List: selinux
Subject: Re: [POLICYREP] [PATCH 1/1] policyrep role implementation
From: Joshua Brindle <method () manicmethod ! com>
Date: 2007-07-18 15:11:57
Message-ID: 469E2DBD.8060102 () manicmethod ! com
Karl MacMillan wrote:
> The copy operator and constructor are not properly chaining to the base
> classes (it was my mistake in the initial patch). I think you can go
> ahead and check this in and I will fix it up when I fix everything else.
>
Following patch applied to policyrep branch:
Index: libpolicyrep/tests/example.te
===================================================================
--- libpolicyrep/tests/example.te (revision 2495)
+++ libpolicyrep/tests/example.te (working copy)
@@ -23,6 +23,10 @@
typealias xdm_t alias { foo_t bar_t };
+role foo_r types user_t;
+
+role bar_r;
+
if (foo) {
allow foo bar : file read;
}
Index: libpolicyrep/tests/libpolicyrep-test.cpp
===================================================================
--- libpolicyrep/tests/libpolicyrep-test.cpp (revision 2495)
+++ libpolicyrep/tests/libpolicyrep-test.cpp (working copy)
@@ -39,7 +39,11 @@
t->attributes().insert("userdomain");
mod->append_child(t);
-
+
+ RolePtr r(new Role("foo"));
+ r->types().insert("foo");
+ mod->append_child(r);
+
std::cout << "============ basic test ============" << std::endl;
output_tree(std::cout, pol);
Index: libpolicyrep/include/policyrep/policy.hpp
===================================================================
--- libpolicyrep/include/policyrep/policy.hpp (revision 2495)
+++ libpolicyrep/include/policyrep/policy.hpp (working copy)
@@ -8,6 +8,7 @@
#include <policyrep/te_decl.hpp>
#include <policyrep/rule.hpp>
#include <policyrep/conditional.hpp>
+#include <policyrep/rbac.hpp>
namespace policyrep
{
Index: libpolicyrep/include/policyrep/rbac.hpp
===================================================================
--- libpolicyrep/include/policyrep/rbac.hpp (revision 0)
+++ libpolicyrep/include/policyrep/rbac.hpp (revision 0)
@@ -0,0 +1,46 @@
+/* Author: Joshua Brindle <jbrindle@tresys.com> */
+
+#ifndef __role_hpp__
+#define __role_hpp__
+
+#include <policyrep/policy_base.hpp>
+
+namespace policyrep
+{
+
+ //
+ // Role
+ //
+
+ struct RoleImpl;
+ class Role : public Node
+ {
+ public:
+ Role();
+ Role(const std::string& name);
+ Role(const Role& other);
+ virtual ~Role();
+ virtual void operator=(const Role& other);
+
+ template<class T>
+ Role(const std::string& name, T types_begin, T end)
+ {
+ init();
+ set_name(name);
+ types().insert(types_begin, end);
+ }
+
+ virtual const std::string& get_name() const;
+ virtual void set_name(const std::string& name);
+
+ virtual StringSet& types();
+ protected:
+ virtual void do_output(std::ostream& o, const OutputFormatter& op) const;
+ void init();
+ RoleImpl* impl;
+ };
+ typedef boost::shared_ptr<Role> RolePtr;
+
+} // namespace policyrep
+
+#endif
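Review bot: The include guard at the top of this new header is `__role_hpp__`, which is both a reserved identifier (names containing a double underscore belong to the implementation) and a mismatch with the file name rbac.hpp, so a later role.hpp using the obvious guard would silently hide one of the two; `#ifndef POLICYREP_RBAC_HPP` / `#define POLICYREP_RBAC_HPP` avoids both problems. The assignment operator is declared as `virtual void operator=(const Role& other)`; the conventional `Role& operator=(const Role& other)` returning `*this` lets assignments chain and is what standard containers expect of a copyable type. `Role(const std::string& name)` is a single-argument constructor and will be used for implicit conversions from `std::string` unless marked `explicit`. The template constructor calls `init()` and then `types().insert(types_begin, end)`; if that insert throws, the destructor never runs and the freshly allocated `RoleImpl` leaks, which is worth a short comment on the raw-owned `impl` member until it is wrapped in an owning pointer.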
Index: libpolicyrep/src/rbac.cpp
===================================================================
--- libpolicyrep/src/rbac.cpp (revision 0)
+++ libpolicyrep/src/rbac.cpp (revision 0)
@@ -0,0 +1,89 @@
+/*
+ * Author : Joshua Brindle <jbrindle@tresys.com>
+ *
+ * Copyright (C) 2007 Tresys Technology, LLC.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#include <policyrep/rbac.hpp>
+
+namespace policyrep
+{
+
+ //
+ // Role
+ //
+
+ struct RoleImpl
+ {
+ std::string name;
+ StringSet types;
+ };
+
+ void Role::init()
+ {
+ impl = new RoleImpl;
+ }
+
+ Role::Role() { init(); }
+
+ Role::Role(const std::string& name)
+ {
+ init();
+ impl->name = name;
+ }
+
+ Role::Role(const Role& other)
+ : Node()
+ {
+ init();
+ *impl = *other.impl;
+ }
+
+ Role::~Role() { delete impl; }
+
+ void Role::operator=(const Role& other)
+ {
+ *impl = *other.impl;
+ }
+
+ const std::string& Role::get_name() const
+ {
+ return impl->name;
+ }
+
+ void Role::set_name(const std::string& name)
+ {
+ impl->name = name;
+ }
+
+ StringSet& Role::types()
+ {
+ return impl->types;
+ }
+
+ void Role::do_output(std::ostream& o, const OutputFormatter& op) const
+ {
+ o << "role " << impl->name;
+ if (!impl->types.empty()) {
+ o << " types ";
+ output_set_comma(o, impl->types);
+ }
+ o << ";";
+ }
+
+
+} // namespace policyrep
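Review bot: `Role::do_output` writes `impl->name` and (presumably, via `output_set_comma`) every entry of `impl->types` into the policy text verbatim, while `set_name()` and `types()` accept any `std::string`, so a name containing whitespace, `;` or `{` changes the structure of the emitted policy instead of being rejected. Roles built by the parser are fine because they come from IDENTIFIER tokens, but the programmatic path used by libpolicyrep-test.cpp has no such check; either validate in `set_name()`/`types()` or document the contract, e.g. `// Precondition: name and every type are policy identifiers (no whitespace or punctuation); do_output emits them unquoted and unescaped.` Separately, `Role::Role(const std::string&)` and the copy constructor call `init()` and then assign into `*impl`; if that assignment throws, the destructor does not run and the `RoleImpl` leaks, which constructing `RoleImpl` with the name inside the `new` expression, or holding `impl` in a `boost::scoped_ptr`, would close.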
Index: libpolicyrep/src/policy_parse.y
===================================================================
--- libpolicyrep/src/policy_parse.y (revision 2495)
+++ libpolicyrep/src/policy_parse.y (working copy)
@@ -116,6 +116,7 @@
%type <pnode> av_perms_def
%type <pnode> attribute_def
%type <pnode> type_def
+%type <pnode> role_type_def
%type <pnode> typealias_def
%type <pnode> typeattribute_def
%type <pnode> allow_def
@@ -237,6 +238,8 @@
| type_def
| typealias_def
| typeattribute_def
+ /* Roles */
+ | role_type_def
/* rules */
| allow_def
| auditallow_def
@@ -427,12 +430,12 @@
neverallow_def : NEVERALLOW names names COLON names names SEMI
{ $$ = define_avrule(AVRule::NEVERALLOW, $2, $3, $5, $6, driver); }
;
+role_type_def : ROLE IDENTIFIER TYPES id_comma_list SEMI
+ { $$ = new Role(*$2, $4->begin(), $4->end()); delete $2; delete $4; }
+ | ROLE IDENTIFIER SEMI
+ { $$ = new Role(*$2); delete $2; }
+ ;
/*
-role_type_def : ROLE IDENTIFIER TYPES names SEMI
- { $$ = define_role_types(); check($$); }
- | ROLE IDENTIFIERSEMI
- { $$ = define_role_types(); check($$); }
- ;
role_dominance : DOMINANCE LBRACE roles RBRACE { $$ = $3; check($$); }
;
role_trans_def : ROLE_TRANSITION names names IDENTIFIER SEMI
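Review bot: The TYPES branch of the new `role_type_def` takes `id_comma_list` where the rule it replaces took `names`; if `names` accepts brace-enclosed sets, a declaration such as `role r types { a b };` no longer parses after this change, and the test policy only exercises the single-type form, so this is worth confirming. The new actions also drop the `check($$)` that the superseded version called after building the node; whether that is needed depends on what `check` does in this driver, which is outside the hunk, but if it records errors the convention should be kept here: `{ $$ = new Role(*$2, $4->begin(), $4->end()); delete $2; delete $4; check($$); }`. If `new Role` throws, `$2` and `$4` are never deleted; copying the token values into locals before constructing the Role, or deleting them in a scope guard, avoids the leak.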
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.