| Message ID | 20230714173240.192987-1-jwcart2@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | e60939110598 |
| Delegated to: | Petr Lautrbach |
| Headers | show |
| Series | checkpolicy: Remove support for role dominance rules | expand |
On Fri, Jul 14, 2023 at 1:32 PM James Carter <jwcart2@gmail.com> wrote: > > Role dominance has been deprecated for a very, very long time (since > at least August 2008) and has never been used in any widely deployed > policy. > > Remove support for compiling role dominance rules. > > Support will remain, for now, in libsepol for backwards compatibility. > > Signed-off-by: James Carter <jwcart2@gmail.com> There should not be any controversy over this patch, so I plan on merging it soon unless someone objects. Jim > --- > checkpolicy/policy_define.c | 184 ------------------------------------ > checkpolicy/policy_define.h | 2 - > checkpolicy/policy_parse.y | 14 --- > 3 files changed, 200 deletions(-) > > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c > index 8421b253..23a65339 100644 > --- a/checkpolicy/policy_define.c > +++ b/checkpolicy/policy_define.c > @@ -2926,190 +2926,6 @@ int define_roleattribute(void) > return 0; > } > > -role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2) > -{ > - role_datum_t *new; > - > - if (pass == 1) { > - return (role_datum_t *) 1; /* any non-NULL value */ > - } > - > - new = malloc(sizeof(role_datum_t)); > - if (!new) { > - yyerror("out of memory"); > - return NULL; > - } > - memset(new, 0, sizeof(role_datum_t)); > - new->s.value = 0; /* temporary role */ > - if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) { > - yyerror("out of memory"); > - free(new); > - return NULL; > - } > - if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) { > - yyerror("out of memory"); > - free(new); > - return NULL; > - } > - if (!r1->s.value) { > - /* free intermediate result */ > - type_set_destroy(&r1->types); > - ebitmap_destroy(&r1->dominates); > - free(r1); > - } > - if (!r2->s.value) { > - /* free intermediate result */ > - yyerror("right hand role is temporary?"); > - type_set_destroy(&r2->types); > - ebitmap_destroy(&r2->dominates); > - free(r2); > - } > - return new; > -} > - > -/* This function eliminates the ordering dependency of role dominance rule */ > -static int dominate_role_recheck(hashtab_key_t key __attribute__ ((unused)), > - hashtab_datum_t datum, void *arg) > -{ > - role_datum_t *rdp = (role_datum_t *) arg; > - role_datum_t *rdatum = (role_datum_t *) datum; > - ebitmap_node_t *node; > - uint32_t i; > - > - /* Don't bother to process against self role */ > - if (rdatum->s.value == rdp->s.value) > - return 0; > - > - /* If a dominating role found */ > - if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) { > - ebitmap_t types; > - ebitmap_init(&types); > - if (type_set_expand(&rdp->types, &types, policydbp, 1)) { > - ebitmap_destroy(&types); > - return -1; > - } > - /* raise types and dominates from dominated role */ > - ebitmap_for_each_positive_bit(&rdp->dominates, node, i) { > - if (ebitmap_set_bit(&rdatum->dominates, i, TRUE)) > - goto oom; > - } > - ebitmap_for_each_positive_bit(&types, node, i) { > - if (ebitmap_set_bit(&rdatum->types.types, i, TRUE)) > - goto oom; > - } > - ebitmap_destroy(&types); > - } > - > - /* go through all the roles */ > - return 0; > - oom: > - yyerror("Out of memory"); > - return -1; > -} > - > -role_datum_t *define_role_dom(role_datum_t * r) > -{ > - role_datum_t *role; > - char *role_id; > - ebitmap_node_t *node; > - unsigned int i; > - int ret; > - > - if (pass == 1) { > - role_id = queue_remove(id_queue); > - free(role_id); > - return (role_datum_t *) 1; /* any non-NULL value */ > - } > - > - yywarn("Role dominance has been deprecated"); > - > - role_id = queue_remove(id_queue); > - if (!is_id_in_scope(SYM_ROLES, role_id)) { > - yyerror2("role %s is not within scope", role_id); > - free(role_id); > - return NULL; > - } > - role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, > - role_id); > - if (!role) { > - role = (role_datum_t *) malloc(sizeof(role_datum_t)); > - if (!role) { > - yyerror("out of memory"); > - free(role_id); > - return NULL; > - } > - memset(role, 0, sizeof(role_datum_t)); > - ret = > - declare_symbol(SYM_ROLES, (hashtab_key_t) role_id, > - (hashtab_datum_t) role, &role->s.value, > - &role->s.value); > - switch (ret) { > - case -3:{ > - yyerror("Out of memory!"); > - goto cleanup; > - } > - case -2:{ > - yyerror2("duplicate declaration of role %s", > - role_id); > - goto cleanup; > - } > - case -1:{ > - yyerror("could not declare role here"); > - goto cleanup; > - } > - case 0: > - case 1:{ > - break; > - } > - default:{ > - assert(0); /* should never get here */ > - } > - } > - if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) { > - yyerror("Out of memory!"); > - goto cleanup; > - } > - } > - if (r) { > - ebitmap_t types; > - ebitmap_init(&types); > - ebitmap_for_each_positive_bit(&r->dominates, node, i) { > - if (ebitmap_set_bit(&role->dominates, i, TRUE)) > - goto oom; > - } > - if (type_set_expand(&r->types, &types, policydbp, 1)) { > - ebitmap_destroy(&types); > - return NULL; > - } > - ebitmap_for_each_positive_bit(&types, node, i) { > - if (ebitmap_set_bit(&role->types.types, i, TRUE)) > - goto oom; > - } > - ebitmap_destroy(&types); > - if (!r->s.value) { > - /* free intermediate result */ > - type_set_destroy(&r->types); > - ebitmap_destroy(&r->dominates); > - free(r); > - } > - /* > - * Now go through all the roles and escalate this role's > - * dominates and types if a role dominates this role. > - */ > - hashtab_map(policydbp->p_roles.table, > - dominate_role_recheck, role); > - } > - return role; > - cleanup: > - free(role_id); > - role_datum_destroy(role); > - free(role); > - return NULL; > - oom: > - yyerror("Out of memory"); > - goto cleanup; > -} > - > static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum, > void *p) > { > diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h > index c1314871..7c5a4e6c 100644 > --- a/checkpolicy/policy_define.h > +++ b/checkpolicy/policy_define.h > @@ -69,8 +69,6 @@ int define_validatetrans(constraint_expr_t *expr); > int expand_attrib(void); > int insert_id(const char *id,int push); > int insert_separator(int push); > -role_datum_t *define_role_dom(role_datum_t *r); > -role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2); > uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2); > > #endif /* _POLICY_DEFINE_H_ */ > diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y > index 6b6890a3..02b076c7 100644 > --- a/checkpolicy/policy_parse.y > +++ b/checkpolicy/policy_parse.y > @@ -76,7 +76,6 @@ typedef int (* require_func_t)(int pass); > %type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else > %type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def > %type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def > -%type <ptr> role_def roles > %type <valptr> cexpr cexpr_prim op role_mls_op > %type <val> ipv4_addr_def number > %type <val64> number64 > @@ -312,7 +311,6 @@ te_rbac_decl : te_decl > ; > rbac_decl : attribute_role_def > | role_type_def > - | role_dominance > | role_trans_def > | role_allow_def > | roleattribute_def > @@ -515,8 +513,6 @@ role_type_def : ROLE identifier TYPES names ';' > role_attr_def : ROLE identifier opt_attr_list ';' > {if (define_role_attr()) return -1;} > ; > -role_dominance : DOMINANCE '{' roles '}' > - ; > role_trans_def : ROLE_TRANSITION names names identifier ';' > {if (define_role_trans(0)) return -1; } > | ROLE_TRANSITION names names ':' names identifier ';' > @@ -525,16 +521,6 @@ role_trans_def : ROLE_TRANSITION names names identifier ';' > role_allow_def : ALLOW names names ';' > {if (define_role_allow()) return -1; } > ; > -roles : role_def > - { $$ = $1; } > - | roles role_def > - { $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;} > - ; > -role_def : ROLE identifier_push ';' > - {$$ = define_role_dom(NULL); if ($$ == 0) return -1;} > - | ROLE identifier_push '{' roles '}' > - {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;} > - ; > roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';' > {if (define_roleattribute()) return -1;} > ; > -- > 2.41.0 >
