@@ -1220,6 +1220,80 @@ exit:
return rc;
}
+int define_segregate_attributes(void)
+{
+ char *id = NULL;
+ segregate_attribute_t *sattr = NULL;
+ int rc = -1;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ sattr = malloc(sizeof(segregate_attribute_t));
+ if (!sattr) {
+ yyerror("Out of memory!");
+ goto exit;
+ }
+
+ ebitmap_init(&sattr->attrs);
+ sattr->line = policydb_lineno;
+ sattr->source_line = source_lineno;
+ sattr->source_filename = strdup(source_file);
+ if (!sattr->source_filename) {
+ yyerror("Out of memory!");
+ goto exit;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ const type_datum_t *attr;
+
+ if (!is_id_in_scope(SYM_TYPES, id)) {
+ yyerror2("attribute %s is not within scope", id);
+ goto exit;
+ }
+
+ attr = hashtab_search(policydbp->p_types.table, id);
+ if (!attr) {
+ yyerror2("attribute %s is not declared", id);
+ goto exit;
+ }
+
+ if (attr->flavor != TYPE_ATTRIB) {
+ yyerror2("%s is a type, not an attribute", id);
+ goto exit;
+ }
+
+ if (ebitmap_get_bit(&sattr->attrs, attr->s.value - 1)) {
+ yyerror2("attribute %s used multiple times", id);
+ goto exit;
+ }
+
+ if (ebitmap_set_bit(&sattr->attrs, attr->s.value - 1, TRUE)) {
+ yyerror("Out of memory!");
+ goto exit;
+ }
+
+ free(id);
+ }
+
+ sattr->next = policydbp->segregate_attributes;
+ policydbp->segregate_attributes = sattr;
+
+ sattr = NULL;
+ rc = 0;
+exit:
+ if (sattr) {
+ free(sattr->source_filename);
+ ebitmap_destroy(&sattr->attrs);
+ free(sattr);
+ }
+ free(id);
+ return rc;
+}
+
static int add_aliases_to_type(type_datum_t * type)
{
char *id;
@@ -68,6 +68,7 @@ int define_type(int alias);
int define_user(void);
int define_validatetrans(constraint_expr_t *expr);
int expand_attrib(void);
+int define_segregate_attributes(void);
int insert_id(const char *id,int push);
int insert_separator(int push);
role_datum_t *define_role_dom(role_datum_t *r);
@@ -104,6 +104,7 @@ typedef int (* require_func_t)(int pass);
%token ALIAS
%token ATTRIBUTE
%token EXPANDATTRIBUTE
+%token SEGREGATEATTRIBUTES
%token BOOL
%token TUNABLE
%token IF
@@ -320,6 +321,7 @@ rbac_decl : attribute_role_def
;
te_decl : attribute_def
| expandattribute_def
+ | segregateattributes_def
| type_def
| typealias_def
| typeattribute_def
@@ -337,6 +339,9 @@ attribute_def : ATTRIBUTE identifier ';'
expandattribute_def : EXPANDATTRIBUTE names bool_val ';'
{ if (expand_attrib()) return -1;}
;
+segregateattributes_def : SEGREGATEATTRIBUTES identifier ',' id_comma_list ';'
+ { if (define_segregate_attributes()) return -1;}
+ ;
type_def : TYPE identifier alias_def opt_attr_list ';'
{if (define_type(1)) return -1;}
| TYPE identifier opt_attr_list ';'
@@ -123,6 +123,8 @@ ATTRIBUTE |
attribute { return(ATTRIBUTE); }
EXPANDATTRIBUTE |
expandattribute { return(EXPANDATTRIBUTE); }
+SEGREGATE_ATTRIBUTES |
+segregate_attributes { return(SEGREGATEATTRIBUTES); }
TYPE_TRANSITION |
type_transition { return(TYPE_TRANSITION); }
TYPE_MEMBER |
Support specifying segregate attributes. The following two blocks are equivalent: segregate_attributes attr1, attr2, attr3; segregate_attributes attr1, attr2; segregate_attributes attr1, attr3; segregate_attributes attr2, attr3; Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- checkpolicy/policy_define.c | 74 +++++++++++++++++++++++++++++++++++++ checkpolicy/policy_define.h | 1 + checkpolicy/policy_parse.y | 5 +++ checkpolicy/policy_scan.l | 2 + 4 files changed, 82 insertions(+)