{
ts = _ts;
int res = 0;
- char * fullPath = NULL, * fullPath1 = NULL;
+ char *fullPath = NULL, *fullPath1 = NULL;
if (!ts)
- return RPMRC_FAIL;
+ return RPMRC_FAIL;
fullPath = rpmGenPath(ts->rootDir, DEVICE_SECURITY_POLICY, NULL);
rpmlog(RPMLOG_DEBUG, "fullPath %s\n", fullPath);
if (!fullPath) {
- rpmlog(RPMLOG_ERR, "building a full path failed\n");
- return RPMRC_FAIL;
+ rpmlog(RPMLOG_ERR, "Building a full path failed for device security policy\n");
+ return RPMRC_FAIL;
}
-
+
rpmlog(RPMLOG_DEBUG, "reading device security policy from %s\n", fullPath);
root = msmProcessDevSecPolicyXml(fullPath);
if (root) {
- if (msmSetupSWSources(NULL, root, NULL)) {
- rpmlog(RPMLOG_ERR, "Failed to setup device security policy from %s\n",
- fullPath);
- return RPMRC_FAIL;
- }
+ if (msmSetupSWSources(NULL, root, NULL)) {
+ rpmlog(RPMLOG_ERR, "Failed to setup device security policy from %s\n",
+ fullPath);
+ return RPMRC_FAIL;
+ }
} else {
- /* Do not allow plug-in to proceed without security policy existing */
- rpmlog(RPMLOG_ERR, "Failed to process sw sources from %s\n",
- fullPath);
- return RPMRC_FAIL;
+ /* Do not allow plug-in to proceed without security policy existing */
+ rpmlog(RPMLOG_ERR, "Failed to process sw sources from %s\n",
+ fullPath);
+ return RPMRC_FAIL;
}
-
+
msmFreePointer((void**)&fullPath);
-
+
fullPath = rpmGenPath(ts->rootDir, SMACK_LOAD_PATH, NULL);
rpmlog(RPMLOG_DEBUG, "fullPath for SMACK_LOAD_PATH %s\n", fullPath);
if (!fullPath) {
- rpmlog(RPMLOG_ERR, "building a full path failed\n");
- return RPMRC_FAIL;
+ rpmlog(RPMLOG_ERR, "Building a full path for smack load failed\n");
+ return RPMRC_FAIL;
}
+
/* check its own security context and store it for the case when packages without manifest will be installed */
struct stat buf;
rpmlog(RPMLOG_DEBUG, "fullPath for SMACK_RULES_PATH %s\n", fullPath);
rpmlog(RPMLOG_DEBUG, "fullPath1 for SMACK_RULES_PATH_BEG %s\n", fullPath1);
if ((!fullPath) || (!fullPath1)){
- rpmlog(RPMLOG_ERR, "building a full path failed\n");
+ rpmlog(RPMLOG_ERR, "Building a full path failed for smack rules path\n");
return RPMRC_FAIL;
}
-
+
if (stat(fullPath, &buf) != 0) {
rpmlog(RPMLOG_DEBUG, "A directory for writing smack rules is missing. Creating one.\n");
mode_t mode = S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IROTH; // 644 -rwer--r--
- if (stat(fullPath1, &buf) != 0) {
- if (mkdir(fullPath1, mode) != 0) {
- rpmlog(RPMLOG_ERR, "Failed to create a sub-directory for smack rules\n");
- return RPMRC_FAIL;
- }
- }
+ if (stat(fullPath1, &buf) != 0) {
+ if (mkdir(fullPath1, mode) != 0) {
+ rpmlog(RPMLOG_ERR, "Failed to create a sub-directory for smack rules\n");
+ return RPMRC_FAIL;
+ }
+ }
if (mkdir(fullPath, mode) != 0){
rpmlog(RPMLOG_ERR, "Failed to create a directory for smack rules\n");
return RPMRC_FAIL;
msmFreePointer((void**)&fullPath);
msmFreePointer((void**)&fullPath1);
-
+
rpmlog(RPMLOG_DEBUG, "rpm security context: %s\n", ownSmackLabel);
cookie = magic_open(0);
if (!cookie)
- return RPMRC_FAIL;
+ return RPMRC_FAIL;
if (magic_load(cookie, NULL) != 0) {
- rpmlog(RPMLOG_ERR, "cannot load magic database - %s\n", magic_error(cookie));
- magic_close(cookie);
- cookie = NULL;
- return RPMRC_FAIL;
+ rpmlog(RPMLOG_ERR, "cannot load magic database - %s\n", magic_error(cookie));
+ magic_close(cookie);
+ cookie = NULL;
+ return RPMRC_FAIL;
}
-
+
return RPMRC_OK;
}
{
fileconflict *fc;
if (!path)
- return rpmrc;
+ return rpmrc;
rpmlog(RPMLOG_DEBUG, "FILE_CONFLICT_FUNC hook path %s\n",path);
const char *name = headerGetString(oldHeader, RPMTAG_SECSWSOURCE);
if (!name || !root) {
- return rpmrc; /* no sw source(s) - abnormal state */
+ return rpmrc; /* no sw source(s) - abnormal state */
}
const char *pkg_name = headerGetString(oldHeader, RPMTAG_NAME);
sw_source_x *sw_source = msmSWSourceTreeTraversal(root->sw_sources, findSWSourceByName, (void *)name, NULL);
if (!sw_source)
- return rpmrc; /* no old sw_source - abnormal state */
+ return rpmrc; /* no old sw_source - abnormal state */
HASH_FIND(hh, allfileconflicts, path, strlen(path), fc);
if (!fc) {
- /* Add new file conflict into hash */
- fc = xcalloc(1, sizeof(*fc));
- if (!fc) return RPMRC_FAIL;
- fc->path = path;
- fc->sw_source = sw_source;
- fc->pkg_name = pkg_name;
- HASH_ADD_KEYPTR(hh, allfileconflicts, path, strlen(path), fc);
+ /* Add new file conflict into hash */
+ fc = xcalloc(1, sizeof(*fc));
+ if (!fc) return RPMRC_FAIL;
+ fc->path = path;
+ fc->sw_source = sw_source;
+ fc->pkg_name = pkg_name;
+ HASH_ADD_KEYPTR(hh, allfileconflicts, path, strlen(path), fc);
} else {
- /* Many packages have installed the same file */
- if (strcmp(sw_source->rankkey, fc->sw_source->rankkey) <= 0) {
- /* Change sw source to the higher ranked one */
- fc->sw_source = sw_source;
- }
- msmFreePointer((void**)&path);
+ /* Many packages have installed the same file */
+ if (strcmp(sw_source->rankkey, fc->sw_source->rankkey) <= 0) {
+ /* Change sw source to the higher ranked one */
+ fc->sw_source = sw_source;
+ }
+ msmFreePointer((void**)&path);
}
-
+
if (rpmtsFilterFlags(ts) & RPMPROB_FILTER_REPLACEOLDFILES) {
- /* Conflict has been noted, now return ok. It will be actually */
- /* resolved later when conflicting package signature is verified */
- /* and sw_source is known. */
- return rpmrc;
+ /* Conflict has been noted, now return ok. It will be actually */
+ /* resolved later when conflicting package signature is verified */
+ /* and sw_source is known. */
+ return rpmrc;
}
return rpmrc;
}
{
if (!root) {
rpmlog(RPMLOG_DEBUG, "Policy is missing. Ending transaction\n");
- return RPMRC_FAIL;
+ return RPMRC_FAIL;
}
-
+
return RPMRC_OK;
}
pgpDigParams sig = (pgpDigParams)param;
DIGEST_CTX ctx = (DIGEST_CTX)param2;
pgpDigParams key = NULL;
-
+
for (origin = sw_source->origins; origin; origin = origin->prev) {
- for (keyinfo = origin->keyinfos; keyinfo; keyinfo = keyinfo->prev) {
- if (pgpPrtParams(keyinfo->keydata, keyinfo->keylen, PGPTAG_PUBLIC_KEY, &key)) {
- rpmlog(RPMLOG_ERR, "invalid sw source key\n");
- return -1;
- }
- if (pgpVerifySignature(key, sig, ctx) == RPMRC_OK) {
- return 0;
- }
- }
+ for (keyinfo = origin->keyinfos; keyinfo; keyinfo = keyinfo->prev) {
+ if (pgpPrtParams(keyinfo->keydata, keyinfo->keylen, PGPTAG_PUBLIC_KEY, &key)) {
+ rpmlog(RPMLOG_ERR, "invalid sw source key\n");
+ return -1;
+ }
+ if (pgpVerifySignature(key, sig, ctx) == RPMRC_OK) {
+ return 0;
+ }
+ }
}
return 1;
}
#if 0
if (!root) {
- if (rpmrc == RPMRC_NOKEY) {
- rpmlog(RPMLOG_INFO, "package verified as root sw source\n");
- rootSWSource = 1; /* accept any signed package as root */
- return RPMRC_OK;
- }
- rpmlog(RPMLOG_ERR, "No device security policy, cannot verify signature\n");
- return rpmrc;
+ if (rpmrc == RPMRC_NOKEY) {
+ rpmlog(RPMLOG_INFO, "package verified as root sw source\n");
+ rootSWSource = 1; /* accept any signed package as root */
+ return RPMRC_OK;
+ }
+ rpmlog(RPMLOG_ERR, "No device security policy, cannot verify signature\n");
+ return rpmrc;
}
+ // make currently that even non-signed package with root policy will be treated as trusted
-// make currently that even non-signed package with root policy will be treated as trusted
+ if (!root) {
+ rpmlog(RPMLOG_INFO, "package verified as root sw source\n");
+ rootSWSource = 1; /* accept any signed package as root */
+ return RPMRC_OK;
+ }
- if (!root) {
- rpmlog(RPMLOG_INFO, "package verified as root sw source\n");
- rootSWSource = 1; /* accept any signed package as root */
- return RPMRC_OK;
- }
+ //------------------
-//------------------
#endif
- if (!root) {
- rpmlog(RPMLOG_ERR, "No device policy found\n");
- rootSWSource = 1; /* accept any signed package as root */
- return rpmrc;
- }
+ if (!root) {
+ rpmlog(RPMLOG_ERR, "No device policy found\n");
+ rootSWSource = 1; /* accept any signed package as root */
+ return rpmrc;
+ }
if (rpmrc == RPMRC_NOKEY) {
- /* No key, revert to unknown sw source. */
- rpmlog(RPMLOG_ERR, "no key for signature, cannot search sw source\n");
- goto exit;
+ /* No key, revert to unknown sw source. */
+ rpmlog(RPMLOG_ERR, "no key for signature, cannot search sw source\n");
+ goto exit;
}
if (rpmrc) {
- /* RPM failed to verify signature */
- rpmlog(RPMLOG_ERR, "Invalid signature, cannot search sw source\n");
- return rpmrc;
+ /* RPM failed to verify signature */
+ rpmlog(RPMLOG_ERR, "Invalid signature, cannot search sw source\n");
+ return rpmrc;
}
if (sigtd->tag != RPMSIGTAG_RSA) {
- /* Not RSA, revert to unknown sw source. */
- rpmlog(RPMLOG_DEBUG, "no RSA signature, cannot search sw source\n");
- goto exit;
+ /* Not RSA, revert to unknown sw source. */
+ rpmlog(RPMLOG_DEBUG, "no RSA signature, cannot search sw source\n");
+ goto exit;
}
+
current = msmSWSourceTreeTraversal(root->sw_sources, findSWSourceBySignature, sig, ctx);
if (current)
- rpmlog(RPMLOG_DEBUG, "signature matches sw source %s\n", current->name);
+ rpmlog(RPMLOG_DEBUG, "signature matches sw source %s\n", current->name);
else
- rpmlog(RPMLOG_DEBUG, "valid signature but no matching sw source\n");
+ rpmlog(RPMLOG_DEBUG, "valid signature but no matching sw source\n");
exit:
if (!current) {
- current = msmSWSourceTreeTraversal(root->sw_sources, findSWSourceByName, (void *)"_default_", NULL);
- if (current)
- rpmlog(RPMLOG_DEBUG, "using _default_ sw source\n");
- else { // for now in case default sw source isn't there yet, allow to think that it is coming from root
- current = msmSWSourceTreeTraversal(root->sw_sources, findSWSourceByName, (void *)"root", NULL);
- if (current)
- rpmlog(RPMLOG_DEBUG, "using _root_ sw source now for testing\n");
- }
+ current = msmSWSourceTreeTraversal(root->sw_sources, findSWSourceByName, (void *)"_default_", NULL);
+ if (current) {
+ rpmlog(RPMLOG_DEBUG, "using _default_ sw source\n");
+ } else { // for now in case default sw source isn't there yet, allow to think that it is coming from root
+ current = msmSWSourceTreeTraversal(root->sw_sources, findSWSourceByName, (void *)"root", NULL);
+ if (current)
+ rpmlog(RPMLOG_DEBUG, "using _root_ sw source now for testing\n");
+ }
}
return rpmrc;
ctx = xcalloc(1, sizeof(*ctx));
if (!ctx) {
- goto exit1;
+ goto exit1;
}
ctx->te = te;
if (!headerIsEntry(h, RPMTAG_SECMANIFEST)) {
- goto exit1;
+ goto exit1;
}
if (!headerGet(h, RPMTAG_SECMANIFEST, &msm, HEADERGET_MINMEM)) {
- goto exit1;
+ goto exit1;
}
count = rpmtdCount(&msm);
if (count != 1) {
- goto exit2;
+ goto exit2;
}
ctx->data = xstrdup(rpmtdNextString(&msm));
rpmlog(RPMLOG_DEBUG, "%s manifest b64 data: %.40s...\n",
rpmteN(ctx->te), ctx->data);
-
exit2:
rpmtdFreeData(&msm);
exit1:
if (rpmteType(ctx->te) == TR_ADDED) {
- /* Save sw_source name into database, we need it when package */
- /* is removed because signature verify is not called then. */
- if (current) sw_source = current->name;
- else if (rootSWSource) sw_source = rpmteN(ctx->te);
-
- if (!sw_source || !headerPutString(h, RPMTAG_SECSWSOURCE, sw_source)) {
- rpmlog(RPMLOG_ERR, "Failed to save sw source for %s, sw_source: %s\n",
- rpmteN(ctx->te), sw_source);
- msmFreePointer((void**)&ctx->data);
- msmFreePointer((void**)&ctx);
- }
+ /* Save sw_source name into database, we need it when package */
+ /* is removed because signature verify is not called then. */
+ if (current) sw_source = current->name;
+ else if (rootSWSource) sw_source = rpmteN(ctx->te);
+
+ if (!sw_source || !headerPutString(h, RPMTAG_SECSWSOURCE, sw_source)) {
+ rpmlog(RPMLOG_ERR, "Failed to save sw source for %s, sw_source: %s\n",
+ rpmteN(ctx->te), sw_source);
+ msmFreePointer((void**)&ctx->data);
+ msmFreePointer((void**)&ctx);
+ }
}
headerFree(h);
{
packagecontext *ctx = msmNew(te);
if (ctx) {
- /* add the new policy to the list */
- if (!contextsHead) {
- contextsHead = ctx;
- contextsTail = ctx;
- } else {
- if (rpmteType(te) == TR_ADDED) {
- /* add to the end of the list */
- contextsTail->next = ctx;
- contextsTail = ctx;
- } else {
- /* add to the beginning of the list */
- ctx->next = contextsHead;
- contextsHead = ctx;
- }
- }
+ /* add the new policy to the list */
+ if (!contextsHead) {
+ contextsHead = ctx;
+ contextsTail = ctx;
+ } else {
+ if (rpmteType(te) == TR_ADDED) {
+ /* add to the end of the list */
+ contextsTail->next = ctx;
+ contextsTail = ctx;
+ } else {
+ /* add to the beginning of the list */
+ ctx->next = contextsHead;
+ contextsHead = ctx;
+ }
+ }
}
return ctx;
}
int ret = 0;
if (!root && !rootSWSource) {
- /* no sw source config, just exit */
- goto exit;
+ /* no sw source config, just exit */
+ goto exit;
}
if (!current) {
/* this means that verify hook has not been called */
current = msmSWSourceTreeTraversal(root->sw_sources, findSWSourceByName, (void *)"_default_", NULL);
- if (current)
- rpmlog(RPMLOG_DEBUG, "using _default_ sw source\n");
- else {
+ if (current) {
+ rpmlog(RPMLOG_DEBUG, "using _default_ sw source\n");
+ } else {
rpmlog(RPMLOG_ERR, "Default source isn't availiable. Package source can't be determined. Abort installation\n");
- goto fail;
- }
+ goto fail;
+ }
}
ctx = msmAddTE(te);
if (!ctx) {
- rpmlog(RPMLOG_ERR, "Failed to create security context for %s\n",
- rpmteNEVRA(te));
- goto fail;
+ rpmlog(RPMLOG_ERR, "Failed to create security context for %s\n", rpmteNEVRA(te));
+ goto fail;
}
if (rpmteType(ctx->te) == TR_REMOVED) {
-
- /* Verify hook is not called before remove, */
- /* so get the sw_source name from package header */
- Header h = rpmteHeader(te);
- if (h) {
- const char *name = headerGetString(h, RPMTAG_SECSWSOURCE);
