_src_originalinput = qpol_src_input;
00760
00761 /* store mmaped version for rebuild() */
/* Recording the MMAP tag is what lets qpol_policy_destroy() munmap() it,
 * including on the err path below. */
00762 (*policy)->file_data = qpol_src_originalinput;
00763 (*policy)->file_data_sz = sb.st_size;
00764 (*policy)->file_data_type = QPOL_POLICY_FILE_DATA_TYPE_MMAP;
00765
00766 (*policy)->p->p.policy_type = POLICY_BASE;
00767 if (read_source_policy(*policy, "libqpol", (*policy)->options) < 0) {
00768 error = errno;
00769 goto err;
00770 }
00771
00772 /* link the source */
00773 INFO(*policy, "%s", "Linking source policy. (Step 2 of 5)");
00774 if (sepol_link_modules((*policy)->sh, (*policy)->p, NULL, 0, 0)) {
00775 error = EIO;
00776 goto err;
00777 }
/* The AV tables are reset before expansion — presumably expansion repopulates
 * them from the linked rules; confirm against qpol_expand_module(). */
00778 avtab_destroy(&((*policy)->p->p.te_avtab));
00779 avtab_destroy(&((*policy)->p->p.te_cond_avtab));
00780 avtab_init(&((*policy)->p->p.te_avtab));
00781 avtab_init(&((*policy)->p->p.te_cond_avtab));
00782
00783 /* expand */
/* neverallow checking is requested unless the caller opted out of it. */
00784 if (qpol_expand_module(*policy, !(options & (QPOL_POLICY_OPTION_NO_NEVERALLOWS)))) {
00785 error = errno;
00786 goto err;
00787 }
00788
00789 if (infer_policy_version(*policy)) {
00790 error = errno;
00791 goto err;
00792 }
00793 if (policy_extend(*policy)) {
00794 error = errno;
00795 goto err;
00796 }
00797 }
00798
/* Success: the stream and the libsepol file wrapper are no longer needed;
 * the mapping (source case) stays alive inside the handle. */
00799 fclose(infile);
00800 sepol_policy_file_free(pfile);
00801 return retv;
00802
00803 err:
/* Releases *policy (including any mapping recorded above) and resets it to
 * NULL; `mod` is non-NULL only if ownership was not yet transferred. */
00804 qpol_policy_destroy(policy);
00805 qpol_module_destroy(&mod);
00806 sepol_policy_file_free(pfile);
00807 if (infile)
00808 fclose(infile);
00809 errno = error;
00810 return -1;
00811 }
Open a policy from a passed in file path.
Definition at line 814 of file policy.c. References qpol_policy_open_from_file_opt(), and qpol_policy_t. Referenced by apol_policy_create_from_policy_path(), capability_test(), iterators_init(), policy_features_invalid_alias(), policy_features_nogenfscon_iter(), and qpol_policy_open_from_file_old(). 00815 {
/* Exported 1.3 entry point; identical contract to
 * qpol_policy_open_from_file_opt(), which does all the work. */
00816 return qpol_policy_open_from_file_opt(path, policy, fn, varg, options);
00817 }
Open a policy from a passed in file path but do not load any rules.
Definition at line 820 of file policy.c. References qpol_policy_open_from_file_opt(), QPOL_POLICY_OPTION_NO_RULES, and qpol_policy_t. 00821 {
/* Convenience wrapper: opens with QPOL_POLICY_OPTION_NO_RULES as the only
 * option (which the _opt function widens to NO_NEVERALLOWS as well). */
00822 return qpol_policy_open_from_file_opt(path, policy, fn, varg, QPOL_POLICY_OPTION_NO_RULES);
00823 }
Internal version of qpol_policy_open_from_memory() version 1.3. Implementation of the exported function qpol_policy_open_from_memory() for version 1.3; this symbol name is not exported.
Definition at line 832 of file policy.c. References ERR, qpol_policy::file_data_sz, qpol_policy::file_data_type, qpol_policy::fn, INFO, qpol_policy::options, qpol_policy::p, qpol_expand_module(), qpol_policy_destroy(), QPOL_POLICY_OPTION_NO_NEVERALLOWS, qpol_policy_t, qpol_src_input, qpol_src_inputlim, qpol_src_inputptr, qpol_src_originalinput, read_source_policy(), sepol_handle_route_to_callback(), qpol_policy::sh, and qpol_policy::varg. Referenced by qpol_policy_open_from_memory(), and qpol_policy_open_from_memory_old(). 00834 {
/* Open a policy from an in-memory buffer. There is no format sniffing here:
 * the buffer is always parsed as policy source.
