diff --git a/checkpolicy-rhat.patch b/checkpolicy-rhat.patch index c6c639c..3104d70 100644 --- a/checkpolicy-rhat.patch +++ b/checkpolicy-rhat.patch @@ -1,33 +1,165 @@ -diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c -index 47603e0..cb58cf0 100644 ---- a/checkpolicy/checkmodule.c -+++ b/checkpolicy/checkmodule.c -@@ -63,10 +63,12 @@ static int read_binary_policy(policydb_t * p, char *file, char *progname) - if (fstat(fd, &sb) < 0) { - fprintf(stderr, "Can't stat '%s': %s\n", - file, strerror(errno)); -+ close(fd); - return -1; - } - map = - mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); -+ close(fd); - if (map == MAP_FAILED) { - fprintf(stderr, "Can't map '%s': %s\n", file, strerror(errno)); - return -1; diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c -index 8fa3214..2c12447 100644 +index 2c12447..5db1bca 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c -@@ -2341,7 +2341,10 @@ int define_role_trans(int class_specified) +@@ -415,6 +415,38 @@ int define_default_role(int which) + return 0; + } + ++int define_default_type(int which) ++{ ++ char *id; ++ class_datum_t *cladatum; ++ ++ if (pass == 1) { ++ while ((id = queue_remove(id_queue))) ++ free(id); ++ return 0; ++ } ++ ++ while ((id = queue_remove(id_queue))) { ++ if (!is_id_in_scope(SYM_CLASSES, id)) { ++ yyerror2("class %s is not within scope", id); ++ return -1; ++ } ++ cladatum = hashtab_search(policydbp->p_classes.table, id); ++ if (!cladatum) { ++ yyerror2("unknown class %s", id); ++ return -1; ++ } ++ if (cladatum->default_type && cladatum->default_type != which) { ++ yyerror2("conflicting default type information for class %s", id); ++ return -1; ++ } ++ cladatum->default_type = which; ++ free(id); ++ } ++ ++ return 0; ++} ++ + int define_default_range(int which) + { + char *id; +@@ -2777,6 +2809,7 @@ int define_constraint(constraint_expr_t * expr) + } + if (!node->expr) { + yyerror("out of memory"); ++ free(node); return -1; } + node->permissions = 0; +@@ -3068,13 +3101,11 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2) + ebitmap_destroy(&negset); + return (uintptr_t) expr; + default: +- yyerror("invalid constraint expression"); +- constraint_expr_destroy(expr); +- return 0; ++ break; + } + + yyerror("invalid constraint expression"); +- free(expr); ++ constraint_expr_destroy(expr); + return 0; + } + +@@ -3281,6 +3312,7 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2) + return expr; + default: + yyerror("illegal conditional expression"); ++ free(expr); + return NULL; + } + } +@@ -4627,7 +4659,10 @@ int define_range_trans(int class_specified) + goto out; + } -- ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE); -+ if (ebitmap_set_bit(&e_classes, cladatum->s.value - 1, TRUE)) { +- ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE); ++ if (ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE)) { + yyerror("out of memory"); -+ return -1; ++ goto out; + } } id = (char *)queue_remove(id_queue); +diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h +index ccbe56f..8bfd8f6 100644 +--- a/checkpolicy/policy_define.h ++++ b/checkpolicy/policy_define.h +@@ -26,6 +26,7 @@ int define_category(void); + int define_class(void); + int define_default_user(int which); + int define_default_role(int which); ++int define_default_type(int which); + int define_default_range(int which); + int define_common_perms(void); + int define_compute_type(int which); +diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y +index d92cc32..b40f413 100644 +--- a/checkpolicy/policy_parse.y ++++ b/checkpolicy/policy_parse.y +@@ -143,7 +143,7 @@ typedef int (* require_func_t)(); + %token POLICYCAP + %token PERMISSIVE + %token FILESYSTEM +-%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE ++%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE + %token LOW_HIGH LOW HIGH + + %left OR +@@ -202,9 +202,11 @@ opt_default_rules : default_rules + ; + default_rules : default_user_def + | default_role_def ++ | default_type_def + | default_range_def + | default_rules default_user_def + | default_rules default_role_def ++ | default_rules default_type_def + | default_rules default_range_def + ; + default_user_def : DEFAULT_USER names SOURCE ';' +@@ -217,6 +219,11 @@ default_role_def : DEFAULT_ROLE names SOURCE ';' + | DEFAULT_ROLE names TARGET ';' + {if (define_default_role(DEFAULT_TARGET)) return -1; } + ; ++default_type_def : DEFAULT_TYPE names SOURCE ';' ++ {if (define_default_type(DEFAULT_SOURCE)) return -1; } ++ | DEFAULT_TYPE names TARGET ';' ++ {if (define_default_type(DEFAULT_TARGET)) return -1; } ++ ; + default_range_def : DEFAULT_RANGE names SOURCE LOW ';' + {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; } + | DEFAULT_RANGE names SOURCE HIGH ';' +diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l +index 62d03f0..bba7667 100644 +--- a/checkpolicy/policy_scan.l ++++ b/checkpolicy/policy_scan.l +@@ -229,6 +229,8 @@ default_user | + DEFAULT_USER { return(DEFAULT_USER); } + default_role | + DEFAULT_ROLE { return(DEFAULT_ROLE); } ++default_type | ++DEFAULT_TYPE { return(DEFAULT_TYPE); } + default_range | + DEFAULT_RANGE { return(DEFAULT_RANGE); } + low-high | +diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c +index 6a951f6..96ef047 100644 +--- a/checkpolicy/test/dismod.c ++++ b/checkpolicy/test/dismod.c +@@ -844,7 +844,10 @@ int main(int argc, char **argv) + + /* read the binary policy */ + fprintf(out_fp, "Reading policy...\n"); +- policydb_init(&policydb); ++ if (policydb_init(&policydb)) { ++ fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__); ++ exit(1); ++ } + if (read_policy(argv[1], &policydb)) { + fprintf(stderr, + "%s: error(s) encountered while loading policy\n", diff --git a/checkpolicy.spec b/checkpolicy.spec index 807796b..da05a4e 100644 --- a/checkpolicy.spec +++ b/checkpolicy.spec @@ -1,5 +1,5 @@ %define libselinuxver 2.1.11-1 -%define libsepolver 2.1.8-2 +%define libsepolver 2.1.8-5 Summary: SELinux policy compiler Name: checkpolicy Version: 2.1.11