[packages/checkpolicy.git] / checkpolicy-excludetypes.patch

--- checkpolicy-1.4/policy_parse.y.excludetypes	2004-01-20 18:11:12.024833429 -0500
+++ checkpolicy-1.4/policy_parse.y	2004-01-20 18:11:12.044834543 -0500
@@ -520,6 +520,8 @@
 			| tilde nested_id_set
 	 		{ if (insert_id("~", 0)) return -1; 
 			  if (insert_separator(0)) return -1; }
+                        | identifier '-' { if (insert_id("-", 0)) return -1; } identifier 
+			{ if (insert_separator(0)) return -1; }
 			;
 tilde_push              : tilde
                         { if (insert_id("~", 1)) return -1; }
@@ -546,7 +548,7 @@
                         ;
 nested_id_list          : nested_id_element | nested_id_list nested_id_element
                         ;
-nested_id_element       : identifier | nested_id_set
+nested_id_element       : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set
                         ;
 identifier		: IDENTIFIER
 			{ if (insert_id(yytext,0)) return -1; }
@@ -1661,15 +1663,19 @@
 
 
 static int set_types(ebitmap_t *set,
-		     char *id)
+		     ebitmap_t *negset,
+		     char *id,
+		     int *add)
 {
 	type_datum_t *t;
 	unsigned int i;
 
 	if (strcmp(id, "*") == 0) {
-		/* set all types */
-		for (i = 0; i < policydbp->p_types.nprim; i++) 
-			ebitmap_set_bit(set, i, TRUE);
+		/* set all types not in negset */
+		for (i = 0; i < policydbp->p_types.nprim; i++) {
+			if (!ebitmap_get_bit(negset, i))
+				ebitmap_set_bit(set, i, TRUE);
+		}
 		free(id);
 		return 0;
 	}
@@ -1686,6 +1692,12 @@
 		return 0;
 	}
 
+	if (strcmp(id, "-") == 0) {
+		*add = 0;
+		free(id);
+		return 0;
+	}	
+
 	t = hashtab_search(policydbp->p_types.table, id);
 	if (!t) {
 		sprintf(errormsg, "unknown type %s", id);
@@ -1695,18 +1707,42 @@
 	}
 
 	if (t->isattr) {
-		/* set all types with this attribute */
+		/* set or clear all types with this attribute,
+		   but do not set anything explicitly cleared previously */
 		for (i = ebitmap_startbit(&t->types); i < ebitmap_length(&t->types); i++) {
 			if (!ebitmap_get_bit(&t->types, i)) 
 				continue;		
-			ebitmap_set_bit(set, i, TRUE);
+			if (!(*add)) {
+				ebitmap_set_bit(set, i, FALSE);
+				ebitmap_set_bit(negset, i, TRUE);
+			} else if (!ebitmap_get_bit(negset, i)) {
+				ebitmap_set_bit(set, i, TRUE);
+#if VERBOSE
+			} else {
+				char *name = type_val_to_name(i+1);
+				sprintf(errormsg, "ignoring %s due to prior -%s", name, name);
+				yywarn(errormsg);
+#endif
+			}
 		}
 	} else {
-		/* set one type */
-		ebitmap_set_bit(set, t->value - 1, TRUE);
+		/* set or clear one type, but do not set anything
+		   explicitly cleared previously */	
+		if (!(*add)) {
+			ebitmap_set_bit(set, t->value - 1, FALSE);
+			ebitmap_set_bit(negset, t->value - 1, TRUE);
+		} else if (!ebitmap_get_bit(negset, t->value - 1)) {
+			ebitmap_set_bit(set, t->value - 1, TRUE);
+#if VERBOSE
+		} else {
+			sprintf(errormsg, "ignoring %s due to prior -%s", id, id);
+			yywarn(errormsg);
+#endif
+		}
 	}
 
 	free(id);
+	*add = 1;
 	return 0;
 }
 
@@ -1718,9 +1754,9 @@
 	avtab_datum_t avdatum, *avdatump;
 	type_datum_t *datum;
 	class_datum_t *cladatum;
-	ebitmap_t stypes, ttypes, tclasses;
+	ebitmap_t stypes, ttypes, tclasses, negset;
 	__u32 newtype = 0;
-	int ret;
+	int ret, add = 1;
 	unsigned int i, j, k;
 
 	if (pass == 1) {
@@ -1739,15 +1775,19 @@
 	ebitmap_init(&ttypes);
 	ebitmap_init(&tclasses);
 
+	ebitmap_init(&negset);
 	while ((id = queue_remove(id_queue))) {
-		if (set_types(&stypes, id))
+		if (set_types(&stypes, &negset, id, &add))
 			return -1;
 	}
+	ebitmap_destroy(&negset);
 
