mirror of
https://github.com/topjohnwu/selinux.git
synced 2024-12-04 01:20:52 +00:00
Merge remote-tracking branch 'aosp/upstream-master' into mymerge
Pull on upstream selinux project. Bug: 28819676
This commit is contained in:
Jeff Vander Stoep
commit
a4b569d608
2
README
2
README
@ -2,7 +2,7 @@ Please submit all bug reports and patches to selinux@tycho.nsa.gov.
|
||||
Subscribe via selinux-join@tycho.nsa.gov.
|
||||
|
||||
Build dependencies on Fedora:
|
||||
yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python-devel setools-devel swig ustr-devel
|
||||
yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python-devel setools-devel swig ustr-devel xmlto redhat-rpm-config
|
||||
|
||||
To build and install everything under a private directory, run:
|
||||
make DESTDIR=~/obj install install-pywrap
|
||||
|
||||
@ -1,6 +1,9 @@
|
||||
* Set flex as default lexer, from Julien Pivotto.
|
||||
* Fix checkmodule output message, from Petr Lautrbach.
|
||||
* Build policy on systems not supporting DCCP protocol, from Richard Haines.
|
||||
* Fail if module name different than output base filename, from James Carter
|
||||
* Add support for portcon dccp protocol, from Richard Haines
|
||||
|
||||
2.5 2016-02-23
|
||||
* Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
|
||||
* fix double free on name-based type transitions, from Stephen Smalley.
|
||||
|
||||
@ -8,6 +8,7 @@ LIBDIR ?= $(PREFIX)/lib
|
||||
INCLUDEDIR ?= $(PREFIX)/include
|
||||
TARGETS = checkpolicy checkmodule
|
||||
|
||||
LEX = flex
|
||||
YACC = bison -y
|
||||
|
||||
CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
|
||||
|
||||
@ -314,7 +314,7 @@ int main(int argc, char **argv)
|
||||
|
||||
if (!cil) {
|
||||
printf("%s: writing binary representation (version %d) to %s\n",
|
||||
argv[0], policyvers, file);
|
||||
argv[0], policyvers, outfile);
|
||||
|
||||
if (write_binary_policy(&modpolicydb, outfp) != 0) {
|
||||
fprintf(stderr, "%s: error writing %s\n", argv[0], outfile);
|
||||
|
||||
@ -1,3 +1,5 @@
|
||||
* Respect CC and PKG_CONFIG environment variable, from Julien Pivotto.
|
||||
* Avoid mounting /proc outside of selinux_init_load_policy(), from Stephen Smalley.
|
||||
* Fix multiple spelling errors, from Laurent Bigonville.
|
||||
* Fix typo in sefcontext_compile.8, from Petr Lautrbach and Milos Malik
|
||||
* Fix location of selinuxfs mount point, from Dan Walsh.
|
||||
|
||||
@ -5,6 +5,7 @@ PYTHON ?= python
|
||||
PYPREFIX ?= $(notdir $(PYTHON))
|
||||
RUBY ?= ruby
|
||||
RUBYPREFIX ?= $(notdir $(RUBY))
|
||||
PKG_CONFIG ?= pkg-config
|
||||
|
||||
# Installation directories.
|
||||
PREFIX ?= $(DESTDIR)/usr
|
||||
@ -12,11 +13,11 @@ LIBDIR ?= $(PREFIX)/lib
|
||||
SHLIBDIR ?= $(DESTDIR)/lib
|
||||
INCLUDEDIR ?= $(PREFIX)/include
|
||||
PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])')
|
||||
PYINC ?= $(shell pkg-config --cflags $(PYPREFIX))
|
||||
PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
|
||||
PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
|
||||
RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
|
||||
RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM')
|
||||
RUBYINC ?= $(shell pkg-config --cflags ruby)
|
||||
RUBYINC ?= $(shell $(PKG_CONFIG) --cflags ruby)
|
||||
RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
|
||||
LIBBASE ?= $(shell basename $(LIBDIR))
|
||||
|
||||
|
||||
@ -15,6 +15,6 @@ echo "
|
||||
;;
|
||||
esac
|
||||
}
|
||||
gcc -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
|
||||
${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
|
||||
for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done
|
||||
rm -f -- temp.aux -.o
|
||||
|
||||
@ -11,8 +11,6 @@
|
||||
#include <sys/vfs.h>
|
||||
#include <stdint.h>
|
||||
#include <limits.h>
|
||||
#include <sys/mount.h>
|
||||
#include <linux/magic.h>
|
||||
|
||||
#include "dso.h"
|
||||
#include "policy.h"
|
||||
@ -58,26 +56,15 @@ static int verify_selinuxmnt(const char *mnt)
|
||||
|
||||
int selinuxfs_exists(void)
|
||||
{
|
||||
int exists = 0, mnt_rc = -1, rc;
|
||||
struct statfs sb;
|
||||
int exists = 0;
|
||||
FILE *fp = NULL;
|
||||
char *buf = NULL;
|
||||
size_t len;
|
||||
ssize_t num;
|
||||
|
||||
do {
|
||||
rc = statfs("/proc", &sb);
|
||||
} while (rc < 0 && errno == EINTR);
|
||||
|
||||
if (rc == 0 && ((uint32_t)sb.f_type != (uint32_t)PROC_SUPER_MAGIC))
|
||||
mnt_rc = mount("proc", "/proc", "proc", 0, 0);
|
||||
|
||||
fp = fopen("/proc/filesystems", "r");
|
||||
if (!fp) {
|
||||
exists = 1; /* Fail as if it exists */
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (!fp)
|
||||
return 1; /* Fail as if it exists */
|
||||
__fsetlocking(fp, FSETLOCKING_BYCALLER);
|
||||
|
||||
num = getline(&buf, &len, fp);
|
||||
@ -91,14 +78,6 @@ int selinuxfs_exists(void)
|
||||
|
||||
free(buf);
|
||||
fclose(fp);
|
||||
|
||||
out:
|
||||
#ifndef MNT_DETACH
|
||||
#define MNT_DETACH 2
|
||||
#endif
|
||||
if (mnt_rc == 0)
|
||||
umount2("/proc", MNT_DETACH);
|
||||
|
||||
return exists;
|
||||
}
|
||||
hidden_def(selinuxfs_exists)
|
||||
|
||||
@ -17,6 +17,10 @@
|
||||
#include "policy.h"
|
||||
#include <limits.h>
|
||||
|
||||
#ifndef MNT_DETACH
|
||||
#define MNT_DETACH 2
|
||||
#endif
|
||||
|
||||
int security_load_policy(void *data, size_t len)
|
||||
{
|
||||
char path[PATH_MAX];
|
||||
@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce)
|
||||
fclose(cfg);
|
||||
free(buf);
|
||||
}
|
||||
#ifndef MNT_DETACH
|
||||
#define MNT_DETACH 2
|
||||
#endif
|
||||
if (rc == 0)
|
||||
umount2("/proc", MNT_DETACH);
|
||||
|
||||
/*
|
||||
* Determine the final desired mode.
|
||||
@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce)
|
||||
/* Only emit this error if selinux was not disabled */
|
||||
fprintf(stderr, "Mount failed for selinuxfs on %s: %s\n", SELINUXMNT, strerror(errno));
|
||||
}
|
||||
|
||||
if (rc == 0)
|
||||
umount2("/proc", MNT_DETACH);
|
||||
|
||||
goto noload;
|
||||
}
|
||||
set_selinuxmnt(mntpoint);
|
||||
|
||||
if (rc == 0)
|
||||
umount2("/proc", MNT_DETACH);
|
||||
|
||||
/*
|
||||
* Note: The following code depends on having selinuxfs
|
||||
* already mounted and selinuxmnt set above.
|
||||
|
||||
5
libselinux/utils/.gitignore
vendored
5
libselinux/utils/.gitignore
vendored
@ -14,7 +14,12 @@ getseuser
|
||||
matchpathcon
|
||||
policyvers
|
||||
sefcontext_compile
|
||||
selabel_digest
|
||||
selabel_lookup
|
||||
selabel_lookup_best_match
|
||||
selabel_partial_match
|
||||
selinux_check_securetty_context
|
||||
selinux_restorecon
|
||||
selinuxenabled
|
||||
selinuxexeccon
|
||||
setenforce
|
||||
|
||||
@ -1,3 +1,5 @@
|
||||
* Support overriding Makefile RANLIB, from Julien Pivotto.
|
||||
* Respect CC and PKG_CONFIG environment variable, from Julien Pivotto.
|
||||
* Fix multiple spelling errors, from Laurent Bigonville.
|
||||
* genhomedircon: %{USERID} and %{USERNAME} support and code cleanups, from Jason Zaman.
|
||||
|
||||
|
||||
@ -5,6 +5,7 @@ PYTHON ?= python
|
||||
PYPREFIX ?= $(notdir $(PYTHON))
|
||||
RUBY ?= ruby
|
||||
RUBYPREFIX ?= $(notdir $(RUBY))
|
||||
PKG_CONFIG ?= pkg-config
|
||||
|
||||
# Installation directories.
|
||||
PREFIX ?= $(DESTDIR)/usr
|
||||
@ -12,11 +13,11 @@ LIBDIR ?= $(PREFIX)/lib
|
||||
SHLIBDIR ?= $(DESTDIR)/lib
|
||||
INCLUDEDIR ?= $(PREFIX)/include
|
||||
PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])')
|
||||
PYINC ?= $(shell pkg-config --cflags $(PYPREFIX))
|
||||
PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
|
||||
PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
|
||||
RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
|
||||
RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM')
|
||||
RUBYINC ?= $(shell pkg-config --cflags ruby-$(RUBYLIBVER))
|
||||
RUBYINC ?= $(shell $(PKG_CONFIG) --cflags ruby-$(RUBYLIBVER))
|
||||
RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
|
||||
|
||||
LIBBASE=$(shell basename $(LIBDIR))
|
||||
@ -61,7 +62,7 @@ SWIG_CFLAGS += -Wno-error -Wno-unused-but-set-variable -Wno-unused-variable -Wno
|
||||
-Wno-unused-parameter
|
||||
|
||||
override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE
|
||||
RANLIB=ranlib
|
||||
RANLIB ?= ranlib
|
||||
|
||||
SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./
|
||||
|
||||
|
||||
@ -9,6 +9,6 @@ echo "
|
||||
}
|
||||
"
|
||||
}
|
||||
gcc -x c -c -I../include - -aux-info temp.aux < ../include/semanage/semanage.h
|
||||
${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/semanage/semanage.h
|
||||
for i in `awk '/extern int/ { print $6 }' temp.aux`; do except $i ; done
|
||||
rm -f -- temp.aux -.o
|
||||
|
||||
1
libsemanage/tests/.gitignore
vendored
Normal file
1
libsemanage/tests/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
libsemanage-tests
|
||||
@ -1,3 +1,7 @@
|
||||
* Fix neverallowxperm checking on attributes, from Jeff Vander Stoep.
|
||||
* Remove libsepol.map when cleaning, from Nicolas Iooss.
|
||||
* Add high-level language line marking support to CIL, from James Carter.
|
||||
* Change logic of bounds checking to match change in kernel, from James Carter.
|
||||
* Fix multiple spelling errors, from Laurent Bigonville.
|
||||
* Only apply bounds checking to source types in rules, from Stephen Smalley.
