Wed Feb 7 2007 Dan Walsh <dwalsh@redhat.com> 2.0.1-1
- Upgrade to latest from NSA
Merged libsepol segfault fix from Stephen Smalley for when sensitivities
are required but not present in the base.
Merged patch to add errcodes.h to libsepol by Karl MacMillan.
Fri Jan 19 2007 Dan Walsh <dwalsh@redhat.com> 1.16.0-1
- Upgrade to latest from NSA
Updated version for stable branch.
This commit is contained in:
Daniel J Walsh
parent
91512f93d1
commit
f50a75ee09
|
|
@ -1,11 +1,237 @@
|
|||
diff --exclude-from=exclude -N -u -r nsalibsepol/Makefile libsepol-1.12.8/Makefile
|
||||
--- nsalibsepol/Makefile 2006-05-08 09:52:40.000000000 -0400
|
||||
+++ libsepol-1.12.8/Makefile 2006-05-08 10:12:29.000000000 -0400
|
||||
@@ -1,7 +1,6 @@
|
||||
all:
|
||||
$(MAKE) -C src
|
||||
$(MAKE) -C utils
|
||||
- $(MAKE) -C tests
|
||||
diff --exclude-from=exclude -N -u -r nsalibsepol/include/sepol/policydb/conditional.h libsepol-2.0.1/include/sepol/policydb/conditional.h
|
||||
--- nsalibsepol/include/sepol/policydb/conditional.h 2006-11-16 17:14:15.000000000 -0500
|
||||
+++ libsepol-2.0.1/include/sepol/policydb/conditional.h 2007-03-28 14:13:02.000000000 -0400
|
||||
@@ -100,6 +100,8 @@
|
||||
cond_node_t * needle, cond_node_t * haystack,
|
||||
int *was_created);
|
||||
|
||||
install:
|
||||
$(MAKE) -C include install
|
||||
+extern cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node);
|
||||
+
|
||||
extern cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list,
|
||||
cond_node_t * cn);
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsalibsepol/src/conditional.c libsepol-2.0.1/src/conditional.c
|
||||
--- nsalibsepol/src/conditional.c 2006-11-16 17:14:24.000000000 -0500
|
||||
+++ libsepol-2.0.1/src/conditional.c 2007-03-28 14:13:02.000000000 -0400
|
||||
@@ -26,9 +26,6 @@
|
||||
|
||||
#include "private.h"
|
||||
|
||||
-#undef min
|
||||
-#define min(a,b) (((a) < (b)) ? (a) : (b))
|
||||
-
|
||||
/* move all type rules to top of t/f lists to help kernel on evaluation */
|
||||
static void cond_optimize(cond_av_list_t ** l)
|
||||
{
|
||||
@@ -136,6 +133,38 @@
|
||||
return 1;
|
||||
}
|
||||
|
||||
+/* Create a new conditional node, optionally copying
|
||||
+ * the conditional expression from an existing node.
|
||||
+ * If node is NULL then a new node will be created
|
||||
+ * with no conditional expression.
|
||||
+ */
|
||||
+cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node)
|
||||
+{
|
||||
+ cond_node_t *new_node;
|
||||
+ unsigned int i;
|
||||
+
|
||||
+ new_node = (cond_node_t *)malloc(sizeof(cond_node_t));
|
||||
+ if (!new_node) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ memset(new_node, 0, sizeof(cond_node_t));
|
||||
+
|
||||
+ if (node) {
|
||||
+ new_node->expr = cond_copy_expr(node->expr);
|
||||
+ if (!new_node->expr) {
|
||||
+ free(new_node);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
|
||||
+ new_node->nbools = node->nbools;
|
||||
+ for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++)
|
||||
+ new_node->bool_ids[i] = node->bool_ids[i];
|
||||
+ new_node->expr_pre_comp = node->expr_pre_comp;
|
||||
+ }
|
||||
+
|
||||
+ return new_node;
|
||||
+}
|
||||
+
|
||||
/* Find a conditional (the needle) within a list of existing ones (the
|
||||
* haystack) that has a matching expression. If found, return a
|
||||
* pointer to the existing node, setting 'was_created' to 0.
