- really no need to use C99 in this place ;)
1 --- checkpolicy-1.4/policy_parse.y.excludetypes 2004-01-20 18:11:12.024833429 -0500
2 +++ checkpolicy-1.4/policy_parse.y      2004-01-20 18:11:12.044834543 -0500
3 @@ -520,6 +520,8 @@
4                         | tilde nested_id_set
5                         { if (insert_id("~", 0)) return -1; 
6                           if (insert_separator(0)) return -1; }
7 +                        | identifier '-' { if (insert_id("-", 0)) return -1; } identifier 
8 +                       { if (insert_separator(0)) return -1; }
9                         ;
10  tilde_push              : tilde
11                          { if (insert_id("~", 1)) return -1; }
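Review bot: The new alternatives at the `+` lines rely on the scanner returning `'-'` as a bare single-character token, and this patch does not touch policy_scan.l, so confirm the lexer passes `-` through as a literal rather than treating it as part of IDENTIFIER or as an unknown character. The alternative `identifier '-' … identifier` admits exactly one subtraction (`a - b`), whereas the braced form in the next hunk allows any number of `-x` elements; if that asymmetry is intentional, a grammar comment such as `/* a - b: single subtraction outside braces; use { ... -x ... } for more */` would save the next reader a trip. The enclosing rule starts before this hunk.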
12 @@ -546,7 +548,7 @@
13                          ;
14  nested_id_list          : nested_id_element | nested_id_list nested_id_element
15                          ;
16 -nested_id_element       : identifier | nested_id_set
17 +nested_id_element       : identifier | '-' { if (insert_id("-", 0)) return -1; } identifier | nested_id_set
18                          ;
19  identifier             : IDENTIFIER
20                         { if (insert_id(yytext,0)) return -1; }
21 @@ -1661,15 +1663,19 @@
22  
23  
24  static int set_types(ebitmap_t *set,
25 -                    char *id)
26 +                    ebitmap_t *negset,
27 +                    char *id,
28 +                    int *add)
29  {
30         type_datum_t *t;
31         unsigned int i;
32  
33         if (strcmp(id, "*") == 0) {
34 -               /* set all types */
35 -               for (i = 0; i < policydbp->p_types.nprim; i++) 
36 -                       ebitmap_set_bit(set, i, TRUE);
37 +               /* set all types not in negset */
38 +               for (i = 0; i < policydbp->p_types.nprim; i++) {
39 +                       if (!ebitmap_get_bit(negset, i))
40 +                               ebitmap_set_bit(set, i, TRUE);
41 +               }
42                 free(id);
43                 return 0;
44         }
45 @@ -1686,6 +1692,12 @@
46                 return 0;
47         }
48  
49 +       if (strcmp(id, "-") == 0) {
50 +               *add = 0;
51 +               free(id);
52 +               return 0;
53 +       }       
54 +
55         t = hashtab_search(policydbp->p_types.table, id);
56         if (!t) {
57                 sprintf(errormsg, "unknown type %s", id);
58 @@ -1695,18 +1707,42 @@
59         }
60  
61         if (t->isattr) {
62 -               /* set all types with this attribute */
63 +               /* set or clear all types with this attribute,
64 +                  but do not set anything explicitly cleared previously */
65                 for (i = ebitmap_startbit(&t->types); i < ebitmap_length(&t->types); i++) {
66                         if (!ebitmap_get_bit(&t->types, i)) 
67                                 continue;               
68 -                       ebitmap_set_bit(set, i, TRUE);
69 +                       if (!(*add)) {
70 +                               ebitmap_set_bit(set, i, FALSE);
71 +                               ebitmap_set_bit(negset, i, TRUE);
72 +                       } else if (!ebitmap_get_bit(negset, i)) {
73 +                               ebitmap_set_bit(set, i, TRUE);
74 +#if VERBOSE
75 +                       } else {
76 +                               char *name = type_val_to_name(i+1);
77 +                               sprintf(errormsg, "ignoring %s due to prior -%s", name, name);
78 +                               yywarn(errormsg);
79 +#endif
80 +                       }
81                 }
82         } else {
83 -               /* set one type */
84 -               ebitmap_set_bit(set, t->value - 1, TRUE);
85 +               /* set or clear one type, but do not set anything
86 +                  explicitly cleared previously */     
87 +               if (!(*add)) {
88 +                       ebitmap_set_bit(set, t->value - 1, FALSE);
89 +                       ebitmap_set_bit(negset, t->value - 1, TRUE);
90 +               } else if (!ebitmap_get_bit(negset, t->value - 1)) {
91 +                       ebitmap_set_bit(set, t->value - 1, TRUE);
92 +#if VERBOSE
93 +               } else {
94 +                       sprintf(errormsg, "ignoring %s due to prior -%s", id, id);
95 +                       yywarn(errormsg);
96 +#endif
97 +               }
98         }
99  
100         free(id);
101 +       *add = 1;
102         return 0;
103  }
104  
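Review bot: In a build without VERBOSE a type that is listed again after an earlier `-type` is dropped with no diagnostic at all — both `else` branches that call yywarn() are compiled out, so `{ -foo foo }` silently yields a set without foo. That is the conservative outcome for an access-control compiler, but it hides authoring mistakes in a ruleset; I would make the warning unconditional by removing the `#if VERBOSE` / `#endif` pairs, or turn it into an error. The `sprintf(errormsg, ...)` calls follow the file's existing pattern but are unbounded; if errormsg is a fixed-size buffer, `snprintf(errormsg, sizeof(errormsg), ...)` is safer with policy-supplied names. Whether type_val_to_name() returns storage that must be freed is not visible here and should be confirmed.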
105 @@ -1718,9 +1754,9 @@
106         avtab_datum_t avdatum, *avdatump;
107         type_datum_t *datum;
108         class_datum_t *cladatum;
109 -       ebitmap_t stypes, ttypes, tclasses;
110 +       ebitmap_t stypes, ttypes, tclasses, negset;
111         __u32 newtype = 0;
112 -       int ret;
113 +       int ret, add = 1;
114         unsigned int i, j, k;
115  
116         if (pass == 1) {
117 @@ -1739,15 +1775,19 @@
118         ebitmap_init(&ttypes);
119         ebitmap_init(&tclasses);
120  
121 +       ebitmap_init(&negset);
122         while ((id = queue_remove(id_queue))) {
123 -               if (set_types(&stypes, id))
124 +               if (set_types(&stypes, &negset, id, &add))
125                         return -1;
126         }
127 +       ebitmap_destroy(&negset);
128  
129 +       ebitmap_init(&negset);
130         while ((id = queue_remove(id_queue))) {
131 -               if (set_types(&ttypes, id))
132 +               if (set_types(&ttypes, &negset, id, &add))
133                         return -1;
134         }
135 +       ebitmap_destroy(&negset);
136  
137         while ((id = queue_remove(id_queue))) {
138                 cladatum = hashtab_search(policydbp->p_classes.table, id);
139 @@ -1964,10 +2004,10 @@
140         char *id;
141         class_datum_t *cladatum;
142         perm_datum_t *perdatum;
143 -       ebitmap_t stypes, ttypes, tclasses;
144 +       ebitmap_t stypes, ttypes, tclasses, negset;
145         access_vector_t *avp;
146         unsigned int i, j, hiclass;
147 -       int self = 0;
148 +       int self = 0, add = 1;
149         te_assert_t *newassert;
150  
151         if (pass == 1) {
152 @@ -1986,19 +2026,23 @@
153         ebitmap_init(&ttypes);
154         ebitmap_init(&tclasses);
155  
156 +       ebitmap_init(&negset);
157         while ((id = queue_remove(id_queue))) {
158 -               if (set_types(&stypes, id))
159 +               if (set_types(&stypes, &negset, id, &add))
160                         return -1;
161         }
162 +       ebitmap_destroy(&negset);
163  
164 +       ebitmap_init(&negset);
165         while ((id = queue_remove(id_queue))) {
166                 if (strcmp(id, "self") == 0) {
167                         self = 1;
168                         continue;
169                 }
170 -               if (set_types(&ttypes, id))
171 +               if (set_types(&ttypes, &negset, id, &add))
172                         return -1;
173         }
174 +       ebitmap_destroy(&negset);
175  
176         hiclass = 0;
177         while ((id = queue_remove(id_queue))) {
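Review bot: The `self` shortcut at the top of the target loop bypasses set_types(), so `add` is never reset after a preceding `-`: `{ -self bar }` processes `-` (add = 0), skips `self`, and then clears `bar` instead of adding it. Either reject the combination with `if (!add) { yyerror("self cannot be negated"); return -1; }` before `self = 1;`, or reset `add = 1;` there. The `return -1` paths in this hunk also return without ebitmap_destroy(&negset), which matches how stypes/ttypes are already handled and is harmless only if the caller aborts on error, as checkpolicy appears to. The enclosing function continues past this hunk.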
178 @@ -2139,7 +2183,8 @@
179  {
180         role_datum_t *role;
181         char *role_id, *id;
182 -       int ret;
183 +       int ret, add = 1;
184 +       ebitmap_t negset;
185  
186         if (pass == 1) {
187                 while ((id = queue_remove(id_queue))) 
188 @@ -2173,10 +2218,12 @@
189         } else
190                 free(role_id);
191  
192 +       ebitmap_init(&negset);
193         while ((id = queue_remove(id_queue))) {
194 -               if (set_types(&role->types, id))
195 +               if (set_types(&role->types, &negset, id, &add))
196                         return -1;
197         }
198 +       ebitmap_destroy(&negset);
199  
200         return 0;
201  }
202 @@ -2325,9 +2372,10 @@
203  {
204         char *id;
205         role_datum_t *role;
206 -       ebitmap_t roles, types;
207 +       ebitmap_t roles, types, negset;
208         struct role_trans *tr = 0;
209         unsigned int i, j;
210 +       int add = 1;
211  
212         if (pass == 1) {
213                 while ((id = queue_remove(id_queue))) 
214 @@ -2347,10 +2395,12 @@
215                         return -1;
216         }
217  
218 +       ebitmap_init(&negset);
219         while ((id = queue_remove(id_queue))) {
220 -               if (set_types(&types, id))
221 +               if (set_types(&types, &negset, id, &add))
222                         return -1;
223         }
224 +       ebitmap_destroy(&negset);
225  
226         id = (char *) queue_remove(id_queue);
227         if (!id) {
228 @@ -2587,8 +2637,10 @@
229         struct constraint_expr *expr, *e1 = NULL, *e2;
230         user_datum_t *user;
231         role_datum_t *role;
232 +       ebitmap_t negset;
233         char *id;
234         __u32 val;
235 +       int add = 1;
236  
237         if (pass == 1) {
238                 if (expr_type == CEXPR_NAMES) {
239 @@ -2656,6 +2708,7 @@
240         case CEXPR_NAMES:
241                 expr->attr = arg1;
242                 expr->op = arg2;
243 +               ebitmap_init(&negset);
244                 while ((id = (char *) queue_remove(id_queue))) {
245                         if (expr->attr & CEXPR_USER) {
246                                 user = (user_datum_t *) hashtab_search(policydbp->p_users.table,
247 @@ -2678,7 +2731,7 @@
248                                 }
249                                 val = role->value;
250                         } else if (expr->attr & CEXPR_TYPE) {
251 -                               if (set_types(&expr->names, id)) {
252 +                               if (set_types(&expr->names, &negset, id, &add)) {
253                                         free(expr);
254                                         return 0;
255                                 }
256 @@ -2696,6 +2749,7 @@
257                         }
258                         free(id);
259                 }
260 +               ebitmap_destroy(&negset);
261                 return (uintptr_t)expr;
262         default:
263                 yyerror("invalid constraint expression");