|
||||
* Fix CIL and not add an attribute as a type in the attr_type_map, from James Carter
|
||||
|
||||
@ -233,6 +233,9 @@ static void cil_init_keys(void)
|
||||
CIL_KEY_PERMISSIONX = cil_strpool_add("permissionx");
|
||||
CIL_KEY_IOCTL = cil_strpool_add("ioctl");
|
||||
CIL_KEY_UNORDERED = cil_strpool_add("unordered");
|
||||
CIL_KEY_SRC_INFO = cil_strpool_add("<src_info>");
|
||||
CIL_KEY_SRC_CIL = cil_strpool_add("<src_cil>");
|
||||
CIL_KEY_SRC_HLL = cil_strpool_add("<src_hll>");
|
||||
}
|
||||
|
||||
void cil_db_init(struct cil_db **db)
|
||||
@ -757,6 +760,9 @@ void cil_destroy_data(void **data, enum cil_flavor flavor)
|
||||
case CIL_MLS:
|
||||
cil_destroy_mls(*data);
|
||||
break;
|
||||
case CIL_SRC_INFO:
|
||||
cil_destroy_src_info(*data);
|
||||
break;
|
||||
case CIL_OP:
|
||||
case CIL_CONS_OPERAND:
|
||||
break;
|
||||
@ -764,8 +770,8 @@ void cil_destroy_data(void **data, enum cil_flavor flavor)
|
||||
cil_log(CIL_INFO, "Unknown data flavor: %d\n", flavor);
|
||||
break;
|
||||
}
|
||||
|
||||
*data = NULL;
|
||||
|
||||
*data = NULL;
|
||||
}
|
||||
|
||||
int cil_flavor_to_symtab_index(enum cil_flavor flavor, enum cil_sym_index *sym_index)
|
||||
@ -1109,6 +1115,8 @@ const char * cil_node_to_string(struct cil_tree_node *node)
|
||||
return CIL_KEY_HANDLEUNKNOWN;
|
||||
case CIL_MLS:
|
||||
return CIL_KEY_MLS;
|
||||
case CIL_SRC_INFO:
|
||||
return CIL_KEY_SRC_INFO;
|
||||
case CIL_ALL:
|
||||
return CIL_KEY_ALL;
|
||||
case CIL_RANGE:
|
||||
@ -1756,8 +1764,7 @@ int cil_get_symtab(struct cil_tree_node *ast_node, symtab_t **symtab, enum cil_s
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Failed to get symtab from node at line %d of %s\n",
|
||||
ast_node->line, ast_node->path);
|
||||
cil_tree_log(ast_node, CIL_ERR, "Failed to get symtab from node");
|
||||
return SEPOL_ERR;
|
||||
}
|
||||
|
||||
@ -2554,3 +2561,10 @@ void cil_mls_init(struct cil_mls **mls)
|
||||
*mls = cil_malloc(sizeof(**mls));
|
||||
(*mls)->value = 0;
|
||||
}
|
||||
|
||||
void cil_src_info_init(struct cil_src_info **info)
|
||||
{
|
||||
*info = cil_malloc(sizeof(**info));
|
||||
(*info)->is_cil = 0;
|
||||
(*info)->path = NULL;
|
||||
}
|
||||
|
||||
@ -1775,13 +1775,12 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
|
||||
cil_typetrans = (struct cil_nametypetransition*)node->data;
|
||||
if (DATUM(cil_typetrans->name)->fqn != CIL_KEY_STAR) {
|
||||
cil_log(CIL_ERR, "typetransition with file name not allowed within a booleanif block.\n");
|
||||
cil_log(CIL_ERR,"Invalid typetransition statement at line %d of %s\n",
|
||||
node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR,"Invalid typetransition statement");
|
||||
goto exit;
|
||||
}
|
||||
rc = __cil_typetransition_to_avtab(pdb, db, cil_typetrans, cond_node, cond_flavor, filename_trans_table);
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_ERR, "Failed to insert type transition into avtab at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Failed to insert type transition into avtab");
|
||||
goto exit;
|
||||
}
|
||||
break;
|
||||
@ -1789,7 +1788,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
|
||||
cil_type_rule = node->data;
|
||||
rc = __cil_type_rule_to_avtab(pdb, db, cil_type_rule, cond_node, cond_flavor);
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_ERR, "Failed to insert typerule into avtab at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Failed to insert typerule into avtab");
|
||||
goto exit;
|
||||
}
|
||||
break;
|
||||
@ -1797,7 +1796,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
|
||||
cil_avrule = node->data;
|
||||
rc = __cil_avrule_to_avtab(pdb, db, cil_avrule, cond_node, cond_flavor);
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_ERR, "Failed to insert avrule into avtab at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Failed to insert avrule into avtab");
|
||||
goto exit;
|
||||
}
|
||||
break;
|
||||
@ -1805,8 +1804,7 @@ int __cil_cond_to_policydb_helper(struct cil_tree_node *node, __attribute__((unu
|
||||
case CIL_TUNABLEIF:
|
||||
break;
|
||||
default:
|
||||
cil_log(CIL_ERR, "Invalid statement within booleanif at line %d of %s\n",
|
||||
node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid statement within booleanif");
|
||||
goto exit;
|
||||
}
|
||||
|
||||
@ -2065,14 +2063,13 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
|
||||
tmp_cond = cond_node_create(pdb, NULL);
|
||||
if (tmp_cond == NULL) {
|
||||
rc = SEPOL_ERR;
|
||||
cil_log(CIL_INFO, "Failed to create sepol conditional node at line %d of %s\n",
|
||||
node->line, node->path);
|
||||
cil_tree_log(node, CIL_INFO, "Failed to create sepol conditional node");
|
||||
goto exit;
|
||||
}
|
||||
|
||||
rc = __cil_cond_expr_to_sepol_expr(pdb, cil_boolif->datum_expr, &tmp_cond->expr);
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_INFO, "Failed to convert CIL conditional expression to sepol expression at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_INFO, "Failed to convert CIL conditional expression to sepol expression");
|
||||
goto exit;
|
||||
}
|
||||
|
||||
@ -2128,7 +2125,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
|
||||
bool_args.cond_flavor = CIL_CONDTRUE;
|
||||
rc = cil_tree_walk(true_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args);
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_ERR, "Failure while walking true conditional block at line %d of %s\n", true_node->line, true_node->path);
|
||||
cil_tree_log(true_node, CIL_ERR, "Failure while walking true conditional block");
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
@ -2137,7 +2134,7 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
|
||||
bool_args.cond_flavor = CIL_CONDFALSE;
|
||||
rc = cil_tree_walk(false_node, __cil_cond_to_policydb_helper, NULL, NULL, &bool_args);
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_ERR, "Failure while walking false conditional block at line %d of %s\n", false_node->line, false_node->path);
|
||||
cil_tree_log(false_node, CIL_ERR, "Failure while walking false conditional block");
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
@ -3591,7 +3588,7 @@ int __cil_node_to_policydb(struct cil_tree_node *node, void *extra_args)
|
||||
|
||||
exit:
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_ERR, "Binary policy creation failed at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Binary policy creation failed");
|
||||
}
|
||||
return rc;
|
||||
}
|
||||
@ -4235,6 +4232,9 @@ exit:
|
||||
static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *node)
|
||||
{
|
||||
avrule_t *avrule;
|
||||
struct cil_tree_node *source_node;
|
||||
char *source_path;
|
||||
int is_cil;
|
||||
|
||||
avrule = cil_malloc(sizeof(avrule_t));
|
||||
avrule->specified = kind;
|
||||
@ -4243,8 +4243,17 @@ static avrule_t *__cil_init_sepol_avrule(uint32_t kind, struct cil_tree_node *no
|
||||
__cil_init_sepol_type_set(&avrule->ttypes);
|
||||
avrule->perms = NULL;
|
||||
avrule->line = node->line;
|
||||
avrule->source_filename = node->path;
|
||||
|
||||
avrule->source_filename = NULL;
|
||||
avrule->source_line = node->line;
|
||||
source_node = cil_tree_get_next_path(node, &source_path, &is_cil);
|
||||
if (source_node) {
|
||||
avrule->source_filename = source_path;
|
||||
if (!is_cil) {
|
||||
avrule->source_line = node->hll_line;
|
||||
}
|
||||
}
|
||||
|
||||
avrule->next = NULL;
|
||||
return avrule;
|
||||
}
|
||||
@ -4271,10 +4280,8 @@ static void __cil_print_parents(const char *pad, struct cil_tree_node *n)
|
||||
|
||||
__cil_print_parents(pad, n->parent);
|
||||
|
||||
if (!n->path) {
|
||||
cil_log(CIL_ERR,"%s%s\n", pad, cil_node_to_string(n));
|
||||
} else {
|
||||
cil_log(CIL_ERR,"%s%s at line %d of %s\n", pad, cil_node_to_string(n), n->line, n->path);
|
||||
if (n->flavor != CIL_SRC_INFO) {
|
||||
cil_tree_log(n, CIL_ERR,"%s%s", pad, cil_node_to_string(n));
|
||||
}
|
||||
}
|
||||
|
||||
@ -4365,7 +4372,7 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr
|
||||
allow_str = CIL_KEY_ALLOWX;
|
||||
avrule_flavor = CIL_AVRULEX;
|
||||
}
|
||||
cil_log(CIL_ERR, "%s check failed at line %d of %s\n", neverallow_str, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "%s check failed", neverallow_str);
|
||||
__cil_print_rule(" ", neverallow_str, cil_rule);
|
||||
cil_list_init(&matching, CIL_NODE);
|
||||
rc = cil_find_matching_avrule_in_ast(db->ast->root, avrule_flavor, &target, matching, CIL_FALSE);
|
||||
|
||||
@ -108,8 +108,7 @@ int cil_gen_node(__attribute__((unused)) struct cil_db *db, struct cil_tree_node
|
||||
if (cil_symtab_get_datum(symtab, key, &datum) == SEPOL_OK) {
|
||||
if (sflavor == CIL_SYM_BLOCKS) {
|
||||
struct cil_tree_node *node = datum->nodes->head->data;
|
||||
cil_log(CIL_ERR, "Previous declaration at line %d of %s\n",
|
||||
node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Previous declaration");
|
||||
}
|
||||
}
|
||||
goto exit;
|
||||
@ -186,8 +185,7 @@ int cil_gen_block(struct cil_db *db, struct cil_tree_node *parse_current, struct
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad block declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad block declaration");
|
||||
cil_destroy_block(block);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -236,8 +234,7 @@ int cil_gen_blockinherit(struct cil_db *db, struct cil_tree_node *parse_current,
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad blockinherit declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad blockinherit declaration");
|
||||
cil_destroy_blockinherit(inherit);
|
||||
return rc;
|
||||
}
|
||||
@ -281,8 +278,7 @@ int cil_gen_blockabstract(struct cil_db *db, struct cil_tree_node *parse_current
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad blockabstract declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad blockabstract declaration");
|
||||
cil_destroy_blockabstract(abstract);
|
||||
return rc;
|
||||
}
|
||||
@ -326,8 +322,7 @@ int cil_gen_in(struct cil_db *db, struct cil_tree_node *parse_current, struct ci
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad in statement at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad in statement");
|
||||
cil_destroy_in(in);
|
||||
return rc;
|
||||
}
|
||||
@ -387,8 +382,7 @@ int cil_gen_class(struct cil_db *db, struct cil_tree_node *parse_current, struct
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad class declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad class declaration");
|
||||
cil_destroy_class(class);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -456,8 +450,7 @@ int cil_gen_classorder(struct cil_db *db, struct cil_tree_node *parse_current, s
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad classorder declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad classorder declaration");
|
||||
cil_destroy_classorder(classorder);
|
||||
return rc;
|
||||
}
|
||||
@ -527,7 +520,7 @@ int cil_gen_perm_nodes(struct cil_db *db, struct cil_tree_node *current_perm, st
|
||||
cil_tree_node_init(&new_ast);
|
||||
new_ast->parent = ast_node;
|
||||
new_ast->line = current_perm->line;
|
||||
new_ast->path = current_perm->path;
|
||||
new_ast->hll_line = current_perm->hll_line;
|
||||
|
||||
rc = cil_gen_perm(db, current_perm, new_ast, flavor, num_perms);
|
||||
if (rc != SEPOL_OK) {
|
||||
@ -738,8 +731,7 @@ int cil_gen_classpermission(struct cil_db *db, struct cil_tree_node *parse_curre
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad classpermission declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad classpermission declaration");
|
||||
cil_destroy_classpermission(cp);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -800,8 +792,7 @@ int cil_gen_classpermissionset(struct cil_db *db, struct cil_tree_node *parse_cu
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad classpermissionset at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad classpermissionset");
|
||||
cil_destroy_classpermissionset(cps);
|
||||
return rc;
|
||||
}
|
||||
@ -852,8 +843,7 @@ int cil_gen_map_class(struct cil_db *db, struct cil_tree_node *parse_current, st
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad map class declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad map class declaration");
|
||||
cil_destroy_class(map);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -897,8 +887,7 @@ int cil_gen_classmapping(struct cil_db *db, struct cil_tree_node *parse_current,
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad classmapping declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad classmapping declaration");
|
||||
cil_destroy_classmapping(mapping);
|
||||
return rc;
|
||||
}
|
||||
@ -954,8 +943,7 @@ int cil_gen_common(struct cil_db *db, struct cil_tree_node *parse_current, struc
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad common declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad common declaration");
|
||||
cil_destroy_class(common);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -994,8 +982,7 @@ int cil_gen_classcommon(struct cil_db *db, struct cil_tree_node *parse_current,
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad classcommon declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad classcommon declaration");
|
||||
cil_destroy_classcommon(clscom);
|
||||
return rc;
|
||||
|
||||
@ -1043,8 +1030,7 @@ int cil_gen_sid(struct cil_db *db, struct cil_tree_node *parse_current, struct c
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad sid declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad sid declaration");
|
||||
cil_destroy_sid(sid);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -1102,8 +1088,7 @@ int cil_gen_sidcontext(struct cil_db *db, struct cil_tree_node *parse_current, s
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad sidcontext declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad sidcontext declaration");
|
||||
cil_destroy_sidcontext(sidcon);
|
||||
return rc;
|
||||
}
|
||||
@ -1163,8 +1148,7 @@ int cil_gen_sidorder(struct cil_db *db, struct cil_tree_node *parse_current, str
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad sidorder declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad sidorder declaration");
|
||||
cil_destroy_sidorder(sidorder);
|
||||
return rc;
|
||||
}
|
||||
