Mirror of https://github.com/SELinuxProject/selinux (synced 2025-01-30 17:32:17 +00:00)

Commit f830d96a48
Email: method@manicmethod.com
Subject: libsepol: Add support for multiple target OSes
Date: Tue, 13 Oct 2009 15:56:39 -0400

Paul Nuzzi wrote:
> On Wed, 2009-09-16 at 09:58 -0400, Joshua Brindle wrote:
>> I'd rather have separate ocontext structs for each system. That way it
>> is very easy to understand which ones apply to which system and you
>> don't get a crazy out of context ocontext struct.
>>
>
> I looked into having separate ocontext structs but that would involve
> changing a lot of files making the patch much larger and more intrusive.
>
>>> } u;
>>> union {
>>> uint32_t sclass; /* security class for genfs */
>>> @@ -313,6 +323,17 @@ typedef struct genfs {
>>> #define OCON_NODE6 6 /* IPv6 nodes */
>>> #define OCON_NUM 7
>>>
>>> +/* object context array indices for Xen */
>>> +#define OCON_ISID 0 /* initial SIDs */
>>> +#define OCON_PIRQ 1 /* physical irqs */
>>> +#define OCON_IOPORT 2 /* io ports */
>>> +#define OCON_IOMEM 3 /* io memory */
>>> +#define OCON_DEVICE 4 /* pci devices */
>>> +#define OCON_DUMMY1 5 /* reserved */
>>> +#define OCON_DUMMY2 6 /* reserved */
>>> +#define OCON_NUM 7
>>> +
>>> +
>>>
>> Should these be namespaced? What if <random other system> has io port
>> objects? You'd have to align them with each other and you have a mess of
>> keeping the numbers the same (you already do this with OCON_ISID)
>
> Variables have been namespaced and there is no more overlap with
> OCON_ISID.
>
>> Also we are relying on having the same number of OCON's which isn't good
>> I don't think. As much as I hate the policydb_compat_info (read: a lot)
>> why aren't we using that to say how many ocons a xen policy really has?
>
> OCON_NUM is now dynamically read through policydb_compat_info.
>
>
>> This is messy, why not an ocontext_selinux_free() and
>> ocontext_xen_free() (note: I realize the xen_free() one won't do
>> anything except free the ocontext_t)
>>
>
> done.
>
>>> len = buf[1];
>>> - if (len != strlen(target_str)&&
>>> - (!alt_target_str || len != strlen(alt_target_str))) {
>>> - ERR(fp->handle, "policydb string length %zu does not match "
>>> - "expected length %zu", len, strlen(target_str));
>>> + if (len> 32) {
>>>
>> magic number 32?
>
> #defined.
>
> Thanks for your input. Below is the updated patch for libsepol.
>

Acked-by: Joshua Brindle <method@manicmethod.com> for the entire patchset with the following diff on top:

diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 76d8ed3..e76bb1a 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -100,8 +100,8 @@ unsigned int policyvers = POLICYDB_VERSION_MAX;
 void usage(char *progname)
 {
 printf
- ("usage: %s [-b] [-d] [-U handle_unknown (allow,deny,reject) [-M]"
- "[-c policyvers (%d-%d)] [-o output_file] [-t platform]"
+ ("usage: %s [-b] [-d] [-U handle_unknown (allow,deny,reject)] [-M]"
+ "[-c policyvers (%d-%d)] [-o output_file] [-t target_platform (selinux,xen)]"
 "[input_file]\n", progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
 exit(1);

Signed-off-by: Joshua Brindle <method@manicmethod.com>
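Review bot: in the quoted `@@ -313,6 +323,17 @@ typedef struct genfs` hunk, `OCON_ISID` and `OCON_NUM` are defined a second time under the Xen comment with the same values the SELinux block already uses (`#define OCON_NUM 7` appears in both), which the preprocessor only tolerates while the two values happen to stay equal, and `OCON_DUMMY1`/`OCON_DUMMY2` exist solely to pad the Xen table to the SELinux count. Prefix the Xen indices (for example `OCON_XEN_PIRQ`, `OCON_XEN_IOPORT`, `OCON_XEN_IOMEM`) and take the per-target count from `policydb_compat_info` instead of padding; the reply says both changes were made in the updated patch, so the reworked defines should be checked there since they are not quoted in this message.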
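Review bot: in the quoted `len = buf[1]` region, replacing the `strlen(target_str)` / `strlen(alt_target_str)` comparison with `if (len> 32)` also drops the `ERR(fp->handle, "policydb string length %zu does not match ...")` path, so a length that fits under the bound but matches neither target name is no longer rejected at this point with a diagnostic. Keep the upper bound (the reply says 32 is now a `#define`, which should be the size of the buffer the string is read into) but retain an explicit error when the string matches neither `target_str` nor `alt_target_str`, and write the comparison as `len > 32` for readability.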
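Review bot: in the `@@ -100,8 +100,8 @@` hunk the adjacent string literals still concatenate without a separating space: `[-M]"` runs straight into `"[-c policyvers (%d-%d)]`, and `(selinux,xen)]"` into `"[input_file]\n"`, so the printed usage reads `[-M][-c policyvers (...)` and `(selinux,xen)][input_file]`. Add a trailing space inside the first two literals (`[-M] "` and `(selinux,xen)] "`). The added closing `]` after `(allow,deny,reject)` is a correct fix. The new `-t target_platform (selinux,xen)` option should also be documented in checkpolicy.8 if that is not already done elsewhere in the series.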