diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 2c12447..5db1bca 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -415,6 +415,38 @@ int define_default_role(int which)
 	return 0;
 }
 
+int define_default_type(int which)
+{
+	char *id;
+	class_datum_t *cladatum;
+
+	if (pass == 1) {
+		while ((id = queue_remove(id_queue)))
+			free(id);
+		return 0;
+	}
+
+	while ((id = queue_remove(id_queue))) {
+		if (!is_id_in_scope(SYM_CLASSES, id)) {
+			yyerror2("class %s is not within scope", id);
+			return -1;
+		}
+		cladatum = hashtab_search(policydbp->p_classes.table, id);
+		if (!cladatum) {
+			yyerror2("unknown class %s", id);
+			return -1;
+		}
+		if (cladatum->default_type && cladatum->default_type != which) {
+			yyerror2("conflicting default type information for class %s", id);
+			return -1;
+		}
+		cladatum->default_type = which;
+		free(id);
+	}
+
+	return 0;
+}
+
 int define_default_range(int which)
 {
 	char *id;
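Review bot: Each of the three `return -1;` exits in the second loop of define_default_type leaves the `id` just removed from `id_queue` unfreed, while the success path at the bottom of the loop does `free(id)`. The rest of this commit tightens error-path cleanup, so the new function should do the same: add `free(id);` after each `yyerror2(...)` call (which still reads `id`) and before the `return -1;`. Separately, the test `cladatum->default_type && cladatum->default_type != which` treats 0 as "not yet set", which appears to assume the `which` constants are non-zero; a short comment such as `/* 0 means no default has been recorded for this class yet */` would make that explicit.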
@@ -2777,6 +2809,7 @@ int define_constraint(constraint_expr_t * expr)
 		}
 		if (!node->expr) {
 			yyerror("out of memory");
+			free(node);
 			return -1;
 		}
 		node->permissions = 0;
@@ -3068,13 +3101,11 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
 		ebitmap_destroy(&negset);
 		return (uintptr_t) expr;
 	default:
-		yyerror("invalid constraint expression");
-		constraint_expr_destroy(expr);
-		return 0;
+		break;
 	}
 
 	yyerror("invalid constraint expression");
-	free(expr);
+	constraint_expr_destroy(expr);
 	return 0;
 }
 
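Review bot: The shared failure tail of define_cexpr now calls `constraint_expr_destroy(expr)` where it used to call `free(expr)`, so every case that breaks out of the switch must leave `expr` and the members it owns in a state the destroy routine can release exactly once. The cases themselves lie outside this hunk, so this cannot be confirmed from the lines shown. If any case frees part of `expr` before breaking, the tail would presumably release it a second time. A comment above the tail would record the contract, e.g. `/* failure path: expr and everything it owns is released here; cases must not free parts of expr before break */`.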
@@ -3281,6 +3312,7 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
 		return expr;
 	default:
 		yyerror("illegal conditional expression");
+		free(expr);
 		return NULL;
 	}
 }
@@ -4627,7 +4659,10 @@ int define_range_trans(int class_specified)
 			goto out;
 		}
 
-		ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
+		if (ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE)) {
+			yyerror("out of memory");
+			goto out;
+		}
 	}
 
 	id = (char *)queue_remove(id_queue);
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index ccbe56f..8bfd8f6 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -26,6 +26,7 @@ int define_category(void);
 int define_class(void);
 int define_default_user(int which);
 int define_default_role(int which);
+int define_default_type(int which);
 int define_default_range(int which);
 int define_common_perms(void);
 int define_compute_type(int which);
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index d92cc32..b40f413 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -143,7 +143,7 @@ typedef int (* require_func_t)();
 %token POLICYCAP
 %token PERMISSIVE
 %token FILESYSTEM
-%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
 %token LOW_HIGH LOW HIGH
 
 %left OR
@@ -202,9 +202,11 @@ opt_default_rules	: default_rules
 			;
 default_rules		: default_user_def
 			| default_role_def
+			| default_type_def
 			| default_range_def
 			| default_rules default_user_def
 			| default_rules default_role_def
+			| default_rules default_type_def
 			| default_rules default_range_def
 			;
 default_user_def	: DEFAULT_USER names SOURCE ';'
@@ -217,6 +219,11 @@ default_role_def	: DEFAULT_ROLE names SOURCE ';'
 			| DEFAULT_ROLE names TARGET ';'
 			{if (define_default_role(DEFAULT_TARGET)) return -1; }
 			;
+default_type_def	: DEFAULT_TYPE names SOURCE ';'
+			{if (define_default_type(DEFAULT_SOURCE)) return -1; }
+			| DEFAULT_TYPE names TARGET ';'
+			{if (define_default_type(DEFAULT_TARGET)) return -1; }
+			;
 default_range_def	: DEFAULT_RANGE names SOURCE LOW ';'
 			{if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
 			| DEFAULT_RANGE names SOURCE HIGH ';'
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index 62d03f0..bba7667 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -229,6 +229,8 @@ default_user |
 DEFAULT_USER			{ return(DEFAULT_USER); }
 default_role |
 DEFAULT_ROLE			{ return(DEFAULT_ROLE); }
+default_type |
+DEFAULT_TYPE			{ return(DEFAULT_TYPE); }
 default_range |
 DEFAULT_RANGE			{ return(DEFAULT_RANGE); }
 low-high |
diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
index 6a951f6..96ef047 100644
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@@ -844,7 +844,10 @@ int main(int argc, char **argv)
 
 	/* read the binary policy */
 	fprintf(out_fp, "Reading policy...\n");
-	policydb_init(&policydb);
+	if (policydb_init(&policydb)) {
+		fprintf(stderr, "%s:  Out of memory!\n", __FUNCTION__);
+		exit(1);
+	}
 	if (read_policy(argv[1], &policydb)) {
 		fprintf(stderr,
 			"%s:  error(s) encountered while loading policy\n",