+	ebitmap_init(&negset);
 	while ((id = queue_remove(id_queue))) {
-		if (set_types(&ttypes, id))
+		if (set_types(&ttypes, &negset, id, &add))
 			return -1;
 	}
+	ebitmap_destroy(&negset);
 
 	while ((id = queue_remove(id_queue))) {
 		cladatum = hashtab_search(policydbp->p_classes.table, id);
@@ -1964,10 +2004,10 @@
 	char *id;
 	class_datum_t *cladatum;
 	perm_datum_t *perdatum;
-	ebitmap_t stypes, ttypes, tclasses;
+	ebitmap_t stypes, ttypes, tclasses, negset;
 	access_vector_t *avp;
 	unsigned int i, j, hiclass;
-	int self = 0;
+	int self = 0, add = 1;
 	te_assert_t *newassert;
 
 	if (pass == 1) {
@@ -1986,19 +2026,23 @@
 	ebitmap_init(&ttypes);
 	ebitmap_init(&tclasses);
 
+	ebitmap_init(&negset);
 	while ((id = queue_remove(id_queue))) {
-		if (set_types(&stypes, id))
+		if (set_types(&stypes, &negset, id, &add))
 			return -1;
 	}
+	ebitmap_destroy(&negset);
 
+	ebitmap_init(&negset);
 	while ((id = queue_remove(id_queue))) {
 		if (strcmp(id, "self") == 0) {
 			self = 1;
 			continue;
 		}
-		if (set_types(&ttypes, id))
+		if (set_types(&ttypes, &negset, id, &add))
 			return -1;
 	}
+	ebitmap_destroy(&negset);
 
 	hiclass = 0;
 	while ((id = queue_remove(id_queue))) {
@@ -2139,7 +2183,8 @@
 {
 	role_datum_t *role;
 	char *role_id, *id;
-	int ret;
+	int ret, add = 1;
+	ebitmap_t negset;
 
 	if (pass == 1) {
 		while ((id = queue_remove(id_queue))) 
@@ -2173,10 +2218,12 @@
 	} else
 		free(role_id);
 
+	ebitmap_init(&negset);
 	while ((id = queue_remove(id_queue))) {
-		if (set_types(&role->types, id))
+		if (set_types(&role->types, &negset, id, &add))
 			return -1;
 	}
+	ebitmap_destroy(&negset);
 
 	return 0;
 }
@@ -2325,9 +2372,10 @@
 {
 	char *id;
 	role_datum_t *role;
-	ebitmap_t roles, types;
+	ebitmap_t roles, types, negset;
 	struct role_trans *tr = 0;
 	unsigned int i, j;
+	int add = 1;
 
 	if (pass == 1) {
 		while ((id = queue_remove(id_queue))) 
@@ -2347,10 +2395,12 @@
 			return -1;
 	}
 
+	ebitmap_init(&negset);
 	while ((id = queue_remove(id_queue))) {
-		if (set_types(&types, id))
+		if (set_types(&types, &negset, id, &add))
 			return -1;
 	}
+	ebitmap_destroy(&negset);
 
 	id = (char *) queue_remove(id_queue);
 	if (!id) {
@@ -2587,8 +2637,10 @@
 	struct constraint_expr *expr, *e1 = NULL, *e2;
 	user_datum_t *user;
 	role_datum_t *role;
+	ebitmap_t negset;
 	char *id;
 	__u32 val;
+	int add = 1;
 