@ -1215,8 +1199,7 @@ int cil_gen_user(struct cil_db *db, struct cil_tree_node *parse_current, struct
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad user declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad user declaration");
|
||||
cil_destroy_user(user);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -1265,8 +1248,7 @@ int cil_gen_userattribute(struct cil_db *db, struct cil_tree_node *parse_current
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad userattribute declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad userattribute declaration");
|
||||
cil_destroy_userattribute(attr);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -1336,8 +1318,7 @@ int cil_gen_userattributeset(struct cil_db *db, struct cil_tree_node *parse_curr
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad userattributeset declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad userattributeset declaration");
|
||||
cil_destroy_userattributeset(attrset);
|
||||
|
||||
return rc;
|
||||
@ -1397,8 +1378,7 @@ int cil_gen_userlevel(struct cil_db *db, struct cil_tree_node *parse_current, st
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad userlevel declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad userlevel declaration");
|
||||
cil_destroy_userlevel(usrlvl);
|
||||
return rc;
|
||||
}
|
||||
@ -1458,8 +1438,7 @@ int cil_gen_userrange(struct cil_db *db, struct cil_tree_node *parse_current, st
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad userrange declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad userrange declaration");
|
||||
cil_destroy_userrange(userrange);
|
||||
return rc;
|
||||
}
|
||||
@ -1508,8 +1487,7 @@ int cil_gen_userprefix(struct cil_db *db, struct cil_tree_node *parse_current, s
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad userprefix declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad userprefix declaration");
|
||||
cil_destroy_userprefix(userprefix);
|
||||
return rc;
|
||||
}
|
||||
@ -1566,8 +1544,7 @@ int cil_gen_selinuxuser(struct cil_db *db, struct cil_tree_node *parse_current,
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad selinuxuser declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad selinuxuser declaration");
|
||||
cil_destroy_selinuxuser(selinuxuser);
|
||||
return rc;
|
||||
}
|
||||
@ -1614,8 +1591,7 @@ int cil_gen_selinuxuserdefault(struct cil_db *db, struct cil_tree_node *parse_cu
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad selinuxuserdefault declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad selinuxuserdefault declaration");
|
||||
cil_destroy_selinuxuser(selinuxuser);
|
||||
return rc;
|
||||
}
|
||||
@ -1666,8 +1642,7 @@ int cil_gen_role(struct cil_db *db, struct cil_tree_node *parse_current, struct
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad role declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad role declaration");
|
||||
cil_destroy_role(role);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -1717,8 +1692,7 @@ int cil_gen_roletype(struct cil_db *db, struct cil_tree_node *parse_current, str
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad roletype declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad roletype declaration");
|
||||
cil_destroy_roletype(roletype);
|
||||
return rc;
|
||||
}
|
||||
@ -1764,8 +1738,7 @@ int cil_gen_userrole(struct cil_db *db, struct cil_tree_node *parse_current, str
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad userrole declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad userrole declaration");
|
||||
cil_destroy_userrole(userrole);
|
||||
return rc;
|
||||
}
|
||||
@ -1815,8 +1788,7 @@ int cil_gen_roletransition(struct cil_tree_node *parse_current, struct cil_tree_
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad roletransition rule at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad roletransition rule");
|
||||
cil_destroy_roletransition(roletrans);
|
||||
return rc;
|
||||
}
|
||||
@ -1862,8 +1834,7 @@ int cil_gen_roleallow(struct cil_db *db, struct cil_tree_node *parse_current, st
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad roleallow rule at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad roleallow rule");
|
||||
cil_destroy_roleallow(roleallow);
|
||||
return rc;
|
||||
}
|
||||
@ -1914,8 +1885,7 @@ int cil_gen_roleattribute(struct cil_db *db, struct cil_tree_node *parse_current
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad roleattribute declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad roleattribute declaration");
|
||||
cil_destroy_roleattribute(attr);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -1982,8 +1952,7 @@ int cil_gen_roleattributeset(struct cil_db *db, struct cil_tree_node *parse_curr
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad roleattributeset declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad roleattributeset declaration");
|
||||
cil_destroy_roleattributeset(attrset);
|
||||
|
||||
return rc;
|
||||
@ -2042,8 +2011,7 @@ int cil_gen_avrule(struct cil_tree_node *parse_current, struct cil_tree_node *as
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad allow rule at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad allow rule");
|
||||
cil_destroy_avrule(rule);
|
||||
return rc;
|
||||
}
|
||||
@ -2099,8 +2067,7 @@ int cil_fill_permissionx(struct cil_tree_node *parse_current, struct cil_permiss
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad permissionx content at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad permissionx content");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -2143,8 +2110,7 @@ int cil_gen_permissionx(struct cil_db *db, struct cil_tree_node *parse_current,
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad permissionx statement at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad permissionx statement");
|
||||
cil_destroy_permissionx(permx);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -2210,8 +2176,7 @@ int cil_gen_avrulex(struct cil_tree_node *parse_current, struct cil_tree_node *a
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad allowx rule at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad allowx rule");
|
||||
cil_destroy_avrule(rule);
|
||||
return rc;
|
||||
}
|
||||
@ -2253,8 +2218,7 @@ int cil_gen_type_rule(struct cil_tree_node *parse_current, struct cil_tree_node
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad type rule at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad type rule");
|
||||
cil_destroy_type_rule(rule);
|
||||
return rc;
|
||||
}
|
||||
@ -2306,8 +2270,7 @@ int cil_gen_type(struct cil_db *db, struct cil_tree_node *parse_current, struct
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad type declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad type declaration");
|
||||
cil_destroy_type(type);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -2361,8 +2324,7 @@ int cil_gen_typeattribute(struct cil_db *db, struct cil_tree_node *parse_current
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad typeattribute declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad typeattribute declaration");
|
||||
cil_destroy_typeattribute(attr);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -2439,11 +2401,9 @@ int cil_gen_bool(struct cil_db *db, struct cil_tree_node *parse_current, struct
|
||||
|
||||
exit:
|
||||
if (tunableif) {
|
||||
cil_log(CIL_ERR, "Bad tunable (treated as a boolean due to preserve-tunables) declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad tunable (treated as a boolean due to preserve-tunables) declaration");
|
||||
} else {
|
||||
cil_log(CIL_ERR, "Bad boolean declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad boolean declaration");
|
||||
}
|
||||
cil_destroy_bool(boolean);
|
||||
cil_clear_node(ast_node);
|
||||
@ -2504,8 +2464,7 @@ int cil_gen_tunable(struct cil_db *db, struct cil_tree_node *parse_current, stru
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad tunable declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad tunable declaration");
|
||||
cil_destroy_tunable(tunable);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -2880,11 +2839,9 @@ int cil_gen_boolif(struct cil_db *db, struct cil_tree_node *parse_current, struc
|
||||
|
||||
exit:
|
||||
if (tunableif) {
|
||||
cil_log(CIL_ERR, "Bad tunableif (treated as a booleanif due to preserve-tunables) declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad tunableif (treated as a booleanif due to preserve-tunables) declaration");
|
||||
} else {
|
||||
cil_log(CIL_ERR, "Bad booleanif declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad booleanif declaration");
|
||||
}
|
||||
cil_destroy_boolif(bif);
|
||||
return rc;
|
||||
@ -2964,8 +2921,7 @@ int cil_gen_tunif(struct cil_db *db, struct cil_tree_node *parse_current, struct
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad tunableif declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad tunableif declaration");
|
||||
cil_destroy_tunif(tif);
|
||||
return rc;
|
||||
}
|
||||
@ -3018,8 +2974,8 @@ int cil_gen_condblock(struct cil_db *db, struct cil_tree_node *parse_current, st
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad %s condition declaration at line %d of %s\n",
|
||||
(char*)parse_current->data, parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad %s condition declaration",
|
||||
(char*)parse_current->data);
|
||||
cil_destroy_condblock(cb);
|
||||
return rc;
|
||||
}
|
||||
@ -3079,8 +3035,7 @@ int cil_gen_alias(struct cil_db *db, struct cil_tree_node *parse_current, struct
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad %s declaration at line %d of %s\n",
|
||||
(char*)parse_current->data, parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad %s declaration", (char*)parse_current->data);
|
||||
cil_destroy_alias(alias);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -3137,8 +3092,7 @@ int cil_gen_aliasactual(struct cil_db *db, struct cil_tree_node *parse_current,
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad %s association at line %d of %s\n",
|
||||
cil_node_to_string(parse_current),parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad %s association", cil_node_to_string(parse_current));
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
}
|
||||
@ -3187,8 +3141,7 @@ int cil_gen_typeattributeset(struct cil_db *db, struct cil_tree_node *parse_curr
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad typeattributeset statement at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad typeattributeset statement");
|
||||
cil_destroy_typeattributeset(attrset);
|
||||
return rc;
|
||||
}
|
||||
@ -3235,8 +3188,7 @@ int cil_gen_typepermissive(struct cil_db *db, struct cil_tree_node *parse_curren
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad typepermissive declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad typepermissive declaration");
|
||||
cil_destroy_typepermissive(typeperm);
|
||||
return rc;
|
||||
}
|
||||
@ -3319,8 +3271,7 @@ int cil_gen_typetransition(struct cil_db *db, struct cil_tree_node *parse_curren
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad typetransition declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad typetransition declaration");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -3391,8 +3342,7 @@ int cil_gen_rangetransition(struct cil_db *db, struct cil_tree_node *parse_curre
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad rangetransition declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad rangetransition declaration");
|
||||
cil_destroy_rangetransition(rangetrans);
|
||||
return rc;
|
||||
}
|
||||
@ -3443,8 +3393,7 @@ int cil_gen_sensitivity(struct cil_db *db, struct cil_tree_node *parse_current,
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad sensitivity declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad sensitivity declaration");
|
||||
cil_destroy_sensitivity(sens);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -3496,8 +3445,7 @@ int cil_gen_category(struct cil_db *db, struct cil_tree_node *parse_current, str
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad category declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad category declaration");
|
||||
cil_destroy_category(cat);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -3552,8 +3500,7 @@ int cil_gen_catset(struct cil_db *db, struct cil_tree_node *parse_current, struc
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad categoryset declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad categoryset declaration");
|
||||
cil_destroy_catset(catset);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -3614,8 +3561,7 @@ int cil_gen_catorder(struct cil_db *db, struct cil_tree_node *parse_current, str
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad categoryorder declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad categoryorder declaration");
|
||||
cil_destroy_catorder(catorder);
|
||||
return rc;
|
||||
}
|
||||
@ -3675,8 +3621,7 @@ int cil_gen_sensitivityorder(struct cil_db *db, struct cil_tree_node *parse_curr
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad sensitivityorder declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad sensitivityorder declaration");
|
||||
cil_destroy_sensitivityorder(sensorder);
|
||||
return rc;
|
||||
}
|
||||
@ -3730,8 +3675,7 @@ int cil_gen_senscat(struct cil_db *db, struct cil_tree_node *parse_current, stru
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad sensitivitycategory declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad sensitivitycategory declaration");
|
||||
cil_destroy_senscat(senscat);
|
||||
return rc;
|
||||
}
|
||||
@ -3786,8 +3730,7 @@ int cil_gen_level(struct cil_db *db, struct cil_tree_node *parse_current, struct
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad level declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad level declaration");
|
||||
cil_destroy_level(level);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -3893,8 +3836,7 @@ int cil_gen_levelrange(struct cil_db *db, struct cil_tree_node *parse_current, s
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad levelrange declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad levelrange declaration");
