checkpolicy: Remove support for role dominance rules

Role dominance has been deprecated for a very, very long time (since at least August 2008) and has never been used in any widely deployed policy. Remove support for compiling role dominance rules. Support will remain, for now, in libsepol for backwards compatibility. Signed-off-by: James Carter <[email protected]> Acked-by: Petr Lautrbach <[email protected]>
stephensmalley · Aug 16, 2023 · e609391 · e609391
1 parent 17c2247
commit e609391
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 200 deletions.
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
@@ -2902,190 +2902,6 @@ int define_roleattribute(void)
 	return 0;
 }
 
-role_datum_t *merge_roles_dom(role_datum_t * r1, role_datum_t * r2)
-{
-	role_datum_t *new;
-
-	if (pass == 1) {
-		return (role_datum_t *) 1;	/* any non-NULL value */
-	}
-
-	new = malloc(sizeof(role_datum_t));
-	if (!new) {
-		yyerror("out of memory");
-		return NULL;
-	}
-	memset(new, 0, sizeof(role_datum_t));
-	new->s.value = 0;		/* temporary role */
-	if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) {
-		yyerror("out of memory");
-		free(new);
-		return NULL;
-	}
-	if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) {
-		yyerror("out of memory");
-		free(new);
-		return NULL;
-	}
-	if (!r1->s.value) {
-		/* free intermediate result */
-		type_set_destroy(&r1->types);
-		ebitmap_destroy(&r1->dominates);
-		free(r1);
-	}
-	if (!r2->s.value) {
-		/* free intermediate result */
-		yyerror("right hand role is temporary?");
-		type_set_destroy(&r2->types);
-		ebitmap_destroy(&r2->dominates);
-		free(r2);
-	}
-	return new;
-}
-
-/* This function eliminates the ordering dependency of role dominance rule */
-static int dominate_role_recheck(hashtab_key_t key __attribute__ ((unused)),
-				 hashtab_datum_t datum, void *arg)
-{
-	role_datum_t *rdp = (role_datum_t *) arg;
-	role_datum_t *rdatum = (role_datum_t *) datum;
-	ebitmap_node_t *node;
-	uint32_t i;
-
-	/* Don't bother to process against self role */
-	if (rdatum->s.value == rdp->s.value)
-		return 0;
-
-	/* If a dominating role found */
-	if (ebitmap_get_bit(&(rdatum->dominates), rdp->s.value - 1)) {
-		ebitmap_t types;
-		ebitmap_init(&types);
-		if (type_set_expand(&rdp->types, &types, policydbp, 1)) {
-			ebitmap_destroy(&types);
-			return -1;
-		}
-		/* raise types and dominates from dominated role */
-		ebitmap_for_each_positive_bit(&rdp->dominates, node, i) {
-			if (ebitmap_set_bit(&rdatum->dominates, i, TRUE))
-				goto oom;
-		}
-		ebitmap_for_each_positive_bit(&types, node, i) {
-			if (ebitmap_set_bit(&rdatum->types.types, i, TRUE))
-				goto oom;
-		}
-		ebitmap_destroy(&types);
-	}
-
-	/* go through all the roles */
-	return 0;
-      oom:
-	yyerror("Out of memory");
-	return -1;
-}
-
-role_datum_t *define_role_dom(role_datum_t * r)
-{
-	role_datum_t *role;
-	char *role_id;
-	ebitmap_node_t *node;
-	unsigned int i;
-	int ret;
-
-	if (pass == 1) {
-		role_id = queue_remove(id_queue);
-		free(role_id);
-		return (role_datum_t *) 1;	/* any non-NULL value */
-	}
-
-	yywarn("Role dominance has been deprecated");
-
-	role_id = queue_remove(id_queue);
-	if (!is_id_in_scope(SYM_ROLES, role_id)) {