James Carter <jwcart2@gmail.com> writes: > On Fri, Jul 14, 2023 at 1:32 PM James Carter <jwcart2@gmail.com> wrote: >> >> Role dominance has been deprecated for a very, very long time (since >> at least August 2008) and has never been used in any widely deployed >> policy. >> >> Remove support for compiling role dominance rules. >> >> Support will remain, for now, in libsepol for backwards compatibility. >> >> Signed-off-by: James Carter <jwcart2@gmail.com> > > There should not be any controversy over this patch, so I plan on > merging it soon unless someone objects. > Jim Acked-by: Petr Lautrbach <lautrbach@redhat.com> > >> --- >> checkpolicy/policy_define.c | 184 ------------------------------------ >> checkpolicy/policy_define.h | 2 - >> checkpolicy/policy_parse.y | 14 --- >> 3 files changed, 200 deletions(-) >> >> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c >> index 8421b253..23a65339 100644 >> --- a/checkpolicy/policy_define.c >> +++ b/checkpolicy/policy_define.c >> @@ -2926,190 +2926,6 @@ int define_roleattribute(void) >> return 0; >> } >> >> -role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2) >> -{ >> - role_datum_t *new; >> - >> - if (pass == 1) { >> - return (role_datum_t *) 1; /* any non-NULL value */ >> - } >> - >> - new = malloc(sizeof(role_datum_t)); >> - if (!new) { >> - yyerror("out of memory"); >> - return NULL; >> - } >> - memset(new, 0, sizeof(role_datum_t)); >> - new->s.value = 0; /* temporary role */ >> - if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) { >> - yyerror("out of memory"); >> - free(new); >> - return NULL; >> - } >> - if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) { >> - yyerror("out of memory"); >> - free(new); >> - return NULL; >> - } >> - if (!r1->s.value) { >> - /* free intermediate result */ >> - type_set_destroy(&r1->types); >> - ebitmap_destroy(&r1->dominates); >> - free(r1); >> - } >> - if (!r2->s.value) { >> - /* free intermediate result */ >> - yyerror("right hand role is temporary?"); >> - type_set_destroy(&r2->types); >> - ebitmap_destroy(&r2->dominates); >> - free(r2); >> - } >> - return new; >> -} >> - >> -/* This function eliminates the ordering dependency of role dominance rule */ >> -static int dominate_role_recheck(hashtab_key_t key __attribute__ ((unused)), >> - hashtab_datum_t datum, void *arg) >> -{ >> - role_datum_t *rdp = (role_datum_t *) arg; >> - role_datum_t *rdatum = (role_datum_t *) datum; >> - ebitmap_node_t *node; >> - uint32_t i; >> - >> - /* Don't bother to process against self role */ >> - if (rdatum->s.value == rdp->s.value) >> - return 0; >> - >> - /* If a dominating role found */ >> - if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) { >> - ebitmap_t types; >> - ebitmap_init(&types); >> - if (type_set_expand(&rdp->types, &types, policydbp, 1)) { >> - ebitmap_destroy(&types); >> - return -1; >> - } >> - /* raise types and dominates from dominated role */ >> - ebitmap_for_each_positive_bit(&rdp->dominates, node, i) { >> - if (ebitmap_set_bit(&rdatum->dominates, i, TRUE)) >> - goto oom; >> - } >> - ebitmap_for_each_positive_bit(&types, node, i) { >> - if (ebitmap_set_bit(&rdatum->types.types, i, TRUE)) >> - goto oom; >> - } >> - ebitmap_destroy(&types); >> - } >> - >> - /* go through all the roles */ >> - return 0; >> - oom: >> - yyerror("Out of memory"); >> - return -1; >> -} >> - >> -role_datum_t *define_role_dom(role_datum_t * r) >> -{ >> - role_datum_t *role; >> - char *role_id; >> - ebitmap_node_t *node; >> - unsigned int i; >> - int ret; >> - >> - if (pass == 1) { >> - role_id = queue_remove(id_queue); >> - free(role_id); >> - return (role_datum_t *) 1; /* any non-NULL value */ >> - } >> - >> - yywarn("Role dominance has been deprecated"); >> - >> - role_id = queue_remove(id_queue); >> - if (!is_id_in_scope(SYM_ROLES, role_id)) { >> - yyerror2("role %s is not within scope", role_id); >> - free(role_id); >> - return NULL; >> - } >> - role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, >> - role_id); >> - if (!role) { >> - role = (role_datum_t *) malloc(sizeof(role_datum_t)); >> - if (!role) { >> - yyerror("out of memory"); >> - free(role_id); >> - return NULL; >> - } >> - memset(role, 0, sizeof(role_datum_t)); >> - ret = >> - declare_symbol(SYM_ROLES, (hashtab_key_t) role_id, >> - (hashtab_datum_t) role, &role->s.value, >> - &role->s.value); >> - switch (ret) { >> - case -3:{ >> - yyerror("Out of memory!"); >> - goto cleanup; >> - } >> - case -2:{ >> - yyerror2("duplicate declaration of role %s", >> - role_id); >> - goto cleanup; >> - } >> - case -1:{ >> - yyerror("could not declare role here"); >> - goto cleanup; >> - } >> - case 0: >> - case 1:{ >> - break; >> - } >> - default:{ >> - assert(0); /* should never get here */ >> - } >> - } >> - if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) { >> - yyerror("Out of memory!"); >> - goto cleanup; >> - } >> - } >> - if (r) { >> - ebitmap_t types; >> - ebitmap_init(&types); >> - ebitmap_for_each_positive_bit(&r->dominates, node, i) { >> - if (ebitmap_set_bit(&role->dominates, i, TRUE)) >> - goto oom; >> - } >> - if (type_set_expand(&r->types, &types, policydbp, 1)) { >> - ebitmap_destroy(&types); >> - return NULL; >> - } >> - ebitmap_for_each_positive_bit(&types, node, i) { >> - if (ebitmap_set_bit(&role->types.types, i, TRUE)) >> - goto oom; >> - } >> - ebitmap_destroy(&types); >> - if (!r->s.value) { >> - /* free intermediate result */ >> - type_set_destroy(&r->types); >> - ebitmap_destroy(&r->dominates); >> - free(r); >> - } >> - /* >> - * Now go through all the roles and escalate this role's >> - * dominates and types if a role dominates this role. >> - */ >> - hashtab_map(policydbp->p_roles.table, >> - dominate_role_recheck, role); >> - } >> - return role; >> - cleanup: >> - free(role_id); >> - role_datum_destroy(role); >> - free(role); >> - return NULL; >> - oom: >> - yyerror("Out of memory"); >> - goto cleanup; >> -} >> - >> static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum, >> void *p) >> { >> diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h >> index c1314871..7c5a4e6c 100644 >> --- a/checkpolicy/policy_define.h >> +++ b/checkpolicy/policy_define.h >> @@ -69,8 +69,6 @@ int define_validatetrans(constraint_expr_t *expr); >> int expand_attrib(void); >> int insert_id(const char *id,int push); >> int insert_separator(int push); >> -role_datum_t *define_role_dom(role_datum_t *r); >> -role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2); >> uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2); >> >> #endif /* _POLICY_DEFINE_H_ */ >> diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y >> index 6b6890a3..02b076c7 100644 >> --- a/checkpolicy/policy_parse.y >> +++ b/checkpolicy/policy_parse.y >> @@ -76,7 +76,6 @@ typedef int (* require_func_t)(int pass); >> %type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else >> %type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def >> %type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def >> -%type <ptr> role_def roles >> %type <valptr> cexpr cexpr_prim op role_mls_op >> %type <val> ipv4_addr_def number >> %type <val64> number64 >> @@ -312,7 +311,6 @@ te_rbac_decl : te_decl >> ; >> rbac_decl : attribute_role_def >> | role_type_def >> - | role_dominance >> | role_trans_def >> | role_allow_def >> | roleattribute_def >> @@ -515,8 +513,6 @@ role_type_def : ROLE identifier TYPES names ';' >> role_attr_def : ROLE identifier opt_attr_list ';' >> {if (define_role_attr()) return -1;} >> ; >> -role_dominance : DOMINANCE '{' roles '}' >> - ; >> role_trans_def : ROLE_TRANSITION names names identifier ';' >> {if (define_role_trans(0)) return -1; } >> | ROLE_TRANSITION names names ':' names identifier ';' >> @@ -525,16 +521,6 @@ role_trans_def : ROLE_TRANSITION names names identifier ';' >> role_allow_def : ALLOW names names ';' >> {if (define_role_allow()) return -1; } >> ; >> -roles : role_def >> - { $$ = $1; } >> - | roles role_def >> - { $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;} >> - ; >> -role_def : ROLE identifier_push ';' >> - {$$ = define_role_dom(NULL); if ($$ == 0) return -1;} >> - | ROLE identifier_push '{' roles '}' >> - {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;} >> - ; >> roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';' >> {if (define_roleattribute()) return -1;} >> ; >> -- >> 2.41.0 >>