 *
 * policy:   out-parameter; NULL on failure.
 * filedata: source text, `size` bytes long. A private copy is kept in
 *           (*policy)->file_data for rebuild().
 * fn/varg:  message callback and its argument; default callback if fn is NULL.
 * options:  QPOL_POLICY_OPTION_* flags (NO_RULES implies NO_NEVERALLOWS).
 *
 * Returns 0 on success, -1 on failure. Differences from the file variant
 * above worth knowing about:
 *  - the argument check neither logs nor sets errno;
 *  - `size` is never validated (see the note at the input-window setup);
 *  - neither infer_policy_version() nor policy_extend() is called after
 *    expansion — confirm whether that is intentional;
 *  - a parse failure calls exit(1) (see the FIXME below). */
00835 int error = 0;
/* NOTE(review): returns -1 with errno untouched; the file variant logs and
 * sets EINVAL here. `size == 0` should be rejected alongside the NULL pointers. */
00836 if (policy == NULL || filedata == NULL)
00837 return -1;
00838 *policy = NULL;
00839
00840 if (!(*policy = calloc(1, sizeof(qpol_policy_t)))) {
00841 error = errno;
00842 goto err;
00843 }
00844 (*policy)->options = options;
00845
00846 /* QPOL_POLICY_OPTION_NO_RULES implies QPOL_POLICY_OPTION_NO_NEVERALLOWS */
00847 if ((*policy)->options & QPOL_POLICY_OPTION_NO_RULES)
00848 (*policy)->options |= QPOL_POLICY_OPTION_NO_NEVERALLOWS;
00849
00850 (*policy)->sh = sepol_handle_create();
00851 if ((*policy)->sh == NULL) {
00852 error = errno;
00853 ERR(*policy, "%s", strerror(error));
00854 errno = error;
/* FIXME(review): leaks the calloc()'d handle and returns -1 with *policy
 * non-NULL; `goto err;` is the consistent path (same issue as in the file
 * variant), provided the sepol destroy calls tolerate NULL. */
00855 return -1;
00856 }
00857
00858 sepol_msg_set_callback((*policy)->sh, sepol_handle_route_to_callback, (*policy));
00859 if (fn) {
00860 (*policy)->fn = fn;
00861 (*policy)->varg = varg;
00862 } else {
00863 (*policy)->fn = qpol_handle_default_callback;
00864 }
00865
00866 if (sepol_policydb_create(&((*policy)->p))) {
00867 error = errno;
00868 goto err;
00869 }
00870
/* The parser is pointed at the caller's buffer directly (the cast suggests
 * filedata is declared const), while the copy made below is what rebuild()
 * later re-parses. NOTE(review): with size == 0 the `- 1` makes inputlim
 * point before the buffer, which is undefined — reject size == 0 up front. */
00871 qpol_src_input = (char *)filedata;
00872 qpol_src_inputptr = qpol_src_input;
00873 qpol_src_inputlim = qpol_src_inputptr + size - 1;
00874 qpol_src_originalinput = qpol_src_input;
00875
00876 /* store filedata for rebuild() */
/* Owned by the handle; qpol_policy_destroy() free()s it because of the
 * QPOL_POLICY_FILE_DATA_TYPE_MEM tag set below. */
00877 if (!((*policy)->file_data = malloc(size))) {
00878 error = errno;
00879 goto err;
00880 }
00881 memcpy((*policy)->file_data, filedata, size);
00882 (*policy)->file_data_sz = size;
00883 (*policy)->file_data_type = QPOL_POLICY_FILE_DATA_TYPE_MEM;
00884
00885 /* read in source */
00886 (*policy)->p->p.policy_type = POLICY_BASE;
/* FIXME(review): a library must not exit() the process on bad input, and
 * this also skips all cleanup. The file variant does `error = errno; goto err;`
 * on the same condition; that is the fix here too. */
00887 if (read_source_policy(*policy, "parse", (*policy)->options) < 0)
00888 exit(1);
00889
00890 /* link the source */
00891 INFO(*policy, "%s", "Linking source policy. (Step 2 of 5)");
00892 if (sepol_link_modules((*policy)->sh, (*policy)->p, NULL, 0, 0)) {
00893 error = EIO;
00894 goto err;
00895 }
/* AV tables reset before expansion, as in the file variant — presumably
 * expansion repopulates them; confirm against qpol_expand_module(). */
00896 avtab_destroy(&((*policy)->p->p.te_avtab));
00897 avtab_destroy(&((*policy)->p->p.te_cond_avtab));
00898 avtab_init(&((*policy)->p->p.te_avtab));
00899 avtab_init(&((*policy)->p->p.te_cond_avtab));
00900
00901 /* expand :) */
00902 if (qpol_expand_module(*policy, !(options & (QPOL_POLICY_OPTION_NO_NEVERALLOWS)))) {
00903 error = errno;
00904 goto err;
00905 }
00906
00907 return 0;
00908 err:
/* Releases the handle (including the file_data copy once tagged) and resets
 * *policy to NULL. */
00909 qpol_policy_destroy(policy);
00910 errno = error;
00911 return -1;
00912
00913 }
Open a policy from a passed in buffer.
