|
|
a1e6032 |
diff --git checkpolicy-2.5/Android.mk checkpolicy-2.5/Android.mk
|
|
|
a1e6032 |
index 98f5168..3b7ff8a 100644
|
|
|
a1e6032 |
--- checkpolicy-2.5/Android.mk
|
|
|
a1e6032 |
+++ checkpolicy-2.5/Android.mk
|
|
|
a1e6032 |
@@ -12,10 +12,6 @@ common_cflags := \
|
|
|
a1e6032 |
-Wall -Wshadow -O2 \
|
|
|
a1e6032 |
-pipe -fno-strict-aliasing \
|
|
|
a1e6032 |
|
|
|
a1e6032 |
-ifeq ($(HOST_OS),darwin)
|
|
|
a1e6032 |
-common_cflags += -DDARWIN
|
|
|
a1e6032 |
-endif
|
|
|
a1e6032 |
-
|
|
|
a1e6032 |
common_includes := \
|
|
|
a1e6032 |
$(LOCAL_PATH)/ \
|
|
|
a1e6032 |
$(LOCAL_PATH)/../libsepol/include/ \
|
|
|
65b4436 |
diff --git checkpolicy-2.5/ChangeLog checkpolicy-2.5/ChangeLog
|
|
|
a1e6032 |
index dfe4908..429a163 100644
|
|
|
65b4436 |
--- checkpolicy-2.5/ChangeLog
|
|
|
65b4436 |
+++ checkpolicy-2.5/ChangeLog
|
|
|
a1e6032 |
@@ -1,3 +1,9 @@
|
|
|
a1e6032 |
+ * Set flex as default lexer, from Julien Pivotto.
|
|
|
a1e6032 |
+ * Fix checkmodule output message, from Petr Lautrbach.
|
|
|
43d653f |
+ * Build policy on systems not supporting DCCP protocol, from Richard Haines.
|
|
|
43d653f |
+ * Fail if module name different than output base filename, from James Carter
|
|
|
65b4436 |
+ * Add support for portcon dccp protocol, from Richard Haines
|
|
|
a1e6032 |
+
|
|
|
65b4436 |
2.5 2016-02-23
|
|
|
65b4436 |
* Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
|
|
|
65b4436 |
* fix double free on name-based type transitions, from Stephen Smalley.
|
|
|
a1e6032 |
diff --git checkpolicy-2.5/Makefile checkpolicy-2.5/Makefile
|
|
|
a1e6032 |
index e5fae3d..53a3074 100644
|
|
|
a1e6032 |
--- checkpolicy-2.5/Makefile
|
|
|
a1e6032 |
+++ checkpolicy-2.5/Makefile
|
|
|
a1e6032 |
@@ -8,6 +8,7 @@ LIBDIR ?= $(PREFIX)/lib
|
|
|
a1e6032 |
INCLUDEDIR ?= $(PREFIX)/include
|
|
|
a1e6032 |
TARGETS = checkpolicy checkmodule
|
|
|
a1e6032 |
|
|
|
a1e6032 |
+LEX = flex
|
|
|
a1e6032 |
YACC = bison -y
|
|
|
a1e6032 |
|
|
|
a1e6032 |
CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
|
|
|
43d653f |
diff --git checkpolicy-2.5/checkmodule.c checkpolicy-2.5/checkmodule.c
|
|
|
a1e6032 |
index 5957d29..53cc5a0 100644
|
|
|
43d653f |
--- checkpolicy-2.5/checkmodule.c
|
|
|
43d653f |
+++ checkpolicy-2.5/checkmodule.c
|
|
|
43d653f |
@@ -19,6 +19,7 @@
|
|
|
43d653f |
#include <stdio.h>
|
|
|
43d653f |
#include <errno.h>
|
|
|
43d653f |
#include <sys/mman.h>
|
|
|
43d653f |
+#include <libgen.h>
|
|
|
43d653f |
|
|
|
43d653f |
#include <sepol/module_to_cil.h>
|
|
|
43d653f |
#include <sepol/policydb/policydb.h>
|
|
|
43d653f |
@@ -258,6 +259,25 @@ int main(int argc, char **argv)
|
|
|
43d653f |
}
|
|
|
43d653f |
}
|
|
|
43d653f |
|
|
|
43d653f |
+ if (policy_type != POLICY_BASE && outfile) {
|
|
|
43d653f |
+ char *mod_name = modpolicydb.name;
|
|
|
43d653f |
+ char *out_path = strdup(outfile);
|
|
|
43d653f |
+ if (out_path == NULL) {
|
|
|
43d653f |
+ fprintf(stderr, "%s: out of memory\n", argv[0]);
|
|
|
43d653f |
+ exit(1);
|
|
|
43d653f |
+ }
|
|
|
43d653f |
+ char *out_name = basename(out_path);
|
|
|
43d653f |
+ char *separator = strrchr(out_name, '.');
|
|
|
43d653f |
+ if (separator) {
|
|
|
43d653f |
+ *separator = '\0';
|
|
|
43d653f |
+ }
|
|
|
43d653f |
+ if (strcmp(mod_name, out_name) != 0) {
|
|
|
43d653f |
+ fprintf(stderr, "%s: Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
|
|
|
43d653f |
+ exit(1);
|
|
|
43d653f |
+ }
|
|
|
43d653f |
+ free(out_path);
|
|
|
43d653f |
+ }
|
|
|
43d653f |
+
|
|
|
43d653f |
if (modpolicydb.policy_type == POLICY_BASE && !cil) {
|
|
|
43d653f |
/* Verify that we can successfully expand the base module. */
|
|
|
43d653f |
policydb_t kernpolicydb;
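Review bot: `strcmp(mod_name, out_name)` dereferences `modpolicydb.name` with no NULL check, so a module whose name field is unset would crash here instead of producing a diagnostic; whether the parser guarantees a name for every non-base module is not visible in this hunk, so the guard is cheap insurance: `if (mod_name == NULL) { fprintf(stderr, "%s: module has no name\n", argv[0]); exit(1); }` before the `strdup`. The `strdup` copy deserves a why-comment, since the reason is not obvious: `/* POSIX basename() may modify its argument and return static storage; work on a copy. */`. Note also that `strrchr(out_name, '.')` strips only the last suffix, so `foo.pp.bak` compares as `foo.pp` and a leading-dot name such as `.pp` compares as the empty string; if that is acceptable, say so in a comment. `out_path` is not freed on the mismatch path, which is harmless only because `exit(1)` follows. The enclosing `main` starts and ends outside this hunk.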
|
|
|
a1e6032 |
@@ -294,7 +314,7 @@ int main(int argc, char **argv)
|
|
|
a1e6032 |
|
|
|
a1e6032 |
if (!cil) {
|
|
|
a1e6032 |
printf("%s: writing binary representation (version %d) to %s\n",
|
|
|
a1e6032 |
- argv[0], policyvers, file);
|
|
|
a1e6032 |
+ argv[0], policyvers, outfile);
|
|
|
a1e6032 |
|
|
|
a1e6032 |
if (write_binary_policy(&modpolicydb, outfp) != 0) {
|
|
|
a1e6032 |
fprintf(stderr, "%s: error writing %s\n", argv[0], outfile);
|
|
|
65b4436 |
diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c
|
|
|
a1e6032 |
index 9da661e..2d68316 100644
|
|
|
65b4436 |
--- checkpolicy-2.5/checkpolicy.c
|
|
|
65b4436 |
+++ checkpolicy-2.5/checkpolicy.c
|
|
|
a1e6032 |
@@ -64,13 +64,16 @@
|
|
|
43d653f |
#include <sys/stat.h>
|
|
|
43d653f |
#include <sys/socket.h>
|
|
|
43d653f |
#include <netinet/in.h>
|
|
|
43d653f |
+#ifndef IPPROTO_DCCP
|
|
|
43d653f |
+#define IPPROTO_DCCP 33
|
|
|
43d653f |
+#endif
|
|
|
43d653f |
#include <arpa/inet.h>
|
|
|
43d653f |
#include <fcntl.h>
|
|
|
43d653f |
#include <stdio.h>
|
|
|
a1e6032 |
#include <errno.h>
|
|
|
a1e6032 |
#include <sys/mman.h>
|
|
|
a1e6032 |
|
|
|
a1e6032 |
-#ifdef DARWIN
|
|
|
a1e6032 |
+#ifdef __APPLE__
|
|
|
a1e6032 |
#include <ctype.h>
|
|
|
a1e6032 |
#endif
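Review bot: The `#ifndef IPPROTO_DCCP` / `#define IPPROTO_DCCP 33` fallback added here is repeated verbatim in policy_define.c (the hunk at `@@ -36,6 +36,9 @@`), so the constant is now owned by two translation units and a future correction would have to be made twice. It would be better hoisted into a header both files already include, defined once with a comment naming its source, e.g. `/* IANA-assigned DCCP protocol number; missing from older <netinet/in.h> */`. Splicing the conditional between two `#include` lines also makes it easy to miss on a read of the include list; placing it after the last system include, or in the shared header, keeps the includes contiguous.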
|
|
|
a1e6032 |
|
|
|
43d653f |
@@ -919,6 +922,8 @@ int main(int argc, char **argv)
|
|
|
65b4436 |
protocol = IPPROTO_TCP;
|
|
|
65b4436 |
else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP"))
|
|
|
65b4436 |
protocol = IPPROTO_UDP;
|
|
|
65b4436 |
+ else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
|
|
|
65b4436 |
+ protocol = IPPROTO_DCCP;
|
|
|
65b4436 |
else {
|
|
|
65b4436 |
printf("unknown protocol\n");
|
|
|
65b4436 |
break;
|
|
|
65b4436 |
diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c
|
|
|
a1e6032 |
index ee20fea..100e517 100644
|
|
|
65b4436 |
--- checkpolicy-2.5/policy_define.c
|
|
|
65b4436 |
+++ checkpolicy-2.5/policy_define.c
|
|
|
43d653f |
@@ -36,6 +36,9 @@
|
|
|
43d653f |
#include <string.h>
|
|
|
43d653f |
#include <sys/socket.h>
|
|
|
43d653f |
#include <netinet/in.h>
|
|
|
43d653f |
+#ifndef IPPROTO_DCCP
|
|
|
43d653f |
+#define IPPROTO_DCCP 33
|
|
|
43d653f |
+#endif
|
|
|
43d653f |
#include <arpa/inet.h>
|
|
|
43d653f |
#include <stdlib.h>
|
|
|
43d653f |
#include <limits.h>
|
|
|
43d653f |
@@ -4876,6 +4879,8 @@ int define_port_context(unsigned int low, unsigned int high)
|
|
|
65b4436 |
protocol = IPPROTO_TCP;
|
|
|
65b4436 |
} else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
|
|
|
65b4436 |
protocol = IPPROTO_UDP;
|
|
|
65b4436 |
+ } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
|
|
|
65b4436 |
+ protocol = IPPROTO_DCCP;
|
|
|
65b4436 |
} else {
|
|
|
65b4436 |
yyerror2("unrecognized protocol %s", id);
|
|
|
65b4436 |
free(newc);
|
|
|
a1e6032 |
@@ -5135,7 +5140,7 @@ int define_ipv6_node_context(void)
|
|
|
a1e6032 |
|
|
|
a1e6032 |
memset(newc, 0, sizeof(ocontext_t));
|
|
|
a1e6032 |
|
|
|
a1e6032 |
-#ifdef DARWIN
|
|
|
a1e6032 |
+#ifdef __APPLE__
|
|
|
a1e6032 |
memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);
|
|
|
a1e6032 |
memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);
|
|
|
a1e6032 |
#else
|