- if (name) {
- current = msmSWSourceTreeTraversal(root->sw_sources, findSWSourceByName, (void *)name, NULL);
- rpmlog(RPMLOG_DEBUG, "removing %s from sw source %s\n",
+ /* Verify hook is not called before remove, */
+ /* so get the sw_source name from package header */
+ Header h = rpmteHeader(te);
+ if (h) {
+ const char *name = headerGetString(h, RPMTAG_SECSWSOURCE);
+ if (name) {
+ current = msmSWSourceTreeTraversal(root->sw_sources, findSWSourceByName, (void *)name, NULL);
+ rpmlog(RPMLOG_DEBUG, "removing %s from sw source %s\n",
rpmteN(ctx->te), name);
- }
- headerFree(h);
- }
- /* if (!current) {
- rpmlog(RPMLOG_INFO, "no sw source for removing %s\n", rpmteN(ctx->te));
- goto exit;
- }*/
+ }
+ headerFree(h);
+ }
+ /* if (!current) {
+ rpmlog(RPMLOG_INFO, "no sw source for removing %s\n", rpmteN(ctx->te));
+ goto exit;
+ }*/
}
if (!ctx->data) {
- rpmlog(RPMLOG_INFO, "No manifest in this package. Creating default one\n");
+ rpmlog(RPMLOG_INFO, "No manifest in this package. Creating default one\n");
/* create default manifest manually. Make the package to belong to the domain where rpm is running */
mfx = calloc(1, sizeof(manifest_x));
- if (!mfx) goto fail;
+ if (!mfx) goto fail;
mfx->sw_source = current;
- mfx->name = strdup(rpmteN(ctx->te));
+ mfx->name = strdup(rpmteN(ctx->te));
mfx->request = calloc(1, sizeof(request_x));
- if (!mfx->request) {
- msmFreePointer((void**)&mfx->name);
- msmFreePointer((void**)&mfx);
- goto fail;
+ if (!mfx->request) {
+ msmFreePointer((void**)&mfx->name);
+ msmFreePointer((void**)&mfx);
+ goto fail;
}
mfx->request->ac_domain = strdup(ownSmackLabel);
rpmlog(RPMLOG_DEBUG, "Done with manifest creation\n");
-
} else {
if (rpmBase64Decode(ctx->data, (void **) &xml, &xmllen) != 0) {
- rpmlog(RPMLOG_ERR, "Failed to decode manifest for %s\n",
- rpmteN(ctx->te));
- goto fail;
+ rpmlog(RPMLOG_ERR, "Failed to decode manifest for %s\n",
+ rpmteN(ctx->te));
+ goto fail;
}
rpmlog(RPMLOG_DEBUG, "parsing %s manifest: \n%s", rpmteN(ctx->te), xml);
mfx = msmProcessManifestXml(xml, xmllen, current, rpmteN(ctx->te));
if (!mfx) {
- rpmlog(RPMLOG_ERR, "Failed to parse manifest for %s\n",
- rpmteN(ctx->te));
- goto fail;
+ rpmlog(RPMLOG_ERR, "Failed to parse manifest for %s\n",
+ rpmteN(ctx->te));
+ goto fail;
}
}
-
ctx->mfx = mfx;
int res = smack_accesses_new(&(ctx->smack_accesses));
if (res != 0) {
- rpmlog(RPMLOG_ERR, "Failed to create smack access set\n");
- goto fail;
+ rpmlog(RPMLOG_ERR, "Failed to create smack access set\n");
+ goto fail;
}
if (rpmteType(ctx->te) == TR_ADDED) {
+ rpmlog(RPMLOG_DEBUG, "Installing the package\n");
+ package_x *package = NULL;
- rpmlog(RPMLOG_DEBUG, "Installing the package\n");
-
- package_x *package = NULL;
-
- if (rootSWSource) {
- /* this is the first package */
- package = msmCreatePackage(mfx->name, mfx->sw_sources,
+ if (rootSWSource) {
+ /* this is the first package */
+ package = msmCreatePackage(mfx->name, mfx->sw_sources,
mfx->provides, NULL);
- } else if (mfx->sw_source) {
- /* all packages must have sw_source */
- package = msmCreatePackage(mfx->name, mfx->sw_source,
+ } else if (mfx->sw_source) {
+ /* all packages must have sw_source */
+ package = msmCreatePackage(mfx->name, mfx->sw_source,
mfx->provides, NULL);
- } else {
- rpmlog(RPMLOG_ERR, "Package doesn't have a sw source. Abnormal situation. Abort.\n");
- goto fail;
+ } else {
+ rpmlog(RPMLOG_ERR, "Package doesn't have a sw source. Abnormal situation. Abort.\n");
+ goto fail;
}
- if (!package) {
- rpmlog(RPMLOG_ERR, "Package could not be created. \n");
- goto fail;
- }
-
- mfx->provides = NULL; /* owned by package now */
-
- if (!package->sw_source) { /* this must never happen */
- rpmlog(RPMLOG_ERR, "Install failed. Check that configuration has at least root sw source installed.\n");
- msmFreePackage(package);
- package = NULL;
- goto fail;
- }
-
- rpmlog(RPMLOG_DEBUG, "adding %s manifest data to system, package_name %s\n",
- rpmteN(ctx->te), package->name);
-
- if (msmSetupPackages(ctx->smack_accesses, package, package->sw_source)) {
- rpmlog(RPMLOG_ERR, "Package setup failed for %s\n", rpmteN(ctx->te) );
- msmFreePackage(package);
- package = NULL;
- goto fail;
+ if (!package) {
+ rpmlog(RPMLOG_ERR, "Package could not be created. \n");
+ goto fail;
+ }
+
+ mfx->provides = NULL; /* owned by package now */
+
+ if (!package->sw_source) { /* this must never happen */
+ rpmlog(RPMLOG_ERR, "Install failed. Check that configuration has at least root sw source installed.\n");
+ msmFreePackage(package);
+ package = NULL;
+ goto fail;
}
- if (rootSWSource) {
- /* current is root */
- root = ctx->mfx;
- }
+ rpmlog(RPMLOG_DEBUG, "adding %s manifest data to system, package_name %s\n",
+ rpmteN(ctx->te), package->name);
+
+ if (msmSetupPackages(ctx->smack_accesses, package, package->sw_source)) {
+ rpmlog(RPMLOG_ERR, "Package setup failed for %s\n", rpmteN(ctx->te) );
+ msmFreePackage(package);
+ package = NULL;
+ goto fail;
+ }
+
+ if (rootSWSource) {
+ /* current is root */
+ root = ctx->mfx;
+ }
rpmlog(RPMLOG_DEBUG, "Starting the security setup...\n");
unsigned int smackLabel = 0;
- if (rootSWSource || ctx->mfx->sw_source) {
- if (ctx->mfx->sw_sources) {
- smackLabel = 1; /* setting this one on since this manifest doesn't have any define/request section */
- ret = msmSetupSWSources(ctx->smack_accesses, ctx->mfx, ts);
- if (ret) {
- rpmlog(RPMLOG_ERR, "SW source setup failed for %s\n",
- rpmteN(ctx->te));
- msmCancelPackage(ctx->mfx->name);
- goto fail;
- }
- }
- if (ctx->mfx->define) {
- if (ctx->mfx->define->name)
- smackLabel = 1;
- ret = msmSetupDefine(ctx->smack_accesses, ctx->mfx);
- if (ret) {
- rpmlog(RPMLOG_ERR, "AC domain setup failed for %s\n",
- rpmteN(ctx->te));
- msmCancelPackage(ctx->mfx->name);
- goto fail;
- }
- }
- if (ctx->mfx->request) {
- if (ctx->mfx->request->ac_domain)
- smackLabel = 1;
- ret = msmSetupRequests(ctx->mfx);
- if (ret) {
- rpmlog(RPMLOG_ERR, "Request setup failed for %s\n",
- rpmteN(ctx->te));
- msmCancelPackage(ctx->mfx->name);
- goto fail;
- }
- }
- if (ctx->smack_accesses) {
- ret = msmSetupSmackRules(ctx->smack_accesses, ctx->mfx->name, 0, SmackEnabled);
- smack_accesses_free(ctx->smack_accesses);
- ctx->smack_accesses = NULL;
- if (ret) {
- rpmlog(RPMLOG_ERR, "Setting up smack rules for %s failed\n",
- rpmteN(ctx->te));
- msmCancelPackage(ctx->mfx->name);
- goto fail;
- }
- }
- if (package->provides) {
- ret = msmSetupDBusPolicies(package, ctx->mfx);
- if (ret) {
- rpmlog(RPMLOG_ERR, "Setting up dbus policies for %s failed\n",
- rpmteN(ctx->te));
- msmCancelPackage(ctx->mfx->name);
- goto fail;
- }
- }
-
- /* last check is needed in order to catch in advance
- the situation when no ac domain defined or requested */
- if (smackLabel == 0) {
- rpmlog(RPMLOG_ERR, "No ac domain defined or requested for package %s. Abort.\n", rpmteN(ctx->te));
- msmCancelPackage(ctx->mfx->name);
- goto fail;
- }
- }
-
+ if (rootSWSource || ctx->mfx->sw_source) {
+ if (ctx->mfx->sw_sources) {
+ smackLabel = 1; /* setting this one on since this manifest doesn't have any define/request section */
+ ret = msmSetupSWSources(ctx->smack_accesses, ctx->mfx, ts);
+ if (ret) {
+ rpmlog(RPMLOG_ERR, "SW source setup failed for %s\n",
+ rpmteN(ctx->te));
+ msmCancelPackage(ctx->mfx->name);
+ goto fail;
+ }
+ }
+ if (ctx->mfx->define) {
+ if (ctx->mfx->define->name)
+ smackLabel = 1;
+ ret = msmSetupDefine(ctx->smack_accesses, ctx->mfx);
+ if (ret) {
+ rpmlog(RPMLOG_ERR, "AC domain setup failed for %s\n",
+ rpmteN(ctx->te));
+ msmCancelPackage(ctx->mfx->name);
+ goto fail;
+ }
+ }
+ if (ctx->mfx->request) {
+ if (ctx->mfx->request->ac_domain)
+ smackLabel = 1;
+ ret = msmSetupRequests(ctx->mfx);
+ if (ret) {
+ rpmlog(RPMLOG_ERR, "Request setup failed for %s\n",
+ rpmteN(ctx->te));
+ msmCancelPackage(ctx->mfx->name);
+ goto fail;
+ }
+ }
+ if (ctx->smack_accesses) {
+ ret = msmSetupSmackRules(ctx->smack_accesses, ctx->mfx->name, 0, SmackEnabled);
+ smack_accesses_free(ctx->smack_accesses);
+ ctx->smack_accesses = NULL;
+ if (ret) {
+ rpmlog(RPMLOG_ERR, "Setting up smack rules for %s failed\n",
+ rpmteN(ctx->te));
+ msmCancelPackage(ctx->mfx->name);
+ goto fail;
+ }
+ }
+ if (package->provides) {
+ ret = msmSetupDBusPolicies(package, ctx->mfx);
+ if (ret) {
+ rpmlog(RPMLOG_ERR, "Setting up dbus policies for %s failed\n",
+ rpmteN(ctx->te));
+ msmCancelPackage(ctx->mfx->name);
+ goto fail;
+ }
+ }
+
+ /* last check is needed in order to catch in advance
+ the situation when no ac domain defined or requested */
+ if (smackLabel == 0) {
+ rpmlog(RPMLOG_ERR, "No ac domain defined or requested for package %s. Abort.\n", rpmteN(ctx->te));
+ msmCancelPackage(ctx->mfx->name);
+ goto fail;
+ }
+ }
- } else if (rpmteDependsOn(ctx->te)) { /* TR_REMOVED */
- rpmlog(RPMLOG_DEBUG, "upgrading package %s by %s\n",
- rpmteNEVR(ctx->te), rpmteNEVR(rpmteDependsOn(ctx->te)));
- } else if (mfx->sw_sources) {
- rpmlog(RPMLOG_ERR, "Cannot remove sw source package %s\n",
- rpmteN(ctx->te));
- goto fail;
- }
+ } else if (rpmteDependsOn(ctx->te)) { /* TR_REMOVED */
+ rpmlog(RPMLOG_DEBUG, "upgrading package %s by %s\n",
+ rpmteNEVR(ctx->te), rpmteNEVR(rpmteDependsOn(ctx->te)));
+ } else if (mfx->sw_sources) {
+ rpmlog(RPMLOG_ERR, "Cannot remove sw source package %s\n",
+ rpmteN(ctx->te));
+ goto fail;
+ }
- rpmlog(RPMLOG_DEBUG, "Finished with pre psm hook \n");
- package_created = 1;
+ rpmlog(RPMLOG_DEBUG, "Finished with pre psm hook \n");
+ package_created = 1;
- goto exit;
+ goto exit;
fail: /* error, cancel the rpm operation */
- rc = RPMRC_FAIL;
+ rc = RPMRC_FAIL;
exit: /* success, continue rpm operation */
- context = ctx;
- msmFreePointer((void**)&xml);
+ context = ctx;
+ msmFreePointer((void**)&xml);
- return rc;
+ return rc;
}
rpmRC PLUGINHOOK_FSM_INIT_FUNC(const char* path, mode_t mode)
{
-
//check if there any conflicts that prevent file being written to the disk
fileconflict *fc;
packagecontext *ctx = context;
- char * cleanedPath = NULL, *dupPath = NULL;
-
+ char *cleanedPath = NULL, *dupPath = NULL;
+
rpmlog(RPMLOG_DEBUG, "Started with FSM_INIT_FUNC hook for file: %s\n", path);
-
+
if (!ctx) return RPMRC_FAIL;
if (!path) return RPMRC_FAIL;
-
+
dupPath = strdup(path);
cleanedPath = strchr(dupPath, ';');
if (cleanedPath)
- *cleanedPath = '\0';
-
+ *cleanedPath = '\0';
+
//rpmlog(RPMLOG_DEBUG, "dupapth: %s\n", dupPath);
-
+
HASH_FIND(hh, allfileconflicts, dupPath, strlen(dupPath), fc);
msmFreePointer((void**)&dupPath);
if (fc) {
//rpmlog(RPMLOG_DEBUG, "rpmteN(ctx->te) %s fc->pkg_name: %s\n", rpmteN(ctx->te), fc->pkg_name);
- /* There is a conflict, see if we are not allowed to overwrite */
- if ((!current || (strcmp(current->rankkey, fc->sw_source->rankkey) >= 0)) && (strcmp(rpmteN(ctx->te), fc->pkg_name))){
- rpmlog(RPMLOG_ERR, "%s has file conflict in %s from sw source %s\n",
- rpmteN(ctx->te), fc->path, fc->sw_source->name);
- return RPMRC_FAIL;
- }
- rpmlog(RPMLOG_DEBUG, "%s from %s overwrites %s from %s\n",
- rpmteN(ctx->te), current->name, fc->path, fc->sw_source->name);
+ /* There is a conflict, see if we are not allowed to overwrite */
+ if ((!current ||
+ (strcmp(current->rankkey, fc->sw_source->rankkey) >= 0)) &&
+ (strcmp(rpmteN(ctx->te), fc->pkg_name))) {
+ rpmlog(RPMLOG_ERR, "%s has file conflict in %s from sw source %s\n",
+ rpmteN(ctx->te), fc->path, fc->sw_source->name);
+ return RPMRC_FAIL;
+ }
+ rpmlog(RPMLOG_DEBUG, "%s from %s overwrites %s from %s\n",
+ rpmteN(ctx->te), current->name, fc->path, fc->sw_source->name);
}
rpmlog(RPMLOG_DEBUG, "Finished with FSM_INIT_FUNC hook for file: %s\n", path);
-
+
return RPMRC_OK;
}
if (!path) return RPMRC_FAIL;
/* the type is ignored for now */
-
+
rpmlog(RPMLOG_DEBUG, "Started with FSM_COMMIT_FUNC hook for file: %s\n", path);
if (ctx->mfx) {
- file_x *file = xcalloc(1, sizeof(*file));
- if (file) {
- file->path = strndup(path, strlen(path) + 1);
- LISTADD(ctx->mfx->files, file);
- if (rpmteType(ctx->te) == TR_ADDED) {
- if (msmSetFileXAttributes(ctx->mfx, file->path, cookie) < 0) {
- rpmlog(RPMLOG_ERR, "Setting of extended attributes failed for file %s from package %s\n",
- file->path, rpmteN(ctx->te));
- return RPMRC_FAIL;
- }
- }
-
- } else
- return RPMRC_FAIL;
+ file_x *file = xcalloc(1, sizeof(*file));
+ if (file) {
+ file->path = strndup(path, strlen(path) + 1);
+ LISTADD(ctx->mfx->files, file);
+ if (rpmteType(ctx->te) == TR_ADDED) {
+ if (msmSetFileXAttributes(ctx->mfx, file->path, cookie) < 0) {
+ rpmlog(RPMLOG_ERR, "Setting of extended attributes failed for file %s from package %s\n",
+ file->path, rpmteN(ctx->te));
+ return RPMRC_FAIL;
+ }
+ }
+
+ } else
+ return RPMRC_FAIL;
} else {
- rpmlog(RPMLOG_ERR, "Manifest is missing while it should be present for the package %s\n",
- rpmteN(ctx->te));
- return RPMRC_FAIL;
+ rpmlog(RPMLOG_ERR, "Manifest is missing while it should be present for the package %s\n",
+ rpmteN(ctx->te));
+ return RPMRC_FAIL;
}
rpmlog(RPMLOG_DEBUG, "Finished with FSM_COMMIT_FUNC hook for file: %s\n", path);
int ret = 0;
packagecontext *ctx = context;
if (!ctx) return RPMRC_FAIL;
-
+
if (!package_created) {
- /* failure in rpm pre psm hook, rollback */
- return RPMRC_FAIL;
+ /* failure in rpm pre psm hook, rollback */
+ return RPMRC_FAIL;
}
-
+
if (rpmrc) {
- /* failure in rpm psm, rollback */
- if (rpmteType(ctx->te) == TR_ADDED)
- msmCancelPackage(ctx->mfx->name);
- goto exit;
+ /* failure in rpm psm, rollback */
+ if (rpmteType(ctx->te) == TR_ADDED)
