5aeacf9b AM |
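--- checkpolicy-1.4/policy_parse.y.excludetypes 2004-01-20 18:11:12.024833429 -0500
+++ checkpolicy-1.4/policy_parse.y 2004-01-20 18:11:12.044834543 -0500
@@ -520,6 +520,8 @@
 | tilde nested_id_set
 { if (insert_id("~", 0)) return -1;
 if (insert_separator(0)) return -1; }
+ | identifier '-' { if (insert_id("-", 0)) return -1; } identifier
+ { if (insert_separator(0)) return -1; }
 ;
 tilde_push : tilde
 { if (insert_id("~", 1)) return -1; }
@@ -546,7 +548,7 @@
 ;
 nested_id_list : nested_id_element | nested_id_list nested_id_element
 ;
-nested_id_element : identifier | nested_id_set
+nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set
 ;
 identifier : IDENTIFIER
 { if (insert_id(yytext,0)) return -1; }
@@ -1661,15 +1663,19 @@
 
 
 static int set_types(ebitmap_t *set,
- char *id)
+ ebitmap_t *negset,
+ char *id,
+ int *add)
 {
 type_datum_t *t;
 unsigned int i;
 
 if (strcmp(id, "*") == 0) {
- /* set all types */
- for (i = 0; i < policydbp->p_types.nprim; i++)
- ebitmap_set_bit(set, i, TRUE);
+ /* set all types not in negset */
+ for (i = 0; i < policydbp->p_types.nprim; i++) {
+ if (!ebitmap_get_bit(negset, i))
+ ebitmap_set_bit(set, i, TRUE);
+ }
 free(id);
 return 0;
 }
@@ -1686,6 +1692,12 @@
 return 0;
 }
 
+ if (strcmp(id, "-") == 0) {
+ *add = 0;
+ free(id);
+ return 0;
+ }
+
 t = hashtab_search(policydbp->p_types.table, id);
 if (!t) {
 sprintf(errormsg, "unknown type %s", id);
@@ -1695,18 +1707,42 @@
 }
 
 if (t->isattr) {
- /* set all types with this attribute */
+ /* set or clear all types with this attribute,
+ but do not set anything explicitly cleared previously */
 for (i = ebitmap_startbit(&t->types); i < ebitmap_length(&t->types); i++) {
 if (!ebitmap_get_bit(&t->types, i))
 continue;
- ebitmap_set_bit(set, i, TRUE);
+ if (!(*add)) {
+ ebitmap_set_bit(set, i, FALSE);
+ ebitmap_set_bit(negset, i, TRUE);
+ } else if (!ebitmap_get_bit(negset, i)) {
+ ebitmap_set_bit(set, i, TRUE);
+#if VERBOSE
+ } else {
+ char *name = type_val_to_name(i+1);
+ sprintf(errormsg, "ignoring %s due to prior -%s", name, name);
+ yywarn(errormsg);
+#endif
+ }
 }
 } else {
- /* set one type */
- ebitmap_set_bit(set, t->value - 1, TRUE);
+ /* set or clear one type, but do not set anything
+ explicitly cleared previously */
+ if (!(*add)) {
+ ebitmap_set_bit(set, t->value - 1, FALSE);
+ ebitmap_set_bit(negset, t->value - 1, TRUE);
+ } else if (!ebitmap_get_bit(negset, t->value - 1)) {
+ ebitmap_set_bit(set, t->value - 1, TRUE);
+#if VERBOSE
+ } else {
+ sprintf(errormsg, "ignoring %s due to prior -%s", id, id);
+ yywarn(errormsg);
+#endif
+ }
 }
 
 free(id);
+ *add = 1;
 return 0;
 }
 
@@ -1718,9 +1754,9 @@
 avtab_datum_t avdatum, *avdatump;
 type_datum_t *datum;
 class_datum_t *cladatum;
- ebitmap_t stypes, ttypes, tclasses;
+ ebitmap_t stypes, ttypes, tclasses, negset;
 __u32 newtype = 0;
- int ret;
+ int ret, add = 1;
 unsigned int i, j, k;
 
 if (pass == 1) {
@@ -1739,15 +1775,19 @@
 ebitmap_init(&ttypes);
 ebitmap_init(&tclasses);
 
+ ebitmap_init(&negset);
 while ((id = queue_remove(id_queue))) {
- if (set_types(&stypes, id))
+ if (set_types(&stypes, &negset, id, &add))
 return -1;
 }
+ ebitmap_destroy(&negset);
 
+ ebitmap_init(&negset);
 while ((id = queue_remove(id_queue))) {
- if (set_types(&ttypes, id))
+ if (set_types(&ttypes, &negset, id, &add))
 return -1;
 }
+ ebitmap_destroy(&negset);
 
 while ((id = queue_remove(id_queue))) {
 cladatum = hashtab_search(policydbp->p_classes.table, id);
@@ -1964,10 +2004,10 @@
 char *id;
 class_datum_t *cladatum;
 perm_datum_t *perdatum;
- ebitmap_t stypes, ttypes, tclasses;
+ ebitmap_t stypes, ttypes, tclasses, negset;
 access_vector_t *avp;
 unsigned int i, j, hiclass;
- int self = 0;
+ int self = 0, add = 1;
 te_assert_t *newassert;
 
 if (pass == 1) {
@@ -1986,19 +2026,23 @@
 ebitmap_init(&ttypes);
 ebitmap_init(&tclasses);
 
+ ebitmap_init(&negset);
 while ((id = queue_remove(id_queue))) {
- if (set_types(&stypes, id))
+ if (set_types(&stypes, &negset, id, &add))
 return -1;
 }
+ ebitmap_destroy(&negset);
 
+ ebitmap_init(&negset);
 while ((id = queue_remove(id_queue))) {
 if (strcmp(id, "self") == 0) {
 self = 1;
 continue;
 }
- if (set_types(&ttypes, id))
+ if (set_types(&ttypes, &negset, id, &add))
 return -1;
 }
+ ebitmap_destroy(&negset);
 
 hiclass = 0;
 while ((id = queue_remove(id_queue))) {
@@ -2139,7 +2183,8 @@
 {
 role_datum_t *role;
 char *role_id, *id;
- int ret;
+ int ret, add = 1;
+ ebitmap_t negset;
 
 if (pass == 1) {
 while ((id = queue_remove(id_queue)))
@@ -2173,10 +2218,12 @@
 } else
 free(role_id);
 
+ ebitmap_init(&negset);
 while ((id = queue_remove(id_queue))) {
- if (set_types(&role->types, id))
+ if (set_types(&role->types, &negset, id, &add))
 return -1;
 }
+ ebitmap_destroy(&negset);
 
 return 0;
 }
@@ -2325,9 +2372,10 @@
 {
 char *id;
 role_datum_t *role;
- ebitmap_t roles, types;
+ ebitmap_t roles, types, negset;
 struct role_trans *tr = 0;
 unsigned int i, j;
+ int add = 1;
 
 if (pass == 1) {
 while ((id = queue_remove(id_queue)))
@@ -2347,10 +2395,12 @@
 return -1;
 }
 
+ ebitmap_init(&negset);
 while ((id = queue_remove(id_queue))) {
- if (set_types(&types, id))
+ if (set_types(&types, &negset, id, &add))
 return -1;
 }
+ ebitmap_destroy(&negset);
 
 id = (char *) queue_remove(id_queue);
 if (!id) {
@@ -2587,8 +2637,10 @@
 struct constraint_expr *expr, *e1 = NULL, *e2;
 user_datum_t *user;
 role_datum_t *role;
+ ebitmap_t negset;
 char *id;
 __u32 val;
+ int add = 1;
 
 if (pass == 1) {
 if (expr_type == CEXPR_NAMES) {
@@ -2656,6 +2708,7 @@
 case CEXPR_NAMES:
 expr->attr = arg1;
 expr->op = arg2;
+ ebitmap_init(&negset);
 while ((id = (char *) queue_remove(id_queue))) {
 if (expr->attr & CEXPR_USER) {
 user = (user_datum_t *) hashtab_search(policydbp->p_users.table,
@@ -2678,7 +2731,7 @@
 }
 val = role->value;
 } else if (expr->attr & CEXPR_TYPE) {
- if (set_types(&expr->names, id)) {
+ if (set_types(&expr->names, &negset, id, &add)) {
 free(expr);
 return 0;
 }
@@ -2696,6 +2749,7 @@
 }
 free(id);
 }
+ ebitmap_destroy(&negset);
 return (uintptr_t)expr;
 default:
 yyerror("invalid constraint expression");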
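Review bot: The new VERBOSE warning paths in set_types format a policy-supplied type or attribute name into errormsg with an unbounded `sprintf(errormsg, "ignoring %s due to prior -%s", name, name);` (and the same with `id` in the single-type branch); the buffer's size is not visible in the hunk, so a long name in the policy source being compiled can overrun it, and `snprintf(errormsg, sizeof errormsg, "ignoring %s due to prior -%s", name, name);` in both places would bound the write if errormsg is an array. The `*` branch at the top of set_types returns without `*add = 1;`, unlike the attribute and single-type branches that end with it, so if the grammar ever lets a `-` token precede `*` the negation would carry over to the next identifier; adding `*add = 1;` before that branch's `return 0;` keeps the flag handling uniform. Every caller that now brackets its loop with `ebitmap_init(&negset)` / `ebitmap_destroy(&negset)` still returns early on set_types failure (`return -1;`, and `free(expr); return 0;` in the constraint case) without destroying negset, which leaks the bitmap on the error path. The enclosing functions in these hunks all start and end outside the visible lines.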