checkpolicy: libsepol: implement default type policy syntax

We currently have a mechanism in which the default user, role, and range
can be picked up from the source or the target object.  This implements
the same thing for types.  The kernel will override this with type
transition rules and similar.  This is just the default if nothing
specific is given.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This commit is contained in:
Eric Paris 2012-12-18 11:41:25 -05:00
parent e9759ea7af
commit 693f5241fd
9 changed files with 103 additions and 3 deletions

View File

@ -415,6 +415,38 @@ int define_default_role(int which)
return 0;
}
int define_default_type(int which)
{
char *id;
class_datum_t *cladatum;
if (pass == 1) {
while ((id = queue_remove(id_queue)))
free(id);
return 0;
}
while ((id = queue_remove(id_queue))) {
if (!is_id_in_scope(SYM_CLASSES, id)) {
yyerror2("class %s is not within scope", id);
return -1;
}
cladatum = hashtab_search(policydbp->p_classes.table, id);
if (!cladatum) {
yyerror2("unknown class %s", id);
return -1;
}
if (cladatum->default_type && cladatum->default_type != which) {
yyerror2("conflicting default type information for class %s", id);
return -1;
}
cladatum->default_type = which;
free(id);
}
return 0;
}
int define_default_range(int which)
{
char *id;

View File

@ -26,6 +26,7 @@ int define_category(void);
int define_class(void);
int define_default_user(int which);
int define_default_role(int which);
int define_default_type(int which);
int define_default_range(int which);
int define_common_perms(void);
int define_compute_type(int which);

View File

@ -143,7 +143,7 @@ typedef int (* require_func_t)();
%token POLICYCAP
%token PERMISSIVE
%token FILESYSTEM
%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
%token LOW_HIGH LOW HIGH
%left OR
@ -202,9 +202,11 @@ opt_default_rules : default_rules
;
default_rules : default_user_def
| default_role_def
| default_type_def
| default_range_def
| default_rules default_user_def
| default_rules default_role_def
| default_rules default_type_def
| default_rules default_range_def
;
default_user_def : DEFAULT_USER names SOURCE ';'
@ -217,6 +219,11 @@ default_role_def : DEFAULT_ROLE names SOURCE ';'
| DEFAULT_ROLE names TARGET ';'
{if (define_default_role(DEFAULT_TARGET)) return -1; }
;
default_type_def : DEFAULT_TYPE names SOURCE ';'
{if (define_default_type(DEFAULT_SOURCE)) return -1; }
| DEFAULT_TYPE names TARGET ';'
{if (define_default_type(DEFAULT_TARGET)) return -1; }
;
default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
{if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
| DEFAULT_RANGE names SOURCE HIGH ';'

View File

@ -229,6 +229,8 @@ default_user |
DEFAULT_USER { return(DEFAULT_USER); }
default_role |
DEFAULT_ROLE { return(DEFAULT_ROLE); }
default_type |
DEFAULT_TYPE { return(DEFAULT_TYPE); }
default_range |
DEFAULT_RANGE { return(DEFAULT_RANGE); }
low-high |

View File

@ -116,6 +116,7 @@ typedef struct class_datum {
#define DEFAULT_TARGET 2
char default_user;
char default_role;
char default_type;
/* Options how a new object range should be decided */
#define DEFAULT_SOURCE_LOW 1
#define DEFAULT_SOURCE_HIGH 2
@ -681,10 +682,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
#define POLICYDB_VERSION_FILENAME_TRANS 25
#define POLICYDB_VERSION_ROLETRANS 26
#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
#define POLICYDB_VERSION_DEFAULT_TYPE 28
/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NEW_OBJECT_DEFAULTS
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_DEFAULT_TYPE
/* Module versions and specific changes*/
#define MOD_POLICYDB_VERSION_BASE 4
@ -701,9 +703,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
#define MOD_POLICYDB_VERSION_ROLEATTRIB 13
#define MOD_POLICYDB_VERSION_TUNABLE_SEP 14
#define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 15
#define MOD_POLICYDB_VERSION_DEFAULT_TYPE 16
#define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS
#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_DEFAULT_TYPE
#define POLICYDB_CONFIG_MLS 1

