From b67bd76e0c3bd74db132e8f82246f591e6080c35 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 10 Feb 2015 11:43:31 -0500
Subject: [PATCH] Move libqpol parser further in line with checkpolicy.

* Especially remove buggy conditional branch verification -- keep the same behavior as checkpolicy.
* No-rules-loading logic no longer needed
---
 libqpol/policy_define.c | 161 ++--------------------------------------
 libqpol/policy_define.h | 5 --
 libqpol/policy_parse.y | 4 -
 libqpol/policy_scan.l | 4 -
 4 files changed, 6 insertions(+), 168 deletions(-)

diff --git a/libqpol/policy_define.c b/libqpol/policy_define.c
index 080a23b..af5a6e6 100644
--- a/libqpol/policy_define.c
+++ b/libqpol/policy_define.c
@@ -57,12 +57,8 @@
 #include
 #include /* Required for SETools libqpol */
-#ifdef HAVE_SEPOL_POLICYCAPS
 #include
-#endif
-#ifdef HAVE_SEPOL_ERRCODES
 #include
-#endif
 #include "queue.h"
 /* Required for SETools libqpol - Removed #include "checkpolicy.h"*/
@@ -91,17 +87,12 @@ static int id_has_dot(const char *id);
 static int parse_security_context(context_struct_t *c);
 /* initialize all of the state variables for the scanner/parser */
-/* Modified for SETools libqpol */
-static int load_rules;
-static unsigned int num_rules = 0;
-void init_parser(int pass_number, int do_rules)
+void init_parser(int pass_number)
 {
 policydb_lineno = 1;
 source_lineno = 1;
 policydb_errors = 0;
 pass = pass_number;
- load_rules = do_rules;
- num_rules = 0;
 }
 __attribute__ ((format(printf, 1, 2)))
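Review bot: `init_parser` drops its `do_rules` parameter in the @@ -91 hunk, yet no hunk in this patch touches a prototype or a caller; the policy_define.h section only removes SECURITY_FS_USE_PSIDS. If the declaration lives in policy_define.h or policy_parse.y, or any caller still passes two arguments, the definition and declaration now disagree, which a C11 compiler reports as conflicting types when both are visible in one translation unit. Either that update is in a hunk outside this patch or it belongs here; a one-line comment on the definition, `/* Reset parser state for a pass; rules are always loaded on pass 2, as in checkpolicy. */`, would also record the dropped behaviour. The @@ -57 hunk unconditionally includes the two headers that were previously guarded by HAVE_SEPOL_POLICYCAPS / HAVE_SEPOL_ERRCODES, so the build presumably now requires a libsepol that ships both.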
@@ -123,34 +114,6 @@ int define_mls(void)
 return 0;
 }
-/* Required for SETools libqpol */
-/* Add a rule onto an avtab hash table only if it does not already
- * exist. (Note that the avtab is discarded afterwards; it will be
- * regenerated during expansion.) Return 1 if rule was added (or
- * otherwise handled successfully), 0 if it conflicted with something,
- * 2 if the rule is not to be added, or -1 on error.
- */
-static int insert_check_type_rule(avrule_t * rule, avtab_t * avtab, cond_av_list_t ** list, cond_av_list_t ** other)
-{
- int ret;
-
- if (num_rules && !load_rules)
- return 2;
-
-#ifdef SEPOL_DYNAMIC_AVTAB
- if (!avtab->htable)
- if (avtab_alloc(avtab, MAX_AVTAB_SIZE))
- return -1;
-#endif
-
- ret = expand_rule(NULL, policydbp, rule, avtab, list, other, 0);
-
- if (ret < 0) {
- yyerror("Failed on expanding rule");
- }
- return ret;
-}
-
 int insert_separator(int push)
 {
 int error;
@@ -1651,9 +1614,8 @@ int define_compute_type(int which)
 {
 char *id;
 avrule_t *avrule;
- int retval;
- if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */
+ if (pass == 1) {
 while ((id = queue_remove(id_queue)))
 free(id);
 while ((id = queue_remove(id_queue)))
@@ -1665,42 +1627,19 @@ int define_compute_type(int which)
 return 0;
 }
- num_rules++;
-
 if (define_compute_type_helper(which, &avrule))
 return -1;
- retval = insert_check_type_rule(avrule, &policydbp->te_avtab, NULL, NULL);
- switch (retval) {
- case 1:{
- /* append this avrule to the end of the current rules list */
 append_avrule(avrule);
 return 0;
 }
- case 2: /* FALLTHROUGH */
- case 0:{
- /* rule conflicted, so don't actually add this rule */
- avrule_destroy(avrule);
- free(avrule);
- return 0;
- }
- case -1:{
- avrule_destroy(avrule);
- free(avrule);
- return -1;
- }
- default:{
- abort(); /* should never get here */
- }
- }
-}
 avrule_t *define_cond_compute_type(int which)
 {
 char *id;
 avrule_t *avrule;
- if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */
+ if (pass == 1) {
 while ((id = queue_remove(id_queue)))
 free(id);
 while ((id = queue_remove(id_queue)))
@@ -1712,8 +1651,6 @@ avrule_t *define_cond_compute_type(int which)
 return (avrule_t *) 1;
 }
- num_rules++;
-
 if (define_compute_type_helper(which, &avrule))
 return COND_ERR;
@@ -1792,7 +1729,7 @@ int define_bool_tunable(int is_tunable)
 avrule_t *define_cond_pol_list(avrule_t * avlist, avrule_t * sl)
 {
- if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */
+ if (pass == 1) {
 /* return something so we get through pass 1 */
 return (avrule_t *) 1;
 }
@@ -1950,7 +1887,7 @@ avrule_t *define_cond_te_avtab(int which)
 avrule_t *avrule;
 int i;
- if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */
+ if (pass == 1) {
 for (i = 0; i < 4; i++) {
 while ((id = queue_remove(id_queue)))
 free(id);
@@ -1958,8 +1895,6 @@ avrule_t *define_cond_te_avtab(int which)
 return (avrule_t *) 1; /* any non-NULL value */
 }
- num_rules++;
-
 if (define_te_avtab_helper(which, &avrule))
 return COND_ERR;
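Review bot: define_compute_type (its opening is in the preceding hunk) now calls append_avrule unconditionally, so a type_transition/type_member/type_change rule that conflicts with an earlier one is no longer rejected or dropped at parse time; the define_conditional hunk at @@ -3296 removes the equivalent check for conditional branches. Given the stated rationale of matching checkpolicy, presumably such conflicts are now reported when libsepol expands the rules, but nothing in the new code says where that responsibility went. A short comment before `append_avrule(avrule);`, `/* No parse-time conflict check: duplicate or conflicting type rules are detected at expansion, as in checkpolicy. */`, would stop the next reader from reintroducing a local check. The remaining hunks in this file (@@ -1712, -1792, -1950, -1958, -1972, -1980) only drop the num_rules/load_rules gating and need nothing further, provided no other reference to those two statics survives outside the patch.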
@@ -1972,7 +1907,7 @@ int define_te_avtab(int which)
 avrule_t *avrule;
 int i;
- if (pass == 1 || (num_rules && !load_rules)) { /* Required for SETools libqpol */
+ if (pass == 1) {
 for (i = 0; i < 4; i++) {
 while ((id = queue_remove(id_queue)))
 free(id);
@@ -1980,8 +1915,6 @@ int define_te_avtab(int which)
 return 0;
 }
- num_rules++;
-
 if (define_te_avtab_helper(which, &avrule))
 return -1;
@@ -3296,88 +3229,6 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
 return -1;
 }
- /* Required for SETools libqpol */
- avrule_t *tmp, *last_tmp;
- int retval;
- /* verify te rules -- both true and false branches of conditional */
- tmp = cn.avtrue_list;
- last_tmp = NULL;
- while (tmp) {
- if (!(tmp->specified & AVRULE_TRANSITION))
- continue;
- retval = insert_check_type_rule(tmp, &policydbp->te_cond_avtab, &cn_old->true_list, &cn_old->false_list);
- switch (retval) {
- case 1:{
- last_tmp = tmp;
- tmp = tmp->next;
- break;
- }
- case 0:{
- /* rule conflicted, so remove it from consideration */
- if (last_tmp == NULL) {
- cn.avtrue_list = cn.avtrue_list->next;
- avrule_destroy(tmp);
- free(tmp);
- tmp = cn.avtrue_list;
- } else {
- last_tmp->next = tmp->next;
- avrule_destroy(tmp);
- free(tmp);
- tmp = last_tmp->next;
- }
- break;
- }
- case -1:{
- return -1;
- }
- case 2:{
- return 0;
- }
- default:{
- abort(); /* should never get here */
- }
- }
- }
-
- tmp = cn.avfalse_list;
- last_tmp = NULL;
- while (tmp) {
- if (!(tmp->specified & AVRULE_TRANSITION))
- continue;
- retval = insert_check_type_rule(tmp, &policydbp->te_cond_avtab, &cn_old->false_list, &cn_old->true_list);
- switch (retval) {
- case 1:{
- last_tmp = tmp;
- tmp = tmp->next;
- break;
- }
- case 0:{
- /* rule conflicted, so remove it from consideration */
- if (last_tmp == NULL) {
- cn.avfalse_list = cn.avfalse_list->next;
- avrule_destroy(tmp);
- free(tmp);
- tmp = cn.avfalse_list;
- } else {
- last_tmp->next = tmp->next;
- avrule_destroy(tmp);
- free(tmp);
- tmp = last_tmp->next;
- }
- break;
- }
- case -1:{
- return -1;
- }
- case 2:{
- return 0;
- }
- default:{
- abort(); /* should never get here */
- }
- }
- }
-
 append_cond_list(&cn);
 /* note that there is no check here for duplicate rules, nor
diff --git a/libqpol/policy_define.h b/libqpol/policy_define.h
index 73f7e0e..6dfbb87 100644
--- a/libqpol/policy_define.h
+++ b/libqpol/policy_define.h
@@ -18,11 +18,6 @@
 #define TRUE 1
 #define FALSE 0
-
-/* Used by SETools libqpol */
-/** parser used to support fs_use_psid declarations, so revert that bit
- * of code here */
-#define SECURITY_FS_USE_PSIDS 6
 /* Used by SETools to determine if source MLS or not */
 int define_mls(void);
diff --git a/libqpol/policy_parse.y b/libqpol/policy_parse.y
index f021220..63a07d7 100644
--- a/libqpol/policy_parse.y
+++ b/libqpol/policy_parse.y
@@ -58,11 +58,7 @@
 #include
 #include
 #include
-/* Add for SETools libqpol */
-#ifdef HAVE_SEPOL_POLICYCAPS
 #include
-#endif
-
 #include "queue.h"
 /* #include "checkpolicy.h" - Remove for setools and replace with: */
diff --git a/libqpol/policy_scan.l b/libqpol/policy_scan.l
index bc0c497..9ce4c4b 100644
--- a/libqpol/policy_scan.l
+++ b/libqpol/policy_scan.l
@@ -39,11 +39,7 @@ typedef int (* require_func_t)(int pass);
 /* For SETools libqpol services leave this as policy_parse.h */
-/* #ifdef ANDROID */
 #include "policy_parse.h"
-/*#else
-#include "y.tab.h"
-#endif */
 static char linebuf[2][255];
 static unsigned int lno = 0;