Definition at line 916 of file policy.c. References qpol_policy_open_from_memory_opt(), and qpol_policy_t. 00918 {
/* Exported 1.3 entry point; same contract as qpol_policy_open_from_memory_opt(). */
00919 return qpol_policy_open_from_memory_opt(policy, filedata, size, fn, varg, options);
00920 }
Internal version of qpol_policy_open_from_file() version 1.2 or earlier.
Definition at line 928 of file policy.c. References qpol_policy_open_from_file(), and qpol_policy_t. 00929 {
/* 1.2-and-earlier ABI: no options argument existed, so open with none. */
00930 return qpol_policy_open_from_file(path, policy, fn, varg, 0);
00931 }
Internal version of qpol_policy_open_from_memory() version 1.2 or earlier.
Definition at line 938 of file policy.c. References qpol_policy_open_from_memory_opt(), and qpol_policy_t. 00939 {
/* 1.2-and-earlier ABI: no options argument existed, so open with none. */
00940 return qpol_policy_open_from_memory_opt(policy, filedata, size, fn, varg, 0);
00941 }
Close a policy and deallocate its memory. Does nothing if it is already NULL.
Definition at line 943 of file policy.c. References qpol_extended_image_destroy(), qpol_module_destroy(), and qpol_policy_t. Referenced by apol_policy_destroy(), capability_test(), iterators_cleanup(), policy_features_invalid_alias(), policy_features_nogenfscon_iter(), qpol_policy_open_from_file_opt(), and qpol_policy_open_from_memory_opt(). 00944 {
/* Tear down a handle built by one of the open functions. Safe to call with
 * policy == NULL or *policy == NULL. Releases, in order: the libsepol policydb
 * and handle, the extended image, every appended module plus the module
 * array, and the retained source (free()d or munmap()ed according to
 * file_data_type). *policy is reset to NULL afterwards.
 * NOTE(review): the open paths reach this after an early failure with p (and
 * other members) still NULL, so this relies on sepol_policydb_free(),
 * sepol_handle_destroy() and qpol_extended_image_destroy() tolerating NULL —
 * confirm in libsepol. */
00945 if (policy != NULL && *policy != NULL) {
00946 sepol_policydb_free((*policy)->p);
00947 sepol_handle_destroy((*policy)->sh);
00948 qpol_extended_image_destroy(&((*policy)->ext));
00949 if ((*policy)->modules) {
00950 size_t i = 0;
00951 for (i = 0; i < (*policy)->num_modules; i++) {
00952 qpol_module_destroy(&((*policy)->modules[i]));
00953 }
00954 free((*policy)->modules);
00955 }
/* The kernel-binary and module-package open paths above never set
 * file_data_type, so for those the calloc()'d zero is expected to match
 * neither tag and nothing is released here — confirm the enum values. */
00956 if ((*policy)->file_data_type == QPOL_POLICY_FILE_DATA_TYPE_MEM) {
00957 free((*policy)->file_data);
00958 } else if ((*policy)->file_data_type == QPOL_POLICY_FILE_DATA_TYPE_MMAP) {
/* munmap() failure is ignored; there is nothing useful to do with it here. */
00959 munmap((*policy)->file_data, (*policy)->file_data_sz);
00960 }
00961 free(*policy);
00962 *policy = NULL;
00963 }
00964 }
Re-evaluate all conditionals in the policy, updating the state and setting the appropriate rule list as enabled for each. This call modifies the policy.