View File

@ -453,6 +453,13 @@ static int class_copy_default_new_object(expand_state_t *state,
}
newdatum->default_role = olddatum->default_role;
}
if (olddatum->default_type) {
if (newdatum->default_type && olddatum->default_type != newdatum->default_type) {
ERR(state->handle, "Found conflicting default type definitions");
return SEPOL_ENOTSUP;
}
newdatum->default_type = olddatum->default_type;
}
if (olddatum->default_range) {
if (newdatum->default_range && olddatum->default_range != newdatum->default_range) {
ERR(state->handle, "Found conflicting default range definitions");

View File

@ -223,6 +223,13 @@ static int class_copy_default_new_object(link_state_t *state,
}
newdatum->default_role = olddatum->default_role;
}
if (olddatum->default_type) {
if (newdatum->default_type && olddatum->default_type != newdatum->default_type) {
ERR(state->handle, "Found conflicting default type definitions");
return SEPOL_ENOTSUP;
}
newdatum->default_type = olddatum->default_type;
}
if (olddatum->default_range) {
if (newdatum->default_range && olddatum->default_range != newdatum->default_range) {
ERR(state->handle, "Found conflicting default range definitions");

View File

@ -157,6 +157,13 @@ static struct policydb_compat_info policydb_compat[] = {
.ocon_num = OCON_NODE6 + 1,
.target_platform = SEPOL_TARGET_SELINUX,
},
{
.type = POLICY_KERN,
.version = POLICYDB_VERSION_DEFAULT_TYPE,
.sym_num = SYM_NUM,
.ocon_num = OCON_NODE6 + 1,
.target_platform = SEPOL_TARGET_SELINUX,
},
{
.type = POLICY_BASE,
.version = MOD_POLICYDB_VERSION_BASE,
@ -241,6 +248,13 @@ static struct policydb_compat_info policydb_compat[] = {
.ocon_num = OCON_NODE6 + 1,
.target_platform = SEPOL_TARGET_SELINUX,
},
{
.type = POLICY_BASE,
.version = MOD_POLICYDB_VERSION_DEFAULT_TYPE,
.sym_num = SYM_NUM,
.ocon_num = OCON_NODE6 + 1,
.target_platform = SEPOL_TARGET_SELINUX,
},
{
.type = POLICY_MOD,
.version = MOD_POLICYDB_VERSION_BASE,
@ -325,6 +339,13 @@ static struct policydb_compat_info policydb_compat[] = {
.ocon_num = 0,
.target_platform = SEPOL_TARGET_SELINUX,
},
{
.type = POLICY_MOD,
.version = MOD_POLICYDB_VERSION_DEFAULT_TYPE,
.sym_num = SYM_NUM,
.ocon_num = 0,
.target_platform = SEPOL_TARGET_SELINUX,
},
};
#if 0
@ -2097,6 +2118,16 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp)
cladatum->default_range = le32_to_cpu(buf[2]);
}
if ((p->policy_type == POLICY_KERN &&
p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) ||
(p->policy_type == POLICY_BASE &&
p->policyvers >= MOD_POLICYDB_VERSION_DEFAULT_TYPE)) {
rc = next_entry(buf, fp, sizeof(uint32_t));
if (rc < 0)
goto bad;
cladatum->default_type = le32_to_cpu(buf[0]);
}
if (hashtab_insert(h, key, cladatum))
goto bad;

View File

@ -988,6 +988,16 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
return POLICYDB_ERROR;
}
if ((p->policy_type == POLICY_KERN &&
p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) ||
(p->policy_type == POLICY_BASE &&
p->policyvers >= MOD_POLICYDB_VERSION_DEFAULT_TYPE)) {
buf[0] = cpu_to_le32(cladatum->default_type);
items = put_entry(buf, sizeof(uint32_t), 1, fp);
if (items != 1)
return POLICYDB_ERROR;
}
return POLICYDB_SUCCESS;
}