Space should be allowed for file trans names
This commit is contained in:
Dan Walsh
parent
02cf4abf2d
commit
7a5e44fa80
@ -1,165 +1,13 @@
|
||||
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
||||
index 2c12447..5db1bca 100644
|
||||
--- a/checkpolicy/policy_define.c
|
||||
+++ b/checkpolicy/policy_define.c
|
||||
@@ -415,6 +415,38 @@ int define_default_role(int which)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+int define_default_type(int which)
|
||||
+{
|
||||
+ char *id;
|
||||
+ class_datum_t *cladatum;
|
||||
+
|
||||
+ if (pass == 1) {
|
||||
+ while ((id = queue_remove(id_queue)))
|
||||
+ free(id);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ while ((id = queue_remove(id_queue))) {
|
||||
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
|
||||
+ yyerror2("class %s is not within scope", id);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
|
||||
+ if (!cladatum) {
|
||||
+ yyerror2("unknown class %s", id);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (cladatum->default_type && cladatum->default_type != which) {
|
||||
+ yyerror2("conflicting default type information for class %s", id);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ cladatum->default_type = which;
|
||||
+ free(id);
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
int define_default_range(int which)
|
||||
{
|
||||
char *id;
|
||||
@@ -2777,6 +2809,7 @@ int define_constraint(constraint_expr_t * expr)
|
||||
}
|
||||
if (!node->expr) {
|
||||
yyerror("out of memory");
|
||||
+ free(node);
|
||||
return -1;
|
||||
}
|
||||
node->permissions = 0;
|
||||
@@ -3068,13 +3101,11 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
|
||||
ebitmap_destroy(&negset);
|
||||
return (uintptr_t) expr;
|
||||
default:
|
||||
- yyerror("invalid constraint expression");
|
||||
- constraint_expr_destroy(expr);
|
||||
- return 0;
|
||||
+ break;
|
||||
}
|
||||
|
||||
yyerror("invalid constraint expression");
|
||||
- free(expr);
|
||||
+ constraint_expr_destroy(expr);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -3281,6 +3312,7 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
|
||||
return expr;
|
||||
default:
|
||||
yyerror("illegal conditional expression");
|
||||
+ free(expr);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
@@ -4627,7 +4659,10 @@ int define_range_trans(int class_specified)
|
||||
goto out;
|
||||
}
|
||||
|
||||
- ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
|
||||
+ if (ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE)) {
|
||||
+ yyerror("out of memory");
|
||||
+ goto out;
|
||||
+ }
|
||||
}
|
||||
|
||||
id = (char *)queue_remove(id_queue);
|
||||
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
|
||||
index ccbe56f..8bfd8f6 100644
|
||||
--- a/checkpolicy/policy_define.h
|
||||
+++ b/checkpolicy/policy_define.h
|
||||
@@ -26,6 +26,7 @@ int define_category(void);
|
||||
int define_class(void);
|
||||
int define_default_user(int which);
|
||||
int define_default_role(int which);
|
||||
+int define_default_type(int which);
|
||||
int define_default_range(int which);
|
||||
int define_common_perms(void);
|
||||
int define_compute_type(int which);
|
||||
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
|
||||
index d92cc32..b40f413 100644
|
||||
--- a/checkpolicy/policy_parse.y
|
||||
+++ b/checkpolicy/policy_parse.y
|
||||
@@ -143,7 +143,7 @@ typedef int (* require_func_t)();
|
||||
%token POLICYCAP
|
||||
%token PERMISSIVE
|
||||
%token FILESYSTEM
|
||||
-%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
|
||||
+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
|
||||
%token LOW_HIGH LOW HIGH
|
||||
|
||||