+ msmCancelPackage(ctx->mfx->name);
+ goto exit;
}
if (!ctx->mfx){
rpmlog(RPMLOG_ERR, "Manifest is missing while it should be present for the package %s\n",
- rpmteN(ctx->te));
- goto exit;
+ rpmteN(ctx->te));
+ goto exit;
}
if (rootSWSource) {
- /* current is root */
- root = context->mfx;
+ /* current is root */
+ root = context->mfx;
}
-
if (rpmteType(ctx->te) == TR_REMOVED) {
- if (ctx->mfx->sw_source) {
- if (rpmteDependsOn(ctx->te)) {
- rpmlog(RPMLOG_DEBUG, "upgrading %s manifest data\n",
- rpmteN(ctx->te));
- } else {
- rpmlog(RPMLOG_DEBUG, "removing %s manifest data\n",
- rpmteN(ctx->te));
- if (ctx->mfx->define || ctx->mfx->provides || ctx->mfx->sw_sources) {
- msmRemoveRules(ctx->smack_accesses, ctx->mfx, SmackEnabled);
- }
- msmRemoveConfig(ctx->mfx);
- }
- }
-
- }
+ if (ctx->mfx->sw_source) {
+ if (rpmteDependsOn(ctx->te)) {
+ rpmlog(RPMLOG_DEBUG, "upgrading %s manifest data\n",
+ rpmteN(ctx->te));
+ } else {
+ rpmlog(RPMLOG_DEBUG, "removing %s manifest data\n",
+ rpmteN(ctx->te));
+ if (ctx->mfx->define || ctx->mfx->provides || ctx->mfx->sw_sources) {
+ msmRemoveRules(ctx->smack_accesses, ctx->mfx, SmackEnabled);
+ }
+ msmRemoveConfig(ctx->mfx);
+ }
+ }
+ }
exit:
current = NULL;
if (ret) {
- return RPMRC_FAIL;
+ return RPMRC_FAIL;
}
return rpmrc;
}
static packagecontext *msmFree(packagecontext *ctx)
{
-
while (ctx) {
- packagecontext *next = ctx->next;
- msmFreePointer((void**)&ctx->data);
- ctx->mfx = msmFreeManifestXml(ctx->mfx);
- if (ctx->smack_accesses) smack_accesses_free(ctx->smack_accesses);
- msmFreePointer((void**)&ctx);
- ctx = next;
+ packagecontext *next = ctx->next;
+ msmFreePointer((void**)&ctx->data);
+ ctx->mfx = msmFreeManifestXml(ctx->mfx);
+ if (ctx->smack_accesses) smack_accesses_free(ctx->smack_accesses);
+ msmFreePointer((void**)&ctx);
+ ctx = next;
}
-
return NULL;
-
}
rpmRC PLUGINHOOK_CLEANUP_FUNC(void)
msmFreeInternalHashes(); // free hash structures first
if (root) {
- msmSaveDeviceSecPolicyXml(root);
- if (!rootSWSource) root = msmFreeManifestXml(root);
+ msmSaveDeviceSecPolicyXml(root);
+ if (!rootSWSource) root = msmFreeManifestXml(root);
}
ts = NULL;
contextsHead = contextsTail = NULL;
if (allfileconflicts) {
- fileconflict *fc, *temp;
- HASH_ITER(hh, allfileconflicts, fc, temp) {
- HASH_DELETE(hh, allfileconflicts, fc);
- msmFreePointer((void**)&fc->path);
- msmFreePointer((void**)&fc);
- }
+ fileconflict *fc, *temp;
+ HASH_ITER(hh, allfileconflicts, fc, temp) {
+ HASH_DELETE(hh, allfileconflicts, fc);
+ msmFreePointer((void**)&fc->path);
+ msmFreePointer((void**)&fc);
+ }
}
msmFreePointer((void**)&ownSmackLabel);
const char *path = NULL;
if (ts) {
- char *sep = strchr(rfor, ':');
- if (sep && sep[1] == ':' && sep[2] == '/')
- path = &sep[2];
- if (!path) return NULL;
-
- rpmdbMatchIterator mi = rpmtsInitIterator(ts, RPMTAG_BASENAMES, path, 0);
- if (!mi)
- mi = rpmtsInitIterator(ts, RPMTAG_PROVIDENAME, path, 0);
- if (mi) {
- Header h;
- const char *name, *sw_source;
- while ((h = rpmdbNextIterator(mi))) {
- rpmdbCheckSignals();
- name = headerGetString(h, RPMTAG_NAME);
- sw_source = headerGetString(h, RPMTAG_SECSWSOURCE);
- if (name && sw_source) {
- match = !strncmp(rfor, name, path - rfor - 2);
- rpmlog(RPMLOG_DEBUG, "file %s belongs to package %s in sw source %s %s\n", path, name, sw_source, (match ? "(matched request)" : ""));
- if (match) {
- *pname = xstrdup(name);
- *dname = xstrdup(sw_source);
- break;
- }
- }
- }
- mi = rpmdbFreeIterator(mi);
- }
+ char *sep = strchr(rfor, ':');
+ if (sep && sep[1] == ':' && sep[2] == '/')
+ path = &sep[2];
+ if (!path) return NULL;
+
+ rpmdbMatchIterator mi = rpmtsInitIterator(ts, RPMTAG_BASENAMES, path, 0);
+ if (!mi)
+ mi = rpmtsInitIterator(ts, RPMTAG_PROVIDENAME, path, 0);
+ if (mi) {
+ Header h;
+ const char *name, *sw_source;
+ while ((h = rpmdbNextIterator(mi))) {
+ rpmdbCheckSignals();
+ name = headerGetString(h, RPMTAG_NAME);
+ sw_source = headerGetString(h, RPMTAG_SECSWSOURCE);
+ if (name && sw_source) {
+ match = !strncmp(rfor, name, path - rfor - 2);
+ rpmlog(RPMLOG_DEBUG, "file %s belongs to package %s in sw source %s %s\n",
+ path, name, sw_source, (match ? "(matched request)" : ""));
+ if (match) {
+ *pname = xstrdup(name);
+ *dname = xstrdup(sw_source);
+ break;
+ }
+ }
+ }
+ mi = rpmdbFreeIterator(mi);
+ }
}
return match ? path : NULL;
}
void msmFreePointer(void** ptr)
{
- if (*ptr)
- free(*ptr);
- *ptr = NULL;
- return;
+ if (*ptr)
+ free(*ptr);
+ *ptr = NULL;
+ return;
}
* These structures represent the parsed security manifest of a package.
*/
-
typedef struct file_x {
const char *path; /* file path */
ino_t ino; /* file inode */
*/
int msmSetupSWSources(struct smack_accesses *smack_accesses, manifest_x *mfx, rpmts ts);
-
/** \ingroup msm
* Create package structure for package being installed.
* @param name package name
*/
int msmSetupDBusPolicies(package_x *package, manifest_x *mfx);
-
/** \ingroup msm
* Package is removed, remove related data in device security policy.
* @param mfx package manifest
const char *msmQueryPackageFile(const char *rfor,
const char **sw_sname, const char **pname);
-
#endif
while (provide) {
if (provide->ac_domains) {
- xmlNode *node = xmlNewNode(NULL, BAD_CAST "provide");
- xmlAddChild(parent, node);
- msmHandleACDomains(node, CRED_PROVIDE, provide->ac_domains);
- if (provide->origin) {
- xmlNode *childnode = xmlNewNode(NULL, BAD_CAST "for");
- xmlNewProp(childnode, BAD_CAST "origin", BAD_CAST provide->origin);
- xmlAddChild(node, childnode);
- }
+ xmlNode *node = xmlNewNode(NULL, BAD_CAST "provide");
+ xmlAddChild(parent, node);
+ msmHandleACDomains(node, CRED_PROVIDE, provide->ac_domains);
+ if (provide->origin) {
+ xmlNode *childnode = xmlNewNode(NULL, BAD_CAST "for");
+ xmlNewProp(childnode, BAD_CAST "origin", BAD_CAST provide->origin);
+ xmlAddChild(node, childnode);
+ }
}
provide = provide->prev;
}
#define ASCII(s) (const char *)s
#define XMLCHAR(s) (const xmlChar *)s
-
static int msmVerifyAccessType(const char* type)
{
- int res = 0, idx = 0;
-
- if (type) {
- if (strlen(type) > SMACK_ACCESS_TYPE_LENGHT) {
- rpmlog(RPMLOG_ERR, "Lenght of the access type is bigger than allowed value: %s\n", type);
- return -1;
- }
- while ( type[idx] != '\0' ){
- if ((type[idx] !='a') && (type[idx]!='r') && (type[idx]!='w') &&
- (type[idx]!='x') && (type[idx]!='t') && (type[idx] !='-')) {
- rpmlog(RPMLOG_ERR, "Not allowed character in access type: %s\n", type);
- res = -1;
- break;
- }
- idx++;
- }
- } else return -1;
- return res;
+ int res = 0, idx = 0;
+
+ if (type) {
+ if (strlen(type) > SMACK_ACCESS_TYPE_LENGHT) {
+ rpmlog(RPMLOG_ERR, "Lenght of the access type is bigger than allowed value: %s\n", type);
+ return -1;
+ }
+ while ( type[idx] != '\0' ){
+ if ((type[idx] !='a') && (type[idx]!='r') && (type[idx]!='w') &&
+ (type[idx]!='x') && (type[idx]!='t') && (type[idx] !='-')) {
+ rpmlog(RPMLOG_ERR, "Not allowed character in access type: %s\n", type);
+ res = -1;
+ break;
+ }
+ idx++;
+ }
+ } else return -1;
+
+ return res;
}
static int msmVerifySmackLabel(const char* label)
{
- int res = 0, idx = 0;
-
- if (label) {
- if (strlen(ASCII(label)) > SMACK_LABEL_LENGTH) { //smack limitation on lenght
- rpmlog(RPMLOG_ERR, "Domain or label name %s lenght is longer than defined SMACK_LABEL_LENGTH\n", label);
- return -1;
- }
- if (strlen(ASCII(label)) == 0){
- rpmlog(RPMLOG_ERR, "An attempt to define an empty domain or label name\n");
- return -1;
- }
- if (label[0] == '-') {
- rpmlog(RPMLOG_ERR, "Dash is not allowed as first character in smack label: %s\n", label);
- return -1;
- }
- while ( label[idx] != '\0' ){
- if ((label[idx] =='\"') || (label[idx] =='\'') || (label[idx] =='/') ||
- (label[idx] =='\\') || (label[idx] > '~') || (label[idx] <= ' ')) {
- rpmlog(RPMLOG_ERR, "Not allowed character in smack label: %s, position: %d \n", label, idx);
- res = -1;
- break;
- }
- idx++;
- }
- } else return -1;
-
- return res;
+ int res = 0, idx = 0;
+
+ if (label) {
+ if (strlen(ASCII(label)) > SMACK_LABEL_LENGTH) { //smack limitation on lenght
+ rpmlog(RPMLOG_ERR, "Domain or label name %s lenght is longer than defined SMACK_LABEL_LENGTH\n", label);
+ return -1;
+ }
+ if (strlen(ASCII(label)) == 0){
+ rpmlog(RPMLOG_ERR, "An attempt to define an empty domain or label name\n");
+ return -1;
+ }
+ if (label[0] == '-') {
+ rpmlog(RPMLOG_ERR, "Dash is not allowed as first character in smack label: %s\n", label);
+ return -1;
+ }
+ while ( label[idx] != '\0' ){
+ if ((label[idx] =='\"') || (label[idx] =='\'') || (label[idx] =='/') ||
+ (label[idx] =='\\') || (label[idx] > '~') || (label[idx] <= ' ')) {
+ rpmlog(RPMLOG_ERR, "Not allowed character in smack label: %s, position: %d \n", label, idx);
+ res = -1;
+ break;
+ }
+ idx++;
+ }
+ } else return -1;
+
+ return res;
}
static int msmVerifyLabelPrefix(const char* sub_label, const char* domain_name)
tmp = calloc(strlen(domain_name) + 3, sizeof (const char));
if (!tmp)
- return -1;
+ return -1;
strncpy(tmp, domain_name, strlen(domain_name));
strncpy(tmp + strlen(domain_name), sep, 2);
if (strstr(ASCII(sub_label), tmp) != ASCII(sub_label)) { //sub label name should be prefixed by domain name and "::"
- rpmlog(RPMLOG_ERR, "Label name %s isn't prefixed by domain name %s\n", ASCII(sub_label), domain_name);
- msmFreePointer((void**)&tmp);
- return -1;
+ rpmlog(RPMLOG_ERR, "Label name %s isn't prefixed by domain name %s\n", ASCII(sub_label), domain_name);
+ msmFreePointer((void**)&tmp);
+ return -1;
}
msmFreePointer((void**)&tmp);
return 0;
-
}
static int msmNextChildElement(xmlTextReaderPtr reader, int depth)
int ret = xmlTextReaderRead(reader);
int cur = xmlTextReaderDepth(reader);
while (ret == 1) {
- /*
- rpmlog(RPMLOG_DEBUG, "node %s %d\n",
- ASCII(xmlTextReaderConstName(reader)),
- xmlTextReaderDepth(reader));
- */
- switch (xmlTextReaderNodeType(reader)) {
- case XML_READER_TYPE_ELEMENT:
- case XML_READER_TYPE_TEXT:
- if (cur == depth+1)
- return 1;
- break;
- case XML_READER_TYPE_END_ELEMENT:
- if (cur == depth)
- return 0;
- break;
- default:
- if (cur <= depth)
- return 0;
- break;
- }
- ret = xmlTextReaderRead(reader);
- cur = xmlTextReaderDepth(reader);
+ /* rpmlog(RPMLOG_DEBUG, "node %s %d\n",
+ ASCII(xmlTextReaderConstName(reader)),
+ xmlTextReaderDepth(reader));
+ */
+ switch (xmlTextReaderNodeType(reader)) {
+ case XML_READER_TYPE_ELEMENT:
+ case XML_READER_TYPE_TEXT:
+ if (cur == depth+1)
+ return 1;
+ break;
+ case XML_READER_TYPE_END_ELEMENT:
+ if (cur == depth)
+ return 0;
+ break;
+ default:
+ if (cur <= depth)
+ return 0;
+ break;
+ }
+ ret = xmlTextReaderRead(reader);
+ cur = xmlTextReaderDepth(reader);
}
return ret;
}
static ac_domain_x *msmFreeACDomain(ac_domain_x *ac_domain)
{
- if (ac_domain) {
- ac_domain_x *prev = ac_domain->prev;
- msmFreePointer((void**)&ac_domain->name);
- msmFreePointer((void**)&ac_domain->type);
- msmFreePointer((void**)&ac_domain->match);
- msmFreePointer((void**)&ac_domain->plist);
- msmFreePointer((void**)&ac_domain);
- return prev;
- } else return NULL;
+ if (ac_domain) {
+ ac_domain_x *prev = ac_domain->prev;
+ msmFreePointer((void**)&ac_domain->name);
+ msmFreePointer((void**)&ac_domain->type);
+ msmFreePointer((void**)&ac_domain->match);
+ msmFreePointer((void**)&ac_domain->plist);
+ msmFreePointer((void**)&ac_domain);
+ return prev;
+ } else return NULL;
}
static annotation_x *msmProcessAnnotation(xmlTextReaderPtr reader)
rpmlog(RPMLOG_DEBUG, "annotation %s %s\n", ASCII(name), ASCII(value));
if (name && value) {
- annotation_x *annotation = calloc(1, sizeof(annotation_x));
- if (annotation) {
- annotation->name = ASCII(name);
- annotation->value = ASCII(value);
- return annotation;
- }
+ annotation_x *annotation = calloc(1, sizeof(annotation_x));
+ if (annotation) {
+ annotation->name = ASCII(name);
+ annotation->value = ASCII(value);
+ return annotation;
+ }
}
msmFreePointer((void**)&name);
msmFreePointer((void**)&value);
depth = xmlTextReaderDepth(reader);
while ((ret = msmNextChildElement(reader, depth))) {
- node = xmlTextReaderConstName(reader);
- if (!node) return -1;
-
- if (!strcmp(ASCII(node), "annotation")) {
- annotation_x *annotation = msmProcessAnnotation(reader);
- if (annotation) {
- member->annotation = annotation;
- } else return -1;
- } else return -1;
+ node = xmlTextReaderConstName(reader);
+ if (!node) return -1;
+
+ if (!strcmp(ASCII(node), "annotation")) {
+ annotation_x *annotation = msmProcessAnnotation(reader);
+ if (annotation) {
+ member->annotation = annotation;
+ } else return -1;
+ } else return -1;
- if (ret < 0) return -1;
+ if (ret < 0) return -1;
}
return ret;
}
depth = xmlTextReaderDepth(reader);
while ((ret = msmNextChildElement(reader, depth))) {
- node = xmlTextReaderConstName(reader);
- if (!node) return -1;
-
- if (!strcmp(ASCII(node), "method")) {
- member_x *member = calloc(1, sizeof(member_x));
- if (member) {
- member->type = DBUS_METHOD;
- ret = msmProcessMember(reader, member);
- LISTADD(interface->members, member);
- } else return -1;
- } else if (!strcmp(ASCII(node), "signal")) {
- member_x *member = calloc(1, sizeof(member_x));
- if (member) {
- member->type = DBUS_SIGNAL;
- ret = msmProcessMember(reader, member);
- LISTADD(interface->members, member);
- } else return -1;
- } else if (!strcmp(ASCII(node), "annotation")) {
- annotation_x *annotation = msmProcessAnnotation(reader);
- if (annotation) {
- interface->annotation = annotation;
- } else return -1;
- } else return -1;
-
- if (ret < 0) return -1;