Definition at line 966 of file policy.c. References ERR, qpol_policy::p, and qpol_policy_t. Referenced by avrule_get_items(), qpol_bool_set_state(), and terule_get_items(). 00967 {
/* Re-evaluate every conditional expression against the current boolean
 * values and flag the rules on its true/false lists enabled or disabled.
 * Returns STATUS_SUCCESS, or STATUS_ERR with errno = EINVAL (NULL policy) or
 * EILSEQ (cond_evaluate_expr() reported a bad expression). An evaluation
 * error stops the walk part-way: earlier conditionals are already updated,
 * later ones untouched. */
00968 policydb_t *db = NULL;
00969 cond_node_t *cond = NULL;
00970 cond_av_list_t *list_ptr = NULL;
00971
00972 if (!policy) {
00973 ERR(policy, "%s", strerror(EINVAL));
00974 errno = EINVAL;
00975 return STATUS_ERR;
00976 }
00977
00978 db = &policy->p->p;
00979
00980 for (cond = db->cond_list; cond; cond = cond->next) {
00981 /* evaluate cond */
/* A negative result is libsepol's error signal; the state is stored before
 * the check, so a failed conditional keeps that negative value. */
00982 cond->cur_state = cond_evaluate_expr(db, cond->expr);
00983 if (cond->cur_state < 0) {
00984 ERR(policy, "Error evaluating conditional: %s", strerror(EILSEQ));
00985 errno = EILSEQ;
00986 return STATUS_ERR;
00987 }
00988
00989 /* walk true list */
00990 for (list_ptr = cond->true_list; list_ptr; list_ptr = list_ptr->next) {
00991 /* field not used (except by write),
00992 * now storing list and enabled flags */
00993 if (cond->cur_state)
00994 list_ptr->node->merged |= QPOL_COND_RULE_ENABLED;
00995 else
00996 list_ptr->node->merged &= ~(QPOL_COND_RULE_ENABLED);
00997 }
00998
00999 /* walk false list */
/* Mirror image of the true list: enabled exactly when the condition is false. */
01000 for (list_ptr = cond->false_list; list_ptr; list_ptr = list_ptr->next) {
01001 /* field not used (except by write),
01002 * now storing list and enabled flags */
01003 if (!cond->cur_state)
01004 list_ptr->node->merged |= QPOL_COND_RULE_ENABLED;
01005 else
01006 list_ptr->node->merged &= ~(QPOL_COND_RULE_ENABLED);
01007 }
01008 }
01009
01010 return STATUS_SUCCESS;
01011 }
Append a module to a policy. The policy now owns the module. Note that the caller must still invoke qpol_policy_rebuild() to update the policy.
Definition at line 1013 of file policy.c. References ERR, qpol_policy::modified, qpol_policy::modules, qpol_policy::num_modules, qpol_module::parent, qpol_module_t, and qpol_policy_t. Referenced by apol_policy_create_from_policy_path(), and qpol_policy_open_from_file_opt(). 01014 {
/* Take ownership of `module` and append it to policy->modules.
 * Returns STATUS_SUCCESS, or STATUS_ERR with errno = EINVAL (NULL argument)
 * or the realloc() errno. On failure the module is NOT taken over and the
 * existing array is untouched (realloc() into a temporary).
 * Sets policy->modified so the next rebuild actually relinks.
