History log of /external/selinux/checkpolicy/module_compiler.c
Revision Date Author Comments
192153db43c59e5ca460b2a8cd4605de91cfd511 06-Feb-2017 James Carter <jwcart2@tycho.nsa.gov> checkpolicy: Make print_error_msg() static

The function print_error_msg() in module_compiler.c is not called
externally, so make it static.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/checkpolicy/module_compiler.c
5d56c2679d3fff113c76bd8bd7846628a2e46f04 31-Jan-2017 James Carter <jwcart2@tycho.nsa.gov> checkpolicy: Remove unneeded return check in require_symbol()

Since symtab_insert() no longer returns -2 in the case of a
declaration of an identifier followed by a require of the same
symbol, remove the unneeded check.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/checkpolicy/module_compiler.c
b6f3e0086fdf0ffb8a5e1ff34245596bc67007f3 31-Jan-2017 James Carter <jwcart2@tycho.nsa.gov> checkpolicy: Improve check for identifier flavor mismatch

An identifier flavor mismatch occurs when an identifier is
declared or required as a regular role or type in one place but as
an attribute in another place.

Currently there is only a check for an identifier flavor mismatch
when a type has already been declared and there is a require of
the same type in the same scope. There are no checks if the require
comes first and there are no checks for roles.

Check for an identifier flavor mismatch for both roles and types
whenever a declaration or requirement tries to add an identifier
that is already in the symtab.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/checkpolicy/module_compiler.c
d676e7ce3c618c9f3ce8d50fce9ef64772e1e677 31-Jan-2017 James Carter <jwcart2@tycho.nsa.gov> checkpolicy: Move common require and declare code into new function

Move common code from declare_symbol() and require_symbol() to a new
function named create_symbol().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/checkpolicy/module_compiler.c
a7a0678999e3b1fd4b36743d8a3c909dc7a2ded4 31-Jan-2017 James Carter <jwcart2@tycho.nsa.gov> checkpolicy: Cleanup error messages

Add the new function print_error_msg() to print an error message
based on the local error number and symbol_type. Remove the
duplicate switch statements used throughout module_compiler.c
to display error messages.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/checkpolicy/module_compiler.c
a141c0d19fccd1f19203e5e80ddbc74380636012 31-Jan-2017 James Carter <jwcart2@tycho.nsa.gov> checkpolicy: Create common function for user declares and requires

Move common code out of declare_user() and require_user() into the
new function create_user().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/checkpolicy/module_compiler.c
bd0576805769a93075a79315598c4c54f55778ed 31-Jan-2017 James Carter <jwcart2@tycho.nsa.gov> checkpolicy: Create common function for role declares and requires

Move common code out of declare_role() and require_role_or_attribute()
into the new function create_role().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/checkpolicy/module_compiler.c
daaaf28bfb66c2c56cfdf500916356c0ef0373a4 31-Jan-2017 James Carter <jwcart2@tycho.nsa.gov> checkpolicy: Create common function for type declares and requires

Move common code out of declare_type() and require_type_or_attribute()
into the new function create_type().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
/external/selinux/checkpolicy/module_compiler.c
93b2e5fa0763425f950598442a91fcab9314094b 12-Jun-2015 Dan Albert <danalbert@google.com> Fix -Wreturn-type issues.

assert() only prevents -Wreturn-type from firing if asserts are
enabled. Use abort() so we don't do unexpected things even if we use
-UNDEBUG.

From b53ad041daa53f511baccc860b6fe6993590aa87 Mon Sep 17 00:00:00 2001
From: Dan Albert <danalbert@google.com>
Date: Wed, 10 Jun 2015 17:01:23 -0700
Subject: [PATCH] Fix -Wreturn-type issues.
To: selinux@tycho.nsa.gov
Cc: nnk@google.com,
sds@tycho.nsa.gov
/external/selinux/checkpolicy/module_compiler.c
5af8c5adb274cc45d3a41ce9b1ab2c7573463d74 14-Sep-2014 Nicolas Iooss <nicolas.iooss@m4x.org> checkpolicy: fix gcc -Wunused-variable warnings

Add __attribute__ ((unused)) to unused function parameters.

Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/module_compiler.c
581d3eb1281f7c970376649f5027df012269935a 14-Sep-2014 Nicolas Iooss <nicolas.iooss@m4x.org> checkpolicy: fix gcc -Wsign-compare warnings

Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/module_compiler.c
832e7017f881f0a66e24170b7a2ff1cd9b113239 14-Sep-2014 Nicolas Iooss <nicolas.iooss@m4x.org> checkpolicy: constify the message written by yyerror and yywarn

Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/module_compiler.c
8db96d0cb4feb1323488a5e04a3d4623ba22ffce 14-Sep-2014 Nicolas Iooss <nicolas.iooss@m4x.org> checkpolicy: add printf format attribute to relevant functions

Once __attribute__ ((format(printf, 1, 2))) is added to yyerror2,
"gcc -Wformat -Wformat-security" shows some issues. Fix them.

Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/module_compiler.c
80f26c5ee865993264ef638480c6a05ab574f7c0 01-Sep-2011 Harry Ciao <qingtao.cao@windriver.com> checkpolicy: Separate tunable from boolean during compile.

Both boolean and tunable keywords are processed by define_bool_tunable(),
argument 0 and 1 would be passed for boolean and tunable respectively.
For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags.

Note, when creating an if-else conditional we can not know if the
tunable identifier is indeed a tunable (for example, a boolean may be
misused in tunable_policy() or vice versa), thus the TUNABLE flag
for cond_node_t would be calculated and used in expansion when all
booleans/tunables are copied during link.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/checkpolicy/module_compiler.c
16675b7f96b7a61ac64180b1824ec04984b72b3b 25-Jul-2011 Harry Ciao <qingtao.cao@windriver.com> Add role attribute support when compiling modules.

1. Add a uint32_t "flavor" field and an ebitmap "roles" to the
role_datum_t structure;

2. Add a new "attribute_role" statement and its handler to declare
a role attribute;

3. Modify declare_role() to set up role_datum_t.flavor according
to the isattr argument;

4. Add a new "roleattribute" rule and its handler, which will record
the regular role's (policy value - 1) into the role attribute's
role_datum_t.roles ebitmap;

5. Modify the syntax for the role-types rule only to define the
role-type associations;

6. Add a new role-attr rule to support the declaration of a single
role, and optionally the role attribute that the role belongs to;

7. Check if the new_role used in role-transition rule is a regular role;

8. Support requiring a role attribute;

9. Modify symtab_insert() to allow multiple declarations only for
the regular role, while a role attribute can't be declared more than once
and can't share the same name with another regular role.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/module_compiler.c
516cb2a264448421bff692f47f61e8cf2a74237e 28-Mar-2011 Eric Paris <eparis@redhat.com> checkpolicy: add support for using last path component in type transition rules

This patch adds support for using the last path component as part of the
information in making labeling decisions for new objects. An example
rule looks like so:

type_transition unconfined_t etc_t:file system_conf_t eric;

This rule says if unconfined_t creates a file in a directory labeled
etc_t and the last path component is "eric" (no globbing, no matching
magic, just exact strcmp) it should be labeled system_conf_t.

The kernel and policy representation does not have support for such
rules in conditionals, and thus policy explicitly notes that fact if
such a rule is added to a conditional.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/checkpolicy/module_compiler.c
f7917ea9cf6af752de98a1e742152d813028c669 10-Feb-2009 Caleb Case <ccase@tresys.com> aliases for the boundary format

The boundary format mapped the primary field to a boolean in the
properties bitmap. This is appropriate for the kernel policy, but in
modular policy the primary field may be an integer that indicates the
primary type that is being aliased. In this case, the primary value cannot
be assumed to be boolean.

This patch creates a new module format that writes out the primary value
as was done before the boundary format.

Signed-off-by: Caleb Case <ccase@tresys.com>
Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/checkpolicy/module_compiler.c
45728407d60a5297deac7aa65fd92adf2412d5f7 08-Oct-2008 Joshua Brindle <method@manicmethod.com> Author: KaiGai Kohei
Email: kaigai@ak.jp.nec.com
Subject: Thread/Child-Domain Assignment (rev.2)
Date: Tue, 05 Aug 2008 14:55:52 +0900

[2/3] thread-context-checkpolicy.2.patch
It enables support for the TYPEBOUNDS statement and for expanding
existing hierarchies implicitly.

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
--
module_compiler.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++
policy_define.c | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
policy_define.h | 1
policy_parse.y | 5 ++
policy_scan.l | 2 +
5 files changed, 186 insertions(+), 1 deletion(-)

Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/checkpolicy/module_compiler.c
13cd4c8960688af11ad23b4c946149015c80d549 19-Aug-2008 Joshua Brindle <method@manicmethod.com> initial import from svn trunk revision 2950
/external/selinux/checkpolicy/module_compiler.c