+ node = xmlTextReaderConstName(reader);
+ if (!node) return -1;
+
+ if (!strcmp(ASCII(node), "method")) {
+ member_x *member = calloc(1, sizeof(member_x));
+ if (member) {
+ member->type = DBUS_METHOD;
+ ret = msmProcessMember(reader, member);
+ LISTADD(interface->members, member);
+ } else return -1;
+ } else if (!strcmp(ASCII(node), "signal")) {
+ member_x *member = calloc(1, sizeof(member_x));
+ if (member) {
+ member->type = DBUS_SIGNAL;
+ ret = msmProcessMember(reader, member);
+ LISTADD(interface->members, member);
+ } else return -1;
+ } else if (!strcmp(ASCII(node), "annotation")) {
+ annotation_x *annotation = msmProcessAnnotation(reader);
+ if (annotation) {
+ interface->annotation = annotation;
+ } else return -1;
+ } else return -1;
+
+ if (ret < 0) return -1;
}
return ret;
}
depth = xmlTextReaderDepth(reader);
while ((ret = msmNextChildElement(reader, depth))) {
- node = xmlTextReaderConstName(reader);
- if (!node) return -1;
-
- if (!strcmp(ASCII(node), "interface")) {
- interface_x *interface = calloc(1, sizeof(interface_x));
- if (interface) {
- ret = msmProcessInterface(reader, interface);
- LISTADD(nodex->interfaces, interface);
- } else return -1;
- } else if (!strcmp(ASCII(node), "method")) {
- member_x *member = calloc(1, sizeof(member_x));
- if (member) {
- member->type = DBUS_METHOD;
- ret = msmProcessMember(reader, member);
- LISTADD(nodex->members, member);
- } else return -1;
- } else if (!strcmp(ASCII(node), "signal")) {
- member_x *member = calloc(1, sizeof(member_x));
- if (member) {
- member->type = DBUS_SIGNAL;
- ret = msmProcessMember(reader, member);
- LISTADD(nodex->members, member);
- } else return -1;
- } else if (!strcmp(ASCII(node), "annotation")) {
- annotation_x *annotation = msmProcessAnnotation(reader);
- if (annotation) {
- nodex->annotation = annotation;
- } else return -1;
- } else return -1;
-
- if (ret < 0) return -1;
+ node = xmlTextReaderConstName(reader);
+ if (!node) return -1;
+
+ if (!strcmp(ASCII(node), "interface")) {
+ interface_x *interface = calloc(1, sizeof(interface_x));
+ if (interface) {
+ ret = msmProcessInterface(reader, interface);
+ LISTADD(nodex->interfaces, interface);
+ } else return -1;
+ } else if (!strcmp(ASCII(node), "method")) {
+ member_x *member = calloc(1, sizeof(member_x));
+ if (member) {
+ member->type = DBUS_METHOD;
+ ret = msmProcessMember(reader, member);
+ LISTADD(nodex->members, member);
+ } else return -1;
+ } else if (!strcmp(ASCII(node), "signal")) {
+ member_x *member = calloc(1, sizeof(member_x));
+ if (member) {
+ member->type = DBUS_SIGNAL;
+ ret = msmProcessMember(reader, member);
+ LISTADD(nodex->members, member);
+ } else return -1;
+ } else if (!strcmp(ASCII(node), "annotation")) {
+ annotation_x *annotation = msmProcessAnnotation(reader);
+ if (annotation) {
+ nodex->annotation = annotation;
+ } else return -1;
+ } else return -1;
+
+ if (ret < 0) return -1;
}
return ret;
}
if (!name || !bus) return -1;
if (strcmp(dbus->bus, "session") && strcmp(dbus->bus, "system"))
- return -1;
+ return -1;
depth = xmlTextReaderDepth(reader);
while ((ret = msmNextChildElement(reader, depth))) {
- node = xmlTextReaderConstName(reader);
- if (!node) return -1;
-
- if (!strcmp(ASCII(node), "node")) {
- node_x *nodex = calloc(1, sizeof(node_x));
- if (nodex) {
- ret = msmProcessNode(reader, nodex);
- LISTADD(dbus->nodes, nodex);
- } else return -1;
- } else if (!strcmp(ASCII(node), "annotation")) {
- annotation_x *annotation = msmProcessAnnotation(reader);
- if (annotation) {
- dbus->annotation = annotation;
- } else return -1;
- } else return -1;
-
- if (ret < 0) return -1;
+ node = xmlTextReaderConstName(reader);
+ if (!node) return -1;
+
+ if (!strcmp(ASCII(node), "node")) {
+ node_x *nodex = calloc(1, sizeof(node_x));
+ if (nodex) {
+ ret = msmProcessNode(reader, nodex);
+ LISTADD(dbus->nodes, nodex);
+ } else return -1;
+ } else if (!strcmp(ASCII(node), "annotation")) {
+ annotation_x *annotation = msmProcessAnnotation(reader);
+ if (annotation) {
+ dbus->annotation = annotation;
+ } else return -1;
+ } else return -1;
+
+ if (ret < 0) return -1;
}
return ret;
}
rpmlog(RPMLOG_DEBUG, "ac_domain %s match %s policy %s plist %s\n", ASCII(name), ASCII(match), ASCII(policy), ASCII(plist));
if (!((!name && !match) || (name && match))) {
- ac_domain_x *ac_domain = calloc(1, sizeof(ac_domain_x));
- if (ac_domain) {
- ac_domain->name = ASCII(name);
- ac_domain->match = ASCII(match);
- ac_domain->type = ASCII(policy);
- ac_domain->plist = ASCII(plist);
- ac_domain->sw_source = sw_source;
- ac_domain->pkg_name = pkg_name;
- return ac_domain;
- }
+ ac_domain_x *ac_domain = calloc(1, sizeof(ac_domain_x));
+ if (ac_domain) {
+ ac_domain->name = ASCII(name);
+ ac_domain->match = ASCII(match);
+ ac_domain->type = ASCII(policy);
+ ac_domain->plist = ASCII(plist);
+ ac_domain->sw_source = sw_source;
+ ac_domain->pkg_name = pkg_name;
+ return ac_domain;
+ }
}
rpmlog(RPMLOG_ERR, "Mandatory argument is missing for ac domain definition\n");
rpmlog(RPMLOG_ERR, "ac_domain %s match %s policy %s plist %s\n", ASCII(name), ASCII(match), ASCII(policy), ASCII(plist));
ASCII(path), ASCII(label), ASCII(exec_label), ASCII(type));
if (path && (label || exec_label)) {
- if ((label) && (msmVerifySmackLabel(ASCII(label)) < 0)) {
- goto fail;
+ if ((label) && (msmVerifySmackLabel(ASCII(label)) < 0)) {
+ goto fail;
}
- if ((exec_label) && (msmVerifySmackLabel(ASCII(exec_label)) < 0)) {
- goto fail;
- }
-
- filesystem_x *filesystem = calloc(1, sizeof(filesystem_x));
- if (filesystem) {
- filesystem->path = ASCII(path);
- filesystem->label = ASCII(label);
- filesystem->exec_label = ASCII(exec_label);
- filesystem->type = ASCII(type);
- return filesystem;
+ if ((exec_label) && (msmVerifySmackLabel(ASCII(exec_label)) < 0)) {
+ goto fail;
+ }
+
+ filesystem_x *filesystem = calloc(1, sizeof(filesystem_x));
+ if (filesystem) {
+ filesystem->path = ASCII(path);
+ filesystem->label = ASCII(label);
+ filesystem->exec_label = ASCII(exec_label);
+ filesystem->type = ASCII(type);
+ return filesystem;
}
} else {
- rpmlog(RPMLOG_ERR, "Mandatory argument is missing for filesystem assign request\n");
- rpmlog(RPMLOG_ERR, "filesystem path %s label %s exec label %s\n",
- ASCII(path), ASCII(label), ASCII(exec_label));
+ rpmlog(RPMLOG_ERR, "Mandatory argument is missing for filesystem assign request\n");
+ rpmlog(RPMLOG_ERR, "filesystem path %s label %s exec label %s\n",
+ ASCII(path), ASCII(label), ASCII(exec_label));
}
fail:
provide->name = ASCII(name);
if (provide->name &&
- (strcmp(provide->name, "_system_") || mfx->sw_source->parent))
- return -1; /* only _system_ is accepted from root sw source */
+ (strcmp(provide->name, "_system_") || mfx->sw_source->parent))
+ return -1; /* only _system_ is accepted from root sw source */
depth = xmlTextReaderDepth(reader);
while ((ret = msmNextChildElement(reader, depth))) {
- node = xmlTextReaderConstName(reader);
- if (!node) return -1;
-
- if (!strcmp(ASCII(node), "dbus")) {
- dbus_x *dbus = calloc(1, sizeof(dbus_x));
- if (dbus) {
- ret = msmProcessDBus(reader, dbus);
- LISTADD(provide->dbuss, dbus);
- } else return -1;
- } else if (!strcmp(ASCII(node), "ac_domain")) {
- ac_domain_x *ac_domain = msmProcessACDomain(reader, current, pkg_name);
- if (ac_domain) {
- const char *name = ac_domain->name;
- LISTADD(provide->ac_domains, ac_domain);
+ node = xmlTextReaderConstName(reader);
+ if (!node) return -1;
+
+ if (!strcmp(ASCII(node), "dbus")) {
+ dbus_x *dbus = calloc(1, sizeof(dbus_x));
+ if (dbus) {
+ ret = msmProcessDBus(reader, dbus);
+ LISTADD(provide->dbuss, dbus);
+ } else return -1;
+ } else if (!strcmp(ASCII(node), "ac_domain")) {
+ ac_domain_x *ac_domain = msmProcessACDomain(reader, current, pkg_name);
+ if (ac_domain) {
+ const char *name = ac_domain->name;
+ LISTADD(provide->ac_domains, ac_domain);
if (!name) return -1;
- if (mfx && !provide->name) {
- ac_domain->name = malloc(strlen(mfx->name) + 2 +
+ if (mfx && !provide->name) {
+ ac_domain->name = malloc(strlen(mfx->name) + 2 +
strlen(name) + 1);
- sprintf((char *)ac_domain->name, "%s::%s", mfx->name, name);
- msmFreePointer((void**)&name);
+ sprintf((char *)ac_domain->name, "%s::%s", mfx->name, name);
+ msmFreePointer((void**)&name);
}
} else return -1;
- } else if (!strcmp(ASCII(node), "for")) {
- origin = xmlTextReaderGetAttribute(reader, XMLCHAR("origin"));
- rpmlog(RPMLOG_DEBUG, "for %s\n", ASCII(origin));
- if (!origin) return -1;
- if (provide->origin) {
- msmFreePointer((void**)&origin);
- return -1;
+ } else if (!strcmp(ASCII(node), "for")) {
+ origin = xmlTextReaderGetAttribute(reader, XMLCHAR("origin"));
+ rpmlog(RPMLOG_DEBUG, "for %s\n", ASCII(origin));
+ if (!origin) return -1;
+ if (provide->origin) {
+ msmFreePointer((void**)&origin);
+ return -1;
}
- provide->origin = ASCII(origin);
- if (strcmp(ASCII(origin), "trusted") &&
- strcmp(ASCII(origin), "current") &&
- strcmp(ASCII(origin), "all"))
- return -1;
-
- } else if (!strcmp(ASCII(node), "filesystem")) {
- filesystem_x *filesystem = msmProcessFilesystem(reader);
- if (filesystem) {
- LISTADD(provide->filesystems, filesystem);
- } else return -1;
-
- } else {
- rpmlog(RPMLOG_ERR, "No allowed element in assign section: %s\n", ASCII(node));
- return -1;
- }
-
- if (ret < 0) return ret;
+ provide->origin = ASCII(origin);
+ if (strcmp(ASCII(origin), "trusted") &&
+ strcmp(ASCII(origin), "current") &&
+ strcmp(ASCII(origin), "all"))
+ return -1;
+
+ } else if (!strcmp(ASCII(node), "filesystem")) {
+ filesystem_x *filesystem = msmProcessFilesystem(reader);
+ if (filesystem) {
+ LISTADD(provide->filesystems, filesystem);
+ } else return -1;
+
+ } else {
+ rpmlog(RPMLOG_ERR, "No allowed element in assign section: %s\n", ASCII(node));
+ return -1;
+ }
+
+ if (ret < 0) return ret;
}
return ret;
depth = xmlTextReaderDepth(reader);
while ((ret = msmNextChildElement(reader, depth))) {
- node = xmlTextReaderConstName(reader);
- if (!node) return -1;
-
- if (!strcmp(ASCII(node), "provide")) {
- provide_x *provide = calloc(1, sizeof(provide_x));
- if (provide) {
- LISTADD(package->provides, provide);
- ret = msmProcessProvide(reader, provide, current, NULL, package->name);
- } else return -1;
+ node = xmlTextReaderConstName(reader);
+ if (!node) return -1;
+
+ if (!strcmp(ASCII(node), "provide")) {
+ provide_x *provide = calloc(1, sizeof(provide_x));
+ if (provide) {
+ LISTADD(package->provides, provide);
+ ret = msmProcessProvide(reader, provide, current, NULL, package->name);
+ } else return -1;
} else return -1;
- if (ret < 0) return ret;
+ if (ret < 0) return ret;
}
return ret;
}
rpmlog(RPMLOG_DEBUG, "request \n");
depth = xmlTextReaderDepth(reader);
while ((ret = msmNextChildElement(reader, depth))) {
-
- node = xmlTextReaderConstName(reader);
- if (!node) return -1;
-
- if (!strcmp(ASCII(node), "domain")) {
- if (requestPresent) {
- rpmlog(RPMLOG_ERR, "A second domain defined inside a request section. Abort package installation\n");
- return -1;
- }
- name = xmlTextReaderGetAttribute(reader, XMLCHAR("name"));
- rpmlog(RPMLOG_DEBUG, "ac domain name %s\n", ASCII(name));
- if (name) {
- request->ac_domain = ASCII(name);
- requestPresent = 1;
- } else {
- rpmlog(RPMLOG_ERR, "No ac domain name defined in request.\n");
- return -1;
- }
- } else {
- rpmlog(RPMLOG_ERR, "Not allowed element in request section: %s\n", ASCII(node));
- return -1;
- }
+ node = xmlTextReaderConstName(reader);
+ if (!node) return -1;
+
+ if (!strcmp(ASCII(node), "domain")) {
+ if (requestPresent) {
+ rpmlog(RPMLOG_ERR, "A second domain defined inside a request section. Abort package installation\n");
+ return -1;
+ }
+ name = xmlTextReaderGetAttribute(reader, XMLCHAR("name"));
+ rpmlog(RPMLOG_DEBUG, "ac domain name %s\n", ASCII(name));
+ if (name) {
+ request->ac_domain = ASCII(name);
+ requestPresent = 1;
+ } else {
+ rpmlog(RPMLOG_ERR, "No ac domain name defined in request.\n");
+ return -1;
+ }
+ } else {
+ rpmlog(RPMLOG_ERR, "Not allowed element in request section: %s\n", ASCII(node));
+ return -1;
+ }
}
-
return ret;
}
depth = xmlTextReaderDepth(reader);
while ((ret = msmNextChildElement(reader, depth))) {
- node = xmlTextReaderConstName(reader);
- if (!node) return -1;
+ node = xmlTextReaderConstName(reader);
+ if (!node) return -1;
if (!strcmp(ASCII(node), "smack")) {
label = xmlTextReaderGetAttribute(reader, XMLCHAR("request"));
type = xmlTextReaderGetAttribute(reader, XMLCHAR("type"));
rpmlog(RPMLOG_DEBUG, "request label %s type %s\n", ASCII(label), ASCII(type));
if (label && type) {
- if (msmVerifyAccessType(ASCII(type)) < 0) {
- msmFreePointer((void**)&label);
- msmFreePointer((void**)&type);
- return -1;
- }
- if (msmVerifySmackLabel(ASCII(label)) < 0) {
- msmFreePointer((void**)&label);
- msmFreePointer((void**)&type);
- return -1;
- }
- d_request_x *request = calloc(1, sizeof(d_request_x));
- if (request) {
- request->label_name = ASCII(label);
- request->ac_type = ASCII(type);
- LISTADD(define->d_requests, request);
- } else {
- msmFreePointer((void**)&label);
- msmFreePointer((void**)&type);
- return -1;
- }
-
- } else {
- rpmlog(RPMLOG_ERR, "One of the mandatory arguments for domain request is missing. Abort installation\n");
- rpmlog(RPMLOG_ERR, "smack request label %s type %s\n", ASCII(label), ASCII(type));
- msmFreePointer((void**)&label);
- msmFreePointer((void**)&type);
- return -1;
- }
+ if (msmVerifyAccessType(ASCII(type)) < 0) {
+ msmFreePointer((void**)&label);