|
||||
@@ -145,9 +174,6 @@
|
||||
cond_node_t * needle, cond_node_t * haystack,
|
||||
int *was_created)
|
||||
{
|
||||
- cond_node_t *new_node;
|
||||
- unsigned int i;
|
||||
-
|
||||
while (haystack) {
|
||||
if (cond_expr_equal(needle, haystack)) {
|
||||
*was_created = 0;
|
||||
@@ -156,26 +182,8 @@
|
||||
haystack = haystack->next;
|
||||
}
|
||||
*was_created = 1;
|
||||
- new_node = (cond_node_t *) malloc(sizeof(cond_node_t));
|
||||
- if (!new_node) {
|
||||
- return NULL;
|
||||
- }
|
||||
- memset(new_node, 0, sizeof(cond_node_t));
|
||||
- new_node->expr = cond_copy_expr(needle->expr);
|
||||
- if (!new_node->expr) {
|
||||
- free(new_node);
|
||||
- return NULL;
|
||||
- }
|
||||
- new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
|
||||
- new_node->nbools = needle->nbools;
|
||||
- for (i = 0; i < min(needle->nbools, COND_MAX_BOOLS); i++)
|
||||
- new_node->bool_ids[i] = needle->bool_ids[i];
|
||||
- new_node->expr_pre_comp = needle->expr_pre_comp;
|
||||
- new_node->true_list = NULL;
|
||||
- new_node->false_list = NULL;
|
||||
- new_node->avtrue_list = NULL;
|
||||
- new_node->avfalse_list = NULL;
|
||||
- return new_node;
|
||||
+
|
||||
+ return cond_node_create(p, needle);
|
||||
}
|
||||
|
||||
/* return either a pre-existing matching node or create a new node */
|
||||
diff --exclude-from=exclude -N -u -r nsalibsepol/src/expand.c libsepol-2.0.1/src/expand.c
|
||||
--- nsalibsepol/src/expand.c 2007-02-07 12:11:48.000000000 -0500
|
||||
+++ libsepol-2.0.1/src/expand.c 2007-03-28 14:13:02.000000000 -0400
|
||||
@@ -35,10 +35,12 @@
|
||||
#include <assert.h>
|
||||
|
||||
#include "debug.h"
|
||||
+#include "private.h"
|
||||
|
||||
typedef struct expand_state {
|
||||
int verbose;
|
||||
uint32_t *typemap;
|
||||
+ uint32_t *boolmap;
|
||||
policydb_t *base;
|
||||
policydb_t *out;
|
||||
sepol_handle_t *handle;
|
||||
@@ -791,8 +793,8 @@
|
||||
return -1;
|
||||
}
|
||||
|
||||
- new_bool->s.value = bool->s.value;
|
||||
state->out->p_bools.nprim++;
|
||||
+ new_bool->s.value = state->out->p_bools.nprim;
|
||||
|
||||
ret = hashtab_insert(state->out->p_bools.table,
|
||||
(hashtab_key_t) new_id,
|
||||
@@ -804,6 +806,8 @@
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ state->boolmap[bool->s.value - 1] = new_bool->s.value;
|
||||
+
|
||||
new_bool->state = bool->state;
|
||||
|
||||
return 0;
|
||||
@@ -1555,12 +1559,35 @@
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int cond_node_map_bools(expand_state_t * state, cond_node_t * cn)
|
||||
+{
|
||||
+ cond_expr_t *cur;
|
||||
+ unsigned int i;
|
||||
+
|
||||
+ cur = cn->expr;
|
||||
+ while (cur) {
|
||||
+ if (cur->bool)
|
||||
+ cur->bool = state->boolmap[cur->bool - 1];
|
||||
+ cur = cur->next;
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; i < min(cn->nbools, COND_MAX_BOOLS); i++)
|
||||
+ cn->bool_ids[i] = state->boolmap[cn->bool_ids[i] - 1];
|
||||
+
|
||||
+ if (cond_normalize_expr(state->out, cn)) {
|
||||
+ ERR(state->handle, "Error while normalizing conditional");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
/* copy the nodes in *reverse* order -- the result is that the last
|
||||
* given conditional appears first in the policy, so as to match the
|
||||