|
||||
cil_destroy_levelrange(lvlrange);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -3958,8 +3900,7 @@ int cil_gen_constrain(struct cil_db *db, struct cil_tree_node *parse_current, st
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad constrain declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad constrain declaration");
|
||||
cil_destroy_constrain(cons);
|
||||
return rc;
|
||||
}
|
||||
@ -4013,8 +3954,7 @@ int cil_gen_validatetrans(struct cil_db *db, struct cil_tree_node *parse_current
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad validatetrans declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad validatetrans declaration");
|
||||
cil_destroy_validatetrans(validtrans);
|
||||
return rc;
|
||||
|
||||
@ -4118,8 +4058,7 @@ int cil_gen_context(struct cil_db *db, struct cil_tree_node *parse_current, stru
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad context declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad context declaration");
|
||||
cil_destroy_context(context);
|
||||
cil_clear_node(ast_node);
|
||||
return SEPOL_ERR;
|
||||
@ -4211,8 +4150,7 @@ int cil_gen_filecon(struct cil_db *db, struct cil_tree_node *parse_current, stru
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad filecon declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad filecon declaration");
|
||||
cil_destroy_filecon(filecon);
|
||||
return rc;
|
||||
}
|
||||
@ -4313,8 +4251,7 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad portcon declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad portcon declaration");
|
||||
cil_destroy_portcon(portcon);
|
||||
return rc;
|
||||
}
|
||||
@ -4395,8 +4332,7 @@ int cil_gen_nodecon(struct cil_db *db, struct cil_tree_node *parse_current, stru
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad nodecon declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad nodecon declaration");
|
||||
cil_destroy_nodecon(nodecon);
|
||||
return rc;
|
||||
}
|
||||
@ -4466,8 +4402,7 @@ int cil_gen_genfscon(struct cil_db *db, struct cil_tree_node *parse_current, str
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad genfscon declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad genfscon declaration");
|
||||
cil_destroy_genfscon(genfscon);
|
||||
return SEPOL_ERR;
|
||||
}
|
||||
@ -4540,8 +4475,7 @@ int cil_gen_netifcon(struct cil_db *db, struct cil_tree_node *parse_current, str
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad netifcon declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad netifcon declaration");
|
||||
cil_destroy_netifcon(netifcon);
|
||||
return SEPOL_ERR;
|
||||
}
|
||||
@ -4608,8 +4542,7 @@ int cil_gen_pirqcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad pirqcon declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad pirqcon declaration");
|
||||
cil_destroy_pirqcon(pirqcon);
|
||||
return rc;
|
||||
}
|
||||
@ -4694,8 +4627,7 @@ int cil_gen_iomemcon(struct cil_db *db, struct cil_tree_node *parse_current, str
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad iomemcon declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad iomemcon declaration");
|
||||
cil_destroy_iomemcon(iomemcon);
|
||||
return rc;
|
||||
}
|
||||
@ -4780,8 +4712,7 @@ int cil_gen_ioportcon(struct cil_db *db, struct cil_tree_node *parse_current, st
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad ioportcon declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad ioportcon declaration");
|
||||
cil_destroy_ioportcon(ioportcon);
|
||||
return rc;
|
||||
}
|
||||
@ -4844,8 +4775,7 @@ int cil_gen_pcidevicecon(struct cil_db *db, struct cil_tree_node *parse_current,
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad pcidevicecon declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad pcidevicecon declaration");
|
||||
cil_destroy_pcidevicecon(pcidevicecon);
|
||||
return rc;
|
||||
}
|
||||
@ -4905,8 +4835,7 @@ int cil_gen_devicetreecon(struct cil_db *db, struct cil_tree_node *parse_current
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad devicetreecon declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad devicetreecon declaration");
|
||||
cil_destroy_devicetreecon(devicetreecon);
|
||||
return rc;
|
||||
}
|
||||
@ -4981,8 +4910,7 @@ int cil_gen_fsuse(struct cil_db *db, struct cil_tree_node *parse_current, struct
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad fsuse declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad fsuse declaration");
|
||||
cil_destroy_fsuse(fsuse);
|
||||
return SEPOL_ERR;
|
||||
}
|
||||
@ -5139,8 +5067,7 @@ int cil_gen_macro(struct cil_db *db, struct cil_tree_node *parse_current, struct
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad macro declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad macro declaration");
|
||||
cil_destroy_macro(macro);
|
||||
cil_clear_node(ast_node);
|
||||
return SEPOL_ERR;
|
||||
@ -5198,8 +5125,7 @@ int cil_gen_call(struct cil_db *db, struct cil_tree_node *parse_current, struct
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad macro call at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad macro call");
|
||||
cil_destroy_call(call);
|
||||
return rc;
|
||||
}
|
||||
@ -5301,8 +5227,7 @@ int cil_gen_optional(struct cil_db *db, struct cil_tree_node *parse_current, str
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad optional at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad optional");
|
||||
cil_destroy_optional(optional);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -5350,8 +5275,7 @@ int cil_gen_policycap(struct cil_db *db, struct cil_tree_node *parse_current, st
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad policycap statement at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad policycap statement");
|
||||
cil_destroy_policycap(polcap);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -5406,8 +5330,7 @@ int cil_gen_ipaddr(struct cil_db *db, struct cil_tree_node *parse_current, struc
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad ipaddr statement at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad ipaddr statement");
|
||||
cil_destroy_ipaddr(ipaddr);
|
||||
cil_clear_node(ast_node);
|
||||
return rc;
|
||||
@ -5611,8 +5534,7 @@ int cil_gen_bounds(struct cil_db *db, struct cil_tree_node *parse_current, struc
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad bounds declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad bounds declaration");
|
||||
cil_destroy_bounds(bounds);
|
||||
return rc;
|
||||
}
|
||||
@ -5673,8 +5595,7 @@ int cil_gen_default(struct cil_tree_node *parse_current, struct cil_tree_node *a
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad %s declaration at line %d of %s\n",
|
||||
cil_node_to_string(parse_current), parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad %s declaration", cil_node_to_string(parse_current));
|
||||
cil_destroy_default(def);
|
||||
return rc;
|
||||
}
|
||||
@ -5760,8 +5681,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad defaultrange declaration at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad defaultrange declaration");
|
||||
cil_destroy_defaultrange(def);
|
||||
return rc;
|
||||
}
|
||||
@ -5821,8 +5741,7 @@ int cil_gen_handleunknown(struct cil_tree_node *parse_current, struct cil_tree_n
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad handleunknown at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad handleunknown");
|
||||
cil_destroy_handleunknown(unknown);
|
||||
return rc;
|
||||
}
|
||||
@ -5870,8 +5789,7 @@ int cil_gen_mls(struct cil_tree_node *parse_current, struct cil_tree_node *ast_n
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad mls at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Bad mls");
|
||||
cil_destroy_mls(mls);
|
||||
return rc;
|
||||
}
|
||||
@ -5881,6 +5799,27 @@ void cil_destroy_mls(struct cil_mls *mls)
|
||||
free(mls);
|
||||
}
|
||||
|
||||
int cil_gen_src_info(struct cil_tree_node *parse_current, struct cil_tree_node *ast_node)
|
||||
{
|
||||
/* No need to check syntax, because this is auto generated */
|
||||
struct cil_src_info *info = NULL;
|
||||
|
||||
cil_src_info_init(&info);
|
||||
|
||||
info->is_cil = (parse_current->next->data == CIL_KEY_SRC_CIL) ? CIL_TRUE : CIL_FALSE;
|
||||
info->path = parse_current->next->next->data;
|
||||
|
||||
ast_node->data = info;
|
||||
ast_node->flavor = CIL_SRC_INFO;
|
||||
|
||||
return SEPOL_OK;
|
||||
}
|
||||
|
||||
void cil_destroy_src_info(struct cil_src_info *info)
|
||||
{
|
||||
free(info);
|
||||
}
|
||||
|
||||
int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *finished, void *extra_args)
|
||||
{
|
||||
struct cil_args_build *args = NULL;
|
||||
@ -5915,7 +5854,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
|
||||
if (parse_current->parent->parent == NULL) {
|
||||
rc = SEPOL_OK;
|
||||
} else {
|
||||
cil_log(CIL_ERR, "Keyword expected after open parenthesis in line %d of %s\n", parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Keyword expected after open parenthesis");
|
||||
}
|
||||
goto exit;
|
||||
}
|
||||
@ -5928,7 +5867,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
|
||||
parse_current->data == CIL_KEY_BLOCKINHERIT ||
|
||||
parse_current->data == CIL_KEY_BLOCKABSTRACT) {
|
||||
rc = SEPOL_ERR;
|
||||
cil_log(CIL_ERR, "%s is not allowed in macros (%s:%d)\n", (char *)parse_current->data, parse_current->path, parse_current->line);
|
||||
cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in macros", (char *)parse_current->data);
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
@ -5944,8 +5883,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
|
||||
parse_current->data != CIL_KEY_TYPECHANGE &&
|
||||
parse_current->data != CIL_KEY_CALL) {
|
||||
rc = SEPOL_ERR;
|
||||
cil_log(CIL_ERR, "Found %s at line %d of %s\n",
|
||||
(char*)parse_current->data, parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Found %s", (char*)parse_current->data);
|
||||
if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
|
||||
cil_log(CIL_ERR, "%s cannot be defined within tunableif statement (treated as a booleanif due to preserve-tunables)\n",
|
||||
(char*)parse_current->data);
|
||||
@ -5960,8 +5898,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
|
||||
if (tunif != NULL) {
|
||||
if (parse_current->data == CIL_KEY_TUNABLE) {
|
||||
rc = SEPOL_ERR;
|
||||
cil_log(CIL_ERR, "Found tunable at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Found tunable");
|
||||
cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n");
|
||||
goto exit;
|
||||
}
|
||||
@ -5970,8 +5907,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
|
||||
if (in != NULL) {
|
||||
if (parse_current->data == CIL_KEY_IN) {
|
||||
rc = SEPOL_ERR;
|
||||
cil_log(CIL_ERR, "Found in-statement at line %d of %s\n",
|
||||
parse_current->line, parse_current->path);
|
||||
cil_tree_log(parse_current, CIL_ERR, "Found in-statement");
|
||||
cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n");
|
||||
goto exit;
|
||||
}
|
||||
@ -5981,7 +5917,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
|
||||
|
||||
ast_node->parent = ast_current;
|
||||
ast_node->line = parse_current->line;
|
||||
ast_node->path = parse_current->path;
|
||||
ast_node->hll_line = parse_current->hll_line;
|
||||
|
||||
if (parse_current->data == CIL_KEY_BLOCK) {
|
||||
rc = cil_gen_block(db, parse_current, ast_node, 0);
|
||||
@ -6244,8 +6180,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
|
||||
} else if (parse_current->data == CIL_KEY_MLS) {
|
||||
rc = cil_gen_mls(parse_current, ast_node);
|
||||
*finished = CIL_TREE_SKIP_NEXT;
|
||||
} else if (parse_current->data == CIL_KEY_SRC_INFO) {
|
||||
rc = cil_gen_src_info(parse_current, ast_node);
|
||||
} else {
|
||||
cil_log(CIL_ERR, "Error: Unknown keyword %s\n", (char*)parse_current->data);
|
||||
cil_log(CIL_ERR, "Error: Unknown keyword %s\n", (char *)parse_current->data);
|
||||
rc = SEPOL_ERR;
|
||||
}
|
||||
|
||||
@ -6266,7 +6204,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
|
||||
if (ast_current->flavor == CIL_IN) {
|
||||
args->in = ast_current;
|
||||
}
|
||||
|
||||
|
||||
ast_current->cl_head = ast_node;
|
||||
} else {
|
||||
ast_current->cl_tail->next = ast_node;
|
||||
|
||||
@ -215,6 +215,8 @@ int cil_gen_mls(struct cil_tree_node *parse_current, struct cil_tree_node *ast_n
|
||||
void cil_destroy_mls(struct cil_mls *mls);
|
||||
int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_node *ast_node);
|
||||
void cil_destroy_defaultrange(struct cil_defaultrange *def);
|
||||
int cil_gen_src_info(struct cil_tree_node *parse_current, struct cil_tree_node *ast_node);
|
||||
void cil_destroy_src_info(struct cil_src_info *info);
|
||||
|
||||
int cil_fill_cats(struct cil_tree_node *curr, struct cil_cats **cats);
|
||||
void cil_destroy_cats(struct cil_cats *cats);
|
||||
|
||||
@ -1666,6 +1666,21 @@ int cil_copy_bounds(__attribute__((unused)) struct cil_db *db, void *data, void
|
||||
return SEPOL_OK;
|
||||
}
|
||||
|
||||
int cil_copy_src_info(__attribute__((unused)) struct cil_db *db, void *data, void **copy, __attribute__((unused)) symtab_t *symtab)
|
||||
{
|
||||
struct cil_src_info *orig = data;
|
||||
struct cil_src_info *new = NULL;
|
||||
|
||||
cil_src_info_init(&new);
|
||||
|
||||
new->is_cil = orig->is_cil;
|
||||
new->path = orig->path;
|
||||
|
||||
*copy = new;
|
||||
|
||||
return SEPOL_OK;
|
||||
}
|
||||
|
||||
int __cil_copy_node_helper(struct cil_tree_node *orig, __attribute__((unused)) uint32_t *finished, void *extra_args)
|
||||
{
|
||||
int rc = SEPOL_ERR;
|
||||
@ -1942,6 +1957,9 @@ int __cil_copy_node_helper(struct cil_tree_node *orig, __attribute__((unused)) u
|
||||
case CIL_MLS:
|
||||
copy_func = &cil_copy_mls;
|
||||
break;
|
||||
case CIL_SRC_INFO:
|
||||
copy_func = &cil_copy_src_info;
|
||||
break;
|
||||
default:
|
||||
goto exit;
|
||||
}
|
||||
@ -1964,7 +1982,7 @@ int __cil_copy_node_helper(struct cil_tree_node *orig, __attribute__((unused)) u
|
||||
|
||||
new->parent = parent;
|
||||
new->line = orig->line;
|
||||
new->path = orig->path;
|
||||
new->hll_line = orig->hll_line;
|
||||
new->flavor = orig->flavor;
|
||||
new->data = data;
|
||||
|
||||
@ -1985,8 +2003,8 @@ int __cil_copy_node_helper(struct cil_tree_node *orig, __attribute__((unused)) u