On Tue, Aug 15, 2023 at 2:50 AM Petr Lautrbach <lautrbach@redhat.com> wrote: > > James Carter <jwcart2@gmail.com> writes: > > > On Fri, Jul 14, 2023 at 1:32 PM James Carter <jwcart2@gmail.com> wrote: > >> > >> Role dominance has been deprecated for a very, very long time (since > >> at least August 2008) and has never been used in any widely deployed > >> policy. > >> > >> Remove support for compiling role dominance rules. > >> > >> Support will remain, for now, in libsepol for backwards compatibility. > >> > >> Signed-off-by: James Carter <jwcart2@gmail.com> > > > > There should not be any controversy over this patch, so I plan on > > merging it soon unless someone objects. > > Jim > > Acked-by: Petr Lautrbach <lautrbach@redhat.com> > Merged. Thanks, Jim > > > >> --- > >> checkpolicy/policy_define.c | 184 ------------------------------------ > >> checkpolicy/policy_define.h | 2 - > >> checkpolicy/policy_parse.y | 14 --- > >> 3 files changed, 200 deletions(-) > >> > >> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c > >> index 8421b253..23a65339 100644 > >> --- a/checkpolicy/policy_define.c > >> +++ b/checkpolicy/policy_define.c > >> @@ -2926,190 +2926,6 @@ int define_roleattribute(void) > >> return 0; > >> } > >> > >> -role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2) > >> -{ > >> - role_datum_t *new; > >> - > >> - if (pass == 1) { > >> - return (role_datum_t *) 1; /* any non-NULL value */ > >> - } > >> - > >> - new = malloc(sizeof(role_datum_t)); > >> - if (!new) { > >> - yyerror("out of memory"); > >> - return NULL; > >> - } > >> - memset(new, 0, sizeof(role_datum_t)); > >> - new->s.value = 0; /* temporary role */ > >> - if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) { > >> - yyerror("out of memory"); > >> - free(new); > >> - return NULL; > >> - } > >> - if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) { > >> - yyerror("out of memory"); > >> - free(new); > >> - return NULL; > >> - } > >> - if (!r1->s.value) { > >> - /* free intermediate result */ > >> - type_set_destroy(&r1->types); > >> - ebitmap_destroy(&r1->dominates); > >> - free(r1); > >> - } > >> - if (!r2->s.value) { > >> - /* free intermediate result */ > >> - yyerror("right hand role is temporary?"); > >> - type_set_destroy(&r2->types); > >> - ebitmap_destroy(&r2->dominates); > >> - free(r2); > >> - } > >> - return new; > >> -} > >> - > >> -/* This function eliminates the ordering dependency of role dominance rule */ > >> -static int dominate_role_recheck(hashtab_key_t key __attribute__ ((unused)), > >> - hashtab_datum_t datum, void *arg) > >> -{ > >> - role_datum_t *rdp = (role_datum_t *) arg; > >> - role_datum_t *rdatum = (role_datum_t *) datum; > >> - ebitmap_node_t *node; > >> - uint32_t i; > >> - > >> - /* Don't bother to process against self role */ > >> - if (rdatum->s.value == rdp->s.value) > >> - return 0; > >> - > >> - /* If a dominating role found */ > >> - if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) { > >> - ebitmap_t types; > >> - ebitmap_init(&types); > >> - if (type_set_expand(&rdp->types, &types, policydbp, 1)) { > >> - ebitmap_destroy(&types); > >> - return -1; > >> - } > >> - /* raise types and dominates from dominated role */ > >> - ebitmap_for_each_positive_bit(&rdp->dominates, node, i) { > >> - if (ebitmap_set_bit(&rdatum->dominates, i, TRUE)) > >> - goto oom; > >> - } > >> - ebitmap_for_each_positive_bit(&types, node, i) { > >> - if (ebitmap_set_bit(&rdatum->types.types, i, TRUE)) > >> - goto oom; > >> - } > >> - ebitmap_destroy(&types); > >> - } > >> - > >> - /* go through all the roles */ > >> - return 0; > >> - oom: > >> - yyerror("Out of memory"); > >> - return -1; > >> -} > >> - > >> -role_datum_t *define_role_dom(role_datum_t * r) > >> -{ > >> - role_datum_t *role; > >> - char *role_id; > >> - ebitmap_node_t *node; > >> - unsigned int i; > >> - int ret; > >> - > >> - if (pass == 1) { > >> - role_id = queue_remove(id_queue); > >> - free(role_id); > >> - return (role_datum_t *) 1; /* any non-NULL value */ > >> - } > >> - > >> - yywarn("Role dominance has been deprecated"); > >> - > >> - role_id = queue_remove(id_queue); > >> - if (!is_id_in_scope(SYM_ROLES, role_id)) { > >> - yyerror2("role %s is not within scope", role_id); > >> - free(role_id); > >> - return NULL; > >> - } > >> - role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, > >> - role_id); > >> - if (!role) { > >> - role = (role_datum_t *) malloc(sizeof(role_datum_t)); > >> - if (!role) { > >> - yyerror("out of memory"); > >> - free(role_id); > >> - return NULL; > >> - } > >> - memset(role, 0, sizeof(role_datum_t)); > >> - ret = > >> - declare_symbol(SYM_ROLES, (hashtab_key_t) role_id, > >> - (hashtab_datum_t) role, &role->s.value, > >> - &role->s.value); > >> - switch (ret) { > >> - case -3:{ > >> - yyerror("Out of memory!"); > >> - goto cleanup; > >> - } > >> - case -2:{ > >> - yyerror2("duplicate declaration of role %s", > >> - role_id); > >> - goto cleanup; > >> - } > >> - case -1:{ > >> - yyerror("could not declare role here"); > >> - goto cleanup; > >> - } > >> - case 0: > >> - case 1:{ > >> - break; > >> - } > >> - default:{ > >> - assert(0); /* should never get here */ > >> - } > >> - } > >> - if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) { > >> - yyerror("Out of memory!"); > >> - goto cleanup; > >> - } > >> - } > >> - if (r) { > >> - ebitmap_t types; > >> - ebitmap_init(&types); > >> - ebitmap_for_each_positive_bit(&r->dominates, node, i) { > >> - if (ebitmap_set_bit(&role->dominates, i, TRUE)) > >> - goto oom; > >> - } > >> - if (type_set_expand(&r->types, &types, policydbp, 1)) { > >> - ebitmap_destroy(&types); > >> - return NULL; > >> - } > >> - ebitmap_for_each_positive_bit(&types, node, i) { > >> - if (ebitmap_set_bit(&role->types.types, i, TRUE)) > >> - goto oom; > >> - } > >> - ebitmap_destroy(&types); > >> - if (!r->s.value) { > >> - /* free intermediate result */ > >> - type_set_destroy(&r->types); > >> - ebitmap_destroy(&r->dominates); > >> - free(r); > >> - } > >> - /* > >> - * Now go through all the roles and escalate this role's > >> - * dominates and types if a role dominates this role. > >> - */ > >> - hashtab_map(policydbp->p_roles.table, > >> - dominate_role_recheck, role); > >> - } > >> - return role; > >> - cleanup: > >> - free(role_id); > >> - role_datum_destroy(role); > >> - free(role); > >> - return NULL; > >> - oom: > >> - yyerror("Out of memory"); > >> - goto cleanup; > >> -} > >> - > >> static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum, > >> void *p) > >> { > >> diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h > >> index c1314871..7c5a4e6c 100644 > >> --- a/checkpolicy/policy_define.h > >> +++ b/checkpolicy/policy_define.h > >> @@ -69,8 +69,6 @@ int define_validatetrans(constraint_expr_t *expr); > >> int expand_attrib(void); > >> int insert_id(const char *id,int push); > >> int insert_separator(int push); > >> -role_datum_t *define_role_dom(role_datum_t *r); > >> -role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2); > >> uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2); > >> > >> #endif /* _POLICY_DEFINE_H_ */ > >> diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y > >> index 6b6890a3..02b076c7 100644 > >> --- a/checkpolicy/policy_parse.y > >> +++ b/checkpolicy/policy_parse.y > >> @@ -76,7 +76,6 @@ typedef int (* require_func_t)(int pass); > >> %type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else > >> %type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def > >> %type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def > >> -%type <ptr> role_def roles > >> %type <valptr> cexpr cexpr_prim op role_mls_op > >> %type <val> ipv4_addr_def number > >> %type <val64> number64 > >> @@ -312,7 +311,6 @@ te_rbac_decl : te_decl > >> ; > >> rbac_decl : attribute_role_def > >> | role_type_def > >> - | role_dominance > >> | role_trans_def > >> | role_allow_def > >> | roleattribute_def > >> @@ -515,8 +513,6 @@ role_type_def : ROLE identifier TYPES names ';' > >> role_attr_def : ROLE identifier