 * NOTE(review): any live iterator from qpol_policy_get_module_iter() aliases
 * the old array and is invalidated by the realloc() below. */
01015 qpol_module_t **tmp = NULL;
01016 int error = 0;
01017
01018 if (!policy || !module) {
01019 ERR(policy, "%s", strerror(EINVAL));
01020 errno = EINVAL;
01021 return STATUS_ERR;
01022 }
01023
/* Grow by one; `tmp` keeps policy->modules valid if realloc() fails. */
01024 if (!(tmp = realloc(policy->modules, (1 + policy->num_modules) * sizeof(qpol_module_t *)))) {
01025 error = errno;
01026 ERR(policy, "%s", strerror(error));
01027 errno = error;
01028 return STATUS_ERR;
01029 }
01030
01031 policy->modules = tmp;
01032 policy->modules[policy->num_modules] = module;
01033 policy->num_modules++;
01034 policy->modified = 1;
/* Back-pointer so the module can find its owning policy. */
01035 module->parent = policy;
01036
01037 return STATUS_SUCCESS;
01038 }
Definition at line 1047 of file policy.c. References mod_state::cur, mod_state::end, mod_state_t, qpol_iterator_state(), and qpol_iterator_t. Referenced by qpol_policy_get_module_iter(). 01048 {
/* Iterator "at end" callback for the module iterator: non-zero once cur has
 * reached end. A missing iterator/state reports "at end" (1) with
 * errno = EINVAL, so a broken iterator looks exhausted rather than crashing. */
01049 mod_state_t *ms;
01050
01051 if (!iter || !(ms = qpol_iterator_state(iter))) {
01052 errno = EINVAL;
01053 return 1;
01054 }
01055
01056 return (ms->cur >= ms->end);
01057 }
Definition at line 1059 of file policy.c. References mod_state::cur, mod_state::list, mod_state_t, qpol_iterator_end(), qpol_iterator_state(), and qpol_iterator_t. Referenced by qpol_policy_get_module_iter(). 01060 {
/* Current-element callback: the module at index cur, or NULL with
 * errno = EINVAL when the iterator is invalid or already exhausted.
 * The pointer is read straight out of policy->modules (ms->list aliases
 * it), so it is only valid while no module is appended. */
01061 mod_state_t *ms;
01062
01063 if (!iter || !(ms = qpol_iterator_state(iter)) || qpol_iterator_end(iter)) {
01064 errno = EINVAL;
01065 return NULL;
01066 }
01067
01068 return ms->list[ms->cur];
01069 }
Definition at line 1071 of file policy.c. References mod_state::cur, mod_state_t, qpol_iterator_end(), qpol_iterator_state(), and qpol_iterator_t. Referenced by qpol_policy_get_module_iter(). 01072 {
/* Advance callback. Returns STATUS_SUCCESS after moving cur forward, or
 * STATUS_ERR with errno = EINVAL (invalid iterator) or ERANGE (already at
 * end, so cur never runs past end). */
01073 mod_state_t *ms;
01074
01075 if (!iter || !(ms = qpol_iterator_state(iter))) {
01076 errno = EINVAL;
01077 return STATUS_ERR;
01078 }
01079 if (qpol_iterator_end(iter)) {
01080 errno = ERANGE;
01081 return STATUS_ERR;
01082 }
01083
01084 ms->cur++;
01085
01086 return STATUS_SUCCESS;
01087 }
Definition at line 1089 of file policy.c. References mod_state::end, mod_state_t, qpol_iterator_state(), and qpol_iterator_t. Referenced by qpol_policy_get_module_iter(). 01090 {
/* Size callback: the module count captured when the iterator was created
 * (ms->end), or 0 with errno = EINVAL for an invalid iterator. Note that 0 is
 * also a legitimate size, so callers must check errno to tell them apart. */
01091 mod_state_t *ms;
01092
01093 if (!iter || !(ms = qpol_iterator_state(iter))) {
01094 errno = EINVAL;
01095 return 0;
01096 }
01097
01098 return ms->end;
01099 }
Get an iterator of all modules in a policy.
Definition at line 1101 of file policy.c. References mod_state::end, ERR, mod_state_end(), mod_state_get_cur(), mod_state_next(), mod_state_size(), mod_state_t, qpol_policy::modules, qpol_policy::num_modules, qpol_iterator_create(), qpol_iterator_t, and qpol_policy_t. 01102 {
/* Create an iterator over policy->modules using the mod_state_* callbacks.
 * Returns STATUS_SUCCESS with *iter set, or STATUS_ERR with errno = EINVAL
 * (NULL argument) or the calloc()/qpol_iterator_create() errno.
 * The mod_state_t is owned by the iterator (free is passed as its
 * destructor); on create failure it is released here instead.