|
||||
param = item->data;
|
||||
if (param->flavor == new->flavor) {
|
||||
if (param->str == ((struct cil_symtab_datum*)new->data)->name) {
|
||||
cil_log(CIL_ERR, "%s %s shadows a macro parameter (%s line:%d)\n", cil_node_to_string(new), ((struct cil_symtab_datum*)orig->data)->name, orig->path, orig->line);
|
||||
cil_log(CIL_ERR, "Note: macro declaration (%s line:%d)\n", namespace->path, namespace->line);
|
||||
cil_tree_log(orig, CIL_ERR, "%s %s shadows a macro parameter", cil_node_to_string(new), ((struct cil_symtab_datum*)orig->data)->name);
|
||||
cil_tree_log(namespace, CIL_ERR, "Note: macro declaration");
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
@ -111,6 +111,7 @@ enum cil_flavor {
|
||||
CIL_DEFAULTRANGE,
|
||||
CIL_HANDLEUNKNOWN,
|
||||
CIL_MLS,
|
||||
CIL_SRC_INFO,
|
||||
|
||||
/*
|
||||
* boolean constraint set catset
|
||||
|
||||
@ -121,7 +121,7 @@ static int __cil_fqn_qualify_blocks(__attribute__((unused)) hashtab_key_t k, has
|
||||
|
||||
exit:
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_ERR,"Problem qualifying names in block at line %d of %s\n", child_args.node->line, child_args.node->path);
|
||||
cil_tree_log(child_args.node, CIL_ERR,"Problem qualifying names in block");
|
||||
}
|
||||
|
||||
return rc;
|
||||
|
||||
@ -226,6 +226,9 @@ char *CIL_KEY_NEVERALLOWX;
|
||||
char *CIL_KEY_PERMISSIONX;
|
||||
char *CIL_KEY_IOCTL;
|
||||
char *CIL_KEY_UNORDERED;
|
||||
char *CIL_KEY_SRC_INFO;
|
||||
char *CIL_KEY_SRC_CIL;
|
||||
char *CIL_KEY_SRC_HLL;
|
||||
|
||||
/*
|
||||
Symbol Table Array Indices
|
||||
@ -917,6 +920,11 @@ struct cil_mls {
|
||||
int value;
|
||||
};
|
||||
|
||||
struct cil_src_info {
|
||||
int is_cil;
|
||||
char *path;
|
||||
};
|
||||
|
||||
void cil_db_init(struct cil_db **db);
|
||||
void cil_db_destroy(struct cil_db **db);
|
||||
|
||||
@ -1019,6 +1027,7 @@ void cil_default_init(struct cil_default **def);
|
||||
void cil_defaultrange_init(struct cil_defaultrange **def);
|
||||
void cil_handleunknown_init(struct cil_handleunknown **unk);
|
||||
void cil_mls_init(struct cil_mls **mls);
|
||||
void cil_src_info_init(struct cil_src_info **info);
|
||||
void cil_userattribute_init(struct cil_userattribute **attribute);
|
||||
void cil_userattributeset_init(struct cil_userattributeset **attrset);
|
||||
|
||||
|
||||
@ -37,8 +37,10 @@
|
||||
#define SYMBOL 3
|
||||
#define QSTRING 4
|
||||
#define COMMENT 5
|
||||
#define END_OF_FILE 6
|
||||
#define UNKNOWN 7
|
||||
#define HLL_LINEMARK 6
|
||||
#define NEWLINE 7
|
||||
#define END_OF_FILE 8
|
||||
#define UNKNOWN 9
|
||||
|
||||
struct token {
|
||||
uint32_t type;
|
||||
|
||||
@ -50,15 +50,17 @@ symbol ({digit}|{alpha}|{spec_char})+
|
||||
white [ \t]
|
||||
newline [\n\r]
|
||||
qstring \"[^"\n]*\"
|
||||
comment ;[^\n]*
|
||||
hll_lm ^;;\*
|
||||
comment ;
|
||||
|
||||
%%
|
||||
{newline} line++;
|
||||
{newline} line++; return NEWLINE;
|
||||
{hll_lm} value=yytext; return HLL_LINEMARK;
|
||||
{comment} value=yytext; return COMMENT;
|
||||
"(" value=yytext; return OPAREN;
|
||||
")" value=yytext; return CPAREN;
|
||||
")" value=yytext; return CPAREN;
|
||||
{symbol} value=yytext; return SYMBOL;
|
||||
{white} //cil_log(CIL_INFO, "white, ");
|
||||
{white} ;
|
||||
{qstring} value=yytext; return QSTRING;
|
||||
<<EOF>> return END_OF_FILE;
|
||||
. value=yytext; return UNKNOWN;
|
||||
@ -73,7 +75,7 @@ int cil_lexer_setup(char *buffer, uint32_t size)
|
||||
}
|
||||
|
||||
line = 1;
|
||||
|
||||
|
||||
return SEPOL_OK;
|
||||
}
|
||||
|
||||
@ -87,7 +89,6 @@ int cil_lexer_next(struct token *tok)
|
||||
tok->type = yylex();
|
||||
tok->value = value;
|
||||
tok->line = line;
|
||||
|
||||
|
||||
return SEPOL_OK;
|
||||
}
|
||||
|
||||
|
||||
@ -36,9 +36,165 @@
|
||||
#include "cil_internal.h"
|
||||
#include "cil_log.h"
|
||||
#include "cil_mem.h"
|
||||
#include "cil_tree.h"
|
||||
#include "cil_tree.h"
|
||||
#include "cil_lexer.h"
|
||||
#include "cil_strpool.h"
|
||||
#include "cil_stack.h"
|
||||
|
||||
char *CIL_KEY_HLL_LMS;
|
||||
char *CIL_KEY_HLL_LMX;
|
||||
char *CIL_KEY_HLL_LME;
|
||||
|
||||
struct hll_info {
|
||||
int hll_lineno;
|
||||
int hll_expand;
|
||||
};
|
||||
|
||||
static void push_hll_info(struct cil_stack *stack, int hll_lineno, int hll_expand)
|
||||
{
|
||||
struct hll_info *new = cil_malloc(sizeof(*new));
|
||||
|
||||
new->hll_lineno = hll_lineno;
|
||||
new->hll_expand = hll_expand;
|
||||
|
||||
cil_stack_push(stack, CIL_NONE, new);
|
||||
}
|
||||
|
||||
static void pop_hll_info(struct cil_stack *stack, int *hll_lineno, int *hll_expand)
|
||||
{
|
||||
struct cil_stack_item *curr = cil_stack_pop(stack);
|
||||
struct cil_stack_item *prev = cil_stack_peek(stack);
|
||||
struct hll_info *old;
|
||||
|
||||
free(curr->data);
|
||||
|
||||
if (!prev) {
|
||||
*hll_lineno = -1;
|
||||
*hll_expand = -1;
|
||||
} else {
|
||||
old = prev->data;
|
||||
*hll_lineno = old->hll_lineno;
|
||||
*hll_expand = old->hll_expand;
|
||||
}
|
||||
}
|
||||
|
||||
static void create_node(struct cil_tree_node **node, struct cil_tree_node *current, int line, int hll_line, void *value)
|
||||
{
|
||||
cil_tree_node_init(node);
|
||||
(*node)->parent = current;
|
||||
(*node)->flavor = CIL_NODE;
|
||||
(*node)->line = line;
|
||||
(*node)->hll_line = hll_line;
|
||||
(*node)->data = value;
|
||||
}
|
||||
|
||||
static void insert_node(struct cil_tree_node *node, struct cil_tree_node *current)
|
||||
{
|
||||
if (current->cl_head == NULL) {
|
||||
current->cl_head = node;
|
||||
} else {
|
||||
current->cl_tail->next = node;
|
||||
}
|
||||
current->cl_tail = node;
|
||||
}
|
||||
|
||||
static int add_hll_linemark(struct cil_tree_node **current, int *hll_lineno, int *hll_expand, struct cil_stack *stack, char *path)
|
||||
{
|
||||
char *hll_type;
|
||||
struct cil_tree_node *node;
|
||||
struct token tok;
|
||||
char *hll_file;
|
||||
char *end = NULL;
|
||||
|
||||
cil_lexer_next(&tok);
|
||||
hll_type = cil_strpool_add(tok.value);
|
||||
if (hll_type == CIL_KEY_HLL_LME) {
|
||||
if (cil_stack_is_empty(stack)) {
|
||||
cil_log(CIL_ERR, "Line mark end without start\n");
|
||||
goto exit;
|
||||
}
|
||||
pop_hll_info(stack, hll_lineno, hll_expand);
|
||||
*current = (*current)->parent;
|
||||
} else {
|
||||
create_node(&node, *current, tok.line, *hll_lineno, NULL);
|
||||
insert_node(node, *current);
|
||||
*current = node;
|
||||
|
||||
create_node(&node, *current, tok.line, *hll_lineno, CIL_KEY_SRC_INFO);
|
||||
insert_node(node, *current);
|
||||
|
||||
create_node(&node, *current, tok.line, *hll_lineno, CIL_KEY_SRC_HLL);
|
||||
insert_node(node, *current);
|
||||
|
||||
if (hll_type == CIL_KEY_HLL_LMS) {
|
||||
*hll_expand = 0;
|
||||
} else if (hll_type == CIL_KEY_HLL_LMX) {
|
||||
*hll_expand = 1;
|
||||
} else {
|
||||
cil_log(CIL_ERR, "Invalid line mark syntax\n");
|
||||
goto exit;
|
||||
}
|
||||
|
||||
cil_lexer_next(&tok);
|
||||
if (tok.type != SYMBOL) {
|
||||
cil_log(CIL_ERR, "Invalid line mark syntax\n");
|
||||
goto exit;
|
||||
}
|
||||
*hll_lineno = strtol(tok.value, &end, 10);
|
||||
if (errno == ERANGE || *end != '\0') {
|
||||
cil_log(CIL_ERR, "Problem parsing line number for line mark\n");
|
||||
goto exit;
|
||||
}
|
||||
|
||||
push_hll_info(stack, *hll_lineno, *hll_expand);
|
||||
|
||||
cil_lexer_next(&tok);
|
||||
if (tok.type != SYMBOL && tok.type != QSTRING) {
|
||||
cil_log(CIL_ERR, "Invalid line mark syntax\n");
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if (tok.type == QSTRING) {
|
||||
tok.value[strlen(tok.value) - 1] = '\0';
|
||||
tok.value = tok.value+1;
|
||||
}
|
||||
|
||||
hll_file = cil_strpool_add(tok.value);
|
||||
|
||||
create_node(&node, *current, tok.line, *hll_lineno, hll_file);
|
||||
insert_node(node, *current);
|
||||
}
|
||||
|
||||
cil_lexer_next(&tok);
|
||||
if (tok.type != NEWLINE) {
|
||||
cil_log(CIL_ERR, "Invalid line mark syntax\n");
|
||||
goto exit;
|
||||
}
|
||||
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Problem with high-level line mark at line %d of %s\n", tok.line, path);
|
||||
return SEPOL_ERR;
|
||||
}
|
||||
|
||||
static void add_cil_path(struct cil_tree_node **current, char *path)
|
||||
{
|
||||
struct cil_tree_node *node;
|
||||
|
||||
create_node(&node, *current, 0, 0, NULL);
|
||||
insert_node(node, *current);
|
||||
*current = node;
|
||||
|
||||
create_node(&node, *current, 0, 0, CIL_KEY_SRC_INFO);
|
||||
insert_node(node, *current);
|
||||
|
||||
create_node(&node, *current, 0, 0, CIL_KEY_SRC_CIL);
|
||||
insert_node(node, *current);
|
||||
|
||||
create_node(&node, *current, 0, 0, path);
|
||||
insert_node(node, *current);
|
||||
}
|
||||
|
||||
int cil_parser(char *_path, char *buffer, uint32_t size, struct cil_tree **parse_tree)
|
||||
{
|
||||
@ -47,89 +203,112 @@ int cil_parser(char *_path, char *buffer, uint32_t size, struct cil_tree **parse
|
||||
|
||||
struct cil_tree *tree = NULL;
|
||||
struct cil_tree_node *node = NULL;
|
||||
struct cil_tree_node *item = NULL;
|
||||
struct cil_tree_node *current = NULL;
|
||||
char *path = cil_strpool_add(_path);
|
||||
|
||||
struct cil_stack *stack;
|
||||
int hll_lineno = -1;
|
||||
int hll_expand = -1;
|
||||
struct token tok;
|
||||
int rc = SEPOL_OK;
|
||||
|
||||
CIL_KEY_HLL_LMS = cil_strpool_add("lms");
|
||||
CIL_KEY_HLL_LMX = cil_strpool_add("lmx");
|
||||
CIL_KEY_HLL_LME = cil_strpool_add("lme");
|
||||
|
||||
cil_stack_init(&stack);
|
||||
|
||||
cil_lexer_setup(buffer, size);
|
||||
|
||||
tree = *parse_tree;
|
||||
current = tree->root;
|
||||
current = tree->root;
|
||||
|
||||
add_cil_path(¤t, path);
|
||||
|
||||
do {
|
||||
cil_lexer_next(&tok);
|
||||
switch (tok.type) {
|
||||
case HLL_LINEMARK:
|
||||
rc = add_hll_linemark(¤t, &hll_lineno, &hll_expand, stack, path);
|
||||
if (rc != SEPOL_OK) {
|
||||
goto exit;
|
||||
}
|
||||
break;
|
||||
case OPAREN:
|
||||
paren_count++;
|
||||
cil_tree_node_init(&node);
|
||||
node->parent = current;
|
||||
node->flavor = CIL_NODE;
|
||||
node->line = tok.line;
|
||||
node->path = path;
|
||||
if (current->cl_head == NULL) {
|
||||
current->cl_head = node;
|
||||
} else {
|
||||
current->cl_tail->next = node;
|
||||
}
|
||||
current->cl_tail = node;
|
||||
|
||||
create_node(&node, current, tok.line, hll_lineno, NULL);
|
||||
insert_node(node, current);
|
||||
current = node;
|
||||
break;
|
||||
case CPAREN:
|
||||
paren_count--;
|
||||
if (paren_count < 0) {
|
||||
cil_log(CIL_ERR, "Close parenthesis without matching open at line %d of %s\n", tok.line, path);
|
||||
return SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
current = current->parent;
|
||||
break;
|
||||
case SYMBOL:
|
||||
case QSTRING:
|
||||
tok.value[strlen(tok.value) - 1] = '\0';
|
||||
tok.value = tok.value+1;
|
||||
case SYMBOL:
|
||||
if (paren_count == 0) {
|
||||
cil_log(CIL_ERR, "Symbol not inside parenthesis at line %d of %s\n", tok.line, path);
|
||||
return SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
cil_tree_node_init(&item);
|
||||
item->parent = current;
|
||||
if (tok.type == QSTRING) {
|
||||
tok.value[strlen(tok.value) - 1] = '\0';
|
||||
item->data = cil_strpool_add(tok.value + 1);
|
||||
} else {
|
||||
item->data = cil_strpool_add(tok.value);
|
||||
}
|
||||
item->flavor = CIL_NODE;
|
||||
item->line = tok.line;
|
||||
item->path = path;
|
||||
if (current->cl_head == NULL) {
|
||||
current->cl_head = item;
|
||||
} else {
|
||||
current->cl_tail->next = item;
|
||||
}
|
||||
current->cl_tail = item;
|
||||
|
||||
create_node(&node, current, tok.line, hll_lineno, cil_strpool_add(tok.value));
|
||||
insert_node(node, current);
|
||||
break;
|
||||
case END_OF_FILE:
|
||||
if (paren_count > 0) {
|
||||
cil_log(CIL_ERR, "Open parenthesis without matching close at line %d of %s\n", tok.line, path);
|
||||
return SEPOL_ERR;
|
||||
case NEWLINE :
|
||||
if (!hll_expand) {
|
||||
hll_lineno++;
|
||||
}
|
||||
break;
|
||||
case COMMENT:
|
||||
// ignore
|
||||
while (tok.type != NEWLINE && tok.type != END_OF_FILE) {
|
||||
cil_lexer_next(&tok);
|
||||
}
|
||||
if (!hll_expand) {
|
||||
hll_lineno++;
|
||||
}
|
||||
if (tok.type != END_OF_FILE) {
|
||||
break;
|
||||
}
|
||||
// Fall through if EOF
|
||||
case END_OF_FILE:
|
||||
if (paren_count > 0) {
|
||||
cil_log(CIL_ERR, "Open parenthesis without matching close at line %d of %s\n", tok.line, path);
|
||||
goto exit;
|
||||
}
|
||||
if (!cil_stack_is_empty(stack)) {
|
||||
cil_log(CIL_ERR, "High-level language line marker start without close at line %d of %s\n", tok.line, path);
|
||||
goto exit;
|
||||
}
|
||||
break;
|
||||
case UNKNOWN:
|
||||
cil_log(CIL_ERR, "Invalid token '%s' at line %d of %s\n", tok.value, tok.line, path);
|
||||
return SEPOL_ERR;
|
||||
goto exit;
|
||||
default:
|
||||
cil_log(CIL_ERR, "Unknown token type '%d' at line %d of %s\n", tok.type, tok.line, path);
|
||||
return SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
while (tok.type != END_OF_FILE);
|
||||
|
||||
cil_lexer_destroy();
|
||||
|
||||
cil_stack_destroy(&stack);
|
||||
|
||||
*parse_tree = tree;
|
||||
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
while (!cil_stack_is_empty(stack)) {
|
||||
pop_hll_info(stack, &hll_lineno, &hll_expand);
|
||||
}
|
||||
cil_stack_destroy(&stack);
|
||||
|
||||
return SEPOL_ERR;
|
||||
}
|
||||
|
||||
@ -497,7 +497,7 @@ int cil_resolve_alias_to_actual(struct cil_tree_node *current, enum cil_flavor f
|
||||
int limit = 2;
|
||||
|
||||
if (alias->actual == NULL) {
|
||||
cil_log(CIL_ERR, "Alias declared but not used at line %d of %s\n",current->line, current->path);
|
||||
cil_tree_log(current, CIL_ERR, "Alias declared but not used");
|
||||
return SEPOL_ERR;
|
||||
}
|
||||
|
||||
@ -1380,7 +1380,7 @@ struct cil_list *__cil_ordered_lists_merge_all(struct cil_list **ordered_lists,
|
||||
cil_list_for_each(curr, *ordered_lists) {
|
||||
struct cil_ordered_list *ordered_list = curr->data;
|
||||
if (ordered_list->merged == CIL_FALSE) {
|
||||
cil_log(CIL_ERR, "Unable to merge ordered list at line %d of %s\n",ordered_list->node->line, ordered_list->node->path);
|
||||
cil_tree_log(ordered_list->node, CIL_ERR, "Unable to merge ordered list");
|
||||
}
|
||||
}
|
||||
goto exit;
|
||||
@ -2252,12 +2252,10 @@ void cil_print_recursive_blockinherit(struct cil_tree_node *bi_node, struct cil_
|
||||