+ msmFreePointer((void**)&type);
+ return -1;
+ }
+ if (msmVerifySmackLabel(ASCII(label)) < 0) {
+ msmFreePointer((void**)&label);
+ msmFreePointer((void**)&type);
+ return -1;
+ }
+ d_request_x *request = calloc(1, sizeof(d_request_x));
+ if (request) {
+ request->label_name = ASCII(label);
+ request->ac_type = ASCII(type);
+ LISTADD(define->d_requests, request);
+ } else {
+ msmFreePointer((void**)&label);
+ msmFreePointer((void**)&type);
+ return -1;
+ }
+ } else {
+ rpmlog(RPMLOG_ERR, "One of the mandatory arguments for domain request is missing. Abort installation\n");
+ rpmlog(RPMLOG_ERR, "smack request label %s type %s\n", ASCII(label), ASCII(type));
+ msmFreePointer((void**)&label);
+ msmFreePointer((void**)&type);
+ return -1;
+ }
} else {
- rpmlog(RPMLOG_ERR, "Not allowed element in domain request section: %s\n", ASCII(node));
- return -1;
- }
- if (ret < 0) return ret;
+ rpmlog(RPMLOG_ERR, "Not allowed element in domain request section: %s\n", ASCII(node));
+ return -1;
+ }
+ if (ret < 0) return ret;
}
return ret;
rpmlog(RPMLOG_DEBUG, "permit %s to %s type %s\n", ASCII(label), ASCII(to_label), ASCII(type));
if (label && type) {
- if (msmVerifyAccessType(ASCII(type)) < 0) {
- msmFreePointer((void**)&label);
- msmFreePointer((void**)&to_label);
- msmFreePointer((void**)&type);
- return -1;
- }
- if (msmVerifySmackLabel(ASCII(label)) < 0) {
- msmFreePointer((void**)&label);
- msmFreePointer((void**)&to_label);
- msmFreePointer((void**)&type);
- return -1;
- }
- if ((to_label) && (msmVerifyLabelPrefix(ASCII(to_label), define->name) < 0)) {
- msmFreePointer((void**)&label);
- msmFreePointer((void**)&to_label);
- msmFreePointer((void**)&type);
- return -1;
- }
- d_permit_x *permit = calloc(1, sizeof(d_permit_x));
- if (permit) {
- permit->label_name = ASCII(label);
- permit->to_label_name = ASCII(to_label);
- permit->ac_type = ASCII(type);
- LISTADD(define->d_permits, permit);
- } else {
- msmFreePointer((void**)&label);
- msmFreePointer((void**)&to_label);
- msmFreePointer((void**)&type);
- return -1;
- }
-
+ if (msmVerifyAccessType(ASCII(type)) < 0) {
+ msmFreePointer((void**)&label);
+ msmFreePointer((void**)&to_label);
+ msmFreePointer((void**)&type);
+ return -1;
+ }
+ if (msmVerifySmackLabel(ASCII(label)) < 0) {
+ msmFreePointer((void**)&label);
+ msmFreePointer((void**)&to_label);
+ msmFreePointer((void**)&type);
+ return -1;
+ }
+ if ((to_label) && (msmVerifyLabelPrefix(ASCII(to_label), define->name) < 0)) {
+ msmFreePointer((void**)&label);
+ msmFreePointer((void**)&to_label);
+ msmFreePointer((void**)&type);
+ return -1;
+ }
+ d_permit_x *permit = calloc(1, sizeof(d_permit_x));
+ if (permit) {
+ permit->label_name = ASCII(label);
+ permit->to_label_name = ASCII(to_label);
+ permit->ac_type = ASCII(type);
+ LISTADD(define->d_permits, permit);
+ } else {
+ msmFreePointer((void**)&label);
+ msmFreePointer((void**)&to_label);
+ msmFreePointer((void**)&type);
+ return -1;
+ }
} else {
- rpmlog(RPMLOG_ERR, "One of the mandatory arguments for domain permit is missing. Abort installation\n");
- rpmlog(RPMLOG_ERR, "smack permit label %s type %s\n", ASCII(label), ASCII(type));
- msmFreePointer((void**)&label);
- msmFreePointer((void**)&to_label);
- msmFreePointer((void**)&type);
- return -1;
+ rpmlog(RPMLOG_ERR, "One of the mandatory arguments for domain permit is missing. Abort installation\n");
+ rpmlog(RPMLOG_ERR, "smack permit label %s type %s\n", ASCII(label), ASCII(type));
+ msmFreePointer((void**)&label);
+ msmFreePointer((void**)&to_label);
+ msmFreePointer((void**)&type);
+ return -1;
}
- } else {
- rpmlog(RPMLOG_ERR, "Not allowed element in domain permit section: %s\n", ASCII(node));
- return -1;
- }
- if (ret < 0) return ret;
+ } else {
+ rpmlog(RPMLOG_ERR, "Not allowed element in domain permit section: %s\n", ASCII(node));
+ return -1;
+ }
+ if (ret < 0) return ret;
}
return ret;
while ((ret = msmNextChildElement(reader, depth))) {
node = xmlTextReaderConstName(reader);
if (!node) return -1;
-
if (!strcmp(ASCII(node), "label")) {
label = xmlTextReaderGetAttribute(reader, XMLCHAR("name"));
rpmlog(RPMLOG_DEBUG, "label %s \n", ASCII(label));
if (label) {
- if (msmVerifySmackLabel(ASCII(label)) < 0) {
- msmFreePointer((void**)&label);
- return -1;
- }
-
- if (msmVerifyLabelPrefix(ASCII(label), define->name) < 0) {
- msmFreePointer((void**)&label);
- return -1;
- }
-
- d_provide_x *provide = calloc(1, sizeof(d_provide_x));
- if (provide) {
- provide->label_name = ASCII(label);
- LISTADD(define->d_provides, provide);
- } else {
- msmFreePointer((void**)&label);
- return -1;
- }
-
- } else {
- rpmlog(RPMLOG_INFO, "Label name is empty. Label provide is ignored\n");
- continue;
- }
- } else {
- rpmlog(RPMLOG_ERR, "Not allowed element in domain provide section: %s\n", ASCII(node));
- return -1;
- }
- if (ret < 0) return ret;
+ if (msmVerifySmackLabel(ASCII(label)) < 0) {
+ msmFreePointer((void**)&label);
+ return -1;
+ }
+ if (msmVerifyLabelPrefix(ASCII(label), define->name) < 0) {
+ msmFreePointer((void**)&label);
+ return -1;
+ }
+ d_provide_x *provide = calloc(1, sizeof(d_provide_x));
+ if (provide) {
+ provide->label_name = ASCII(label);
+ LISTADD(define->d_provides, provide);
+ } else {
+ msmFreePointer((void**)&label);
+ return -1;
+ }
+ } else {
+ rpmlog(RPMLOG_INFO, "Label name is empty. Label provide is ignored\n");
+ continue;
+ }
+ } else {
+ rpmlog(RPMLOG_ERR, "Not allowed element in domain provide section: %s\n", ASCII(node));
+ return -1;
+ }
+ if (ret < 0) return ret;
}
return ret;
depth = xmlTextReaderDepth(reader);
while ((ret = msmNextChildElement(reader, depth))) {
- node = xmlTextReaderConstName(reader);
- if (!node) return -1;
-
- if (!strcmp(ASCII(node), "domain")) {
- if (domainPresent) {
- rpmlog(RPMLOG_ERR, "Only one domain is allowed per define section. Abort installation\n");
- return -1;
- }
- domainPresent = 1;
- name = xmlTextReaderGetAttribute(reader, XMLCHAR("name"));
- policy = xmlTextReaderGetAttribute(reader, XMLCHAR("policy"));
- plist = xmlTextReaderGetAttribute(reader, XMLCHAR("plist"));
- rpmlog(RPMLOG_DEBUG, "domain %s policy %s plist %s\n",
- ASCII(name), ASCII(policy), ASCII(plist));
-
- if (name) {
-
- if (msmVerifySmackLabel(ASCII(name)) < 0){
- msmFreePointer((void**)&name);
- msmFreePointer((void**)&policy);
- msmFreePointer((void**)&plist);
- return -1;
- }
-
- define->name = ASCII(name);
- define->policy = ASCII(policy);
- define->plist = ASCII(plist);
-
- // store defined ac domain name
- ac_domain_x *ac_domain = calloc(1, sizeof(ac_domain_x));
- if (ac_domain) {
- if (define->name) {
- ac_domain->name = strdup(define->name);
- }
- ac_domain->match = strdup("trusted"); // hardcode trusted policy for ac domain definition
- if (define->policy) {
- ac_domain->type = strdup(define->policy);
- }
- if (define->plist) {
- ac_domain->plist = strdup(define->plist);
- }
- ac_domain->sw_source = current;
- ac_domain->pkg_name = mfx->name;
- if (!mfx->provides){
- provide_x *provide = calloc(1, sizeof(provide_x));
- if (provide) {
- LISTADD(mfx->provides, provide);
- } else {
- if (ac_domain) {
- msmFreeACDomain(ac_domain);
- return -1;
- }
- }
- }
- LISTADD(mfx->provides->ac_domains, ac_domain);
- } else return -1;
-
- } else {
- rpmlog(RPMLOG_ERR, "Domain name must be defined. Abort installation\n");
- msmFreePointer((void**)&policy);
- msmFreePointer((void**)&plist);
- return -1;
- }
- } else if (!strcmp(ASCII(node), "request")) {
- int res = msmProcessDRequest(reader, define);
- if (res < 0) return res;
-
- } else if (!strcmp(ASCII(node), "permit")) {
- int res = msmProcessDPermit(reader, define);
- if (res < 0) return res;
-
- } else if (!strcmp(ASCII(node), "provide")) {
- int res = msmProcessDProvide(reader, define);
- if (res < 0) return res;
- } else {
- rpmlog(RPMLOG_ERR, "Not allowed element in domain define section: %s\n", ASCII(node));
- return -1;
- }
-
- if (ret < 0) return ret;
+ node = xmlTextReaderConstName(reader);
+ if (!node) return -1;
+ if (!strcmp(ASCII(node), "domain")) {
+ if (domainPresent) {
+ rpmlog(RPMLOG_ERR, "Only one domain is allowed per define section. Abort installation\n");
+ return -1;
+ }
+ domainPresent = 1;
+ name = xmlTextReaderGetAttribute(reader, XMLCHAR("name"));
+ policy = xmlTextReaderGetAttribute(reader, XMLCHAR("policy"));
+ plist = xmlTextReaderGetAttribute(reader, XMLCHAR("plist"));
+ rpmlog(RPMLOG_DEBUG, "domain %s policy %s plist %s\n",
+ ASCII(name), ASCII(policy), ASCII(plist));
+
+ if (name) {
+ if (msmVerifySmackLabel(ASCII(name)) < 0) {
+ msmFreePointer((void**)&name);
+ msmFreePointer((void**)&policy);
+ msmFreePointer((void**)&plist);
+ return -1;
+ }
+
+ define->name = ASCII(name);
+ define->policy = ASCII(policy);
+ define->plist = ASCII(plist);
+ // store defined ac domain name
+ ac_domain_x *ac_domain = calloc(1, sizeof(ac_domain_x));
+ if (ac_domain) {
+ if (define->name) {
+ ac_domain->name = strdup(define->name);
+ }
+ ac_domain->match = strdup("trusted"); // hardcode trusted policy for ac domain definition
+ if (define->policy) {
+ ac_domain->type = strdup(define->policy);
+ }
+ if (define->plist) {
+ ac_domain->plist = strdup(define->plist);
+ }
+ ac_domain->sw_source = current;
+ ac_domain->pkg_name = mfx->name;
+ if (!mfx->provides){
+ provide_x *provide = calloc(1, sizeof(provide_x));
+ if (provide) {
+ LISTADD(mfx->provides, provide);
+ } else {
+ if (ac_domain) {
+ msmFreeACDomain(ac_domain);
+ return -1;
+ }
+ }
+ }
+ LISTADD(mfx->provides->ac_domains, ac_domain);
+ } else return -1;
+ } else {
+ rpmlog(RPMLOG_ERR, "Domain name must be defined. Abort installation\n");
+ msmFreePointer((void**)&policy);
+ msmFreePointer((void**)&plist);
+ return -1;
+ }
+ } else if (!strcmp(ASCII(node), "request")) {
+ int res = msmProcessDRequest(reader, define);
+ if (res < 0) return res;
+ } else if (!strcmp(ASCII(node), "permit")) {
+ int res = msmProcessDPermit(reader, define);
+ if (res < 0) return res;
+ } else if (!strcmp(ASCII(node), "provide")) {
+ int res = msmProcessDProvide(reader, define);
+ if (res < 0) return res;
+ } else {
+ rpmlog(RPMLOG_ERR, "Not allowed element in domain define section: %s\n", ASCII(node));
+ return -1;
+ }
+ if (ret < 0) return ret;
}
return ret;
}
while ((ret = msmNextChildElement(reader, depth))) {
node = xmlTextReaderConstName(reader);
if (!node) return -1;
-
if (!strcmp(ASCII(node), "keyinfo")) {
ret = msmProcessKeyinfo(reader, origin);
} else if (!strcmp(ASCII(node), "access")) {
while ((ret = msmNextChildElement(reader, depth))) {
node = xmlTextReaderConstName(reader);
if (!node) return -1;
-
if (!strcmp(ASCII(node), "ac_domain")) {
ac_domain_x *ac_domain = msmProcessACDomain(reader, sw_source, NULL);
if (ac_domain) {
while ((ret = msmNextChildElement(reader, depth))) {
node = xmlTextReaderConstName(reader);
if (!node) return -1;
-
if (!strcmp(ASCII(node), "deny")) {
ret = msmProcessDeny(reader, sw_source);
} else if (!strcmp(ASCII(node), "ac_domain")) {
while ((ret = msmNextChildElement(reader, depth))) {
node = xmlTextReaderConstName(reader);
if (!node) return -1;
-
if (!strcmp(ASCII(node), "allow")) {
ret = msmProcessAllow(reader, sw_source);
} else if (!strcmp(ASCII(node), "deny")) {
int ret, depth, attributePresent = 0;
rpmlog(RPMLOG_DEBUG, "attributes\n");
-
depth = xmlTextReaderDepth(reader);
while ((ret = msmNextChildElement(reader, depth))) {
- node = xmlTextReaderConstName(reader);
- if (!node) return -1;
-
- if (!strcmp(ASCII(node), "package")) {
- if (attributePresent) {
- rpmlog(RPMLOG_ERR, "Only one attribute is currently allowed per attribute section. Abort installation\n");
- return -1;
- }
- attributePresent = 1;
- type = xmlTextReaderGetAttribute(reader, XMLCHAR("type"));
- rpmlog(RPMLOG_DEBUG, "package type is %s\n", ASCII(type));
-
- if (type) {
-
- if ((strcmp(type, "system") != 0) &&
- (strcmp(type, "application") != 0)){
- rpmlog(RPMLOG_ERR, "Not allowed attribute name in a package type specification. Abort installation.\n");
- msmFreePointer((void**)&type);
- return -1;
- }
-
- mfx->package_type = ASCII(type);
-
- } else {
- rpmlog(RPMLOG_ERR, "Type name must be defined. Abort installation\n");
- return -1;
- }
- } else {
- rpmlog(RPMLOG_ERR, "Not allowed element in attribute section: %s\n", ASCII(node));
- return -1;
- }
-
- if (ret < 0) return ret;
+ node = xmlTextReaderConstName(reader);
+ if (!node) return -1;
+ if (!strcmp(ASCII(node), "package")) {
+ if (attributePresent) {
+ rpmlog(RPMLOG_ERR, "Only one attribute is currently allowed per attribute section. Abort installation\n");
+ return -1;
+ }
+ attributePresent = 1;
+ type = xmlTextReaderGetAttribute(reader, XMLCHAR("type"));
+ rpmlog(RPMLOG_DEBUG, "package type is %s\n", ASCII(type));
+
+ if (type) {
+ if ((strcmp(type, "system") != 0) &&
+ (strcmp(type, "application") != 0)){
+ rpmlog(RPMLOG_ERR, "Not allowed attribute name in a package type specification. Abort installation.\n");
+ msmFreePointer((void**)&type);
+ return -1;
+ }
+ mfx->package_type = ASCII(type);
+ } else {
+ rpmlog(RPMLOG_ERR, "Type name must be defined. Abort installation\n");
+ return -1;
+ }
+ } else {
+ rpmlog(RPMLOG_ERR, "Not allowed element in attribute section: %s\n", ASCII(node));
+ return -1;
+ }
+ if (ret < 0) return ret;
}
return ret;
}
depth = xmlTextReaderDepth(reader);
while ((ret = msmNextChildElement(reader, depth))) {
- node = xmlTextReaderConstName(reader);
+ node = xmlTextReaderConstName(reader);
if (!node) return -1;
-
if (!strcmp(ASCII(node), "assign")) {