 * The state aliases policy->modules and snapshots num_modules, so appending
 * a module while iterating invalidates the iterator. */
01103 mod_state_t *ms = NULL;
01104 int error = 0;
01105
01106 if (!policy || !iter) {
01107 ERR(policy, "%s", strerror(EINVAL));
01108 errno = EINVAL;
01109 return STATUS_ERR;
01110 }
01111
/* calloc() leaves cur at 0, the starting index. */
01112 if (!(ms = calloc(1, sizeof(mod_state_t)))) {
01113 error = errno;
01114 ERR(policy, "%s", strerror(error));
01115 errno = error;
01116 return STATUS_ERR;
01117 }
01118
01119 if (qpol_iterator_create(policy, (void *)ms, mod_state_get_cur, mod_state_next, mod_state_end, mod_state_size, free, iter)) {
01120 error = errno;
01121 ERR(policy, "%s", strerror(error));
01122 free(ms);
01123 errno = error;
01124 return STATUS_ERR;
01125 }
01126
/* Filled in only after creation succeeded; nothing reads them before then. */
01127 ms->end = policy->num_modules;
01128 ms->list = policy->modules;
01129
01130 return STATUS_SUCCESS;
01131 }
Definition at line 1133 of file policy.c. References ERR, qpol_policy::p, and qpol_policy_t. Referenced by qpol_policy_has_capability(), and qpol_policy_is_mls_enabled(). 01134 {
/* 1 if the loaded policydb has MLS enabled, 0 if not, STATUS_ERR with
 * errno = EINVAL for a NULL policy. Callers treating the result as a boolean
 * must keep the STATUS_ERR case distinct from 1/0. */
01135 policydb_t *db = NULL;
01136
01137 if (policy == NULL) {
01138 ERR(policy, "%s", strerror(EINVAL));
01139 errno = EINVAL;
01140 return STATUS_ERR;
01141 }
01142
01143 db = &policy->p->p;
01144
/* Normalise the libsepol flag to exactly 0 or 1. */
01145 if (db->mls != 0)
01146 return 1;
01147 else
01148 return 0;
01149 }
Definition at line 1151 of file policy.c. References is_mls_policy(), and qpol_policy_t. 01152 {
/* Exported wrapper; same return values as is_mls_policy() (including
 * STATUS_ERR for a NULL policy). */
01153 return is_mls_policy(policy);
01154 }
Get the version number of the policy.
Definition at line 1156 of file policy.c. References ERR, qpol_policy::p, and qpol_policy_t. Referenced by apol_policy_get_version_type_mls_str(), capability_test(), qpol_policy_has_capability(), and requires_setexec_or_type_trans(). 01157 {
/* Store the policydb's version number in *version.
 * Returns STATUS_SUCCESS, or STATUS_ERR with errno = EINVAL when either
 * argument is NULL; *version is zeroed before validation so it is never
 * left uninitialised on failure. */
01158 policydb_t *db;
01159
01160 if (version != NULL)
01161 *version = 0;
01162
01163 if (policy == NULL || version == NULL) {
01164 ERR(policy, "%s", strerror(EINVAL));
01165 errno = EINVAL;
01166 return STATUS_ERR;
01167 }
01168
01169 db = &policy->p->p;
01170
01171 *version = db->policyvers;
01172
01173 return STATUS_SUCCESS;
01174 }
Get the type of policy (source, binary, or module).
Definition at line 1176 of file policy.c. References ERR, qpol_policy_t, and qpol_policy::type. Referenced by result_item_avrule_policy_changed(). 01177 {
/* Store the policy's type (one of the QPOL_POLICY_* kinds set at open time)
 * in *type. Returns STATUS_SUCCESS, or STATUS_ERR with errno = EINVAL when
 * either argument is NULL; *type is untouched on failure. */
01178 if (!policy || !type) {
01179 ERR(policy, "%s", strerror(EINVAL));
01180 errno = EINVAL;
01181 return STATUS_ERR;
01182 }
01183
01184 *type = policy->type;
01185
01186 return STATUS_SUCCESS;
01187 }
Determine if a policy has support for a specific capability.
