1 --- checkpolicy-1.4/policy_parse.y.excludetypes 2004-01-20 18:11:12.024833429 -0500
2 +++ checkpolicy-1.4/policy_parse.y 2004-01-20 18:11:12.044834543 -0500
5 { if (insert_id("~", 0)) return -1;
6 if (insert_separator(0)) return -1; }
7 + | identifier '-' { if (insert_id("-", 0)) return -1; } identifier
8 + { if (insert_separator(0)) return -1; }
11 { if (insert_id("~", 1)) return -1; }
14 nested_id_list : nested_id_element | nested_id_list nested_id_element
16 -nested_id_element : identifier | nested_id_set
17 +nested_id_element : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set
19 identifier : IDENTIFIER
20 { if (insert_id(yytext,0)) return -1; }
21 @@ -1661,15 +1663,19 @@
24 static int set_types(ebitmap_t *set,
33 if (strcmp(id, "*") == 0) {
35 - for (i = 0; i < policydbp->p_types.nprim; i++)
36 - ebitmap_set_bit(set, i, TRUE);
37 + /* set all types not in negset */
38 + for (i = 0; i < policydbp->p_types.nprim; i++) {
39 + if (!ebitmap_get_bit(negset, i))
40 + ebitmap_set_bit(set, i, TRUE);
45 @@ -1686,6 +1692,12 @@
49 + if (strcmp(id, "-") == 0) {
55 t = hashtab_search(policydbp->p_types.table, id);
57 sprintf(errormsg, "unknown type %s", id);
58 @@ -1695,18 +1707,42 @@
62 - /* set all types with this attribute */
63 + /* set or clear all types with this attribute,
64 + but do not set anything explicitly cleared previously */
65 for (i = ebitmap_startbit(&t->types); i < ebitmap_length(&t->types); i++) {
66 if (!ebitmap_get_bit(&t->types, i))
68 - ebitmap_set_bit(set, i, TRUE);
70 + ebitmap_set_bit(set, i, FALSE);
71 + ebitmap_set_bit(negset, i, TRUE);
72 + } else if (!ebitmap_get_bit(negset, i)) {
73 + ebitmap_set_bit(set, i, TRUE);
76 + char *name = type_val_to_name(i+1);
77 + sprintf(errormsg, "ignoring %s due to prior -%s", name, name);
84 - ebitmap_set_bit(set, t->value - 1, TRUE);
85 + /* set or clear one type, but do not set anything
86 + explicitly cleared previously */
88 + ebitmap_set_bit(set, t->value - 1, FALSE);
89 + ebitmap_set_bit(negset, t->value - 1, TRUE);
90 + } else if (!ebitmap_get_bit(negset, t->value - 1)) {
91 + ebitmap_set_bit(set, t->value - 1, TRUE);
94 + sprintf(errormsg, "ignoring %s due to prior -%s", id, id);
105 @@ -1718,9 +1754,9 @@
106 avtab_datum_t avdatum, *avdatump;
108 class_datum_t *cladatum;
109 - ebitmap_t stypes, ttypes, tclasses;
110 + ebitmap_t stypes, ttypes, tclasses, negset;
114 unsigned int i, j, k;
117 @@ -1739,15 +1775,19 @@
118 ebitmap_init(&ttypes);
119 ebitmap_init(&tclasses);
121 + ebitmap_init(&negset);
122 while ((id = queue_remove(id_queue))) {
123 - if (set_types(&stypes, id))
124 + if (set_types(&stypes, &negset, id, &add))
127 + ebitmap_destroy(&negset);
129 + ebitmap_init(&negset);
130 while ((id = queue_remove(id_queue))) {
131 - if (set_types(&ttypes, id))
132 + if (set_types(&ttypes, &negset, id, &add))
135 + ebitmap_destroy(&negset);
137 while ((id = queue_remove(id_queue))) {
138 cladatum = hashtab_search(policydbp->p_classes.table, id);
139 @@ -1964,10 +2004,10 @@
141 class_datum_t *cladatum;
142 perm_datum_t *perdatum;
143 - ebitmap_t stypes, ttypes, tclasses;
144 + ebitmap_t stypes, ttypes, tclasses, negset;
145 access_vector_t *avp;
146 unsigned int i, j, hiclass;
148 + int self = 0, add = 1;
149 te_assert_t *newassert;
152 @@ -1986,19 +2026,23 @@
153 ebitmap_init(&ttypes);
154 ebitmap_init(&tclasses);
156 + ebitmap_init(&negset);
157 while ((id = queue_remove(id_queue))) {
158 - if (set_types(&stypes, id))
159 + if (set_types(&stypes, &negset, id, &add))
162 + ebitmap_destroy(&negset);
164 + ebitmap_init(&negset);
165 while ((id = queue_remove(id_queue))) {
166 if (strcmp(id, "self") == 0) {
170 - if (set_types(&ttypes, id))
171 + if (set_types(&ttypes, &negset, id, &add))
174 + ebitmap_destroy(&negset);
177 while ((id = queue_remove(id_queue))) {
178 @@ -2139,7 +2183,8 @@
187 while ((id = queue_remove(id_queue)))
188 @@ -2173,10 +2218,12 @@
192 + ebitmap_init(&negset);
193 while ((id = queue_remove(id_queue))) {
194 - if (set_types(&role->types, id))
195 + if (set_types(&role->types, &negset, id, &add))
198 + ebitmap_destroy(&negset);
202 @@ -2325,9 +2372,10 @@
206 - ebitmap_t roles, types;
207 + ebitmap_t roles, types, negset;
208 struct role_trans *tr = 0;
213 while ((id = queue_remove(id_queue)))
214 @@ -2347,10 +2395,12 @@
218 + ebitmap_init(&negset);
219 while ((id = queue_remove(id_queue))) {
220 - if (set_types(&types, id))
221 + if (set_types(&types, &negset, id, &add))
224 + ebitmap_destroy(&negset);
226 id = (char *) queue_remove(id_queue);
228 @@ -2587,8 +2637,10 @@
229 struct constraint_expr *expr, *e1 = NULL, *e2;
238 if (expr_type == CEXPR_NAMES) {
239 @@ -2656,6 +2708,7 @@
243 + ebitmap_init(&negset);
244 while ((id = (char *) queue_remove(id_queue))) {
245 if (expr->attr & CEXPR_USER) {
246 user = (user_datum_t *) hashtab_search(policydbp->p_users.table,
247 @@ -2678,7 +2731,7 @@
250 } else if (expr->attr & CEXPR_TYPE) {
251 - if (set_types(&expr->names, id)) {
252 + if (set_types(&expr->names, &negset, id, &add)) {
256 @@ -2696,6 +2749,7 @@
260 + ebitmap_destroy(&negset);
261 return (uintptr_t)expr;
263 yyerror("invalid constraint expression");
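Review bot: The `ebitmap_destroy(&negset);` added at line 260 only covers the success path ahead of `return (uintptr_t)expr;`; negset is initialised at line 243, and if the error exits inside the `while ((id = (char *) queue_remove(id_queue)))` loop (for instance the `if (set_types(&expr->names, &negset, id, &add)) {` branch in the preceding hunk) return without it, the bitmap's nodes leak whenever a malformed constraint is rejected. The bodies of those branches lie outside the visible hunks, so this needs confirming against the full function, which starts before the `@@ -2587` hunk. If they do return early, `ebitmap_destroy(&negset);` belongs on those paths as well, or the function's error exits should be funnelled through one cleanup label that destroys negset before returning. The same question applies to the other callers in this patch that add `ebitmap_destroy(&negset)` only after their loops (lines 127, 135, 162, 174, 198 and 224).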