 	if (pass == 1) {
 		if (expr_type == CEXPR_NAMES) {
@@ -2656,6 +2708,7 @@
 	case CEXPR_NAMES:
 		expr->attr = arg1;
 		expr->op = arg2;
+		ebitmap_init(&negset);
 		while ((id = (char *) queue_remove(id_queue))) {
 			if (expr->attr & CEXPR_USER) {
 				user = (user_datum_t *) hashtab_search(policydbp->p_users.table,
@@ -2678,7 +2731,7 @@
 				}
 				val = role->value;
 			} else if (expr->attr & CEXPR_TYPE) {
-				if (set_types(&expr->names, id)) {
+				if (set_types(&expr->names, &negset, id, &add)) {
 					free(expr);
 					return 0;
 				}
@@ -2696,6 +2749,7 @@
 			}
 			free(id);
 		}
+		ebitmap_destroy(&negset);
 		return (uintptr_t)expr;
 	default:
 		yyerror("invalid constraint expression");
Commit	Line	Data
5aeacf9b AM	1	--- checkpolicy-1.4/policy_parse.y.excludetypes 2004-01-20 18:11:12.024833429 -0500
	2	+++ checkpolicy-1.4/policy_parse.y 2004-01-20 18:11:12.044834543 -0500
	3	@@ -520,6 +520,8 @@
	4	\| tilde nested_id_set
	5	{ if (insert_id("~", 0)) return -1;
	6	if (insert_separator(0)) return -1; }
	7	+ \| identifier '-' { if (insert_id("-", 0)) return -1; } identifier
	8	+ { if (insert_separator(0)) return -1; }
	9	;
	10	tilde_push : tilde
	11	{ if (insert_id("~", 1)) return -1; }
	12	@@ -546,7 +548,7 @@
	13	;
	14	nested_id_list : nested_id_element \| nested_id_list nested_id_element
	15	;
	16	-nested_id_element : identifier \| nested_id_set
	17	+nested_id_element : identifier \| '-' { if (insert_id("-", 0)) return -1; } identifier \| nested_id_set
	18	;
	19	identifier : IDENTIFIER
	20	{ if (insert_id(yytext,0)) return -1; }
	21	@@ -1661,15 +1663,19 @@
	22
	23
	24	static int set_types(ebitmap_t *set,
	25	- char *id)
	26	+ ebitmap_t *negset,
	27	+ char *id,
	28	+ int *add)
	29	{
	30	type_datum_t *t;
	31	unsigned int i;
	32
	33	if (strcmp(id, "*") == 0) {
	34	- /* set all types */
	35	- for (i = 0; i < policydbp->p_types.nprim; i++)
	36	- ebitmap_set_bit(set, i, TRUE);
	37	+ /* set all types not in negset */
	38	+ for (i = 0; i < policydbp->p_types.nprim; i++) {
	39	+ if (!ebitmap_get_bit(negset, i))
	40	+ ebitmap_set_bit(set, i, TRUE);
	41	+ }
	42	free(id);
	43	return 0;
	44	}
	45	@@ -1686,6 +1692,12 @@
	46	return 0;
	47	}
	48
	49	+ if (strcmp(id, "-") == 0) {
	50	+ *add = 0;
	51	+ free(id);
	52	+ return 0;
	53	+ }
	54	+
	55	t = hashtab_search(policydbp->p_types.table, id);
	56	if (!t) {
	57	sprintf(errormsg, "unknown type %s", id);
	58	@@ -1695,18 +1707,42 @@
	59	}
	60
	61	if (t->isattr) {
	62	- /* set all types with this attribute */
	63	+ /* set or clear all types with this attribute,
	64	+ but do not set anything explicitly cleared previously */
65	for (i = ebitmap_startbit(&t->types); i < ebitmap_length(&t->types); i++) {
66	if (!ebitmap_get_bit(&t->types, i))
67	continue;
68	- ebitmap_set_bit(set, i, TRUE);
69	+ if (!(*add)) {
70	+ ebitmap_set_bit(set, i, FALSE);
71	+ ebitmap_set_bit(negset, i, TRUE);
72	+ } else if (!ebitmap_get_bit(negset, i)) {
73	+ ebitmap_set_bit(set, i, TRUE);
74	+#if VERBOSE
75	+ } else {
76	+ char *name = type_val_to_name(i+1);
77	+ sprintf(errormsg, "ignoring %s due to prior -%s", name, name);
78	+ yywarn(errormsg);
79	+#endif
80	+ }
81	}
82	} else {
83	- /* set one type */
84	- ebitmap_set_bit(set, t->value - 1, TRUE);
85	+ /* set or clear one type, but do not set anything
86	+ explicitly cleared previously */
87	+ if (!(*add)) {
88	+ ebitmap_set_bit(set, t->value - 1, FALSE);
89	+ ebitmap_set_bit(negset, t->value - 1, TRUE);
90	+ } else if (!ebitmap_get_bit(negset, t->value - 1)) {
91	+ ebitmap_set_bit(set, t->value - 1, TRUE);
92	+#if VERBOSE
93	+ } else {
94	+ sprintf(errormsg, "ignoring %s due to prior -%s", id, id);
95	+ yywarn(errormsg);
96	+#endif
97	+ }
98	}
99
100	free(id);
101	+ *add = 1;
102	return 0;
103	}
104
105	@@ -1718,9 +1754,9 @@
106	avtab_datum_t avdatum, *avdatump;
107	type_datum_t *datum;
108	class_datum_t *cladatum;