Definition at line 1189 of file policy.c. References ERR, is_mls_policy(), qpol_policy::options, QPOL_CAP_ATTRIB_NAMES, QPOL_CAP_CONDITIONALS, QPOL_CAP_LINE_NUMBERS, QPOL_CAP_MLS, QPOL_CAP_MODULES, QPOL_CAP_NEVERALLOW, QPOL_CAP_POLCAPS, QPOL_CAP_RULES_LOADED, QPOL_CAP_SOURCE, QPOL_CAP_SYN_RULES, qpol_policy_get_policy_version(), QPOL_POLICY_KERNEL_SOURCE, qpol_policy_t, and qpol_policy::type. Referenced by apol_avrule_get_by_query(), apol_context_create_from_qpol_context(), apol_policy_create_from_policy_path(), apol_policy_get_version_type_mls_str(), apol_policy_is_mls(), apol_query_create_candidate_syn_type_list(), apol_syn_avrule_get_by_query(), apol_syn_terule_get_by_query(), avrule_add_to_bst(), avrule_deep_diff(), avrule_get_items(), avrule_new_diff(), capability_test(), main(), perform_av_query(), perform_te_query(), policy_view_display_avrule_results(), policy_view_find_terules_runner(), policy_view_load_policy_source(), policy_view_source_update(), print_stats(), print_user_roles(), qpol_policy_get_avrule_iter(), qpol_policy_get_cond_iter(), qpol_policy_get_terule_iter(), qpol_user_get_dfltlevel(), qpol_user_get_range(), requires_setexec_or_type_trans(), result_item_attribute_policy_changed(), result_item_boolean_policy_changed(), result_item_level_policy_changed(), result_item_multi_policy_changed(), result_item_type_policy_changed(), sechk_lib_check_requirement(), terule_add_to_bst(), terule_deep_diff(), terule_new_diff(), and type_deep_diff(). 01190 {
/* Return 1 if `policy` supports capability `cap`, otherwise 0.
 * There is no separate error return: a NULL policy or an unknown cap also
 * yields 0, distinguished only by errno (EINVAL / EDOM). Callers that need
 * to tell "unsupported" from "bad argument" must clear and inspect errno.
 * Each answer is derived from policy->type, policy->options and the policy
 * version; the decision rules are the case bodies below. */
01191 unsigned int version = 0;
01192
01193 if (!policy) {
01194 ERR(policy, "%s", strerror(EINVAL));
01195 errno = EINVAL;
01196 return 0;
01197 }
01198
/* Return value ignored: it can only fail for NULL arguments, which are
 * excluded here. `version` is only consulted by CONDITIONALS and POLCAPS. */
01199 qpol_policy_get_policy_version(policy, &version);
01200
01201 switch (cap) {
01202 case QPOL_CAP_ATTRIB_NAMES:
01203 {
01204 if (policy->type == QPOL_POLICY_KERNEL_SOURCE || policy->type == QPOL_POLICY_MODULE_BINARY)
01205 return 1;
01206 break;
01207 }
01208 case QPOL_CAP_SYN_RULES:
01209 {
01210 if (policy->type == QPOL_POLICY_KERNEL_SOURCE || policy->type == QPOL_POLICY_MODULE_BINARY)
01211 return 1;
01212 break;
01213 }
01214 case QPOL_CAP_LINE_NUMBERS:
01215 {
01216 if (policy->type == QPOL_POLICY_KERNEL_SOURCE)
01217 return 1;
01218 break;
01219 }
01220 case QPOL_CAP_CONDITIONALS:
01221 {
01222 if (version >= 16 || policy->type == QPOL_POLICY_MODULE_BINARY)
01223 return 1;
01224 break;
01225 }
01226 case QPOL_CAP_MLS:
01227 {
/* policy is non-NULL here, so is_mls_policy() returns only 0 or 1. */
01228 return is_mls_policy(policy);
01229 }
01230 case QPOL_CAP_MODULES:
01231 {
01232 if (policy->type == QPOL_POLICY_MODULE_BINARY)
01233 return 1;
01234 break;
01235 }
01236 case QPOL_CAP_POLCAPS:
01237 {
01238 if (version >= 22 && policy->type != QPOL_POLICY_MODULE_BINARY)
01239 return 1;
01240 break;
01241 }
01242 case QPOL_CAP_RULES_LOADED:
01243 {
01244 if (!(policy->options & QPOL_POLICY_OPTION_NO_RULES))
01245 return 1;
01246 break;
01247 }
01248 case QPOL_CAP_SOURCE:
01249 {
01250 if (policy->type == QPOL_POLICY_KERNEL_SOURCE)
01251 return 1;
01252 break;
01253 }
01254 case QPOL_CAP_NEVERALLOW:
01255 {
/* The open path already forces NO_NEVERALLOWS for kernel binaries; the
 * explicit type check here is a second line of defence. */
01256 if (!(policy->options & QPOL_POLICY_OPTION_NO_NEVERALLOWS) && policy->type != QPOL_POLICY_KERNEL_BINARY)
01257 return 1;
01258 break;
01259 }
01260 default:
01261 {
01262 ERR(policy, "%s", "Unknown capability");
01263 errno = EDOM;
01264 break;
01265 }
01266 }
01267 return 0;
01268 }