* behavior of the upstream compiler */
|
||||
static int cond_node_copy(expand_state_t * state, cond_node_t * cn)
|
||||
{
|
||||
- cond_node_t *new_cond;
|
||||
+ cond_node_t *new_cond, *tmp;
|
||||
|
||||
if (cn == NULL) {
|
||||
return 0;
|
||||
@@ -1573,11 +1600,26 @@
|
||||
return -1;
|
||||
}
|
||||
|
||||
- new_cond = cond_node_search(state->out, state->out->cond_list, cn);
|
||||
+ /* create a new temporary conditional node with the booleans
|
||||
+ * mapped */
|
||||
+ tmp = cond_node_create(state->base, cn);
|
||||
+ if (!tmp) {
|
||||
+ ERR(state->handle, "Out of memory");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (cond_node_map_bools(state, tmp)) {
|
||||
+ ERR(state->handle, "Error mapping booleans");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ new_cond = cond_node_search(state->out, state->out->cond_list, tmp);
|
||||
if (!new_cond) {
|
||||
+ cond_node_destroy(tmp);
|
||||
ERR(state->handle, "Out of memory!");
|
||||
return -1;
|
||||
}
|
||||
+ cond_node_destroy(tmp);
|
||||
|
||||
if (cond_avrule_list_copy
|
||||
(state->out, cn->avtrue_list, &state->out->te_cond_avtab,
|
||||
@@ -2210,6 +2252,12 @@
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
+ state.boolmap = (uint32_t *)calloc(state.base->p_bools.nprim, sizeof(uint32_t));
|
||||
+ if (!state.boolmap) {
|
||||
+ ERR(handle, "Out of memory!");
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
/* order is important - types must be first */
|
||||
|
||||
/* copy types */
|
||||
@@ -2364,6 +2412,7 @@
|
||||
|
||||
cleanup:
|
||||
free(state.typemap);
|
||||
+ free(state.boolmap);
|
||||
return retval;
|
||||
}
|
||||
|
||||
diff --exclude-from=exclude -N -u -r nsalibsepol/src/private.h libsepol-2.0.1/src/private.h
|
||||
--- nsalibsepol/src/private.h 2007-02-07 12:11:48.000000000 -0500
|
||||
+++ libsepol-2.0.1/src/private.h 2007-03-28 14:13:02.000000000 -0400
|
||||
@@ -24,6 +24,9 @@
|
||||
#define le64_to_cpu(x) bswap_64(x)
|
||||
#endif
|
||||
|
||||
+#undef min
|
||||
+#define min(a,b) (((a) < (b)) ? (a) : (b))
|
||||
+
|
||||
/* Policy compatibility information. */
|
||||
struct policydb_compat_info {
|
||||
unsigned int type;
|
||||
|
|
|
|||
|
|
@ -1,10 +1,11 @@
|
|||
Summary: SELinux binary policy manipulation library
|
||||
Name: libsepol
|
||||
Version: 2.0.1
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPL
|
||||
Group: System Environment/Libraries
|
||||
Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
|
||||
Patch: libsepol-rhat.patch
|
||||
|
||||
Prefix: %{_prefix}
|
||||
BuildRoot: %{_tmppath}/%{name}-buildroot
|
||||
|
|
@ -37,6 +38,7 @@ needed for developing applications that manipulate binary policies.
|
|||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch -p1 -b .rhat
|
||||
# sparc64 is an -fPIC arch, so we need to fix it here
|
||||
%ifarch sparc64
|
||||
sed -i 's/fpic/fPIC/g' src/Makefile
|
||||
|
|
@ -85,6 +87,7 @@ exit 0
|
|||
/%{_lib}/libsepol.so.1
|
||||
|
||||
%changelog
|
||||
* Wed Mar 28 2007 Dan Walsh <dwalsh@redhat.com> 2.0.1-2
|
||||
* Wed Feb 7 2007 Dan Walsh <dwalsh@redhat.com> 2.0.1-1
|
||||
- Upgrade to latest from NSA
|
||||
* Merged libsepol segfault fix from Stephen Smalley for when
|
||||
|
|
|
|||
Loading…
Reference in New Issue