[libsepol/f17] Update to upstream
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Jul 4 11:43:10 UTC 2012
commit fb3c76a451b36833ec3419a1a8adfc68284be13e
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Jul 4 07:43:08 2012 -0400
Update to upstream
* reserve policycapability for redhat testing of ptrace child
* cosmetic changes to make the source easier to read
* prepend instead of append to filename_trans list
* Android/MacOS X build support
* allocate enough space to hold filename in trans rules
.gitignore | 1 +
libsepol-rhat.patch | 265 +++++++++++++++++++++++++++++++++++++++++++++++----
libsepol.spec | 15 ++-
sources | 2 +-
4 files changed, 257 insertions(+), 26 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index b16d91e..d7285e5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -158,3 +158,4 @@ libsepol-2.0.41.tgz
/libsepol-2.1.3.tgz
/libsepol-2.1.4.tgz
/libsepol-2.1.5.tgz
+/libsepol-2.1.7.tgz
diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch
index de02868..d3cafa3 100644
--- a/libsepol-rhat.patch
+++ b/libsepol-rhat.patch
@@ -1,37 +1,260 @@
diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h
-index 40c0a48..0ac2a1d 100644
+index 481c0ba..f90a48d 100644
--- a/libsepol/include/sepol/policydb/polcaps.h
+++ b/libsepol/include/sepol/policydb/polcaps.h
-@@ -5,6 +5,7 @@
- enum {
+@@ -6,6 +6,7 @@ enum {
POLICYDB_CAPABILITY_NETPEER,
POLICYDB_CAPABILITY_OPENPERM,
-+ POLICYDB_CAPABILITY_PTRACE_CHILD,
+ POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */
++ POLICYDB_CAPABILITY_ALWAYSNETWORK,
__POLICYDB_CAPABILITY_MAX
};
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
+diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
+index bef759c..4663321 100644
+--- a/libsepol/src/expand.c
++++ b/libsepol/src/expand.c
+@@ -49,6 +49,79 @@ typedef struct expand_state {
+ int expand_neverallow;
+ } expand_state_t;
+
++struct linear_probe {
++ filename_trans_t **table; /* filename_trans chunks with same stype */
++ filename_trans_t **ends; /* pointers to ends of **table chunks */
++ uint32_t length; /* length of the table */
++};
++
++static int linear_probe_create(struct linear_probe *probe, uint32_t length)
++{
++ probe->table = calloc(length, sizeof(*probe->table));
++ if (probe->table == NULL)
++ return -1;
++
++ probe->ends = calloc(length, sizeof(*probe->ends));
++ if (probe->ends == NULL)
++ return -1;
++
++ probe->length = length;
++
++ return 0;
++}
++
++static void linear_probe_destroy(struct linear_probe *probe)
++{
++ if (probe->length == 0)
++ return;
++
++ free(probe->table);
++ free(probe->ends);
++ memset(probe, 0, sizeof(*probe));
++}
++
++static void linear_probe_insert(struct linear_probe *probe, uint32_t key,
++ filename_trans_t *data)
++{
++ assert(probe->length > key);
++
++ if (probe->table[key] != NULL) {
++ data->next = probe->table[key];
++ probe->table[key] = data;
++ } else {
++ probe->table[key] = probe->ends[key] = data;
++ }
++}
++
++static filename_trans_t *linear_probe_find(struct linear_probe *probe, uint32_t key)
++{
++ assert(probe->length > key);
++
++ return probe->table[key];
++}
++
++/* Returns all chunks stored in the *probe as single-linked list */
++static filename_trans_t *linear_probe_dump(struct linear_probe *probe,
++ filename_trans_t **endp)
++{
++ uint32_t i;
++ filename_trans_t *result = NULL;
++ filename_trans_t *end = NULL;
++
++ for (i = 0; i < probe->length; i++) {
++ if (probe->table[i] != NULL) {
++ if (end == NULL)
++ end = probe->ends[i];
++ probe->ends[i]->next = result;
++ result = probe->table[i];
++ probe->table[i] = probe->ends[i] = NULL;
++ }
++ }
++
++ *endp = end;
++ return result;
++}
++
+ static void expand_state_init(expand_state_t * state)
+ {
+ memset(state, 0, sizeof(expand_state_t));
+@@ -1352,10 +1425,20 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
+ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules)
+ {
+ unsigned int i, j;
+- filename_trans_t *new_trans, *cur_trans;
++ filename_trans_t *new_trans, *cur_trans, *end;
+ filename_trans_rule_t *cur_rule;
+ ebitmap_t stypes, ttypes;
+ ebitmap_node_t *snode, *tnode;
++ struct linear_probe probe;
++
++ /*
++ * Linear probing speeds-up finding filename_trans rules with certain
++ * "stype" value.
++ */
++ if (linear_probe_create(&probe, 4096)) { /* Assume 4096 is enough for most cases */
++ ERR(state->handle, "Out of memory!");
++ return -1;
++ }
+
+ cur_rule = rules;
+ while (cur_rule) {
+@@ -1378,6 +1461,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+
+ mapped_otype = state->typemap[cur_rule->otype - 1];
+
++ if (ebitmap_length(&stypes) > probe.length) {
++ linear_probe_destroy(&probe);
++ if (linear_probe_create(&probe, ebitmap_length(&stypes))) {
++ ERR(state->handle, "Out of memory!");
++ return -1;
++ }
++ }
++
+ ebitmap_for_each_bit(&stypes, snode, i) {
+ if (!ebitmap_node_get_bit(snode, i))
+ continue;
+@@ -1385,16 +1476,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ if (!ebitmap_node_get_bit(tnode, j))
+ continue;
+
+- cur_trans = state->out->filename_trans;
+- while (cur_trans) {
+- if ((cur_trans->stype == i + 1) &&
+- (cur_trans->ttype == j + 1) &&
++ cur_trans = linear_probe_find(&probe, i);
++ while (cur_trans != NULL) {
++ if ((cur_trans->ttype == j + 1) &&
+ (cur_trans->tclass == cur_rule->tclass) &&
+ (!strcmp(cur_trans->name, cur_rule->name))) {
+ /* duplicate rule, who cares */
+ if (cur_trans->otype == mapped_otype)
+ break;
+-
+ ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s",
+ cur_trans->name,
+ state->out->p_type_val_to_name[i],
+@@ -1402,7 +1491,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ state->out->p_class_val_to_name[cur_trans->tclass - 1],
+ state->out->p_type_val_to_name[cur_trans->otype - 1],
+ state->out->p_type_val_to_name[mapped_otype - 1]);
+-
++
+ return -1;
+ }
+ cur_trans = cur_trans->next;
+@@ -1417,8 +1506,6 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ return -1;
+ }
+ memset(new_trans, 0, sizeof(*new_trans));
+- new_trans->next = state->out->filename_trans;
+- state->out->filename_trans = new_trans;
+
+ new_trans->name = strdup(cur_rule->name);
+ if (!new_trans->name) {
+@@ -1429,9 +1516,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ new_trans->ttype = j + 1;
+ new_trans->tclass = cur_rule->tclass;
+ new_trans->otype = mapped_otype;
++ linear_probe_insert(&probe, i, new_trans);
+ }
+ }
+
++ cur_trans = linear_probe_dump(&probe, &end);
++ end->next = state->out->filename_trans;
++ state->out->filename_trans = cur_trans;
++
+ ebitmap_destroy(&stypes);
+ ebitmap_destroy(&ttypes);
+
+@@ -2032,13 +2124,14 @@ static int ocontext_copy_xen(expand_state_t *state)
+ else
+ state->out->ocontexts[i] = n;
+ l = n;
+- if (context_copy(&n->context[0], &c->context[0],
+- state)) {
+- ERR(state->handle, "Out of memory!");
+- return -1;
+- }
+ switch (i) {
+ case OCON_XEN_ISID:
++ if (c->context[0].user == 0) {
++ ERR(state->handle,
++ "Missing context for %s initial sid",
++ c->u.name);
++ return -1;
++ }
+ n->sid[0] = c->sid[0];
+ break;
+ case OCON_XEN_PIRQ:
+@@ -2061,6 +2154,11 @@ static int ocontext_copy_xen(expand_state_t *state)
+ ERR(state->handle, "Unknown ocontext");
+ return -1;
+ }
++ if (context_copy(&n->context[0], &c->context[0],
++ state)) {
++ ERR(state->handle, "Out of memory!");
++ return -1;
++ }
+ }
+ }
+ return 0;
+@@ -2085,12 +2183,14 @@ static int ocontext_copy_selinux(expand_state_t *state)
+ else
+ state->out->ocontexts[i] = n;
+ l = n;
+- if (context_copy(&n->context[0], &c->context[0], state)) {
+- ERR(state->handle, "Out of memory!");
+- return -1;
+- }
+ switch (i) {
+ case OCON_ISID:
++ if (c->context[0].user == 0) {
++ ERR(state->handle,
++ "Missing context for %s initial sid",
++ c->u.name);
++ return -1;
++ }
+ n->sid[0] = c->sid[0];
+ break;
+ case OCON_FS: /* FALLTHROUGH */
+@@ -2134,6 +2234,10 @@ static int ocontext_copy_selinux(expand_state_t *state)
+ ERR(state->handle, "Unknown ocontext");
+ return -1;
+ }
++ if (context_copy(&n->context[0], &c->context[0], state)) {
++ ERR(state->handle, "Out of memory!");
++ return -1;
++ }
+ }
+ }
+ return 0;
diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
-index 71970b1..e003bc7 100644
+index bcaef0c..43a71a7 100644
--- a/libsepol/src/polcaps.c
+++ b/libsepol/src/polcaps.c
-@@ -8,6 +8,7 @@
- static const char *polcap_names[] = {
+@@ -9,6 +9,7 @@ static const char *polcap_names[] = {
"network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */
"open_perms", /* POLICYDB_CAPABILITY_OPENPERM */
-+ "ptrace_child", /* POLICYDB_CAPABILITY_PTRACE_CHILD */
+ "redhat1", /* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */
++ "always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */
NULL
};
-diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
-index a84de2f..ff292f6 100644
---- a/libsepol/src/policydb.c
-+++ b/libsepol/src/policydb.c
-@@ -2380,7 +2380,7 @@ int filename_trans_read(filename_trans_t **t, struct policy_file *fp)
- return -1;
- len = le32_to_cpu(buf[0]);
-
-- name = calloc(len, sizeof(*name));
-+ name = calloc(len + 1, sizeof(*name));
- if (!name)
- return -1;
-
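Review bot: In expand_filename_trans the list tail returned by linear_probe_dump is dereferenced unconditionally at `end->next = state->out->filename_trans;`, yet linear_probe_dump sets `*endp = NULL` whenever no chunk was stored, so a rule whose stypes or ttypes bitmap expands to no bits (presumably an attribute with no member types — worth confirming against the caller) would dereference NULL; guard it with `if (cur_trans != NULL) { end->next = state->out->filename_trans; state->out->filename_trans = cur_trans; }`. The probe tables are also never released on the early `return -1` paths (the resize failure, the conflicting-rule error and the allocation failures), and because new_trans entries now sit only in the probe until the dump instead of being linked into state->out immediately, the entries already built for the failing rule become unreachable as well; a `linear_probe_destroy(&probe)` before each return, or a single error label, would close the table leak. linear_probe_create itself leaks `probe->table` when the `ends` calloc fails and leaves `length` unset, so a later linear_probe_destroy cannot recover it; add `free(probe->table); probe->table = NULL;` on that path. The normal-return end of expand_filename_trans lies outside this hunk, so whether the probe is destroyed there cannot be seen from here.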
diff --git a/libsepol.spec b/libsepol.spec
index 04f40d7..7081c11 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,7 +1,7 @@
Summary: SELinux binary policy manipulation library
Name: libsepol
-Version: 2.1.5
-Release: 3%{?dist}
+Version: 2.1.7
+Release: 1%{?dist}
License: LGPLv2+
Group: System Environment/Libraries
Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
@@ -99,9 +99,16 @@ exit 0
/%{_lib}/libsepol.so.1
%changelog
+* Wed Jul 4 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.7-1
+- Update to upstream
+ * reserve policycapability for redhat testing of ptrace child
+ * cosmetic changes to make the source easier to read
+ * prepend instead of append to filename_trans list
+ * Android/MacOS X build support
+ * allocate enough space to hold filename in trans rules
+
* Mon Apr 23 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.5-3
-- Fix off by one error that is causing file_name transition rules to be expanded
-- incorrectly on i686 machines
+- Fix off by one error that is causing file_name transition rules to be expanded- incorrectly on i686 machines
* Tue Apr 17 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.5-2
- Add support for ptrace_child
diff --git a/sources b/sources
index 1fbf579..5af123a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-93ee0d98ded98cde7e4b1f9eac26dd73 libsepol-2.1.5.tgz
+332c564144780537c25f4498578e531f libsepol-2.1.7.tgz