Hello,
On Thursday, 6 March 2014, Steve Beattie wrote:
On Thu, Mar 06, 2014 at 10:10:16PM +0100, Christian Boltz wrote:
On Wednesday, 5 March 2014, Steve Beattie wrote:
D-Bus rules in particular seem to get written as multi-line rules.
This patch adds very simple hackish support for
It was never used, never supported, and we are doing it differently now.
Signed-off-by: John Johansen john.johan...@canonical.com
---
parser/immunix.h |7 +--
parser/parser_alias.c |3 +--
parser/parser_merge.c |6 --
parser/parser_regex.c | 15 ---
The features file patch broke detection of network support.
Signed-off-by: John Johansen john.johan...@canonical.com
---
parser/parser_common.c |2 +-
parser/parser_main.c |2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- 2.9-test.orig/parser/parser_common.c
+++
Policy enforcement needs to be able to support older userspaces and
compilers that don't know about new features. The absence of a feature
in the policydb indicates that feature mediation is not present for
it.
We add stub rules that provide a non-zero start state for features that
are supported
This cleans things up a bit and fixes a bug where not all rules are
getting properly counted so that the addition of policy_mediation
rules fails to generate the policy dfa in some cases.
Because the policy dfa is being generated correctly now we need to
fix some tests to use the new -M flag to
This is not the cleanup this code needs, but a quick hack to add the
-M flag so we can specify a feature file (or directory) to use for
the compile.
It mostly just moves around existing code and adds the -M option,
though it does introduce a few changes.
While I didn't do it in this patch I
This will allow the parser to invalidate its caches separately from whether
the kernel policy version has changed. This can be desirable if a parser
bug is discovered, a new version of the parser is shipped and we need to
force cache files to be regenerated.
Policy currently stores a 32 bit version
Signed-off-by: John Johansen john.johan...@canonical.com
---
parser/parser_lex.l | 19 +--
1 file changed, 9 insertions(+), 10 deletions(-)
--- 2.9-test.orig/parser/parser_lex.l
+++ 2.9-test/parser/parser_lex.l
@@ -52,7 +52,7 @@
/* #define DEBUG */
#ifdef DEBUG
static int
Using the parser timestamp was a work around to force recompilation of
policy that was built with a buggy parser. There are better ways to
handle this so remove checking of the parser timestamp.
Signed-off-by: John Johansen john.johan...@canonical.com
---
parser/parser_main.c |7 ---
The label class is used to lookup object permissions based off of label
alone when the labeling is not path dependent.
Some rules will not generate label entries, some will generate only
label entries and some will generate both label and path entries.
This is left to the particular rule
Tag the start of entries in the policydb as being mediated. This makes
the start state for any class being mediated be non-zero. The kernel
can detect this to determine whether the parser expected mediation
for the class.
This is just a way of encoding what features expect mediation within
the policydb
Signed-off-by: John Johansen john.johan...@canonical.com
---
parser/parser.h |5
parser/parser_interface.c | 510 +-
parser/parser_policy.c|8
3 files changed, 151 insertions(+), 372 deletions(-)
---
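The two messages above (the stub rules giving supported features a non-zero start state, and tagging policydb entries as mediated) describe an encoding convention rather than showing it. The following is an added illustration, not code from the AppArmor parser or kernel: a toy policydb built as a byte trie, where state 0 is reserved to mean "no state", a rule-less but mediated class still gets a stub node (so its start state is non-zero), and a kernel-side lookup that treats start state 0 as "this policy predates mediation of the class". The class numbers and the sample rules are constructed for the example and are not the real AppArmor class values.

```python
# Added example: simplified model of "mediated" start states in a policydb.
# Not the real AppArmor encoding; class numbers below are illustrative only.
CLASS_FILE = 2      # constructed value
CLASS_NET = 4       # constructed value
CLASS_DBUS = 32     # constructed value


class PolicyDB:
    """Byte trie standing in for the policy DFA. State 0 is reserved and is
    never allocated: a lookup that lands on 0 has no state at all."""

    def __init__(self):
        self.next_state = 1          # 0 reserved: "no such state"
        self.trans = {}              # (state, byte) -> state
        self.accept = {}             # state -> permission string
        self.root = self._new_state()

    def _new_state(self):
        s = self.next_state
        self.next_state += 1
        return s

    def _insert(self, state, data):
        # Walk/extend the trie from `state` along `data`; return the end state.
        for b in data:
            nxt = self.trans.get((state, b))
            if nxt is None:
                nxt = self._new_state()
                self.trans[(state, b)] = nxt
            state = nxt
        return state

    def add_rule(self, cls, path, perms):
        """Encode one rule as <class byte><path> -> perms."""
        end = self._insert(self.root, bytes([cls]) + path.encode())
        self.accept[end] = perms

    def add_mediation_stub(self, cls):
        """Stub rule: create the class node only, accepting nothing. This is
        what makes the class's start state non-zero without granting access."""
        self._insert(self.root, bytes([cls]))

    def start_state(self, cls):
        # 0 when the class was never encoded into the policy at all.
        return self.trans.get((self.root, cls), 0)

    def match(self, state, data):
        for b in data:
            state = self.trans.get((state, b), 0)
            if state == 0:
                return 0
        return state


def kernel_lookup(db, cls, path):
    """Kernel-side decision: a zero start state means the parser that built
    this policy did not know the class, so it is not mediated; otherwise
    walk the DFA and allow only if the end state carries permissions."""
    start = db.start_state(cls)
    if start == 0:
        return ("unmediated", "")
    end = db.match(start, path.encode())
    perms = db.accept.get(end, "") if end else ""
    return ("allow", perms) if perms else ("deny", "")


def build_example_policydb():
    # Constructed sample: one file rule, dbus mediated but with no rules,
    # and the network class never mentioned (as an older parser would do).
    db = PolicyDB()
    db.add_rule(CLASS_FILE, "/etc/passwd", "r")
    for cls in (CLASS_FILE, CLASS_DBUS):
        db.add_mediation_stub(cls)
    return db


if __name__ == "__main__":
    db = build_example_policydb()
    for cls, path in ((CLASS_FILE, "/etc/passwd"), (CLASS_FILE, "/etc/shadow"),
                      (CLASS_DBUS, "org.freedesktop.DBus"), (CLASS_NET, "inet")):
        print(cls, path, kernel_lookup(db, cls, path))
```

The point the model makes concrete: a dbus lookup is denied (class present, nothing accepted), while a network lookup reports "unmediated" because the class byte was never encoded, so an old policy loaded into a newer kernel does not silently turn into a blanket deny for a class the parser never knew about.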
The addition of the dbus tests requires dbus dev libraries be installed
to run the test suite. This is not always desirable or even possible.
So make building and running the dbus tests conditional on the
pkg-config info from those libs. If they are not present output a
message about skipping the
Signed-off-by: John Johansen john.johan...@canonical.com
---
parser/Makefile |7 +
parser/features.c| 214 +++
parser/features.h| 22 +
parser/parser_main.c | 192 -
4 files
Signed-off-by: John Johansen john.johan...@canonical.com
---
parser/Makefile|7 +-
parser/common_optarg.c | 170 +
parser/common_optarg.h | 47 +
parser/parser.h|1
parser/parser_main.c | 157
ptrace rules currently take the form of
ptrace [ptrace_perms] [peer_profile_name],
ptrace_perm := read|trace|readby|tracedby
ptrace_perms := ptrace_perm | '(' ptrace_perm+ ')'
After having used the cross check (permission needed in both profiles)
I am not sure it is correct for ptrace.
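The grammar quoted above is compact enough to parse directly, and the "cross check" the message refers to (the permission has to be present in both profiles) is easy to misread without seeing it applied. The following is an added example, not code from the AppArmor parser: a parser for `ptrace [ptrace_perms] [peer_profile_name],` exactly as written above, plus a cross check that requires the tracer to hold the permission and the tracee to hold its inverse. The pairing of `read`/`readby` and `trace`/`tracedby`, the reading of an omitted permission list as all permissions and of an omitted peer as any peer, and the sample profiles are all assumptions made for the example.

```python
# Added example: parser for the ptrace rule form quoted in the thread and a
# both-sides cross check. Assumptions: no perms => all perms, no peer => any
# peer, and read<->readby / trace<->tracedby are inverse permissions.
import re

PTRACE_PERMS = ("read", "trace", "readby", "tracedby")
INVERSE = {"read": "readby", "readby": "read",
           "trace": "tracedby", "tracedby": "trace"}
RULE_RE = re.compile(r"^\s*ptrace(?:\s+(.*?))?\s*,\s*$")


def parse_ptrace_rule(rule):
    """Return (perms: frozenset, peer: str | None) for one ptrace rule."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"not a ptrace rule: {rule!r}")
    rest = (m.group(1) or "").strip()
    perms = set()
    if rest.startswith("("):
        # ptrace_perms := '(' ptrace_perm+ ')'
        close = rest.find(")")
        if close < 0:
            raise ValueError("unterminated permission list")
        listed = rest[1:close].replace(",", " ").split()
        if not listed:
            raise ValueError("empty permission list")
        perms.update(listed)
        rest = rest[close + 1:].strip()
    else:
        # ptrace_perms := ptrace_perm (a single bare word)
        head, _, tail = rest.partition(" ")
        if head in PTRACE_PERMS:
            perms.add(head)
            rest = tail.strip()
    bad = perms.difference(PTRACE_PERMS)
    if bad:
        raise ValueError(f"unknown ptrace permission(s): {sorted(bad)}")
    # Whatever remains is the optional peer_profile_name.
    peer = rest.strip('"') or None
    if peer and " " in peer:
        raise ValueError(f"unexpected trailing text: {rest!r}")
    if not perms:
        perms = set(PTRACE_PERMS)     # assumption: bare "ptrace," grants all
    return frozenset(perms), peer


def grants(rules, perm, peer):
    """Does any parsed rule in this profile grant `perm` towards `peer`?"""
    return any(perm in perms and (p is None or p == peer)
               for perms, p in rules)


def cross_check(profiles, tracer, tracee, perm):
    """Both profiles must agree: tracer holds `perm` on tracee and tracee
    holds the inverse permission on tracer."""
    return (grants(profiles[tracer], perm, tracee)
            and grants(profiles[tracee], INVERSE[perm], tracer))


def load_profiles(text):
    """Parse a constructed mini policy: 'name: rule; rule' per line."""
    profiles = {}
    for line in text.strip().splitlines():
        name, _, body = line.partition(":")
        profiles[name.strip()] = [parse_ptrace_rule(r + ",")
                                  for r in body.split(",") if r.strip()]
    return profiles


# Constructed sample policy for the example (not real profiles).
SAMPLE = """
/usr/bin/gdb: ptrace trace /usr/bin/prog, ptrace (read readby) /usr/bin/prog
/usr/bin/prog: ptrace tracedby /usr/bin/gdb
/usr/bin/other: ptrace
"""

if __name__ == "__main__":
    profs = load_profiles(SAMPLE)
    print(cross_check(profs, "/usr/bin/gdb", "/usr/bin/prog", "trace"))
    print(cross_check(profs, "/usr/bin/gdb", "/usr/bin/prog", "read"))
    print(cross_check(profs, "/usr/bin/gdb", "/usr/bin/other", "trace"))
```

In the sample, gdb may trace prog because prog explicitly grants `tracedby` back, but gdb may not `read` prog (prog never grants `readby`), and gdb may not trace `/usr/bin/other` at all, even though `other` grants every ptrace permission to any peer, because gdb's own profile names only prog. That second and third outcome are the part of the cross check the message is questioning for ptrace.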
On Fri, Mar 07, 2014 at 01:49:54PM +0100, Christian Boltz wrote:
I found another evil testcase:
parser/tst/simple_tests/vars/vars_alternation_3.sd
(and I'm slightly ;-) surprised about EXRESULT PASS - I wouldn't be
surprised if it breaks the tools)
As an aside, one of my future goals is to