checkpolicy: drop global policyvers variable

Drop the global variable policyvers.  The variable is only used within
checkpolicy.c and checkmodule.c, but never in any shared code.

Since the variable declaration is the only content of checkpolicy.h drop
it.

Also set the policy version before calls to read_source_policy(), so the
parser can access the requested version for checks this way.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>

checkpolicy/checkmodule.c

@@ -31,7 +31,6 @@
 #include <sepol/policydb/sidtab.h>
 
 #include "queue.h"
-#include "checkpolicy.h"
 #include "parse_util.h"
 
 static sidtab_t sidtab;
@@ -43,9 +42,6 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN;
 static const char *txtfile = "policy.conf";
 static const char *binfile = "policy";
 
-static unsigned int policy_type = POLICY_BASE;
-unsigned int policyvers = MOD_POLICYDB_VERSION_MAX;
-
 static int read_binary_policy(policydb_t * p, const char *file, const char *progname)
 {
 	int fd;
@@ -107,7 +103,7 @@ static int read_binary_policy(policydb_t * p, const char *file, const char *prog
 	return 0;
 }
 
-static int write_binary_policy(policydb_t * p, FILE *outfp)
+static int write_binary_policy(policydb_t * p, FILE *outfp, unsigned int policy_type, unsigned int policyvers)
 {
 	struct policy_file pf;
 
@@ -150,6 +146,8 @@ int main(int argc, char **argv)
 {
 	const char *file = txtfile, *outfile = NULL;
 	unsigned int binary = 0, cil = 0, disable_neverallow = 0;
+	unsigned int policy_type = POLICY_BASE;
+	unsigned int policyvers = MOD_POLICYDB_VERSION_MAX;
 	int ch;
 	int show_version = 0;
 	policydb_t modpolicydb;
@@ -279,6 +277,7 @@ int main(int argc, char **argv)
 		modpolicydb.policy_type = policy_type;
 		modpolicydb.mls = mlspol;
 		modpolicydb.handle_unknown = handle_unknown;
+		modpolicydb.policyvers = policyvers;
 
 		if (read_source_policy(&modpolicydb, file, argv[0]) == -1) {
 			exit(1);
@@ -343,7 +342,7 @@ int main(int argc, char **argv)
 		}
 
 		if (!cil) {
-			if (write_binary_policy(&modpolicydb, outfp) != 0) {
+			if (write_binary_policy(&modpolicydb, outfp, policy_type, policyvers) != 0) {
 				fprintf(stderr, "%s:  error writing %s\n", argv[0], outfile);
 				exit(1);
 			}

checkpolicy/checkpolicy.c

@@ -89,7 +89,6 @@
 #include <sepol/policydb/link.h>
 
 #include "queue.h"
-#include "checkpolicy.h"
 #include "parse_util.h"
 
 static policydb_t policydb;
@@ -103,8 +102,6 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN;
 static const char *txtfile = "policy.conf";
 static const char *binfile = "policy";
 
-unsigned int policyvers = 0;
-
 static __attribute__((__noreturn__)) void usage(const char *progname)
 {
 	printf
@@ -395,6 +392,7 @@ int main(int argc, char **argv)
 	unsigned int binary = 0, debug = 0, sort = 0, cil = 0, conf = 0, optimize = 0, disable_neverallow = 0;
 	struct val_to_name v;
 	int ret, ch, fd, target = SEPOL_TARGET_SELINUX;
+	unsigned int policyvers = 0;
 	unsigned int nel, uret;
 	struct stat sb;
 	void *map;
@@ -613,6 +611,7 @@ int main(int argc, char **argv)
 		/* Let sepol know if we are dealing with MLS support */
 		parse_policy.mls = mlspol;
 		parse_policy.handle_unknown = handle_unknown;
+		parse_policy.policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
 
 		policydbp = &parse_policy;
 
@@ -637,11 +636,10 @@ int main(int argc, char **argv)
 				fprintf(stderr, "Error while expanding policy\n");
 				exit(1);
 			}
+			policydb.policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
 			policydb_destroy(policydbp);
 			policydbp = &policydb;
 		}
-
-		policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
 	}
 
 	if (policydb_load_isids(&policydb, &sidtab))

checkpolicy/checkpolicy.h

@@ -1,6 +0,0 @@
-#ifndef _CHECKPOLICY_H_
-#define _CHECKPOLICY_H_
-
-extern unsigned int policyvers;
-
-#endif

checkpolicy/fuzz/checkpolicy-fuzzer.c

@@ -200,6 +200,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 	parsepolicydb.policy_type = POLICY_BASE;
 	parsepolicydb.mls = mls;
 	parsepolicydb.handle_unknown = DENY_UNKNOWN;
+	parsepolicydb.policyvers = policyvers;
 	policydb_set_target_platform(&parsepolicydb, platform);
 
 	if (read_source_policy(&parsepolicydb, data, size))

checkpolicy/policy_define.c

@@ -55,7 +55,6 @@
 #include <sepol/policydb/hierarchy.h>
 #include <sepol/policydb/polcaps.h>
 #include "queue.h"
-#include "checkpolicy.h"
 #include "module_compiler.h"
 #include "policy_define.h"
 

checkpolicy/policy_parse.y

@@ -49,7 +49,6 @@
 #include <sepol/policydb/hierarchy.h>
 #include <sepol/policydb/polcaps.h>
 #include "queue.h"
-#include "checkpolicy.h"
 #include "module_compiler.h"
 #include "policy_define.h"