- if (assignPresent) {
- rpmlog(RPMLOG_ERR, "A second assign section in manifest isn't allowed. Abort installation.\n");
- return -1;
- }
- assignPresent = 1;
- provide_x *provide = calloc(1, sizeof(provide_x));
- if (provide) {
- LISTADD(mfx->provides, provide);
- ret = msmProcessProvide(reader, provide, current, mfx, NULL);
- } else return -1;
+ if (assignPresent) {
+ rpmlog(RPMLOG_ERR, "A second assign section in manifest isn't allowed. Abort installation.\n");
+ return -1;
+ }
+ assignPresent = 1;
+ provide_x *provide = calloc(1, sizeof(provide_x));
+ if (provide) {
+ LISTADD(mfx->provides, provide);
+ ret = msmProcessProvide(reader, provide, current, mfx, NULL);
+ } else return -1;
} else if (!strcmp(ASCII(node), "attributes")) {
- if (attributesPresent) {
- rpmlog(RPMLOG_ERR, "A second attribute section in manifest isn't allowed. Abort installation.\n");
- return -1;
- }
- attributesPresent = 1;
- ret = msmProcessAttributes(reader, mfx);
+ if (attributesPresent) {
+ rpmlog(RPMLOG_ERR, "A second attribute section in manifest isn't allowed. Abort installation.\n");
+ return -1;
+ }
+ attributesPresent = 1;
+ ret = msmProcessAttributes(reader, mfx);
} else if (!strcmp(ASCII(node), "define")) {
- if (definePresent) {
- rpmlog(RPMLOG_ERR, "A second request section in manifest isn't allowed. Abort installation.\n");
- return -1;
- }
- definePresent = 1;
- mfx->define = calloc(1, sizeof(define_x));
- if (mfx->define) {
- ret = msmProcessDefine(reader, mfx->define, mfx, current);
- } else return -1;
+ if (definePresent) {
+ rpmlog(RPMLOG_ERR, "A second request section in manifest isn't allowed. Abort installation.\n");
+ return -1;
+ }
+ definePresent = 1;
+ mfx->define = calloc(1, sizeof(define_x));
+ if (mfx->define) {
+ ret = msmProcessDefine(reader, mfx->define, mfx, current);
+ } else return -1;
} else if (!strcmp(ASCII(node), "request")) {
- if (requestPresent) {
- rpmlog(RPMLOG_ERR, "A second request section in manifest isn't allowed. Abort installation.\n");
- return -1;
- }
- requestPresent = 1;
- mfx->request = calloc(1, sizeof(request_x));
- if (mfx->request) {
- ret = msmProcessRequest(reader, mfx->request);
- } else return -1;
+ if (requestPresent) {
+ rpmlog(RPMLOG_ERR, "A second request section in manifest isn't allowed. Abort installation.\n");
+ return -1;
+ }
+ requestPresent = 1;
+ mfx->request = calloc(1, sizeof(request_x));
+ if (mfx->request) {
+ ret = msmProcessRequest(reader, mfx->request);
+ } else return -1;
} else if (!strcmp(ASCII(node), "sw_source")) {
sw_source_x *sw_source = calloc(1, sizeof(sw_source_x));
if (sw_source) {
ret = msmProcessSWSource(reader, sw_source, parentkey, NULL);
} else return -1;
} else return -1;
-
if (ret < 0) return ret;
}
-
return ret;
}
if ((ret = msmNextChildElement(reader, depth))) {
node = xmlTextReaderConstName(reader);
if (!node) return -1;
-
if (!strcmp(ASCII(node), "sw_source")) {
mfx->sw_sources = calloc(1, sizeof(sw_source_x));
if (!mfx->sw_sources) return -1;
if ((ret = msmNextChildElement(reader, -1))) {
node = xmlTextReaderConstName(reader);
if (!node) return -1;
-
if (!strcmp(ASCII(node), "manifest")) {
ret = msmProcessMsm(reader, mfx, current);
} else if (!strcmp(ASCII(node), "config")) {
static filesystem_x *msmFreeFilesystem(filesystem_x *filesystem)
{
- if (filesystem) {
- filesystem_x *prev = filesystem->prev;
- msmFreePointer((void**)&filesystem->path);
- msmFreePointer((void**)&filesystem->label);
- msmFreePointer((void**)&filesystem->exec_label);
- msmFreePointer((void**)&filesystem->type);
- msmFreePointer((void**)&filesystem);
- return prev;
- } else
- return NULL;
-
+ if (filesystem) {
+ filesystem_x *prev = filesystem->prev;
+ msmFreePointer((void**)&filesystem->path);
+ msmFreePointer((void**)&filesystem->label);
+ msmFreePointer((void**)&filesystem->exec_label);
+ msmFreePointer((void**)&filesystem->type);
+ msmFreePointer((void**)&filesystem);
+ return prev;
+ } else
+ return NULL;
}
static member_x *msmFreeMember(member_x *member)
-{
-
- if (member) {
- member_x *prev = member->prev;
- msmFreePointer((void**)&member->name);
- if (member->annotation) {
- msmFreePointer((void**)&member->annotation->name);
- msmFreePointer((void**)&member->annotation->value);
- msmFreePointer((void**)&member->annotation);
- }
- msmFreePointer((void**)&member);
- return prev;
- } else
- return NULL;
-
+{
+ if (member) {
+ member_x *prev = member->prev;
+ msmFreePointer((void**)&member->name);
+ if (member->annotation) {
+ msmFreePointer((void**)&member->annotation->name);
+ msmFreePointer((void**)&member->annotation->value);
+ msmFreePointer((void**)&member->annotation);
+ }
+ msmFreePointer((void**)&member);
+ return prev;
+ } else
+ return NULL;
}
static interface_x *msmFreeInterface(interface_x *interface)
-{
-
- member_x *member;
-
- if (interface) {
- interface_x *prev = interface->prev;
- msmFreePointer((void**)&interface->name);
- if (interface->annotation) {
- msmFreePointer((void**)&interface->annotation->name);
- msmFreePointer((void**)&interface->annotation->value);
- msmFreePointer((void**)&interface->annotation);
- }
- for (member = interface->members; member; member = msmFreeMember(member));
- msmFreePointer((void**)&interface);
- return prev;
- } else
- return NULL;
-
+{
+ member_x *member;
+
+ if (interface) {
+ interface_x *prev = interface->prev;
+ msmFreePointer((void**)&interface->name);
+ if (interface->annotation) {
+ msmFreePointer((void**)&interface->annotation->name);
+ msmFreePointer((void**)&interface->annotation->value);
+ msmFreePointer((void**)&interface->annotation);
+ }
+ for (member = interface->members; member; member = msmFreeMember(member));
+ msmFreePointer((void**)&interface);
+ return prev;
+ } else
+ return NULL;
}
static node_x *msmFreeNode(node_x *node)
{
- member_x *member;
- interface_x *interface;
-
- if (node) {
- node_x *prev = node->prev;
- msmFreePointer((void**)&node->name);
- if (node->annotation) {
- msmFreePointer((void**)&node->annotation->name);
- msmFreePointer((void**)&node->annotation->value);
- msmFreePointer((void**)&node->annotation);
- }
- for (member = node->members; member; member = msmFreeMember(member));
- for (interface = node->interfaces; interface; interface = msmFreeInterface(interface));
- msmFreePointer((void**)&node);
- return prev;
- } else
- return NULL;
-
+ member_x *member;
+ interface_x *interface;
+
+ if (node) {
+ node_x *prev = node->prev;
+ msmFreePointer((void**)&node->name);
+ if (node->annotation) {
+ msmFreePointer((void**)&node->annotation->name);
+ msmFreePointer((void**)&node->annotation->value);
+ msmFreePointer((void**)&node->annotation);
+ }
+ for (member = node->members; member; member = msmFreeMember(member));
+ for (interface = node->interfaces; interface; interface = msmFreeInterface(interface));
+ msmFreePointer((void**)&node);
+ return prev;
+ } else
+ return NULL;
}
static dbus_x *msmFreeDBus(dbus_x *dbus)
{
- node_x *node;
-
- if (dbus) {
- dbus_x *prev = dbus->prev;
- msmFreePointer((void**)&dbus->name);
- msmFreePointer((void**)&dbus->own);
- msmFreePointer((void**)&dbus->bus);
- if (dbus->annotation) {
- msmFreePointer((void**)&dbus->annotation->name);
- msmFreePointer((void**)&dbus->annotation->value);
- msmFreePointer((void**)&dbus->annotation);
- }
- for (node = dbus->nodes; node; node = msmFreeNode(node));
- msmFreePointer((void**)&dbus);
- return prev;
- } else return NULL;
+ node_x *node;
+
+ if (dbus) {
+ dbus_x *prev = dbus->prev;
+ msmFreePointer((void**)&dbus->name);
+ msmFreePointer((void**)&dbus->own);
+ msmFreePointer((void**)&dbus->bus);
+ if (dbus->annotation) {
+ msmFreePointer((void**)&dbus->annotation->name);
+ msmFreePointer((void**)&dbus->annotation->value);
+ msmFreePointer((void**)&dbus->annotation);
+ }
+ for (node = dbus->nodes; node; node = msmFreeNode(node));
+ msmFreePointer((void**)&dbus);
+ return prev;
+ } else return NULL;
}
static provide_x *msmFreeProvide(provide_x *provide)
dbus_x *dbus;
if (provide) {
- for (ac_domain = provide->ac_domains; ac_domain; ac_domain = msmFreeACDomain(ac_domain));
- if (provide->filesystems)
- for (filesystem = provide->filesystems; filesystem; filesystem = msmFreeFilesystem(filesystem));
- msmFreePointer((void**)&provide->name);
- msmFreePointer((void**)&provide->origin);
- for (dbus = provide->dbuss; dbus; dbus = msmFreeDBus(dbus));
- msmFreePointer((void**)&provide);
+ for (ac_domain = provide->ac_domains; ac_domain; ac_domain = msmFreeACDomain(ac_domain));
+ if (provide->filesystems)
+ for (filesystem = provide->filesystems; filesystem; filesystem = msmFreeFilesystem(filesystem));
+ msmFreePointer((void**)&provide->name);
+ msmFreePointer((void**)&provide->origin);
+ for (dbus = provide->dbuss; dbus; dbus = msmFreeDBus(dbus));
+ msmFreePointer((void**)&provide);
}
return prev;
}
rpmlog(RPMLOG_DEBUG, "in msmFreeManifestXml\n");
if (mfx) {
if (mfx->provides)
- for (provide = mfx->provides; provide; provide = msmFreeProvide(provide));
- rpmlog(RPMLOG_DEBUG, "after freeing provides\n");
- if (mfx->request) {
- msmFreePointer((void**)&mfx->request->ac_domain);
- msmFreePointer((void**)&mfx->request);
- }
- rpmlog(RPMLOG_DEBUG, "after freeing requests\n");
+ for (provide = mfx->provides; provide; provide = msmFreeProvide(provide));
+ rpmlog(RPMLOG_DEBUG, "after freeing provides\n");
+ if (mfx->request) {
+ msmFreePointer((void**)&mfx->request->ac_domain);
+ msmFreePointer((void**)&mfx->request);
+ }
+ rpmlog(RPMLOG_DEBUG, "after freeing requests\n");
for (file = mfx->files; file; file = msmFreeFile(file));
- rpmlog(RPMLOG_DEBUG, "after freeing files\n");
+ rpmlog(RPMLOG_DEBUG, "after freeing files\n");
if (mfx->sw_sources) {
- LISTHEAD(mfx->sw_sources, sw_source);
- for (; sw_source; sw_source = msmFreeSWSource(sw_source));
+ LISTHEAD(mfx->sw_sources, sw_source);
+ for (; sw_source; sw_source = msmFreeSWSource(sw_source));
}
msmFreePointer((void**)&mfx->name);
- rpmlog(RPMLOG_DEBUG, "after freeing name\n");
+ rpmlog(RPMLOG_DEBUG, "after freeing name\n");
if (mfx->define) {
- msmFreePointer((void**)&mfx->define->name);
- msmFreePointer((void**)&mfx->define->policy);
- msmFreePointer((void**)&mfx->define->plist);
- if (mfx->define->d_requests) {
- LISTHEAD(mfx->define->d_requests, d_request);
- for (; d_request; d_request = msmFreeDRequest(d_request));
- }
- rpmlog(RPMLOG_DEBUG, "after freeing define requests\n");
- if (mfx->define->d_permits) {
- LISTHEAD(mfx->define->d_permits, d_permit);
- for (; d_permit; d_permit = msmFreeDPermit(d_permit));
- }
- rpmlog(RPMLOG_DEBUG, "after freeing define permits\n");
- if (mfx->define->d_provides) {
- LISTHEAD(mfx->define->d_provides, d_provide);
- for (; d_provide; d_provide = msmFreeDProvide(d_provide));
- }
- rpmlog(RPMLOG_DEBUG, "after freeing provides\n");
- msmFreePointer((void**)&mfx->define);
+ msmFreePointer((void**)&mfx->define->name);
+ msmFreePointer((void**)&mfx->define->policy);
+ msmFreePointer((void**)&mfx->define->plist);
+ if (mfx->define->d_requests) {
+ LISTHEAD(mfx->define->d_requests, d_request);
+ for (; d_request; d_request = msmFreeDRequest(d_request));
+ }
+ rpmlog(RPMLOG_DEBUG, "after freeing define requests\n");
+ if (mfx->define->d_permits) {
+ LISTHEAD(mfx->define->d_permits, d_permit);
+ for (; d_permit; d_permit = msmFreeDPermit(d_permit));
+ }
+ rpmlog(RPMLOG_DEBUG, "after freeing define permits\n");
+ if (mfx->define->d_provides) {
+ LISTHEAD(mfx->define->d_provides, d_provide);
+ for (; d_provide; d_provide = msmFreeDProvide(d_provide));
+ }
+ rpmlog(RPMLOG_DEBUG, "after freeing provides\n");
+ msmFreePointer((void**)&mfx->define);
}
-
- rpmlog(RPMLOG_DEBUG, "after freeing defines \n");
- msmFreePointer((void**)&mfx);
+ rpmlog(RPMLOG_DEBUG, "after freeing defines \n");
+ msmFreePointer((void**)&mfx);
}
return mfx;
}
manifest_x *mfx = NULL;
reader = xmlReaderForMemory(buffer, size, NULL, NULL, 0);
-
if (reader) {
mfx = calloc(1, sizeof(manifest_x));
if (mfx) {
mfx->name = strdup(packagename);
if (msmProcessManifest(reader, mfx, current) < 0) {
- /* error in parcing. Let's display some hint where we failed */
+ /* error in parcing. Let's display some hint where we failed */
rpmlog(RPMLOG_DEBUG, "Syntax error in processing manifest in the above line\n");
mfx = msmFreeManifestXml(mfx);
}
manifest_x *mfx = NULL;
reader = xmlReaderForFile(filename, NULL, 0);
-
if (reader) {
mfx = calloc(1, sizeof(manifest_x));
if (mfx) {
d_provide_x *provide = NULL;
if ((mfx) && (label) && (mfx->define) && (mfx->define->d_provides)) {
- for (provide = mfx->define->d_provides; provide; provide = provide->prev) {
- if ( strcmp(provide->label_name, label) == 0 )
- return 0;
- }
+ for (provide = mfx->define->d_provides; provide; provide = provide->prev) {
+ if (strcmp(provide->label_name, label) == 0)
+ return 0;
+ }
}
rpmlog(RPMLOG_ERR, "Label %s hasn't been provided in the manifest\n", label);
return -1;
int ret = 0;
if (!smack_accesses) return ret;
-
for (ac_domain = ac_domains; ac_domain; ac_domain = ac_domain->prev) {
if (ac_domain->allowed) {
ret = smack_accesses_add(smack_accesses, aid, ac_domain->name, "rw");
}*/
}
return ret;
-
}
static int msmIsProvideAllowed(ac_domain_x *provided, sw_source_x *sw_source, const char *origin)
for (; sw_source; sw_source = sw_source->next) {
if (!sw_source->newer) {
for (ac_domain = provide->ac_domains; ac_domain; ac_domain = ac_domain->prev) {
- ac_domain->allowed = msmIsProvideAllowed(ac_domain, sw_source, ac_domain->origin);