|
||||
cil_list_for_each(item, trace) {
|
||||
curr = item->data;
|
||||
cil_log(CIL_ERR, " %s:%d: ", curr->path, curr->line);
|
||||
|
||||
if (curr->flavor == CIL_BLOCK) {
|
||||
cil_log(CIL_ERR, "block %s\n", DATUM(curr->data)->name);
|
||||
cil_tree_log(curr, CIL_ERR, "block %s", DATUM(curr->data)->name);
|
||||
} else {
|
||||
cil_log(CIL_ERR, "blockinherit %s\n", ((struct cil_blockinherit *)curr->data)->block_str);
|
||||
cil_tree_log(curr, CIL_ERR, "blockinherit %s", ((struct cil_blockinherit *)curr->data)->block_str);
|
||||
}
|
||||
}
|
||||
|
||||
@ -2442,7 +2440,7 @@ int cil_resolve_in_list(void *extra_args)
|
||||
}
|
||||
|
||||
if (unresolved > 0 && resolved == 0) {
|
||||
cil_log(CIL_ERR, "Failed to resolve in-statement on line %d of %s\n", last_failed_node->line, last_failed_node->path);
|
||||
cil_tree_log(last_failed_node, CIL_ERR, "Failed to resolve in-statement");
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -2485,7 +2483,7 @@ int cil_resolve_bounds(struct cil_tree_node *current, void *extra_args, enum cil
|
||||
|
||||
if (user->bounds != NULL) {
|
||||
struct cil_tree_node *node = user->bounds->datum.nodes->head->data;
|
||||
cil_log(CIL_ERR, "User %s already bound by parent at line %u of %s\n", bounds->child_str, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "User %s already bound by parent", bounds->child_str);
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -2498,7 +2496,7 @@ int cil_resolve_bounds(struct cil_tree_node *current, void *extra_args, enum cil
|
||||
|
||||
if (role->bounds != NULL) {
|
||||
struct cil_tree_node *node = role->bounds->datum.nodes->head->data;
|
||||
cil_log(CIL_ERR, "Role %s already bound by parent at line %u of %s\n", bounds->child_str, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Role %s already bound by parent", bounds->child_str);
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -2512,8 +2510,8 @@ int cil_resolve_bounds(struct cil_tree_node *current, void *extra_args, enum cil
|
||||
|
||||
if (type->bounds != NULL) {
|
||||
node = ((struct cil_symtab_datum *)type->bounds)->nodes->head->data;
|
||||
cil_log(CIL_ERR, "Type %s already bound by parent at line %u of %s\n", bounds->child_str, node->line, node->path);
|
||||
cil_log(CIL_ERR, "Now being bound to parent %s at line %u of %s\n", bounds->parent_str, current->line, current->path);
|
||||
cil_tree_log(node, CIL_ERR, "Type %s already bound by parent", bounds->child_str);
|
||||
cil_tree_log(current, CIL_ERR, "Now being bound to parent %s", bounds->parent_str);
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -2542,7 +2540,7 @@ int cil_resolve_bounds(struct cil_tree_node *current, void *extra_args, enum cil
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Bad bounds statement at line %u of %s\n", current->line, current->path);
|
||||
cil_tree_log(current, CIL_ERR, "Bad bounds statement");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -2617,12 +2615,10 @@ void cil_print_recursive_call(struct cil_tree_node *call_node, struct cil_tree_n
|
||||
|
||||
cil_list_for_each(item, trace) {
|
||||
curr = item->data;
|
||||
cil_log(CIL_ERR, " %s:%d: ", curr->path, curr->line);
|
||||
|
||||
if (curr->flavor == CIL_MACRO) {
|
||||
cil_log(CIL_ERR, "macro %s\n", DATUM(curr->data)->name);
|
||||
cil_tree_log(curr, CIL_ERR, "macro %s", DATUM(curr->data)->name);
|
||||
} else {
|
||||
cil_log(CIL_ERR, "call %s\n", ((struct cil_call *)curr->data)->macro_str);
|
||||
cil_tree_log(curr, CIL_ERR, "call %s", ((struct cil_call *)curr->data)->macro_str);
|
||||
}
|
||||
}
|
||||
|
||||
@ -2700,7 +2696,7 @@ int cil_resolve_call1(struct cil_tree_node *current, void *extra_args)
|
||||
struct cil_tree_node *pc = NULL;
|
||||
|
||||
if (new_call->args_tree == NULL) {
|
||||
cil_log(CIL_ERR, "Missing arguments (%s, line: %d)\n", current->path, current->line);
|
||||
cil_tree_log(current, CIL_ERR, "Missing arguments");
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -2713,7 +2709,7 @@ int cil_resolve_call1(struct cil_tree_node *current, void *extra_args)
|
||||
enum cil_flavor flavor = ((struct cil_param*)item->data)->flavor;
|
||||
|
||||
if (pc == NULL) {
|
||||
cil_log(CIL_ERR, "Missing arguments (%s, line: %d)\n", current->path, current->line);
|
||||
cil_tree_log(current, CIL_ERR, "Missing arguments");
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -2890,12 +2886,12 @@ int cil_resolve_call1(struct cil_tree_node *current, void *extra_args)
|
||||
}
|
||||
|
||||
if (pc != NULL) {
|
||||
cil_log(CIL_ERR, "Unexpected arguments (%s, line: %d)\n", current->path, current->line);
|
||||
cil_tree_log(current, CIL_ERR, "Unexpected arguments");
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
} else if (new_call->args_tree != NULL) {
|
||||
cil_log(CIL_ERR, "Unexpected arguments (%s, line: %d)\n", current->path, current->line);
|
||||
cil_tree_log(current, CIL_ERR, "Unexpected arguments");
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -3593,7 +3589,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
|
||||
if (optstack != NULL) {
|
||||
if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) {
|
||||
/* tuanbles and macros are not allowed in optionals*/
|
||||
cil_log(CIL_ERR, "%s statement is not allowed in optionals (%s:%d)\n", cil_node_to_string(node), node->path, node->line);
|
||||
cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -3601,7 +3597,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
|
||||
|
||||
if (blockstack != NULL) {
|
||||
if (node->flavor == CIL_CAT || node->flavor == CIL_SENS) {
|
||||
cil_log(CIL_ERR, "%s statement is not allowed in blocks (%s:%d)\n", cil_node_to_string(node), node->path, node->line);
|
||||
cil_tree_log(node, CIL_ERR, "%s statement is not allowed in blocks", cil_node_to_string(node));
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -3612,7 +3608,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
|
||||
node->flavor == CIL_BLOCK ||
|
||||
node->flavor == CIL_BLOCKABSTRACT ||
|
||||
node->flavor == CIL_MACRO) {
|
||||
cil_log(CIL_ERR, "%s statement is not allowed in macros (%s:%d)\n", cil_node_to_string(node), node->path, node->line);
|
||||
cil_tree_log(node, CIL_ERR, "%s statement is not allowed in macros", cil_node_to_string(node));
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -3626,9 +3622,9 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
|
||||
node->flavor == CIL_TUNABLEIF ||
|
||||
node->flavor == CIL_NAMETYPETRANSITION)) {
|
||||
if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
|
||||
cil_log(CIL_ERR, "%s statement is not allowed in booleanifs (tunableif treated as a booleanif) (%s:%d)\n", cil_node_to_string(node), node->path, node->line);
|
||||
cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs (tunableif treated as a booleanif)", cil_node_to_string(node));
|
||||
} else {
|
||||
cil_log(CIL_ERR, "%s statement is not allowed in booleanifs (%s:%d)\n", cil_node_to_string(node), node->path, node->line);
|
||||
cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs", cil_node_to_string(node));
|
||||
}
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
@ -3658,14 +3654,13 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
|
||||
|
||||
struct cil_optional *opt = (struct cil_optional *)optstack->data;
|
||||
struct cil_tree_node *opt_node = opt->datum.nodes->head->data;
|
||||
cil_log(lvl, "Disabling optional '%s' at line %d of %s: ", opt->datum.name, opt_node->line, opt_node->path);
|
||||
cil_tree_log(opt_node, lvl, "Disabling optional '%s'", opt->datum.name);
|
||||
/* disable an optional if something failed to resolve */
|
||||
opt->enabled = CIL_FALSE;
|
||||
rc = SEPOL_OK;
|
||||
}
|
||||
|
||||
cil_log(lvl, "Failed to resolve '%s' in %s statement at line %d of %s\n",
|
||||
args->last_resolved_name, cil_node_to_string(node), node->line, node->path);
|
||||
cil_tree_log(node, lvl, "Failed to resolve '%s' in %s statement", args->last_resolved_name, cil_node_to_string(node));
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
||||
@ -59,6 +59,92 @@ __attribute__((noreturn)) __attribute__((format (printf, 1, 2))) void cil_tree_e
|
||||
exit(1);
|
||||
}
|
||||
|
||||
struct cil_tree_node *cil_tree_get_next_path(struct cil_tree_node *node, char **path, int* is_cil)
|
||||
{
|
||||
if (!node) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
node = node->parent;
|
||||
|
||||
while (node) {
|
||||
if (node->flavor == CIL_NODE && node->data == NULL) {
|
||||
if (node->cl_head->data == CIL_KEY_SRC_INFO) {
|
||||
/* Parse Tree */
|
||||
*path = node->cl_head->next->next->data;
|
||||
*is_cil = (node->cl_head->next->data == CIL_KEY_SRC_CIL);
|
||||
return node;
|
||||
}
|
||||
node = node->parent;
|
||||
} else if (node->flavor == CIL_SRC_INFO) {
|
||||
/* AST */
|
||||
struct cil_src_info *info = node->data;
|
||||
*path = info->path;
|
||||
*is_cil = info->is_cil;
|
||||
return node;
|
||||
} else {
|
||||
if (node->flavor == CIL_CALL) {
|
||||
struct cil_call *call = node->data;
|
||||
node = NODE(call->macro);
|
||||
} else if (node->flavor == CIL_BLOCKINHERIT) {
|
||||
struct cil_blockinherit *inherit = node->data;
|
||||
node = NODE(inherit->block);
|
||||
} else {
|
||||
node = node->parent;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
char *cil_tree_get_cil_path(struct cil_tree_node *node)
|
||||
{
|
||||
char *path = NULL;
|
||||
int is_cil;
|
||||
|
||||
while (node) {
|
||||
node = cil_tree_get_next_path(node, &path, &is_cil);
|
||||
if (node && is_cil) {
|
||||
return path;
|
||||
}
|
||||
}
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
__attribute__((format (printf, 3, 4))) void cil_tree_log(struct cil_tree_node *node, enum cil_log_level lvl, const char* msg, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
va_start(ap, msg);
|
||||
cil_vlog(lvl, msg, ap);
|
||||
va_end(ap);
|
||||
|
||||
if (node) {
|
||||
char *path = NULL;
|
||||
int is_cil;
|
||||
unsigned hll_line = node->hll_line;
|
||||
|
||||
path = cil_tree_get_cil_path(node);
|
||||
|
||||
if (path != NULL) {
|
||||
cil_log(lvl, " at %s:%d", path, node->line);
|
||||
}
|
||||
|
||||
while (node) {
|
||||
node = cil_tree_get_next_path(node, &path, &is_cil);
|
||||
if (node && !is_cil) {
|
||||
cil_log(lvl," from %s:%d", path, hll_line);
|
||||
path = NULL;
|
||||
hll_line = node->hll_line;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
cil_log(lvl,"\n");
|
||||
}
|
||||
|
||||
int cil_tree_init(struct cil_tree **tree)
|
||||
{
|
||||
struct cil_tree *new_tree = cil_malloc(sizeof(*new_tree));
|
||||
@ -128,8 +214,8 @@ void cil_tree_node_init(struct cil_tree_node **node)
|
||||
new_node->data = NULL;
|
||||
new_node->next = NULL;
|
||||
new_node->flavor = CIL_ROOT;
|
||||
new_node->line = 0;
|
||||
new_node->path = NULL;
|
||||
new_node->line = 0;
|
||||
new_node->hll_line = 0;
|
||||
|
||||
*node = new_node;
|
||||
}
|
||||
@ -185,7 +271,7 @@ int cil_tree_walk_core(struct cil_tree_node *node,
|
||||
if (process_node != NULL) {
|
||||
rc = (*process_node)(node, &finished, extra_args);
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_INFO, "Problem at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_INFO, "Problem");
|
||||
return rc;
|
||||
}
|
||||
}
|
||||
@ -222,7 +308,7 @@ int cil_tree_walk(struct cil_tree_node *node,
|
||||
if (first_child != NULL) {
|
||||
rc = (*first_child)(node->cl_head, extra_args);
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_INFO, "Problem at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_INFO, "Problem");
|
||||
return rc;
|
||||
}
|
||||
}
|
||||
@ -235,7 +321,7 @@ int cil_tree_walk(struct cil_tree_node *node,
|
||||
if (last_child != NULL) {
|
||||
rc = (*last_child)(node->cl_tail, extra_args);
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_INFO, "Problem at line %d of %s\n",node->line, node->path);
|
||||
cil_tree_log(node, CIL_INFO, "Problem");
|
||||
return rc;
|
||||
}
|
||||
}
|
||||
|
||||
@ -46,10 +46,14 @@ struct cil_tree_node {
|
||||
struct cil_tree_node *next; //Each element in the list points to the next element
|
||||
enum cil_flavor flavor;
|
||||
uint32_t line;
|
||||
char *path;
|
||||
uint32_t hll_line;
|
||||
void *data;
|
||||
};
|
||||
|
||||
struct cil_tree_node *cil_tree_get_next_path(struct cil_tree_node *node, char **path, int* is_cil);
|
||||
char *cil_tree_get_cil_path(struct cil_tree_node *node);
|
||||
__attribute__((format (printf, 3, 4))) void cil_tree_log(struct cil_tree_node *node, enum cil_log_level lvl, const char* msg, ...);
|
||||
|
||||
int cil_tree_init(struct cil_tree **tree);
|
||||
void cil_tree_destroy(struct cil_tree **tree);
|
||||
void cil_tree_subtree_destroy(struct cil_tree_node *node);
|
||||
|
||||
@ -377,25 +377,25 @@ int __cil_verify_ordered_node_helper(struct cil_tree_node *node, __attribute__((
|
||||
if (node->flavor == CIL_SID) {
|
||||
struct cil_sid *sid = node->data;
|
||||
if (sid->ordered == CIL_FALSE) {
|
||||
cil_log(CIL_ERR, "SID %s not in sidorder statement at line %d of %s\n", sid->datum.name, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "SID %s not in sidorder statement", sid->datum.name);
|
||||
return SEPOL_ERR;
|
||||
}
|
||||
} else if (node->flavor == CIL_CLASS) {
|
||||
struct cil_class *class = node->data;
|
||||
if (class->ordered == CIL_FALSE) {
|
||||
cil_log(CIL_ERR, "Class %s not in classorder statement at line %d of %s\n", class->datum.name, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Class %s not in classorder statement", class->datum.name);
|
||||
return SEPOL_ERR;
|
||||
}
|
||||
} else if (node->flavor == CIL_CAT) {
|
||||
struct cil_cat *cat = node->data;
|
||||
if (cat->ordered == CIL_FALSE) {
|
||||
cil_log(CIL_ERR, "Category %s not in categoryorder statement at line %d of %s\n", cat->datum.name, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Category %s not in categoryorder statement", cat->datum.name);
|
||||
return SEPOL_ERR;
|
||||
}
|
||||
} else if (node->flavor == CIL_SENS) {
|
||||
struct cil_sens *sens = node->data;
|
||||
if (sens->ordered == CIL_FALSE) {
|
||||
cil_log(CIL_ERR, "Sensitivity %s not in sensitivityorder statement at line %d of %s\n", sens->datum.name, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Sensitivity %s not in sensitivityorder statement", sens->datum.name);
|
||||
return SEPOL_ERR;
|
||||