109	- ebitmap_t stypes, ttypes, tclasses;
110	+ ebitmap_t stypes, ttypes, tclasses, negset;
111	__u32 newtype = 0;
112	- int ret;
113	+ int ret, add = 1;
114	unsigned int i, j, k;
115
116	if (pass == 1) {
117	@@ -1739,15 +1775,19 @@
118	ebitmap_init(&ttypes);
119	ebitmap_init(&tclasses);
120
121	+ ebitmap_init(&negset);
122	while ((id = queue_remove(id_queue))) {
123	- if (set_types(&stypes, id))
124	+ if (set_types(&stypes, &negset, id, &add))
125	return -1;
126	}
127	+ ebitmap_destroy(&negset);
128
129	+ ebitmap_init(&negset);
130	while ((id = queue_remove(id_queue))) {
131	- if (set_types(&ttypes, id))
132	+ if (set_types(&ttypes, &negset, id, &add))
133	return -1;
134	}
135	+ ebitmap_destroy(&negset);
136
137	while ((id = queue_remove(id_queue))) {
138	cladatum = hashtab_search(policydbp->p_classes.table, id);
139	@@ -1964,10 +2004,10 @@
140	char *id;
141	class_datum_t *cladatum;
142	perm_datum_t *perdatum;
143	- ebitmap_t stypes, ttypes, tclasses;
144	+ ebitmap_t stypes, ttypes, tclasses, negset;
145	access_vector_t *avp;
146	unsigned int i, j, hiclass;
147	- int self = 0;
148	+ int self = 0, add = 1;
149	te_assert_t *newassert;
150
151	if (pass == 1) {
152	@@ -1986,19 +2026,23 @@
153	ebitmap_init(&ttypes);
154	ebitmap_init(&tclasses);
155
156	+ ebitmap_init(&negset);
157	while ((id = queue_remove(id_queue))) {
158	- if (set_types(&stypes, id))
159	+ if (set_types(&stypes, &negset, id, &add))
160	return -1;
161	}
162	+ ebitmap_destroy(&negset);
163
164	+ ebitmap_init(&negset);
165	while ((id = queue_remove(id_queue))) {
166	if (strcmp(id, "self") == 0) {
167	self = 1;
168	continue;
169	}
170	- if (set_types(&ttypes, id))
171	+ if (set_types(&ttypes, &negset, id, &add))
172	return -1;
173	}
174	+ ebitmap_destroy(&negset);
175
176	hiclass = 0;
177	while ((id = queue_remove(id_queue))) {
178	@@ -2139,7 +2183,8 @@
179	{
180	role_datum_t *role;
181	char role_id, id;
182	- int ret;
183	+ int ret, add = 1;
184	+ ebitmap_t negset;
185
186	if (pass == 1) {
187	while ((id = queue_remove(id_queue)))
188	@@ -2173,10 +2218,12 @@
189	} else
190	free(role_id);
191
192	+ ebitmap_init(&negset);
193	while ((id = queue_remove(id_queue))) {
194	- if (set_types(&role->types, id))
195	+ if (set_types(&role->types, &negset, id, &add))
196	return -1;
197	}
198	+ ebitmap_destroy(&negset);
199
200	return 0;
201	}
202	@@ -2325,9 +2372,10 @@
203	{
204	char *id;
205	role_datum_t *role;
206	- ebitmap_t roles, types;
207	+ ebitmap_t roles, types, negset;
208	struct role_trans *tr = 0;
209	unsigned int i, j;
210	+ int add = 1;
211
212	if (pass == 1) {
213	while ((id = queue_remove(id_queue)))
214	@@ -2347,10 +2395,12 @@
215	return -1;
216	}
217
218	+ ebitmap_init(&negset);
219	while ((id = queue_remove(id_queue))) {
220	- if (set_types(&types, id))
221	+ if (set_types(&types, &negset, id, &add))
222	return -1;
223	}
224	+ ebitmap_destroy(&negset);
225
226	id = (char *) queue_remove(id_queue);
227	if (!id) {
228	@@ -2587,8 +2637,10 @@
229	struct constraint_expr expr, e1 = NULL, *e2;
230	user_datum_t *user;
231	role_datum_t *role;
232	+ ebitmap_t negset;
233	char *id;
234	__u32 val;
235	+ int add = 1;
236
237	if (pass == 1) {
238	if (expr_type == CEXPR_NAMES) {
239	@@ -2656,6 +2708,7 @@
240	case CEXPR_NAMES:
241	expr->attr = arg1;
242	expr->op = arg2;
243	+ ebitmap_init(&negset);
244	while ((id = (char *) queue_remove(id_queue))) {
245	if (expr->attr & CEXPR_USER) {
246	user = (user_datum_t *) hashtab_search(policydbp->p_users.table,
247	@@ -2678,7 +2731,7 @@
248	}
249	val = role->value;
250	} else if (expr->attr & CEXPR_TYPE) {
251	- if (set_types(&expr->names, id)) {
252	+ if (set_types(&expr->names, &negset, id, &add)) {
253	free(expr);
254	return 0;
255	}
256	@@ -2696,6 +2749,7 @@
257	}
258	free(id);
259	}
260	+ ebitmap_destroy(&negset);
261	return (uintptr_t)expr;
262	default:
263	yyerror("invalid constraint expression");