- rpmlog(RPMLOG_DEBUG, "%s ac_domain %s provided in %s for %s\n", (ac_domain->allowed ? "allowing" : "not allowing"),
- ac_domain->name, ac_domain->sw_source->name, sw_source->name);
+ ac_domain->allowed = msmIsProvideAllowed(ac_domain, sw_source, ac_domain->origin);
+ rpmlog(RPMLOG_DEBUG, "%s ac_domain %s provided in %s for %s\n", (ac_domain->allowed ? "allowing" : "not allowing"),
+ ac_domain->name, ac_domain->sw_source->name, sw_source->name);
}
if (smack_accesses)
ret = msmSetSmackRules(smack_accesses, provide->ac_domains, sw_source->name);
else
- ret = 0;
+ ret = 0;
}
}
return ret;
}
}
} else {
-
/* config processing */
ret = msmSetupPackages(NULL, sw_source->packages, NULL);
if (ret) {
if (phase >= 0) {
if (dbus->own) {
- snprintf(data, sizeof(data),
+ snprintf(data, sizeof(data),
" <policy context=\"default\">\n"
" <deny own=\"%s\"/>\n"
" </policy>\n"
" <allow own=\"%s\"/>\n"
" </policy>\n",
dbus->name, dbus->own, dbus->name);
- if (fputs(data, file) == EOF) {
- rpmlog(RPMLOG_ERR, "Failed to write %s: %s\n",
- path, strerror(errno));
- goto exit;
- }
+ if (fputs(data, file) == EOF) {
+ rpmlog(RPMLOG_ERR, "Failed to write %s: %s\n",
+ path, strerror(errno));
+ goto exit;
+ }
}
if (dbus->annotation) {
- msmSetupDBusRule(file, dbus->annotation->value, DBUS_SERVICE,
- NULL, dbus->name, NULL, NULL, mfx);
+ msmSetupDBusRule(file, dbus->annotation->value, DBUS_SERVICE,
+ NULL, dbus->name, NULL, NULL, mfx);
}
for (node = dbus->nodes; node; node = node->prev) {
if (node->annotation) {
- msmSetupDBusRule(file, node->annotation->value, DBUS_PATH,
- dbus->name, node->name, NULL, NULL, mfx);
+ msmSetupDBusRule(file, node->annotation->value, DBUS_PATH,
+ dbus->name, node->name, NULL, NULL, mfx);
}
for (member = node->members; member; member = member->prev) {
if (member->annotation) {
- msmSetupDBusRule(file, member->annotation->value, member->type,
- dbus->name, member->name,
- "path", node->name, mfx);
+ msmSetupDBusRule(file, member->annotation->value, member->type,
+ dbus->name, member->name,
+ "path", node->name, mfx);
}
}
for (interface = node->interfaces; interface; interface = interface->prev) {
if (interface->annotation) {
- msmSetupDBusRule(file, interface->annotation->value, DBUS_INTERFACE,
- dbus->name, interface->name, NULL, NULL, mfx);
+ msmSetupDBusRule(file, interface->annotation->value, DBUS_INTERFACE,
+ dbus->name, interface->name, NULL, NULL, mfx);
}
for (member = interface->members; member; member = member->prev) {
if (member->annotation) {
- msmSetupDBusRule(file, member->annotation->value, member->type,
- dbus->name, member->name,
- "interface", interface->name, mfx);
+ msmSetupDBusRule(file, member->annotation->value, member->type,
+ dbus->name, member->name,
+ "interface", interface->name, mfx);
}
}
}
if (file) fclose(file);
if (ret) unlink(path);
msmFreePointer((void**)&sysconfdir);
-
return ret;
}
static int msmIsRequestAllowed(manifest_x *mfx, ac_domain_x *provided)
-{
-
+{
if (mfx->sw_source == provided->sw_source) {
/* allowed always if ac domain is provided in the same sw source */
return 1;
if (defined_ac_domain->type) {
if (strcmp(defined_ac_domain->type, "restricted") == 0) {
- if (defined_ac_domain->plist) {
- tmp = calloc(strlen(defined_ac_domain->plist) + 1, sizeof(char));
- if (!tmp) return -1;
- strncpy(tmp, defined_ac_domain->plist, strlen(defined_ac_domain->plist));
- pch = strtok (tmp, ", ");
- while (pch != NULL)
- {
- if (strcmp(pch, mfx->name) == 0) {
- found = 1;
- break;
- }
- pch = strtok(NULL, ", ");
- }
- msmFreePointer((void**)&tmp);
- }
- if (found != 1) {
- rpmlog(RPMLOG_ERR, "Request for a domain name %s isn't allowed ", mfx->request->ac_domain);
- rpmlog(RPMLOG_ERR, "because ac domain is marked as restricted\n");
- return -1;
- }
+ if (defined_ac_domain->plist) {
+ tmp = calloc(strlen(defined_ac_domain->plist) + 1, sizeof(char));
+ if (!tmp) return -1;
+ strncpy(tmp, defined_ac_domain->plist, strlen(defined_ac_domain->plist));
+ pch = strtok (tmp, ", ");
+ while (pch != NULL) {
+ if (strcmp(pch, mfx->name) == 0) {
+ found = 1;
+ break;
+ }
+ pch = strtok(NULL, ", ");
+ }
+ msmFreePointer((void**)&tmp);
+ }
+ if (found != 1) {
+ rpmlog(RPMLOG_ERR, "Request for a domain name %s isn't allowed ", mfx->request->ac_domain);
+ rpmlog(RPMLOG_ERR, "because ac domain is marked as restricted\n");
+ return -1;
+ }
} else if (strcmp(defined_ac_domain->type, "shared") == 0) {
- return 0;
+ return 0;
} else {
- // domain hasn't been marked as shared
- rpmlog(RPMLOG_ERR, "Request for a domain name %s isn't allowed ", mfx->request->ac_domain);
- rpmlog(RPMLOG_ERR, "because ac domain is marked as private\n");
- return -1;
- }
- } else {
+ // domain hasn't been marked as shared
+ rpmlog(RPMLOG_ERR, "Request for a domain name %s isn't allowed ", mfx->request->ac_domain);
+ rpmlog(RPMLOG_ERR, "because ac domain is marked as private\n");
+ return -1;
+ }
+ } else {
// by default ac domains are private
rpmlog(RPMLOG_ERR, "Request for a domain name %s isn't allowed ", mfx->request->ac_domain);
rpmlog(RPMLOG_ERR, "because ac domain is marked as private\n");
return -1;
- }
-
- return 0;
+ }
+ return 0;
}
int msmSetupRequests(manifest_x *mfx)
{
+ ac_domain_x *defined_ac_domain = NULL;
- ac_domain_x *defined_ac_domain = NULL;
-
- if ((!mfx) || (!mfx->request) || (!mfx->request->ac_domain))
- return -1;
-
- HASH_FIND(hh, all_ac_domains, mfx->request->ac_domain, strlen(mfx->request->ac_domain), defined_ac_domain);
- if (!defined_ac_domain){ // request for a undefined domain.
- rpmlog(RPMLOG_ERR, "Request for a domain name %s that hasn't been yet defined by any package\n", mfx->request->ac_domain);
- return -1;
- }
-
- //now check that the package can join the requested AC domain
-
- if (mfx->define){
- rpmlog(RPMLOG_DEBUG, "mfx->define->name %s mfx->request->ac_domain %s\n", mfx->define->name, mfx->request->ac_domain);
- if (strcmp(mfx->define->name, mfx->request->ac_domain) == 0)
- //ac domain is requested from the same package where it was define. This case is always allowed
- return 0;
- }
-
- //need to check if developer allowed other packages to join this domain
- if (msmCheckDomainJoinPossibility(mfx, defined_ac_domain) < 0 )
- return -1;
+ if ((!mfx) || (!mfx->request) || (!mfx->request->ac_domain))
+ return -1;
- // now checking if security policy allows to join this domain
- if (msmIsRequestAllowed(mfx, defined_ac_domain)) {
- rpmlog(RPMLOG_DEBUG, "Request for a domain name %s is allowed based on package sw source\n", mfx->request->ac_domain);
- return 0;
-
- } else {
- rpmlog(RPMLOG_ERR, "Request for a domain name %s isn't allowed based on package sw source\n", mfx->request->ac_domain);
- return -1;
- }
+ HASH_FIND(hh, all_ac_domains, mfx->request->ac_domain, strlen(mfx->request->ac_domain), defined_ac_domain);
+ if (!defined_ac_domain){ // request for a undefined domain.
+ rpmlog(RPMLOG_ERR, "Request for a domain name %s that hasn't been yet defined by any package\n", mfx->request->ac_domain);
+ return -1;
+ }
+ //now check that the package can join the requested AC domain
+ if (mfx->define){
+ rpmlog(RPMLOG_DEBUG, "mfx->define->name %s mfx->request->ac_domain %s\n", mfx->define->name, mfx->request->ac_domain);
+ if (strcmp(mfx->define->name, mfx->request->ac_domain) == 0)
+ //ac domain is requested from the same package where it was define. This case is always allowed
+ return 0;
+ }
+ //need to check if developer allowed other packages to join this domain
+ if (msmCheckDomainJoinPossibility(mfx, defined_ac_domain) < 0 )
+ return -1;
+ // now checking if security policy allows to join this domain
+ if (msmIsRequestAllowed(mfx, defined_ac_domain)) {
+ rpmlog(RPMLOG_DEBUG, "Request for a domain name %s is allowed based on package sw source\n", mfx->request->ac_domain);
+ return 0;
+ } else {
+ rpmlog(RPMLOG_ERR, "Request for a domain name %s isn't allowed based on package sw source\n", mfx->request->ac_domain);
+ return -1;
+ }
}
static int msmSetupProvides(struct smack_accesses *smack_accesses, package_x *package)
ac_domain->origin = provide->origin;
HASH_FIND(hh, all_ac_domains, ac_domain->name, strlen(ac_domain->name), current_d);
-
if (current_d) { /* ac domain has been previously defined */
-
if (strcmp(ac_domain->pkg_name, current_d->pkg_name) == 0) { /* check that it was provided by same package */
- HASH_DELETE(hh, all_ac_domains, current_d);
- HASH_ADD_KEYPTR(hh, all_ac_domains, ac_domain->name, strlen(ac_domain->name), ac_domain);
- current_d->newer = ac_domain;
- ac_domain->older = current_d;
- rpmlog(RPMLOG_DEBUG, "package %s upgraded ac domain %s\n", ac_domain->pkg_name, ac_domain->name);
-
+ HASH_DELETE(hh, all_ac_domains, current_d);
+ HASH_ADD_KEYPTR(hh, all_ac_domains, ac_domain->name, strlen(ac_domain->name), ac_domain);
+ current_d->newer = ac_domain;
+ ac_domain->older = current_d;
+ rpmlog(RPMLOG_DEBUG, "package %s upgraded ac domain %s\n", ac_domain->pkg_name, ac_domain->name);
} else {
rpmlog(RPMLOG_ERR, "package %s can't upgrade ac domain %s previously defined in package %s\n",
ac_domain->pkg_name, ac_domain->name, current_d->pkg_name);
}
}
int ret = msmSetSmackProvide(smack_accesses, provide, package->sw_source);
-
if (ret < 0) {
- rpmlog(RPMLOG_ERR, "Failed to set smack rules for provide\n");
- return -1;
+ rpmlog(RPMLOG_ERR, "Failed to set smack rules for provide\n");
+ return -1;
}
}
return 0;
int msmSetupDBusPolicies(package_x *package, manifest_x *mfx)
{
+ dbus_x *session = NULL;
+ dbus_x *system = NULL;
+ provide_x *provide;
+ dbus_x *dbus;
- dbus_x *session = NULL;
- dbus_x *system = NULL;
- provide_x *provide;
- dbus_x *dbus;
-
- for (provide = package->provides; provide; provide = provide->prev) {
- for (dbus = provide->dbuss; dbus; dbus = dbus->prev) {
- if (!strcmp(dbus->bus, "session")) {
- msmSetupDBusConfig(package, dbus, session ? 1 : 0, mfx);
- session = dbus;
- } else if (!strcmp(dbus->bus, "system")) {
- msmSetupDBusConfig(package, dbus, system ? 1 : 0, mfx);
- system = dbus;
- } else return -1;
- }
- if (session) msmSetupDBusConfig(package, session, -1, mfx);
- if (system) msmSetupDBusConfig(package, system, -1, mfx);
+ for (provide = package->provides; provide; provide = provide->prev) {
+ for (dbus = provide->dbuss; dbus; dbus = dbus->prev) {
+ if (!strcmp(dbus->bus, "session")) {
+ msmSetupDBusConfig(package, dbus, session ? 1 : 0, mfx);
+ session = dbus;
+ } else if (!strcmp(dbus->bus, "system")) {
+ msmSetupDBusConfig(package, dbus, system ? 1 : 0, mfx);
+ system = dbus;
+ } else return -1;
+ }
+ if (session) msmSetupDBusConfig(package, session, -1, mfx);
+ if (system) msmSetupDBusConfig(package, system, -1, mfx);
session = system = NULL;
- }
- return 0;
-
+ }
+ return 0;
}
static int msmCheckDomainRequestOrPermit(manifest_x *mfx, const char* domain)
{
+ ac_domain_x *defined_ac_domain = NULL;
+ char* name = NULL;
- ac_domain_x *defined_ac_domain = NULL;
- char* name = NULL;
-
- if ((!mfx) || (!domain))
- return -1;
+ if ((!mfx) || (!domain))
+ return -1;
- name = calloc(strlen(domain) + 1, sizeof(char));
- if (!name) return -1;
- strncpy(name, domain, strlen(domain));
- strtok(name, ":"); // remove label name if present
- rpmlog(RPMLOG_DEBUG, "label name %s domain name %s \n", domain, name);
+ name = calloc(strlen(domain) + 1, sizeof(char));
+ if (!name) return -1;
+ strncpy(name, domain, strlen(domain));
+ strtok(name, ":"); // remove label name if present
+ rpmlog(RPMLOG_DEBUG, "label name %s domain name %s \n", domain, name);
- HASH_FIND(hh, all_ac_domains, name, strlen(name), defined_ac_domain);
- if (!defined_ac_domain) { // request or permit for an undefined domain.
- rpmlog(RPMLOG_ERR, "A domain name %s hasn't been yet defined by any package. Can't verify if it is allowed\n", name);
- msmFreePointer((void**)&name);
- return -1;
- }
-
- //now check that this ac_domain can be requested
-
- if ((mfx->define) && (mfx->define->name)) {
- rpmlog(RPMLOG_DEBUG, "mfx->define->name %s domain %s\n", mfx->define->name, name);
- if (strcmp(mfx->define->name, name) == 0) {
- // AC domain access is requested or permitted from the same package where it was defined.
- // This case is always allowed
- msmFreePointer((void**)&name);
- return 0;
- }
- }
+ HASH_FIND(hh, all_ac_domains, name, strlen(name), defined_ac_domain);
+ if (!defined_ac_domain) { // request or permit for an undefined domain.
+ rpmlog(RPMLOG_ERR, "A domain name %s hasn't been yet defined by any package. Can't verify if it is allowed\n", name);
+ msmFreePointer((void**)&name);
+ return -1;
+ }
- // no need to check if developer allowed other packages to request/permit this domain
- // because this isn't a request to belong to a domain, but request/permit for domain access
-
- if (msmIsRequestAllowed(mfx, defined_ac_domain)) {
- // request or permit is allowed by domain policy
- rpmlog(RPMLOG_DEBUG, "Request/Permit to access a domain name %s is allowed based on package sw source\n", name);
- msmFreePointer((void**)&name);
- return 0;
-
- } else {
- rpmlog(RPMLOG_ERR, "Request/Permit to access a domain name %s isn't allowed based on package sw source\n", name);
- msmFreePointer((void**)&name);
- return -1;
- }
+ //now check that this ac_domain can be requested
+ if ((mfx->define) && (mfx->define->name)) {
+ rpmlog(RPMLOG_DEBUG, "mfx->define->name %s domain %s\n", mfx->define->name, name);
+ if (strcmp(mfx->define->name, name) == 0) {
+ // AC domain access is requested or permitted from the same package where it was defined.