}
|
||||
}
|
||||
@ -430,7 +430,7 @@ int __cil_verify_initsids(struct cil_list *sids)
|
||||
struct cil_sid *sid = i->data;
|
||||
if (sid->context == NULL) {
|
||||
struct cil_tree_node *node = sid->datum.nodes->head->data;
|
||||
cil_log(CIL_ERR, "No context assigned to SID %s declared at line %d in %s\n",sid->datum.name, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "No context assigned to SID %s declared",sid->datum.name);
|
||||
rc = SEPOL_ERR;
|
||||
}
|
||||
}
|
||||
@ -598,7 +598,7 @@ int __cil_verify_named_levelrange(struct cil_db *db, struct cil_tree_node *node)
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid named range at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid named range");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -638,7 +638,7 @@ static int __cil_verify_user_pre_eval(struct cil_tree_node *node)
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid user at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid user");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -657,7 +657,7 @@ static int __cil_verify_user_post_eval(struct cil_db *db, struct cil_tree_node *
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid user at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid user");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -688,7 +688,7 @@ int __cil_verify_role(struct cil_tree_node *node)
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid role at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid role");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -719,7 +719,7 @@ int __cil_verify_type(struct cil_tree_node *node)
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid type at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid type");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -813,7 +813,7 @@ int __cil_verify_named_context(struct cil_db *db, struct cil_tree_node *node)
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid named context at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid named context");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -852,8 +852,7 @@ int __cil_verify_rule(struct cil_tree_node *node, struct cil_complex_symtab *sym
|
||||
struct cil_complex_symtab_datum *datum = NULL;
|
||||
cil_complex_symtab_search(symtab, &ckey, &datum);
|
||||
if (datum == NULL) {
|
||||
cil_log(CIL_ERR, "Duplicate rule defined on line %d of %s\n",
|
||||
node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Duplicate rule defined");
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -861,7 +860,7 @@ int __cil_verify_rule(struct cil_tree_node *node, struct cil_complex_symtab *sym
|
||||
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid rule at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid rule");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -877,11 +876,9 @@ int __cil_verify_booleanif_helper(struct cil_tree_node *node, __attribute__((unu
|
||||
avrule = rule_node->data;
|
||||
if (avrule->rule_kind == CIL_AVRULE_NEVERALLOW) {
|
||||
if (bif->preserved_tunable) {
|
||||
cil_log(CIL_ERR, "Neverallow found in tunableif block (treated as a booleanif due to preserve-tunables) at line %d or %s\n",
|
||||
node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Neverallow found in tunableif block (treated as a booleanif due to preserve-tunables)");
|
||||
} else {
|
||||
cil_log(CIL_ERR, "Neverallow found in booleanif block at line %d or %s\n",
|
||||
node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Neverallow found in booleanif block");
|
||||
}
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
@ -942,11 +939,9 @@ int __cil_verify_booleanif_helper(struct cil_tree_node *node, __attribute__((unu
|
||||
default: {
|
||||
const char * flavor = cil_node_to_string(node);
|
||||
if (bif->preserved_tunable) {
|
||||
cil_log(CIL_ERR, "Invalid %s statement in tunableif (treated as a booleanif due to preserve-tunables) at line %d of %s\n",
|
||||
flavor, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid %s statement in tunableif (treated as a booleanif due to preserve-tunables)", flavor);
|
||||
} else {
|
||||
cil_log(CIL_ERR, "Invalid %s statement in booleanif at line %d of %s\n",
|
||||
flavor, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid %s statement in booleanif", flavor);
|
||||
}
|
||||
goto exit;
|
||||
}
|
||||
@ -974,9 +969,9 @@ int __cil_verify_booleanif(struct cil_tree_node *node, struct cil_complex_symtab
|
||||
return SEPOL_OK;
|
||||
exit:
|
||||
if (bif->preserved_tunable) {
|
||||
cil_log(CIL_ERR, "Invalid tunableif (treated as a booleanif due to preserve-tunables) at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid tunableif (treated as a booleanif due to preserve-tunables)");
|
||||
} else {
|
||||
cil_log(CIL_ERR, "Invalid booleanif at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid booleanif");
|
||||
}
|
||||
return rc;
|
||||
}
|
||||
@ -1007,7 +1002,7 @@ int __cil_verify_netifcon(struct cil_db *db, struct cil_tree_node *node)
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid netifcon at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid netifcon");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -1028,7 +1023,7 @@ int __cil_verify_genfscon(struct cil_db *db, struct cil_tree_node *node)
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid genfscon at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid genfscon");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -1047,8 +1042,7 @@ int __cil_verify_filecon(struct cil_db *db, struct cil_tree_node *node)
|
||||
if (ctx->datum.name == NULL) {
|
||||
rc = __cil_verify_context(db, ctx);
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_ERR, "Invalid filecon at line %d of %s\n",
|
||||
node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid filecon");
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
@ -1076,7 +1070,7 @@ int __cil_verify_nodecon(struct cil_db *db, struct cil_tree_node *node)
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid nodecon at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid nodecon");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -1097,7 +1091,7 @@ int __cil_verify_portcon(struct cil_db *db, struct cil_tree_node *node)
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid portcon at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid portcon");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -1118,7 +1112,7 @@ int __cil_verify_pirqcon(struct cil_db *db, struct cil_tree_node *node)
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid pirqcon at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid pirqcon");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -1139,7 +1133,7 @@ int __cil_verify_iomemcon(struct cil_db *db, struct cil_tree_node *node)
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid iomemcon at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid iomemcon");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -1160,7 +1154,7 @@ int __cil_verify_ioportcon(struct cil_db *db, struct cil_tree_node *node)
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid ioportcon at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid ioportcon");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -1181,7 +1175,7 @@ int __cil_verify_pcidevicecon(struct cil_db *db, struct cil_tree_node *node)
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid pcidevicecon at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid pcidevicecon");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -1202,7 +1196,7 @@ int __cil_verify_devicetreecon(struct cil_db *db, struct cil_tree_node *node)
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid devicetreecon at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid devicetreecon");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -1223,7 +1217,7 @@ int __cil_verify_fsuse(struct cil_db *db, struct cil_tree_node *node)
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid fsuse at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid fsuse");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -1241,7 +1235,7 @@ int __cil_verify_permissionx(struct cil_permissionx *permx, struct cil_tree_node
|
||||
kind_str = CIL_KEY_IOCTL;
|
||||
break;
|
||||
default:
|
||||
cil_log(CIL_ERR, "Invalid permissionx kind (%d) at line %d of %s\n", permx->kind, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid permissionx kind (%d)", permx->kind);
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -1257,7 +1251,7 @@ int __cil_verify_permissionx(struct cil_permissionx *permx, struct cil_tree_node
|
||||
}
|
||||
|
||||
if (rc == SEPOL_ENOENT) {
|
||||
cil_log(CIL_ERR, "Invalid permissionx at line %d of %s: %s is not a permission of class %s\n", node->line, node->path, kind_str, class->datum.name);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid permissionx: %s is not a permission of class %s", kind_str, class->datum.name);
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
@ -1312,7 +1306,7 @@ int __cil_verify_class(struct cil_tree_node *node)
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid class at line %d of %s\n", node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid class");
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -1329,8 +1323,7 @@ int __cil_verify_policycap(struct cil_tree_node *node)
|
||||
return SEPOL_OK;
|
||||
|
||||
exit:
|
||||
cil_log(CIL_ERR, "Invalid policycap (%s) at line %d of %s\n",
|
||||
(const char*)polcap->datum.name, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Invalid policycap (%s)", (const char*)polcap->datum.name);
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -1547,14 +1540,14 @@ static int __cil_verify_classpermission(struct cil_tree_node *node)
|
||||
struct cil_classpermission *cp = node->data;
|
||||
|
||||
if (cp->classperms == NULL) {
|
||||
cil_log(CIL_ERR, "Classpermission %s does not have a classpermissionset at line %d of %s\n", cp->datum.name, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Classpermission %s does not have a classpermissionset", cp->datum.name);
|
||||
rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
rc = __cil_verify_classperms(cp->classperms, &cp->datum);
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_ERR, "Found circular class permissions involving the set %s at line %d of %s\n",cp->datum.name, node->line, node->path);
|
||||
cil_tree_log(node, CIL_ERR, "Found circular class permissions involving the set %s",cp->datum.name);
|
||||
goto exit;
|
||||
}
|
||||
|
||||
@ -1577,14 +1570,14 @@ static int __verify_map_perm_classperms(__attribute__((unused)) hashtab_key_t k,
|
||||
struct cil_perm *cmp = (struct cil_perm *)d;
|
||||
|
||||
if (cmp->classperms == NULL) {
|
||||
cil_log(CIL_ERR, "Map class %s does not have a classmapping for %s at line %d of %s\n", map_args->class->datum.name, cmp->datum.name, map_args->node->line, map_args->node->path);
|
||||
cil_tree_log(map_args->node, CIL_ERR, "Map class %s does not have a classmapping for %s", map_args->class->datum.name, cmp->datum.name);
|
||||
map_args->rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
rc = __cil_verify_classperms(cmp->classperms, &cmp->datum);
|
||||
if (rc != SEPOL_OK) {
|
||||
cil_log(CIL_ERR, "Found circular class permissions involving the map class %s and permission %s at line %d of %s\n", map_args->class->datum.name, cmp->datum.name, map_args->node->line, map_args->node->path);
|
||||
cil_tree_log(map_args->node, CIL_ERR, "Found circular class permissions involving the map class %s and permission %s", map_args->class->datum.name, cmp->datum.name);
|
||||
map_args->rc = SEPOL_ERR;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
@ -76,7 +76,7 @@ relabel:
|
||||
/sbin/restorecon $(SHLIBDIR)/$(LIBSO)
|
||||
|
||||
clean:
|
||||
-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) $(CIL_GENERATED)
|
||||
-rm -f $(LIBPC) $(LIBMAP) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) $(CIL_GENERATED)
|
||||
|
||||
indent:
|
||||
../../scripts/Lindent $(wildcard *.[ch])
|
||||
|
||||
@ -147,8 +147,8 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
|
||||
avtab_key_t tmp_key;
|
||||
avtab_extended_perms_t *xperms;
|
||||
avtab_extended_perms_t error;
|
||||
ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1];
|
||||
ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1];
|
||||
ebitmap_t *sattr = &p->type_attr_map[stype];
|
||||
ebitmap_t *tattr = &p->type_attr_map[ttype];
|
||||
ebitmap_node_t *snode, *tnode;
|
||||
unsigned int i, j;
|
||||
int rc = 1;
|
||||
@ -174,14 +174,14 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
|
||||
continue;
|
||||
|
||||
rc = check_extended_permissions(avrule->xperms, xperms);
|
||||
/* failure on the extended permission check_extended_permissionss */
|
||||
/* failure on the extended permission check_extended_permissions */
|
||||
if (rc) {
|
||||
extended_permissions_violated(&error, avrule->xperms, xperms);
|
||||
ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
|
||||
"allowxperm %s %s:%s %s;",
|
||||
avrule->source_line, avrule->source_filename, avrule->line,
|
||||
p->p_type_val_to_name[stype],
|
||||
p->p_type_val_to_name[ttype],
|
||||
p->p_type_val_to_name[i],
|
||||
p->p_type_val_to_name[j],
|
||||
p->p_class_val_to_name[curperm->tclass - 1],
|
||||
sepol_extended_perms_to_string(&error));
|
||||
|
||||
@ -317,29 +317,19 @@ oom:
|
||||
}
|
||||
|
||||
/*
|
||||
* If the ioctl permission is granted in check_assertion_avtab_match for the
|
||||
* source/target/class matching the current avrule neverallow, a lookup is
|
||||
* performed to determine if extended permissions exist for the source/target/class.
|
||||
*
|
||||
* Four scenarios of interest:
|
||||
* 1. PASS - the ioctl permission is not granted for this source/target/class
|
||||
* This case is handled in check_assertion_avtab_match
|
||||
* 2. PASS - The ioctl permission is granted AND the extended permission
|
||||
* is NOT granted
|
||||
* 3. FAIL - The ioctl permission is granted AND no extended permissions
|
||||
* exist
|
||||
* 4. FAIL - The ioctl permission is granted AND the extended permission is
|
||||
* granted
|
||||
* Look up the extended permissions in avtab and verify that neverallowed
|
||||
* permissions are not granted.