opt_attr_list ';' > >> {if (define_role_attr()) return -1;} > >> ; > >> -role_dominance : DOMINANCE '{' roles '}' > >> - ; > >> role_trans_def : ROLE_TRANSITION names names identifier ';' > >> {if (define_role_trans(0)) return -1; } > >> | ROLE_TRANSITION names names ':' names identifier ';' > >> @@ -525,16 +521,6 @@ role_trans_def : ROLE_TRANSITION names names identifier ';' > >> role_allow_def : ALLOW names names ';' > >> {if (define_role_allow()) return -1; } > >> ; > >> -roles : role_def > >> - { $$ = $1; } > >> - | roles role_def > >> - { $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;} > >> - ; > >> -role_def : ROLE identifier_push ';' > >> - {$$ = define_role_dom(NULL); if ($$ == 0) return -1;} > >> - | ROLE identifier_push '{' roles '}' > >> - {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;} > >> - ; > >> roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';' > >> {if (define_roleattribute()) return -1;} > >> ; > >> -- > >> 2.41.0 > >> >
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index 8421b253..23a65339 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -2926,190 +2926,6 @@ int define_roleattribute(void) return 0; } -role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2) -{ - role_datum_t *new; - - if (pass == 1) { - return (role_datum_t *) 1; /* any non-NULL value */ - } - - new = malloc(sizeof(role_datum_t)); - if (!new) { - yyerror("out of memory"); - return NULL; - } - memset(new, 0, sizeof(role_datum_t)); - new->s.value = 0; /* temporary role */ - if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) { - yyerror("out of memory"); - free(new); - return NULL; - } - if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) { - yyerror("out of memory"); - free(new); - return NULL; - } - if (!r1->s.value) { - /* free intermediate result */ - type_set_destroy(&r1->types); - ebitmap_destroy(&r1->dominates); - free(r1); - } - if (!r2->s.value) { - /* free intermediate result */ - yyerror("right hand role is temporary?"); - type_set_destroy(&r2->types); - ebitmap_destroy(&r2->dominates); - free(r2); - } - return new; -} - -/* This function eliminates the ordering dependency of role dominance rule */ -static int dominate_role_recheck(hashtab_key_t key __attribute__ ((unused)), - hashtab_datum_t datum, void *arg) -{ - role_datum_t *rdp = (role_datum_t *) arg; - role_datum_t *rdatum = (role_datum_t *) datum; - ebitmap_node_t *node; - uint32_t i; - - /* Don't bother to process against self role */ - if (rdatum->s.value == rdp->s.value) - return 0; - - /* If a dominating role found */ - if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) { - ebitmap_t types; - ebitmap_init(&types); - if (type_set_expand(&rdp->types, &types, policydbp, 1)) { - ebitmap_destroy(&types); - return -1; - } - /* raise types and dominates from dominated role */ - ebitmap_for_each_positive_bit(&rdp->dominates, node, i) { - if (ebitmap_set_bit(&rdatum->dominates, i, TRUE)) - goto oom; - } - ebitmap_for_each_positive_bit(&types, node, i) { - if (ebitmap_set_bit(&rdatum->types.types, i, TRUE)) - goto oom; - } - ebitmap_destroy(&types); - } - - /* go through all the roles */ - return 0; - oom: - yyerror("Out of memory"); - return -1; -} - -role_datum_t *define_role_dom(role_datum_t * r) -{ - role_datum_t *role; - char *role_id; - ebitmap_node_t *node; - unsigned int i; - int ret; - - if (pass == 1) { - role_id = queue_remove(id_queue); - free(role_id); - return (role_datum_t *) 1; /* any non-NULL value */ - } - - yywarn("Role dominance has been deprecated"); - - role_id = queue_remove(id_queue); - if (!is_id_in_scope(SYM_ROLES, role_id)) { - yyerror2("role %s is not within scope", role_id); - free(role_id); - return NULL; - } - role = (role_datum_t *) hashtab_search(policydbp->p_roles.table, - role_id); - if (!role) { - role = (role_datum_t *) malloc(sizeof(role_datum_t)); - if (!role) { - yyerror("out of memory"); - free(role_id); - return NULL; - } - memset(role, 0, sizeof(role_datum_t)); - ret = - declare_symbol(SYM_ROLES, (hashtab_key_t) role_id, - (hashtab_datum_t) role, &role->s.value, - &role->s.value); - switch (ret) { - case -3:{ - yyerror("Out of memory!"); - goto cleanup; - } - case -2:{ - yyerror2("duplicate declaration of role %s", - role_id); - goto cleanup; - } - case -1:{ - yyerror("could not declare role here"); - goto cleanup; - } - case 0: - case 1:{ - break; - } - default:{ - assert(0); /* should never get here */ - } - } - if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) { - yyerror("Out of memory!"); - goto cleanup; - } - } - if (r) { - ebitmap_t types; - ebitmap_init(&types); - ebitmap_for_each_positive_bit(&r->dominates, node, i) { - if (ebitmap_set_bit(&role->dominates, i, TRUE)) - goto oom; - } - if (type_set_expand(&r->types, &types, policydbp, 1)) { - ebitmap_destroy(&types); - return NULL; - } - ebitmap_for_each_positive_bit(&types, node, i) { - if (ebitmap_set_bit(&role->types.types, i, TRUE)) - goto oom; - } - ebitmap_destroy(&types); - if (!r->s.value) { - /* free intermediate result */ - type_set_destroy(&r->types); - ebitmap_destroy(&r->dominates); - free(r); - } - /* - * Now go through all the roles and escalate this role's - * dominates and types if a role dominates this role. - */ - hashtab_map(policydbp->p_roles.table, - dominate_role_recheck, role); - } - return role; - cleanup: - free(role_id); - role_datum_destroy(role); - free(role); - return NULL; - oom: - yyerror("Out of memory"); - goto cleanup; -} - static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum, void *p) { diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h index c1314871..7c5a4e6c 100644 --- a/checkpolicy/policy_define.h +++ b/checkpolicy/policy_define.h @@ -69,8 +69,6 @@ int define_validatetrans(constraint_expr_t *expr); int expand_attrib(void); int insert_id(const char *id,int push); int insert_separator(int push); -role_datum_t *define_role_dom(role_datum_t *r); -role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2); uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2); #endif /* _POLICY_DEFINE_H_ */ diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y index 6b6890a3..02b076c7 100644 --- a/checkpolicy/policy_parse.y +++ b/checkpolicy/policy_parse.y @@ -76,7 +76,6 @@ typedef int (* require_func_t)(int pass); %type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else %type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def %type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def -%type <ptr> role_def roles %type <valptr> cexpr cexpr_prim op role_mls_op %type <val> ipv4_addr_def number %type <val64> number64 @@ -312,7 +311,6 @@ te_rbac_decl : te_decl ; rbac_decl : attribute_role_def | role_type_def - | role_dominance | role_trans_def | role_allow_def | roleattribute_def @@ -515,8 +513,6 @@ role_type_def : ROLE identifier TYPES names ';' role_attr_def : ROLE identifier opt_attr_list ';' {if (define_role_attr()) return -1;} ; -role_dominance : DOMINANCE '{' roles '}' - ; role_trans_def : ROLE_TRANSITION names names identifier ';' {if (define_role_trans(0)) return -1; } | ROLE_TRANSITION names names ':' names identifier ';' @@ -525,16 +521,6 @@ role_trans_def : ROLE_TRANSITION names names identifier ';' role_allow_def : ALLOW names names ';' {if (define_role_allow()) return -1; } ; -roles : role_def - { $$ = $1; } - | roles role_def - { $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;} - ; -role_def : ROLE identifier_push ';' - {$$ = define_role_dom(NULL); if ($$ == 0) return -1;} - | ROLE identifier_push '{' roles '}' - {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;} - ; roleattribute_def : ROLEATTRIBUTE identifier id_comma_list ';' {if (define_roleattribute()) return -1;} ;
Role dominance has been deprecated for a very, very long time (since at least August 2008) and has never been used in any widely deployed policy. Remove support for compiling role dominance rules. Support will remain, for now, in libsepol for backwards compatibility. Signed-off-by: James Carter <jwcart2@gmail.com> --- checkpolicy/policy_define.c | 184 ------------------------------------ checkpolicy/policy_define.h | 2 - checkpolicy/policy_parse.y | 14 --- 3 files changed, 200 deletions(-)