+ // This case is always allowed
+ msmFreePointer((void**)&name);
+ return 0;
+ }
+ }
+
+ // no need to check if developer allowed other packages to request/permit this domain
+ // because this isn't a request to belong to a domain, but request/permit for domain access
+ if (msmIsRequestAllowed(mfx, defined_ac_domain)) {
+ // request or permit is allowed by domain policy
+ rpmlog(RPMLOG_DEBUG, "Request/Permit to access a domain name %s is allowed based on package sw source\n", name);
+ msmFreePointer((void**)&name);
+ return 0;
+ } else {
+ rpmlog(RPMLOG_ERR, "Request/Permit to access a domain name %s isn't allowed based on package sw source\n", name);
+ msmFreePointer((void**)&name);
+ return -1;
+ }
}
int msmSetupDefine(struct smack_accesses *smack_accesses, manifest_x *mfx)
HASH_FIND(hh, all_ac_domains, mfx->define->name, strlen(mfx->define->name), defined_ac_domain);
if ((defined_ac_domain) && (defined_ac_domain->pkg_name)) { // this domain has been previously defined
- if (strcmp(defined_ac_domain->pkg_name, mfx->name) != 0) {
- rpmlog(RPMLOG_ERR, "Attempt to define a domain name %s that has been already defined by package %s\n",
- mfx->define->name, defined_ac_domain->pkg_name);
- return -1;
- }
-
+ if (strcmp(defined_ac_domain->pkg_name, mfx->name) != 0) {
+ rpmlog(RPMLOG_ERR, "Attempt to define a domain name %s that has been already defined by package %s\n",
+ mfx->define->name, defined_ac_domain->pkg_name);
+ return -1;
+ }
}
if (mfx->define->d_requests) {
- for (d_request = mfx->define->d_requests; d_request; d_request = d_request->prev) {
- // first check if the current's package sw source can grant access to requested domain
- if ( msmCheckDomainRequestOrPermit(mfx, d_request->label_name) < 0 )
- return -1;
- if ( smack_accesses_add(smack_accesses, mfx->define->name, d_request->label_name, d_request->ac_type) < 0 ) {
- rpmlog(RPMLOG_ERR, "Failed to set smack rules for domain requests\n");
- return -1;
- }
-
- }
+ for (d_request = mfx->define->d_requests; d_request; d_request = d_request->prev) {
+ // first check if the current's package sw source can grant access to requested domain
+ if (msmCheckDomainRequestOrPermit(mfx, d_request->label_name) < 0)
+ return -1;
+ if (smack_accesses_add(smack_accesses, mfx->define->name, d_request->label_name, d_request->ac_type) < 0) {
+ rpmlog(RPMLOG_ERR, "Failed to set smack rules for domain requests\n");
+ return -1;
+ }
+ }
}
if (mfx->define->d_permits) {
- for (d_permit = mfx->define->d_permits; d_permit; d_permit = d_permit->prev) {
- // first check if the current's package sw source can grant access to permited domain
- if ( msmCheckDomainRequestOrPermit(mfx, d_permit->label_name) < 0 )
- return -1;
- if (!d_permit->to_label_name)
- ret = smack_accesses_add(smack_accesses, d_permit->label_name, mfx->define->name, d_permit->ac_type);
- else {
- if ( msmCheckLabelProvisioning(mfx, d_permit->to_label_name) < 0 )
- return -1;
- ret = smack_accesses_add(smack_accesses, d_permit->label_name, d_permit->to_label_name, d_permit->ac_type);
- }
- if (ret < 0) {
- rpmlog(RPMLOG_ERR, "Failed to set smack rules for domain permits\n");
- return -1;
- }
- }
- }
-
+ for (d_permit = mfx->define->d_permits; d_permit; d_permit = d_permit->prev) {
+ // first check if the current's package sw source can grant access to permited domain
+ if (msmCheckDomainRequestOrPermit(mfx, d_permit->label_name) < 0)
+ return -1;
+ if (!d_permit->to_label_name)
+ ret = smack_accesses_add(smack_accesses, d_permit->label_name, mfx->define->name, d_permit->ac_type);
+ else {
+ if (msmCheckLabelProvisioning(mfx, d_permit->to_label_name) < 0)
+ return -1;
+ ret = smack_accesses_add(smack_accesses, d_permit->label_name, d_permit->to_label_name, d_permit->ac_type);
+ }
+ if (ret < 0) {
+ rpmlog(RPMLOG_ERR, "Failed to set smack rules for domain permits\n");
+ return -1;
+ }
+ }
+ }
return 0;
}
rpmlog(RPMLOG_DEBUG, "smack rule file path %s, SmackEnabled %d\n", buffer, SmackEnabled);
if (flag == SMACK_UNINSTALL) { /* uninstallation case */
- FILE* fd = fopen(buffer, "r");
- if (fd) {
- rpmlog(RPMLOG_DEBUG, "uninstall case \n");
- struct smack_accesses *old_rule_set = NULL;
- ret = smack_accesses_new(&old_rule_set);
- if (ret != 0) return -1;
- ret = smack_accesses_add_from_file(old_rule_set, fileno(fd));
- if (ret == 0) {
- if (SmackEnabled == 1)
- ret = smack_accesses_clear(old_rule_set); /* deletes rules from kernel */
-
+ FILE* fd = fopen(buffer, "r");
+ if (fd) {
+ rpmlog(RPMLOG_DEBUG, "uninstall case \n");
+ struct smack_accesses *old_rule_set = NULL;
+ ret = smack_accesses_new(&old_rule_set);
+ if (ret != 0) return -1;
+ ret = smack_accesses_add_from_file(old_rule_set, fileno(fd));
+ if (ret == 0) {
+ if (SmackEnabled == 1)
+ ret = smack_accesses_clear(old_rule_set); /* deletes rules from kernel */
+ }
+ smack_accesses_free(old_rule_set);
+ fclose(fd);
+ remove(buffer); /* delete rules file from system */
}
- smack_accesses_free(old_rule_set);
- fclose(fd);
- remove(buffer); /* delete rules file from system */
- }
} else { /*installation case */
/* first attempt to clean previous version of rules, if exists */
- FILE* fd = fopen(buffer, "r");
- if (fd) {
- struct smack_accesses *old_rule_set = NULL;
- ret = smack_accesses_new(&old_rule_set);
- if (ret != 0) return -1;
- ret = smack_accesses_add_from_file(old_rule_set, fileno(fd));
- if (ret == 0) {
+ FILE* fd = fopen(buffer, "r");
+ if (fd) {
+ struct smack_accesses *old_rule_set = NULL;
+ ret = smack_accesses_new(&old_rule_set);
+ if (ret != 0) return -1;
+ ret = smack_accesses_add_from_file(old_rule_set, fileno(fd));
+ if (ret == 0) {
if (SmackEnabled == 1)
ret = smack_accesses_clear(old_rule_set); /* deletes old rules from kernel */
}
- fclose(fd);
- smack_accesses_free(old_rule_set);
- }
+ fclose(fd);
+ smack_accesses_free(old_rule_set);
+ }
/* now write new rules to the system */
fd = fopen(buffer, "w");
- if (!fd) {
+ if (!fd) {
rpmlog(RPMLOG_ERR, "Can't write smack rules\n");
return -1;
}
rpmlog(RPMLOG_DEBUG, "ret in installation %d\n", ret);
if (!ret) {
if (SmackEnabled == 1)
- ret = smack_accesses_apply(smack_accesses);
+ ret = smack_accesses_apply(smack_accesses);
}
fclose(fd);
- }
-
+ }
free(buffer);
if (ret)
return -1;
package_x *msmCheckPackage(const char *name)
{
package_x *package = NULL;
-
if (name)
HASH_FIND(hh, allpackages, name, strlen(name), package);
-
return package;
}
}
/* need to clean up the all_ac_domain list, too */
for (provide = package->provides; provide; provide = provide->prev) {
- for (ac_domain = provide->ac_domains; ac_domain; ac_domain = ac_domain->prev)
- msmCancelACDomain(ac_domain->name);
+ for (ac_domain = provide->ac_domains; ac_domain; ac_domain = ac_domain->prev)
+ msmCancelACDomain(ac_domain->name);
}
}
}
return result;
buffer = magic_file(cookie, path);
-
rpmlog(RPMLOG_DEBUG, "buffer: %s\n", buffer);
if (buffer != NULL) {
if (!filepath) return -1;
if (mfx->name) {
package_x *package = msmCheckPackage(mfx->name);
- if (!package)
- return -1;
+ if (!package) return -1;
for (provide = package->provides; provide; provide = provide->prev) {
- for (filesystem = provide->filesystems; filesystem; filesystem = filesystem->prev) {
- if (!strcmp(filepath, filesystem->path)) {
- /* exact match */
- label = filesystem->label;
- exec_label = filesystem->exec_label;
- if (filesystem->type) type = filesystem->type;
- goto found;
- }
-
- len = strlen(filesystem->path);
- rpmlog(RPMLOG_DEBUG, "filesystem->path: %s, length %d\n", filesystem->path, len);
- rpmlog(RPMLOG_DEBUG, "filesystem->path + len - 1: %s\n", filesystem->path + len - 1);
- if (len > match) {
- if ((!strncmp(filepath, filesystem->path, len)) && (filesystem->type)) {
- /* partial match and the directory marked as transmutable*/
- label = filesystem->label;
- exec_label = filesystem->exec_label;
- match = len;
- }
- if (!strncmp(filesystem->path + len - 1, "*", 1)) {
- if (!strncmp(filepath, filesystem->path, len - 1)) {
- /* partial match and the path is marked with wildcard*/
- label = filesystem->label;
- exec_label = filesystem->exec_label;
- match = len - 1;
- }
- }
- }
- }
+ for (filesystem = provide->filesystems; filesystem; filesystem = filesystem->prev) {
+ if (!strcmp(filepath, filesystem->path)) {
+ /* exact match */
+ label = filesystem->label;
+ exec_label = filesystem->exec_label;
+ if (filesystem->type) type = filesystem->type;
+ goto found;
+ }
+ len = strlen(filesystem->path);
+ rpmlog(RPMLOG_DEBUG, "filesystem->path: %s, length %d\n", filesystem->path, len);
+ rpmlog(RPMLOG_DEBUG, "filesystem->path + len - 1: %s\n", filesystem->path + len - 1);
+ if (len > match) {
+ if ((!strncmp(filepath, filesystem->path, len)) && (filesystem->type)) {
+ /* partial match and the directory marked as transmutable*/
+ label = filesystem->label;
+ exec_label = filesystem->exec_label;
+ match = len;
+ }
+ if (!strncmp(filesystem->path + len - 1, "*", 1)) {
+ if (!strncmp(filepath, filesystem->path, len - 1)) {
+ /* partial match and the path is marked with wildcard*/
+ label = filesystem->label;
+ exec_label = filesystem->exec_label;
+ match = len - 1;
+ }
+ }
+ }
+ }
}
} else
return -1;
- found:
- if (exec_label) {
- execLabeldefined = 1;
- if ((strcmp(exec_label, "none") == 0)
- || (strcmp(exec_label, mfx->request->ac_domain) == 0)
- || (strcmp(exec_label, mfx->define->name) == 0)) {
- // these labels are allowed
- } else {
- // ignore all other exec labels, because they aren't allowed for security reasons
- exec_label = NULL;
- rpmlog(RPMLOG_DEBUG, "It isn't allowed to label the file with smack64label other than ac domain or \"none\" value\n");
- rpmlog(RPMLOG_DEBUG, "The default ac domain label will be used instead\n");
- }
- }
- if ((!label) || (!exec_label)) {
- /* no match, use default label of AC domain */
- if (mfx->request) { //AC domain is requested in manifest
- if (mfx->request->ac_domain) {
- if (!label) label = mfx->request->ac_domain;
- if (!exec_label) exec_label = mfx->request->ac_domain;
- } else {
- rpmlog(RPMLOG_DEBUG, "Request for AC domain is empty. Can't identify default file label\n");
- rpmlog(RPMLOG_DEBUG, "File will be labelled with the label \"Isolated\"\n");
- if (!label) label = isolatedLabel;
- if (!exec_label) exec_label = isolatedLabel;
- }
- } else if (mfx->define) { // AC domain defined in manifest
- if (mfx->define->name) {
- if (!label) label = mfx->define->name;
- if (!exec_label) exec_label = mfx->define->name;
- } else {
- rpmlog(RPMLOG_DEBUG, "Define for AC domain is empty. Can't identify default file label\n");
- rpmlog(RPMLOG_DEBUG, "File will be labelled with the label \"Isolated\"\n");
- if (!label) label = isolatedLabel;
- if (!exec_label) exec_label = isolatedLabel;
- }
- } else { // no request or definition of domain
- rpmlog(RPMLOG_DEBUG, "Both define and request sections are empty. Can't identify default file label\n");
- rpmlog(RPMLOG_DEBUG, "File will be labelled with the label \"Isolated\"\n");
- if (!label) label = isolatedLabel;
- if (!exec_label) exec_label = isolatedLabel;
- }
- }
-
-
- rpmlog(RPMLOG_DEBUG, "setting SMACK64 %s for %s\n", label, filepath);
-
- if (lsetxattr(filepath, SMACK64, label, strlen(label), 0) < 0 ) {
- rpmlog(RPMLOG_ERR, "Failed to set SMACK64 %s for %s: %s\n",
- label, filepath, strerror(errno));
- }
-
- if ((is_executable(filepath, cookie)) == 0) {
- if ((exec_label) && (strcmp(exec_label, "none") == 0)) {
- // do not set SMACK64EXEC
- rpmlog(RPMLOG_DEBUG, "not setting SMACK64EXEC for %s as requested in manifest\n", filepath);
- } else {
- if ((mfx->package_type && (strcmp(mfx->package_type, "application") == 0))
- || (execLabeldefined == 1)) {
- rpmlog(RPMLOG_INFO, "setting SMACK64EXEC %s for %s\n", exec_label, filepath);
- if (lsetxattr(filepath, SMACK64EXEC, exec_label, strlen(exec_label), 0) < 0 ) {
- rpmlog(RPMLOG_ERR, "Failed to set SMACK64EXEC %s for %s: %s\n",
- exec_label, filepath, strerror(errno));
- }
- }
- }
- }
-
- if (type) { //marked as transmutable
- if ((lstat(filepath, &st) != -1) && (S_ISDIR(st.st_mode))) { //check that it is a directory
- char at_true[] = "TRUE";
- rpmlog(RPMLOG_DEBUG, "setting SMACK64TRANSMUTE %s for %s\n", at_true, filepath);
- if ( lsetxattr(filepath, SMACK64TRANSMUTE, at_true, strlen(at_true), 0) < 0 ) {
- rpmlog(RPMLOG_ERR, "Failed to set SMACK64TRANSMUTE %s for %s: %s\n",
- at_true, filepath, strerror(errno));
- }
- } else {
- rpmlog(RPMLOG_DEBUG, "No setting up of transmute attr for a non-directory, path %s\n",
- filepath);
- }
-
- }
-
+ found:
+ if (exec_label) {
+ execLabeldefined = 1;
+ if ((strcmp(exec_label, "none") == 0)
+ || (strcmp(exec_label, mfx->request->ac_domain) == 0)
+ || (strcmp(exec_label, mfx->define->name) == 0)) {
+ // these labels are allowed
+ } else {
+ // ignore all other exec labels, because they aren't allowed for security reasons
+ exec_label = NULL;
+ rpmlog(RPMLOG_DEBUG, "It isn't allowed to label the file with smack64label other than ac domain or \"none\" value\n");
+ rpmlog(RPMLOG_DEBUG, "The default ac domain label will be used instead\n");
+ }
+ }
+ if ((!label) || (!exec_label)) {
+ /* no match, use default label of AC domain */
+ if (mfx->request) { //AC domain is requested in manifest
+ if (mfx->request->ac_domain) {
+ if (!label) label = mfx->request->ac_domain;
+ if (!exec_label) exec_label = mfx->request->ac_domain;
+ } else {
+ rpmlog(RPMLOG_DEBUG, "Request for AC domain is empty. Can't identify default file label\n");
+ rpmlog(RPMLOG_DEBUG, "File will be labelled with the label \"Isolated\"\n");
+ if (!label) label = isolatedLabel;
+ if (!exec_label) exec_label = isolatedLabel;
+ }
+ } else if (mfx->define) { // AC domain defined in manifest
+ if (mfx->define->name) {
+ if (!label) label = mfx->define->name;
+ if (!exec_label) exec_label = mfx->define->name;
+ } else {
+ rpmlog(RPMLOG_DEBUG, "Define for AC domain is empty. Can't identify default file label\n");
+ rpmlog(RPMLOG_DEBUG, "File will be labelled with the label \"Isolated\"\n");
+ if (!label) label = isolatedLabel;
+ if (!exec_label) exec_label = isolatedLabel;
+ }
+ } else { // no request or definition of domain
+ rpmlog(RPMLOG_DEBUG, "Both define and request sections are empty. Can't identify default file label\n");
+ rpmlog(RPMLOG_DEBUG, "File will be labelled with the label \"Isolated\"\n");
+ if (!label) label = isolatedLabel;
+ if (!exec_label) exec_label = isolatedLabel;
+ }
+ }
-
- return 0;
-
+ rpmlog(RPMLOG_DEBUG, "setting SMACK64 %s for %s\n", label, filepath);
+ if (lsetxattr(filepath, SMACK64, label, strlen(label), 0) < 0 ) {
+ rpmlog(RPMLOG_ERR, "Failed to set SMACK64 %s for %s: %s\n",
+ label, filepath, strerror(errno));
+ }
+ if ((is_executable(filepath, cookie)) == 0) {
+ if ((exec_label) && (strcmp(exec_label, "none") == 0)) {
+ // do not set SMACK64EXEC
+ rpmlog(RPMLOG_DEBUG, "not setting SMACK64EXEC for %s as requested in manifest\n", filepath);
+ } else {
+ if ((mfx->package_type && (strcmp(mfx->package_type, "application") == 0))
+ || (execLabeldefined == 1)) {
+ rpmlog(RPMLOG_INFO, "setting SMACK64EXEC %s for %s\n", exec_label, filepath);
+ if (lsetxattr(filepath, SMACK64EXEC, exec_label, strlen(exec_label), 0) < 0 ) {
+ rpmlog(RPMLOG_ERR, "Failed to set SMACK64EXEC %s for %s: %s\n",
+ exec_label, filepath, strerror(errno));
+ }
+ }
+ }
+ }
+ if (type) { //marked as transmutable
+ if ((lstat(filepath, &st) != -1) && (S_ISDIR(st.st_mode))) { //check that it is a directory
+ char at_true[] = "TRUE";
+ rpmlog(RPMLOG_DEBUG, "setting SMACK64TRANSMUTE %s for %s\n", at_true, filepath);
+ if (lsetxattr(filepath, SMACK64TRANSMUTE, at_true, strlen(at_true), 0) < 0) {
+ rpmlog(RPMLOG_ERR, "Failed to set SMACK64TRANSMUTE %s for %s: %s\n",
+ at_true, filepath, strerror(errno));
+ }
+ } else {
+ rpmlog(RPMLOG_DEBUG, "No setting up of transmute attr for a non-directory, path %s\n", filepath);
+ }
+ }
+ return 0;
}
void msmRemoveRules(struct smack_accesses *smack_accesses, manifest_x *mfx, int SmackEnabled)
return;
if ((mfx->define) || (mfx->sw_sources)) {
- /* remove smack rule file and rule set from kernel */
- rpmlog(RPMLOG_DEBUG, "removing smack rules for %s\n", mfx->name);
- msmSetupSmackRules(smack_accesses, mfx->name, SMACK_UNINSTALL, SmackEnabled);
+ /* remove smack rule file and rule set from kernel */
+ rpmlog(RPMLOG_DEBUG, "removing smack rules for %s\n", mfx->name);
+ msmSetupSmackRules(smack_accesses, mfx->name, SMACK_UNINSTALL, SmackEnabled);
}
-
for (provide = mfx->provides; provide; provide = provide->prev) {
if (provide->dbuss && !package->older)
msmRemoveDBusConfig(package, provide->dbuss);
-
}
-
}
void msmRemoveConfig(manifest_x *mfx)
projects / tools / librpm-tizen.git / commitdiff