%left OR
|
||||
@@ -202,9 +202,11 @@ opt_default_rules : default_rules
|
||||
;
|
||||
default_rules : default_user_def
|
||||
| default_role_def
|
||||
+ | default_type_def
|
||||
| default_range_def
|
||||
| default_rules default_user_def
|
||||
| default_rules default_role_def
|
||||
+ | default_rules default_type_def
|
||||
| default_rules default_range_def
|
||||
;
|
||||
default_user_def : DEFAULT_USER names SOURCE ';'
|
||||
@@ -217,6 +219,11 @@ default_role_def : DEFAULT_ROLE names SOURCE ';'
|
||||
| DEFAULT_ROLE names TARGET ';'
|
||||
{if (define_default_role(DEFAULT_TARGET)) return -1; }
|
||||
;
|
||||
+default_type_def : DEFAULT_TYPE names SOURCE ';'
|
||||
+ {if (define_default_type(DEFAULT_SOURCE)) return -1; }
|
||||
+ | DEFAULT_TYPE names TARGET ';'
|
||||
+ {if (define_default_type(DEFAULT_TARGET)) return -1; }
|
||||
+ ;
|
||||
default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
|
||||
{if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
|
||||
| DEFAULT_RANGE names SOURCE HIGH ';'
|
||||
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
|
||||
index 62d03f0..bba7667 100644
|
||||
index bba7667..f82c93b 100644
|
||||
--- a/checkpolicy/policy_scan.l
|
||||
+++ b/checkpolicy/policy_scan.l
|
||||
@@ -229,6 +229,8 @@ default_user |
|
||||
DEFAULT_USER { return(DEFAULT_USER); }
|
||||
default_role |
|
||||
DEFAULT_ROLE { return(DEFAULT_ROLE); }
|
||||
+default_type |
|
||||
+DEFAULT_TYPE { return(DEFAULT_TYPE); }
|
||||
default_range |
|
||||
DEFAULT_RANGE { return(DEFAULT_RANGE); }
|
||||
low-high |
|
||||
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
|
||||
index 6a951f6..96ef047 100644
|
||||
--- a/checkpolicy/test/dismod.c
|
||||
+++ b/checkpolicy/test/dismod.c
|
||||
@@ -844,7 +844,10 @@ int main(int argc, char **argv)
|
||||
|
||||
/* read the binary policy */
|
||||
fprintf(out_fp, "Reading policy...\n");
|
||||
- policydb_init(&policydb);
|
||||
+ if (policydb_init(&policydb)) {
|
||||
+ fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
|
||||
+ exit(1);
|
||||
+ }
|
||||
if (read_policy(argv[1], &policydb)) {
|
||||
fprintf(stderr,
|
||||
"%s: error(s) encountered while loading policy\n",
|
||||
@@ -240,7 +240,7 @@ HIGH { return(HIGH); }
|
||||
low |
|
||||
LOW { return(LOW); }
|
||||
"/"({alnum}|[_\.\-/])* { return(PATH); }
|
||||
-\"({alnum}|[_\.\-\+\~])+\" { return(FILENAME); }
|
||||
+\"({alnum}|[_\.\-\+\~ ])+\" { return(FILENAME); }
|
||||
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
|
||||
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
|
||||
{digit}+|0x{hexval}+ { return(NUMBER); }
|
||||
|
||||
@ -3,10 +3,11 @@
|
||||
Summary: SELinux policy compiler
|
||||
Name: checkpolicy
|
||||
Version: 2.1.12
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2
|
||||
Group: Development/System
|
||||
Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
|
||||
Patch: checkpolicy-rhat.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-buildroot
|
||||
BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel >= %{libselinuxver}
|
||||
@ -27,6 +28,7 @@ Only required for building policies.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch -p2 -b .rhat
|
||||
|
||||
%build
|
||||
make clean
|
||||
@ -54,6 +56,9 @@ rm -rf ${RPM_BUILD_ROOT}
|
||||
%{_bindir}/sedispol
|
||||
|
||||
%changelog
|
||||
* Tue Mar 12 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-2
|
||||
- Space should be allowed for file trans names
|
||||
|
||||
* Thu Feb 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
|
||||
- Update to upstream
|
||||
* Fix errors found by coverity
|
||||
|
||||
Loading…
Reference in New Issue
Block a user