|
||||
*/
|
||||
static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab,
|
||||
static int check_assertion_extended_permissions_avtab(avrule_t *avrule, avtab_t *avtab,
|
||||
unsigned int stype, unsigned int ttype,
|
||||
avtab_key_t *k, policydb_t *p)
|
||||
{
|
||||
avtab_ptr_t node;
|
||||
avtab_key_t tmp_key;
|
||||
avtab_extended_perms_t *xperms;
|
||||
av_extended_perms_t *neverallow_xperms = avrule->xperms;
|
||||
ebitmap_t *sattr = &p->type_attr_map[k->source_type - 1];
|
||||
ebitmap_t *tattr = &p->type_attr_map[k->target_type - 1];
|
||||
ebitmap_t *sattr = &p->type_attr_map[stype];
|
||||
ebitmap_t *tattr = &p->type_attr_map[ttype];
|
||||
ebitmap_node_t *snode, *tnode;
|
||||
unsigned int i, j;
|
||||
int rc = 1;
|
||||
@ -373,6 +363,89 @@ static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab
|
||||
return rc;
|
||||
}
|
||||
|
||||
/*
|
||||
* When the ioctl permission is granted on an avtab entry that matches an
|
||||
* avrule neverallowxperm entry, enumerate over the matching
|
||||
* source/target/class sets to determine if the extended permissions exist
|
||||
* and if the neverallowed ioctls are granted.
|
||||
*
|
||||
* Four scenarios of interest:
|
||||
* 1. PASS - the ioctl permission is not granted for this source/target/class
|
||||
* This case is handled in check_assertion_avtab_match
|
||||
* 2. PASS - The ioctl permission is granted AND the extended permission
|
||||
* is NOT granted
|
||||
* 3. FAIL - The ioctl permission is granted AND no extended permissions
|
||||
* exist
|
||||
* 4. FAIL - The ioctl permission is granted AND the extended permission is
|
||||
* granted
|
||||
*/
|
||||
static int check_assertion_extended_permissions(avrule_t *avrule, avtab_t *avtab,
|
||||
avtab_key_t *k, policydb_t *p)
|
||||
{
|
||||
ebitmap_t src_matches, tgt_matches, matches;
|
||||
unsigned int i, j;
|
||||
ebitmap_node_t *snode, *tnode;
|
||||
class_perm_node_t *cp;
|
||||
int rc;
|
||||
int ret = 1;
|
||||
|
||||
ebitmap_init(&src_matches);
|
||||
ebitmap_init(&tgt_matches);
|
||||
ebitmap_init(&matches);
|
||||
rc = ebitmap_and(&src_matches, &avrule->stypes.types,
|
||||
&p->attr_type_map[k->source_type - 1]);
|
||||
if (rc)
|
||||
goto oom;
|
||||
|
||||
if (ebitmap_length(&src_matches) == 0)
|
||||
goto exit;
|
||||
|
||||
if (avrule->flags == RULE_SELF) {
|
||||
rc = ebitmap_and(&matches, &p->attr_type_map[k->source_type - 1],
|
||||
&p->attr_type_map[k->target_type - 1]);
|
||||
if (rc)
|
||||
goto oom;
|
||||
rc = ebitmap_and(&tgt_matches, &avrule->stypes.types, &matches);
|
||||
if (rc)
|
||||
goto oom;
|
||||
} else {
|
||||
rc = ebitmap_and(&tgt_matches, &avrule->ttypes.types,
|
||||
&p->attr_type_map[k->target_type -1]);
|
||||
if (rc)
|
||||
goto oom;
|
||||
}
|
||||
|
||||
if (ebitmap_length(&tgt_matches) == 0)
|
||||
goto exit;
|
||||
|
||||
for (cp = avrule->perms; cp; cp = cp->next) {
|
||||
if (cp->tclass != k->target_class)
|
||||
continue;
|
||||
ebitmap_for_each_bit(&src_matches, snode, i) {
|
||||
if (!ebitmap_node_get_bit(snode, i))
|
||||
continue;
|
||||
ebitmap_for_each_bit(&tgt_matches, tnode, j) {
|
||||
if (!ebitmap_node_get_bit(tnode, j))
|
||||
continue;
|
||||
|
||||
ret = check_assertion_extended_permissions_avtab(
|
||||
avrule, avtab, i, j, k, p);
|
||||
if (ret)
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
goto exit;
|
||||
|
||||
oom:
|
||||
ERR(NULL, "Out of memory - unable to check neverallows");
|
||||
|
||||
exit:
|
||||
ebitmap_destroy(&src_matches);
|
||||
ebitmap_destroy(&tgt_matches);
|
||||
ebitmap_destroy(&matches);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *args)
|
||||
{
|
||||
@ -382,7 +455,7 @@ static int check_assertion_avtab_match(avtab_key_t *k, avtab_datum_t *d, void *a
|
||||
avrule_t *avrule = a->avrule;
|
||||
avtab_t *avtab = a->avtab;
|
||||
|
||||
if (k->specified != AVTAB_ALLOWED && k->specified != AVTAB_XPERMS_ALLOWED)
|
||||
if (k->specified != AVTAB_ALLOWED)
|
||||
goto exit;
|
||||
|
||||
if (!match_any_class_permissions(avrule->perms, k->target_class, d->data))
|
||||
|
||||
@ -301,20 +301,21 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p,
|
||||
ebitmap_for_each_bit(&p->attr_type_map[tgt - 1], tnode, i) {
|
||||
if (!ebitmap_node_get_bit(tnode, i))
|
||||
continue;
|
||||
avtab_key.target_type = i + 1;
|
||||
d = bounds_not_covered(global_avtab, cur_avtab,
|
||||
&avtab_key, data);
|
||||
if (!d) continue;
|
||||
td = p->type_val_to_struct[i];
|
||||
if (td && td->bounds) {
|
||||
avtab_key.target_type = td->bounds;
|
||||
d = bounds_not_covered(global_avtab, cur_avtab,
|
||||
&avtab_key, data);
|
||||
if (!d) continue;
|
||||
} else {
|
||||
avtab_key.target_type = i + 1;
|
||||
d = bounds_not_covered(global_avtab, cur_avtab,
|
||||
&avtab_key, data);
|
||||
}
|
||||
if (d) {
|
||||
(*numbad)++;
|
||||
rc = bounds_add_bad(handle, child, i+1, class, d, bad);
|
||||
if (rc) goto exit;
|
||||
}
|
||||
(*numbad)++;
|
||||
rc = bounds_add_bad(handle, child, i+1, class, d, bad);
|
||||
if (rc) goto exit;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -1073,6 +1073,10 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
|
||||
struct type_set *ts;
|
||||
|
||||
for (avrule = avrule_list; avrule != NULL; avrule = avrule->next) {
|
||||
if (avrule->specified == AVRULE_NEVERALLOW && avrule->source_filename) {
|
||||
cil_println(0, ";;* lmx %lu %s\n",avrule->source_line, avrule->source_filename);
|
||||
}
|
||||
|
||||
ts = &avrule->stypes;
|
||||
rc = process_typeset(indent, pdb, ts, attr_list, &snames, &num_snames);
|
||||
if (rc != 0) {
|
||||
@ -1103,6 +1107,10 @@ static int avrule_list_to_cil(int indent, struct policydb *pdb, struct avrule *a
|
||||
|
||||
names_destroy(&snames, &num_snames);
|
||||
names_destroy(&tnames, &num_tnames);
|
||||
|
||||
if (avrule->specified == AVRULE_NEVERALLOW && avrule->source_filename) {
|
||||
cil_println(0, ";;* lme\n");
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
||||
1
libsepol/tests/.gitignore
vendored
Normal file
1
libsepol/tests/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
libsepol-tests
|
||||
3
libsepol/tests/policies/.gitignore
vendored
Normal file
3
libsepol/tests/policies/.gitignore
vendored
Normal file
@ -0,0 +1,3 @@
|
||||
test-downgrade/
|
||||
test-*/*.mls
|
||||
test-*/*.std
|
||||
@ -1,3 +1,7 @@
|
||||
* Minor fix in a French translation, from Laurent Bigonville.
|
||||
* Fix the extract example in semodule.8, from Petr Lautrbach.
|
||||
* Update sandbox.8 man page, from Petr Lautrbach.
|
||||
* Remove typos from chcat --help, from Petr Lautrbach.
|
||||
* Fix multiple spelling errors, from Laurent Bigonville.
|
||||
* hll/pp: Warn if module name different than output filename, from James Carter
|
||||
|
||||
|
||||
@ -1307,7 +1307,7 @@ msgstr "syntaxe : %s [-q]\n"
|
||||
#: ../load_policy/load_policy.c:71
|
||||
#, c-format
|
||||
msgid "%s: Policy is already loaded and initial load requested\n"
|
||||
msgstr "La stratégie %s est déjà chargée et un chargement initial est requis\n"
|
||||
msgstr "%s : La stratégie est déjà chargée et un chargement initial est demandé\n"
|
||||
|
||||
#: ../load_policy/load_policy.c:80
|
||||
#, c-format
|
||||
|
||||
@ -3,11 +3,11 @@
|
||||
sandbox \- Run cmd under an SELinux sandbox
|
||||
.SH SYNOPSIS
|
||||
.B sandbox
|
||||
[\-C] [\-c] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd
|
||||
[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] cmd
|
||||
|
||||
.br
|
||||
.B sandbox
|
||||
[\-C] [\-c] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S
|
||||
[\-C] [\-s] [ \-d DPI ] [\-l level ] [[\-M | \-X] \-H homedir \-T tempdir ] [\-I includefile ] [ \-W windowmanager ] [ \-w windowsize ] [[\-i file ]...] [ \-t type ] \-S
|
||||
.br
|
||||
.SH DESCRIPTION
|
||||
.PP
|
||||
@ -24,10 +24,10 @@ allows you to run X applications within a sandbox. These applications will star
|
||||
If directories are specified with \-H or \-T the directory will have its context modified with chcon(1) unless a level is specified with \-l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels.
|
||||
.PP
|
||||
.TP
|
||||
\fB\-h\ \fB\\-\-help\fR
|
||||
\fB\-h\ \fB\-\-help\fR
|
||||
display usage message
|
||||
.TP
|
||||
\fB\-H\ \fB\\-\-homedir\fR
|
||||
\fB\-H\ \fB\-\-homedir\fR
|
||||
Use alternate homedir to mount over your home directory. Defaults to temporary. Requires \-X or \-M.
|
||||
.TP
|
||||
\fB\-i\fR \fB\-\-include\fR
|
||||
@ -84,9 +84,6 @@ $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
|
||||
\fB\-d\fR \fB\-\-dpi\fR
|
||||
Set the DPI value for the sandbox X Server. Defaults to the current X Sever DPI.
|
||||
.TP
|
||||
\fB\-c\fR \fB\-\-cgroups\fR
|
||||
Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
|
||||
.TP
|
||||
\fB\-C\fR \fB\-\-capabilities\fR Use capabilities within the
|
||||
sandbox. By default applications executed within the sandbox will not
|
||||
be allowed to use capabilities (setuid apps), with the \-C flag, you
|
||||
|
||||
@ -346,8 +346,8 @@ def translate(cats):
|
||||
def usage():
|
||||
print(_("Usage %s CATEGORY File ...") % sys.argv[0])
|
||||
print(_("Usage %s -l CATEGORY user ...") % sys.argv[0])
|
||||
print(_("Usage %s [[+|-]CATEGORY],...]q File ...") % sys.argv[0])
|
||||
print(_("Usage %s -l [[+|-]CATEGORY],...]q user ...") % sys.argv[0])
|
||||
print(_("Usage %s [[+|-]CATEGORY],...] File ...") % sys.argv[0])
|
||||
print(_("Usage %s -l [[+|-]CATEGORY],...] user ...") % sys.argv[0])
|
||||
print(_("Usage %s -d File ...") % sys.argv[0])
|
||||
print(_("Usage %s -l -d user ...") % sys.argv[0])
|
||||
print(_("Usage %s -L") % sys.argv[0])
|
||||
|
||||
@ -88,10 +88,12 @@ Use an alternate path for the policy store root
|
||||
be verbose
|
||||
.TP
|
||||
.B \-c,\-\-cil
|
||||
Extract module as a CIL file. This only affects the \-\-extract option.
|
||||
Extract module as a CIL file. This only affects the \-\-extract option and
|
||||
only modules listed in \-\-extract after this option.
|
||||
.TP
|
||||
.B \-H,\-\-hll
|
||||
Extract module as an HLL file. This only affects the \-\-extract option.
|
||||
Extract module as an HLL file. This only affects the \-\-extract option and
|
||||
only modules listed in \-\-extract after this option.
|
||||
|
||||
.SH EXAMPLE
|
||||
.nf
|
||||
@ -121,7 +123,7 @@ $ semodule \-B \-p "/tmp"
|
||||
$ semodule \-B \-S "/tmp/var/lib/selinux"
|
||||
# Write the HLL version of puppet and the CIL version of wireshark
|
||||
# modules at priority 400 to the current working directory
|
||||
$ semodule \-X 400 \-g wireshark \-\-cil \-g puppet \-\-hll
|
||||
$ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
|
||||
.fi
|
||||
|
||||
.SH SEE ALSO
|
||||
|
||||
@ -1,3 +1,4 @@
|
||||
* Remove additional files when cleaning, from Nicolas Iooss.
|
||||
* Add support for TYPEBOUNDS statement in INTERFACE policy files, from Miroslav Grepl.
|
||||
|
||||
1.2.3 2016-02-23
|
||||
|
||||
@ -11,5 +11,4 @@ install: all
|
||||
clean:
|
||||
rm -f parser.out parsetab.py
|
||||
rm -f *~ *.pyc
|
||||
|
||||
|
||||
rm -rf __pycache__
|
||||
|
||||
4
sepolgen/tests/.gitignore
vendored
Normal file
4
sepolgen/tests/.gitignore
vendored
Normal file
@ -0,0 +1,4 @@
|
||||
module_compile_test.fc
|
||||
module_compile_test.if
|
||||
output
|
||||
tmp/
|
||||
@ -4,8 +4,11 @@ clean:
|
||||
rm -f *~ *.pyc
|
||||
rm -f parser.out parsetab.py
|
||||
rm -f out.txt
|
||||
rm -f module_compile_test.fc
|
||||
rm -f module_compile_test.if
|
||||
rm -f module_compile_test.pp
|
||||
rm -f output
|
||||
rm -rf __pycache__ tmp
|
||||
|
||||
test:
|
||||
$(PYTHON) run-tests.py
|
||||
|
||||
Loading…
Reference in New Issue
Block a user