
changeset 20694:91ec06817632

XSM: Restore policy backwards compatibility

This restores backwards compatibility with older XSM policy. Policies
built with older versions of checkpolicy will once again work in Xen.

Signed-off-by : Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
author Keir Fraser <keir.fraser@citrix.com>
date Wed Dec 16 12:21:43 2009 +0000 (2009-12-16)
parents f9998fedea78
children 976d679b04fb
files xen/xsm/flask/ss/policydb.c xen/xsm/flask/ss/policydb.h
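--- a/xen/xsm/flask/ss/policydb.c
+++ b/xen/xsm/flask/ss/policydb.c
@@ -66,6 +66,7 @@ struct policydb_compat_info {
     int version;
     int sym_num;
     int ocon_num;
+    int target_type;
 };
 
 /* These need to be updated if SYM_NUM or OCON_NUM changes */
@@ -74,62 +75,80 @@ static struct policydb_compat_info polic
         .version        = POLICYDB_VERSION_BASE,
         .sym_num        = SYM_NUM - 3,
         .ocon_num       = OCON_NUM - 1,
+        .target_type    = TARGET_XEN_OLD,
     },
     {
         .version        = POLICYDB_VERSION_BOOL,
         .sym_num        = SYM_NUM - 2,
         .ocon_num       = OCON_NUM - 1,
+        .target_type    = TARGET_XEN_OLD,
     },
     {
         .version        = POLICYDB_VERSION_IPV6,
         .sym_num        = SYM_NUM - 2,
         .ocon_num       = OCON_NUM,
+        .target_type    = TARGET_XEN_OLD,
     },
     {
         .version        = POLICYDB_VERSION_NLCLASS,
         .sym_num        = SYM_NUM - 2,
         .ocon_num       = OCON_NUM,
+        .target_type    = TARGET_XEN_OLD,
     },
     {
         .version        = POLICYDB_VERSION_MLS,
         .sym_num        = SYM_NUM,
         .ocon_num       = OCON_NUM,
+        .target_type    = TARGET_XEN_OLD,
     },
     {
         .version        = POLICYDB_VERSION_AVTAB,
         .sym_num        = SYM_NUM,
         .ocon_num       = OCON_NUM,
+        .target_type    = TARGET_XEN_OLD,
     },
     {
 	.version	= POLICYDB_VERSION_RANGETRANS,
 	.sym_num	= SYM_NUM,
 	.ocon_num	= OCON_NUM,
+        .target_type    = TARGET_XEN_OLD,
     },
     {
 	.version	= POLICYDB_VERSION_POLCAP,
 	.sym_num	= SYM_NUM,
 	.ocon_num	= OCON_NUM,
+        .target_type    = TARGET_XEN_OLD,
     },
     {
 	.version	= POLICYDB_VERSION_PERMISSIVE,
 	.sym_num	= SYM_NUM,
 	.ocon_num	= OCON_NUM,
+        .target_type    = TARGET_XEN_OLD,
+    },
+    {
+	.version	= POLICYDB_VERSION_BOUNDARY,
+        .sym_num        = SYM_NUM,
+        .ocon_num       = OCON_NUM_OLD,
+        .target_type    = TARGET_XEN_OLD,
     },
     {
 	.version	= POLICYDB_VERSION_BOUNDARY,
 	.sym_num	= SYM_NUM,
 	.ocon_num	= OCON_NUM,
+        .target_type    = TARGET_XEN,
     },
 };
 
-static struct policydb_compat_info *policydb_lookup_compat(int version)
+static struct policydb_compat_info *policydb_lookup_compat(int version,
+                                                            int target)
 {
     int i;
     struct policydb_compat_info *info = NULL;
 
     for ( i = 0; i < sizeof(policydb_compat)/sizeof(*info); i++ )
     {
-        if ( policydb_compat[i].version == version )
+        if ( policydb_compat[i].version == version &&
+             policydb_compat[i].target_type == target )
         {
             info = &policydb_compat[i];
             break;
@@ -1838,11 +1857,11 @@ int policydb_read(struct policydb *p, vo
          ebitmap_read(&p->permissive_map, fp) != 0 )
         goto bad;
 
-    info = policydb_lookup_compat(p->policyvers);
+    info = policydb_lookup_compat(p->policyvers, p->target_type);
     if ( !info )
     {
         printk(KERN_ERR "Flask:  unable to find policy compat info "
-               "for version %d\n", p->policyvers);
+               "for version %d target %d\n", p->policyvers, p->target_type);
         goto bad;
     }
 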
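Review bot: The new TARGET_XEN_OLD entry for POLICYDB_VERSION_BOUNDARY in the compat table sets `.ocon_num = OCON_NUM_OLD` (7 per the header change) while every other entry uses OCON_NUM (5), so policydb_read will walk two more ocontext indices for such a policy than for the TARGET_XEN entry. The loop that consumes info->ocon_num is outside this hunk; if `p->ocontexts` is dimensioned by OCON_NUM, indices 5 and 6 would land past the array when an older policy file is loaded, so confirm that loop skips or bounds those extra slots. The two BOUNDARY entries also deserve a comment, e.g. `/* BOUNDARY policies built for the old target carry OCON_NUM_OLD ocontext sections; the pair is told apart by target_type */`, and the table's header comment `/* These need to be updated if SYM_NUM or OCON_NUM changes */` should now also name OCON_NUM_OLD and target_type. Both the compat table and policydb_read begin outside these hunks.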
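--- a/xen/xsm/flask/ss/policydb.h
+++ b/xen/xsm/flask/ss/policydb.h
@@ -181,6 +181,7 @@ struct ocontext {
 #define OCON_IOMEM   3    /* io memory */
 #define OCON_DEVICE  4    /* pci devices */
 #define OCON_NUM     5
+#define OCON_NUM_OLD 7
 
 /* The policy database */
 struct policydb {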
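Review bot: `#define OCON_NUM_OLD 7` is the only OCON_* define in this block without a trailing comment, and a value larger than OCON_NUM (5) is surprising without one. Suggest `#define OCON_NUM_OLD 7    /* ocontext count in TARGET_XEN_OLD BOUNDARY policies */` so the relation to the compat table in policydb.c is visible where the constant is defined. The struct policydb that follows continues past the hunk.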