2010-08-24 19:50:45

by jwcart2

Subject: [refpolicy] [m4-isms patch 4/6] Remove basic_ubac_conditions macro

The macro basic_ubac_conditions is an example of using an m4 macro to
manipulate text rather than as an interface. Removing it makes the
constraints file easier to parse.

---
policy/constraints | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/policy/constraints b/policy/constraints
index 155883b..b901c9f 100644
--- a/policy/constraints
+++ b/policy/constraints
@@ -25,21 +25,15 @@
# name_list : name | name_list name
#

-define(`basic_ubac_conditions',`
- ifdef(`enable_ubac',`
- u1 == u2
- or u1 == system_u
- or u2 == system_u
- or t1 != ubac_constrained_type
- or t2 != ubac_constrained_type
- ')
-')
-
define(`basic_ubac_constraint',`
ifdef(`enable_ubac',`
constrain $1 all_$1_perms
(
- basic_ubac_conditions
+ u1 == u2
+ or u1 == system_u
+ or u2 == system_u
+ or t1 != ubac_constrained_type
+ or t2 != ubac_constrained_type
);
')
')
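Review bot: The five-clause UBAC expression inlined into `basic_ubac_constraint` has no comment saying what it permits, and the same text is now also written out in `exempted_ubac_constraint` and in the `process` constraint in the two following hunks. I would add one line above each `constrain` statement, e.g. `# UBAC: allowed if same SELinux user, either side is system_u, or either type is not ubac_constrained_type`, plus a line naming the other two copies. That way an exemption added to only one of them reads as a deliberate decision rather than an unnoticed difference in access control between object classes. Keep the comment free of backquotes and apostrophes, because it sits inside an m4-quoted macro body where a stray quote character would end the quoted string early.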
@@ -48,7 +42,11 @@ define(`exempted_ubac_constraint',`
ifdef(`enable_ubac',`
constrain $1 all_$1_perms
(
- basic_ubac_conditions
+ u1 == u2
+ or u1 == system_u
+ or u2 == system_u
+ or t1 != ubac_constrained_type
+ or t2 != ubac_constrained_type
or t1 == $2
);
')
@@ -82,7 +80,11 @@ constrain dir_file_class_set { create relabelto relabelfrom }
ifdef(`enable_ubac',`
constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
(
- basic_ubac_conditions
+ u1 == u2
+ or u1 == system_u
+ or u2 == system_u
+ or t1 != ubac_constrained_type
+ or t2 != ubac_constrained_type
or t1 == ubacproc
);
')
@@ -241,5 +243,4 @@ basic_ubac_constraint(peer)


undefine(`basic_ubac_constraint')
-undefine(`basic_ubac_conditions')
undefine(`exempted_ubac_constraint')

--
James Carter <[email protected]>
National Security Agency


2010-08-25 12:59:36

by cpebenito

Subject: [refpolicy] [m4-isms patch 4/6] Remove basic_ubac_conditions macro

On 08/24/10 15:50, James Carter wrote:
> The macro basic_ubac_conditions is an example of using an m4 macro to
> manipulate text rather than as an interface. Removing it makes the
> constraints file easier to parse.

I suppose this is ok, though it would be nice to have a way to keep the
policy reuse there.

> ---
> policy/constraints | 29 +++++++++++++++--------------
> 1 file changed, 15 insertions(+), 14 deletions(-)
>
> diff --git a/policy/constraints b/policy/constraints
> index 155883b..b901c9f 100644
> --- a/policy/constraints
> +++ b/policy/constraints
> @@ -25,21 +25,15 @@
> # name_list : name | name_list name
> #
>
> -define(`basic_ubac_conditions',`
> - ifdef(`enable_ubac',`
> - u1 == u2
> - or u1 == system_u
> - or u2 == system_u
> - or t1 != ubac_constrained_type
> - or t2 != ubac_constrained_type
> - ')
> -')
> -
> define(`basic_ubac_constraint',`
> ifdef(`enable_ubac',`
> constrain $1 all_$1_perms
> (
> - basic_ubac_conditions
> + u1 == u2
> + or u1 == system_u
> + or u2 == system_u
> + or t1 != ubac_constrained_type
> + or t2 != ubac_constrained_type
> );
> ')
> ')
> @@ -48,7 +42,11 @@ define(`exempted_ubac_constraint',`
> ifdef(`enable_ubac',`
> constrain $1 all_$1_perms
> (
> - basic_ubac_conditions
> + u1 == u2
> + or u1 == system_u
> + or u2 == system_u
> + or t1 != ubac_constrained_type
> + or t2 != ubac_constrained_type
> or t1 == $2
> );
> ')
> @@ -82,7 +80,11 @@ constrain dir_file_class_set { create relabelto relabelfrom }
> ifdef(`enable_ubac',`
> constrain process { sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setrlimit }
> (
> - basic_ubac_conditions
> + u1 == u2
> + or u1 == system_u
> + or u2 == system_u
> + or t1 != ubac_constrained_type
> + or t2 != ubac_constrained_type
> or t1 == ubacproc
> );
> ')
> @@ -241,5 +243,4 @@ basic_ubac_constraint(peer)
>
>
> undefine(`basic_ubac_constraint')
> -undefine(`basic_ubac_conditions')
> undefine(`exempted_ubac_constraint')
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com