SOURCES: gradm-show-trans.patch (NEW), gradm-ignore-repos.patch (NEW), grad...
zbyniu
zbyniu at pld-linux.org
Wed Oct 22 11:20:57 CEST 2008
Author: zbyniu Date: Wed Oct 22 09:20:57 2008 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- new, desc inside
---- Files affected:
SOURCES:
gradm-show-trans.patch (NONE -> 1.1) (NEW), gradm-ignore-repos.patch (NONE -> 1.1) (NEW), gradm-num-ugid.patch (NONE -> 1.1) (NEW), gradm-num-protocols.patch (NONE -> 1.1) (NEW), gradm-cap_invert.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/gradm-show-trans.patch
diff -u /dev/null SOURCES/gradm-show-trans.patch:1.1
--- /dev/null Wed Oct 22 11:20:58 2008
+++ SOURCES/gradm-show-trans.patch Wed Oct 22 11:20:50 2008
@@ -0,0 +1,31 @@
+print USER_TRANSITIONS_ALLOW/DENY in show_policy() (debug mode)
+
+--- gradm2./gradm.l 2008-08-08 12:44:37.468468000 +0200
++++ gradm2/gradm.l 2008-08-08 13:50:44.695810222 +0200
+@@ -555,6 +555,26 @@
+ printf("\tSUBJECT: %s dev:%lu inode:%lu mode:%lu c_raise:%x c_drop:%x\n",
+ proc->filename, proc->dev, proc->inode, proc->mode,
+ cap_invert(proc->cap_drop), proc->cap_drop);
++ if (proc->user_trans_num > 0) {
++ printf("\tUSER_TRANSITIONS_");
++ if (proc->user_trans_type & GR_ID_ALLOW)
++ printf("ALLOW:");
++ else
++ printf("DENY:");
++ for (i = 0; i < proc->user_trans_num; i++)
++ printf(" %u", *(proc->user_transitions + i));
++ printf("\n");
++ }
++ if (proc->group_trans_num > 0) {
++ printf("\tGROUP_TRANSITIONS_");
++ if (proc->group_trans_type & GR_ID_ALLOW)
++ printf("ALLOW:");
++ else
++ printf("DENY:");
++ for (i = 0; i < proc->group_trans_num; i++)
++ printf(" %u", *(proc->group_transitions + i));
++ printf("\n");
++ }
+ for (i = 0; i < proc->ip_num; i++) {
+ char ipaddr[4];
+ int c;
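Review bot: The context lines at the top of this hunk already contain `cap_invert(proc->cap_drop)`, which is only introduced by gradm-cap_invert.patch in this same commit, so gradm-show-trans.patch applies only after gradm-cap_invert.patch and whatever applies the series must keep that order (the `gradm2./gradm.l` header typo only strips cleanly at -p1). In the added loops, `printf(" %u", *(proc->user_transitions + i))` relies on uid_t and gid_t being `unsigned int`; `printf(" %lu", (unsigned long)proc->user_transitions[i]);` keeps the conversion and argument matched on any libc and reads more plainly than the pointer arithmetic. The two blocks are otherwise copies of each other and could share one static helper taking the label, the type flags, the count and the list. The enclosing show_policy() body starts and ends outside the hunk.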
================================================================
Index: SOURCES/gradm-ignore-repos.patch
diff -u /dev/null SOURCES/gradm-ignore-repos.patch:1.1
--- /dev/null Wed Oct 22 11:20:58 2008
+++ SOURCES/gradm-ignore-repos.patch Wed Oct 22 11:20:50 2008
@@ -0,0 +1,14 @@
+ignore "CVS" ".svn" "*~" files/dirs
+--- gradm2/gradm.l~ 2008-04-04 22:05:25.000000000 +0200
++++ gradm2/gradm.l 2008-07-18 15:06:51.613273610 +0200
+@@ -388,7 +388,9 @@
+ return;
+
+ for (i = 0; i < n; i++) {
+- if (!strcmp(namelist[i]->d_name, ".") || !strcmp(namelist[i]->d_name, ".."))
++ if (!strcmp(namelist[i]->d_name, ".") || !strcmp(namelist[i]->d_name, "..") ||
++ !strcmp(namelist[i]->d_name, ".svn") || !strcmp(namelist[i]->d_name, "CVS") ||
++ !strcmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-1, "~"))
+ continue;
+ tmp = calloc(1, sizeof(struct include_entry));
+ if (tmp == NULL)
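Review bot: The `*~` test `!strcmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-1, "~")` points one byte before the name when d_name is empty; scandir() should never return such an entry, but the pointer arithmetic is undefined in that case and strlen() is evaluated twice per entry for the same name. Computing the length once and checking it first, `size_t len = strlen(namelist[i]->d_name);` followed by `(len > 0 && namelist[i]->d_name[len - 1] == '~')`, is both safe and clearer. These entries are also skipped silently, so a policy file accidentally saved with a trailing `~` drops out of the loaded policy with no diagnostic; a short message on the skip path would make that visible. The enclosing loop and function start before the hunk.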
================================================================
Index: SOURCES/gradm-num-ugid.patch
diff -u /dev/null SOURCES/gradm-num-ugid.patch:1.1
--- /dev/null Wed Oct 22 11:20:59 2008
+++ SOURCES/gradm-num-ugid.patch Wed Oct 22 11:20:51 2008
@@ -0,0 +1,287 @@
+support for numerical uids/gids in policy
+--- gradm2./gradm_parse.c 2008-03-14 02:01:39.000000000 +0100
++++ gradm2/gradm_parse.c 2008-08-13 13:17:20.197960211 +0200
+@@ -9,6 +9,9 @@ add_id_transition(struct proc_acl *subje
+ struct passwd *pwd;
+ struct group *grp;
+ int i;
++ uid_t uid;
++ gid_t gid;
++ char *end;
+
+ if (usergroup == GR_ID_USER) {
+ if ((subject->user_trans_type | allowdeny) == (GR_ID_ALLOW | GR_ID_DENY)) {
+@@ -25,15 +28,28 @@ add_id_transition(struct proc_acl *subje
+ if (*(subject->user_transitions + i) == usergroup)
+ return;
+
+- pwd = getpwnam(idname);
++ if (!isdigit(idname[0])) {
++ pwd = getpwnam(idname);
+
+- if (!pwd) {
+- fprintf(stderr, "User %s on line %lu of %s "
+- "does not exist.\nThe RBAC system will "
+- "not be allowed to be enabled until "
+- "this error is fixed.\n", idname,
+- lineno, current_acl_file);
+- exit(EXIT_FAILURE);
++ if (!pwd) {
++ fprintf(stderr, "User %s on line %lu of %s "
++ "does not exist.\nThe RBAC system will "
++ "not be allowed to be enabled until "
++ "this error is fixed.\n", idname,
++ lineno, current_acl_file);
++ exit(EXIT_FAILURE);
++ }
++ uid = pwd->pw_uid;
++ } else {
++ uid = strtoul(idname, &end, 10);
++ if (*end != '\0') {
++ fprintf(stderr, "User %s on line %lu of %s "
++ "is incorrect.\nThe RBAC system will "
++ "not be allowed to be enabled until "
++ "this error is fixed.\n", idname,
++ lineno, current_acl_file);
++ exit(EXIT_FAILURE);
++ }
+ }
+
+ /* increment pointer count upon allocation of user transition list */
+@@ -42,7 +58,7 @@ add_id_transition(struct proc_acl *subje
+
+ subject->user_trans_num++;
+ subject->user_transitions = gr_dyn_realloc(subject->user_transitions, subject->user_trans_num * sizeof(uid_t));
+- *(subject->user_transitions + subject->user_trans_num - 1) = pwd->pw_uid;
++ *(subject->user_transitions + subject->user_trans_num - 1) = uid;
+ } else if (usergroup == GR_ID_GROUP) {
+ if ((subject->group_trans_type | allowdeny) == (GR_ID_ALLOW | GR_ID_DENY)) {
+ fprintf(stderr, "Error on line %lu of %s. You cannot use "
+@@ -58,15 +74,28 @@ add_id_transition(struct proc_acl *subje
+ if (*(subject->group_transitions + i) == usergroup)
+ return;
+
+- grp = getgrnam(idname);
++ if (!isdigit(idname[0])) {
++ grp = getgrnam(idname);
+
+- if (!grp) {
+- fprintf(stderr, "Group %s on line %lu of %s "
+- "does not exist.\nThe RBAC system will "
+- "not be allowed to be enabled until "
+- "this error is fixed.\n", idname,
+- lineno, current_acl_file);
+- exit(EXIT_FAILURE);
++ if (!grp) {
++ fprintf(stderr, "Group %s on line %lu of %s "
++ "does not exist.\nThe RBAC system will "
++ "not be allowed to be enabled until "
++ "this error is fixed.\n", idname,
++ lineno, current_acl_file);
++ exit(EXIT_FAILURE);
++ }
++ gid = grp->gr_gid;
++ } else {
++ gid = strtoul(idname, &end, 10);
++ if (*end != '\0') {
++ fprintf(stderr, "Group %s on line %lu of %s "
++ "is incorrect.\nThe RBAC system will "
++ "not be allowed to be enabled until "
++ "this error is fixed.\n", idname,
++ lineno, current_acl_file);
++ exit(EXIT_FAILURE);
++ }
+ }
+
+ /* increment pointer count upon allocation of group transition list */
+@@ -75,7 +104,7 @@ add_id_transition(struct proc_acl *subje
+
+ subject->group_trans_num++;
+ subject->group_transitions = gr_dyn_realloc(subject->group_transitions, subject->group_trans_num * sizeof(gid_t));
+- *(subject->group_transitions + subject->group_trans_num - 1) = grp->gr_gid;
++ *(subject->group_transitions + subject->group_trans_num - 1) = gid;
+ }
+
+ return;
+@@ -98,6 +127,9 @@ add_domain_child(struct role_acl *role,
+ {
+ struct passwd *pwd;
+ struct group *grp;
++ uid_t uid;
++ gid_t gid;
++ char *end;
+
+ if (is_role_dupe(current_role, idname, role->roletype)) {
+ fprintf(stderr, "Duplicate role %s on line %lu of %s.\n"
+@@ -119,35 +151,61 @@ add_domain_child(struct role_acl *role,
+ num_pointers++;
+
+ if (role->roletype & GR_ROLE_USER) {
+- pwd = getpwnam(idname);
++ if (!isdigit(idname[0])) {
++ pwd = getpwnam(idname);
+
+- if (!pwd) {
+- fprintf(stderr, "User %s on line %lu of %s "
+- "does not exist.\nThe RBAC system will "
+- "not be allowed to be enabled until "
+- "this error is fixed.\n", idname,
+- lineno, current_acl_file);
+- exit(EXIT_FAILURE);
++ if (!pwd) {
++ fprintf(stderr, "User %s on line %lu of %s "
++ "does not exist.\nThe RBAC system will "
++ "not be allowed to be enabled until "
++ "this error is fixed.\n", idname,
++ lineno, current_acl_file);
++ exit(EXIT_FAILURE);
++ }
++ uid = pwd->pw_uid;
++ } else {
++ uid = strtoul(idname, &end, 10);
++ if (*end != '\0') {
++ fprintf(stderr, "User %s on line %lu of %s "
++ "is incorrect.\nThe RBAC system will "
++ "not be allowed to be enabled until "
++ "this error is fixed.\n", idname,
++ lineno, current_acl_file);
++ exit(EXIT_FAILURE);
++ }
+ }
+
+ role->domain_child_num++;
+ role->domain_children = gr_dyn_realloc(role->domain_children, role->domain_child_num * sizeof(uid_t));
+- *(role->domain_children + role->domain_child_num - 1) = pwd->pw_uid;
++ *(role->domain_children + role->domain_child_num - 1) = uid;
+ } else if (role->roletype & GR_ROLE_GROUP) {
+- grp = getgrnam(idname);
++ if (!isdigit(idname[0])) {
++ grp = getgrnam(idname);
+
+- if (!grp) {
+- fprintf(stderr, "Group %s on line %lu of %s "
+- "does not exist.\nThe RBAC system will "
+- "not be allowed to be enabled until "
+- "this error is fixed.\n", idname,
+- lineno, current_acl_file);
+- exit(EXIT_FAILURE);
++ if (!grp) {
++ fprintf(stderr, "Group %s on line %lu of %s "
++ "does not exist.\nThe RBAC system will "
++ "not be allowed to be enabled until "
++ "this error is fixed.\n", idname,
++ lineno, current_acl_file);
++ exit(EXIT_FAILURE);
++ }
++ grp->gr_gid;
++ } else {
++ gid = strtoul(idname, &end, 10);
++ if (*end != '\0') {
++ fprintf(stderr, "Group %s on line %lu of %s "
++ "is incorrect.\nThe RBAC system will "
++ "not be allowed to be enabled until "
++ "this error is fixed.\n", idname,
++ lineno, current_acl_file);
++ exit(EXIT_FAILURE);
++ }
+ }
+
+ role->domain_child_num++;
+ role->domain_children = gr_dyn_realloc(role->domain_children, role->domain_child_num * sizeof(uid_t));
+- *(role->domain_children + role->domain_child_num - 1) = grp->gr_gid;
++ *(role->domain_children + role->domain_child_num - 1) = gid;
+ } else {
+ // should never get here
+ fprintf(stderr, "Unhandled exception 1.\n");
+@@ -269,6 +327,7 @@ add_role_acl(struct role_acl **role, cha
+ struct role_acl *rtmp;
+ struct passwd *pwd;
+ struct group *grp;
++ char *end;
+
+ num_roles++;
+
+@@ -305,37 +364,59 @@ add_role_acl(struct role_acl **role, cha
+
+ if (ignore)
+ rtmp->uidgid = special_role_uid++;
+- else if (strcmp(rolename, "default") || !(type & GR_ROLE_DEFAULT)) {
++ else if (strcmp(rolename, "default") || !(type & GR_ROLE_DEFAULT))
+ if (type & GR_ROLE_USER) {
+- pwd = getpwnam(rolename);
++ if (!isdigit(rolename[0])) {
++ pwd = getpwnam(rolename);
+
+- if (!pwd) {
+- fprintf(stderr, "User %s on line %lu of %s "
+- "does not exist.\nThe RBAC system will "
+- "not be allowed to be enabled until "
+- "this error is fixed.\n", rolename,
+- lineno, current_acl_file);
+- exit(EXIT_FAILURE);
++ if (!pwd) {
++ fprintf(stderr, "User %s on line %lu of %s "
++ "does not exist.\nThe RBAC system will "
++ "not be allowed to be enabled until "
++ "this error is fixed.\n", rolename,
++ lineno, current_acl_file);
++ exit(EXIT_FAILURE);
++ }
++
++ rtmp->uidgid = pwd->pw_uid;
++ } else {
++ rtmp->uidgid = strtoul(rolename, &end, 10);
++ if (*end != '\0') {
++ fprintf(stderr, "User %s on line %lu of %s "
++ "is incorrect.\nThe RBAC system will "
++ "not be allowed to be enabled until "
++ "this error is fixed.\n", rolename,
++ lineno, current_acl_file);
++ exit(EXIT_FAILURE);
++ }
+ }
+-
+- rtmp->uidgid = pwd->pw_uid;
+ } else if (type & GR_ROLE_GROUP) {
+- grp = getgrnam(rolename);
++ if (!isdigit(rolename[0])) {
++ grp = getgrnam(rolename);
+
+- if (!grp) {
+- fprintf(stderr, "Group %s on line %lu of %s "
+- "does not exist.\nThe RBAC system will "
+- "not be allowed to be enabled until "
+- "this error is fixed.\n", rolename,
+- lineno, current_acl_file);
+- exit(EXIT_FAILURE);
++ if (!grp) {
++ fprintf(stderr, "Group %s on line %lu of %s "
++ "does not exist.\nThe RBAC system will "
++ "not be allowed to be enabled until "
++ "this error is fixed.\n", rolename,
++ lineno, current_acl_file);
++ exit(EXIT_FAILURE);
++ }
++
++ rtmp->uidgid = grp->gr_gid;
++ } else {
++ rtmp->uidgid = strtoul(rolename, &end, 10);
++ if (*end != '\0') {
++ fprintf(stderr, "Group %s on line %lu of %s "
++ "is incorrect.\nThe RBAC system will "
++ "not be allowed to be enabled until "
++ "this error is fixed.\n", rolename,
++ lineno, current_acl_file);
++ exit(EXIT_FAILURE);
++ }
+ }
+-
+- rtmp->uidgid = grp->gr_gid;
+- } else if (type & GR_ROLE_SPECIAL) {
++ } else if (type & GR_ROLE_SPECIAL)
+ rtmp->uidgid = special_role_uid++;
+- }
+- }
+
+ if (*role)
+ (*role)->next = rtmp;
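Review bot: In the GR_ROLE_GROUP branch of add_domain_child the added line `grp->gr_gid;` is an expression statement with no effect, so `gid` is never assigned and the later `*(role->domain_children + role->domain_child_num - 1) = gid;` stores an indeterminate value; it should read `gid = grp->gr_gid;`, mirroring `uid = pwd->pw_uid;` in the user branch. The numeric path has a second problem shared by all three functions: `strtoul()` returns unsigned long and is assigned straight to a uid_t/gid_t (or to `rtmp->uidgid`) with only `*end != '\0'` checked, so on an LP64 build a constructed value such as 4294967296 is accepted and truncated to 0 on store, binding the policy entry to uid 0 rather than rejecting it; keep the result in an `unsigned long`, set `errno = 0` before the call, and reject `errno == ERANGE` or any value that does not round-trip through the target type before assigning. `isdigit(idname[0])` should be given `(unsigned char)idname[0]`, and since the patch does not show `<ctype.h>` being added, confirm gradm_parse.c already includes it. Removing the braces around the `else if (strcmp(rolename, "default") || ...)` body in add_role_acl is a style regression rather than a bug today, but a future `else` appended to that inner chain would bind to the wrong `if`. All three functions extend beyond the hunks shown.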
================================================================
Index: SOURCES/gradm-num-protocols.patch
diff -u /dev/null SOURCES/gradm-num-protocols.patch:1.1
--- /dev/null Wed Oct 22 11:20:59 2008
+++ SOURCES/gradm-num-protocols.patch Wed Oct 22 11:20:51 2008
@@ -0,0 +1,47 @@
+support for numeric protocols values
+--- gradm2/gradm.l (wersja 285)
++++ gradm2/gradm.l (wersja 286)
+@@ -158,7 +158,7 @@
+ gradmlval.string = gr_strdup(yytext);
+ return IPTYPE;
+ }
+-<IP_STATE>[a-z_-]+ {
++<IP_STATE>[a-z0-9]+[a-z0-9_+-.]* {
+ gradmlval.string = gr_strdup(yytext);
+ return IPPROTO;
+ }
+--- gradm2/gradm_net.c (wersja 285)
++++ gradm2/gradm_net.c (wersja 303)
+@@ -147,6 +147,21 @@
+ {
+ struct protoent *proto;
+ unsigned short i;
++ unsigned short num_proto, ret=0;
++
++ if (strlen(name) <= 3) {
++ ret = 1;
++ for (i = 0; i < strlen(name) - 1; i++)
++ if (!isdigit(name[i]))
++ ret=0;
++ if (ret) {
++ num_proto = atoi(name);
++ if (num_proto<256)
++ ret=1;
++ else
++ ret=0;
++ }
++ }
+
+ if (!strcmp(name, "raw_proto"))
+ ip->proto[IPPROTO_RAW / 32] |= (1 << (IPPROTO_RAW % 32));
+@@ -170,7 +185,9 @@
+ } else if (!strcmp(name, "udp")) { // silly protocol 0
+ ip->proto[IPPROTO_IP / 32] |= (1 << (IPPROTO_IP % 32));
+ ip->proto[IPPROTO_UDP / 32] |= (1 << (IPPROTO_UDP % 32));
+- } else if ((proto = getprotobyname(name)))
++ } else if (ret)
++ ip->proto[num_proto / 32] |= (1 << (num_proto % 32));
++ else if ((proto = getprotobyname(name)))
+ ip->proto[proto->p_proto / 32] |= (1 << (proto->p_proto % 32));
+ else {
+ fprintf(stderr, "Invalid type/protocol: %s\n", name);
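Review bot: The digit check in gradm_net.c loops `for (i = 0; i < strlen(name) - 1; i++)`, so the last character of `name` is never examined: a token such as `10x` passes the check, `atoi()` stops at the first non-digit and protocol 10 is silently enabled; the bound should be `i < strlen(name)` with the length hoisted into a local, or better, drop the loop and `atoi()` in favour of `strtoul(name, &end, 10)` with `*end == '\0'` and a value below 256 required. If `name` could ever be empty, `strlen(name) - 1` wraps to SIZE_MAX and the loop reads past the string; the new lexer rule requires at least one character so that looks unreachable today, but the bound fix removes the hazard regardless. In the gradm.l rule `[a-z0-9]+[a-z0-9_+-.]*`, `+-.` inside a bracket expression is a range from `+` to `.` and therefore also accepts `,`; write it `[a-z0-9_+.-]*` with the hyphen last if only those three punctuation characters are intended. The function in gradm_net.c begins before the hunk, so the type of `name` is assumed here to be `const char *`.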
================================================================
Index: SOURCES/gradm-cap_invert.patch
diff -u /dev/null SOURCES/gradm-cap_invert.patch:1.1
--- /dev/null Wed Oct 22 11:21:00 2008
+++ SOURCES/gradm-cap_invert.patch Wed Oct 22 11:20:52 2008
@@ -0,0 +1,14 @@
+64bit caps miss in show_policy()
+--- gradm2/gradm.l~ 2008-07-26 20:21:06.000000000 +0200
++++ gradm2/gradm.l 2008-07-26 20:22:02.208776756 +0200
+@@ -553,8 +553,8 @@
+ printf("\n");
+ for (proc = rolp->hash->first;proc;proc=proc->prev) {
+ printf("\tSUBJECT: %s dev:%lu inode:%lu mode:%lu c_raise:%x c_drop:%x\n",
+- proc->filename, proc->dev, proc->inode, proc->mode, ~proc->cap_drop,
+- proc->cap_drop);
++ proc->filename, proc->dev, proc->inode, proc->mode,
++ cap_invert(proc->cap_drop), proc->cap_drop);
+ for (i = 0; i < proc->ip_num; i++) {
+ char ipaddr[4];
+ int c;
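Review bot: `cap_invert(proc->cap_drop)` is now passed to a `%x` conversion, which is only correct if cap_invert() returns a type that promotes to `unsigned int`; the patch title says this is about 64-bit capability sets, so if cap_invert() returns a 64-bit value, or `proc->cap_drop` itself is wider than 32 bits, both `%x` arguments are mismatched, which is undefined behaviour (and something `-Wformat` should flag) and would in practice still print only the low half. If that is the case the format should become `c_raise:%llx c_drop:%llx` with both arguments cast to `unsigned long long`; otherwise a one-line comment above the printf stating that cap_invert() keeps the value 32 bits wide would spare the next reader the same question. The enclosing loop and show_policy() continue outside the hunk.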
================================================================