-		yyerror2("role %s is not within scope", role_id);
-		free(role_id);
-		return NULL;
-	}
-	role = (role_datum_t *) hashtab_search(policydbp->p_roles.table,
-					       role_id);
-	if (!role) {
-		role = (role_datum_t *) malloc(sizeof(role_datum_t));
-		if (!role) {
-			yyerror("out of memory");
-			free(role_id);
-			return NULL;
-		}
-		memset(role, 0, sizeof(role_datum_t));
-		ret =
-		    declare_symbol(SYM_ROLES, (hashtab_key_t) role_id,
-				   (hashtab_datum_t) role, &role->s.value,
-				   &role->s.value);
-		switch (ret) {
-		case -3:{
-				yyerror("Out of memory!");
-				goto cleanup;
-			}
-		case -2:{
-				yyerror2("duplicate declaration of role %s",
-					 role_id);
-				goto cleanup;
-			}
-		case -1:{
-				yyerror("could not declare role here");
-				goto cleanup;
-			}
-		case 0:
-		case 1:{
-				break;
-			}
-		default:{
-				assert(0);	/* should never get here */
-			}
-		}
-		if (ebitmap_set_bit(&role->dominates, role->s.value - 1, TRUE)) {
-			yyerror("Out of memory!");
-			goto cleanup;
-		}
-	}
-	if (r) {
-		ebitmap_t types;
-		ebitmap_init(&types);
-		ebitmap_for_each_positive_bit(&r->dominates, node, i) {
-			if (ebitmap_set_bit(&role->dominates, i, TRUE))
-				goto oom;
-		}
-		if (type_set_expand(&r->types, &types, policydbp, 1)) {
-			ebitmap_destroy(&types);
-			return NULL;
-		}
-		ebitmap_for_each_positive_bit(&types, node, i) {
-			if (ebitmap_set_bit(&role->types.types, i, TRUE))
-				goto oom;
-		}
-		ebitmap_destroy(&types);
-		if (!r->s.value) {
-			/* free intermediate result */
-			type_set_destroy(&r->types);
-			ebitmap_destroy(&r->dominates);
-			free(r);
-		}
-		/*
-		 * Now go through all the roles and escalate this role's
-		 * dominates and types if a role dominates this role.
-		 */
-		hashtab_map(policydbp->p_roles.table,
-			    dominate_role_recheck, role);
-	}
-	return role;
-      cleanup:
-	free(role_id);
-	role_datum_destroy(role);
-	free(role);
-	return NULL;
-      oom:
-	yyerror("Out of memory");
-	goto cleanup;
-}
-
 static int role_val_to_name_helper(hashtab_key_t key, hashtab_datum_t datum,
 				   void *p)
 {

diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
@@ -70,8 +70,6 @@ int define_validatetrans(constraint_expr_t *expr);
 int expand_attrib(void);
 int insert_id(const char *id,int push);
 int insert_separator(int push);
-role_datum_t *define_role_dom(role_datum_t *r);
-role_datum_t *merge_roles_dom(role_datum_t *r1,role_datum_t *r2);
 uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2);
 
 #endif /* _POLICY_DEFINE_H_ */
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
@@ -76,7 +76,6 @@ typedef int (* require_func_t)(int pass);
 %type <ptr> cond_expr cond_expr_prim cond_pol_list cond_else
 %type <ptr> cond_allow_def cond_auditallow_def cond_auditdeny_def cond_dontaudit_def
 %type <ptr> cond_transition_def cond_te_avtab_def cond_rule_def
-%type <ptr> role_def roles
 %type <valptr> cexpr cexpr_prim op role_mls_op
 %type <val> ipv4_addr_def number
 %type <val64> number64
@@ -311,7 +310,6 @@ te_rbac_decl		: te_decl
                         ;
 rbac_decl		: attribute_role_def
 			| role_type_def
-                        | role_dominance
                         | role_trans_def
  			| role_allow_def
 			| roleattribute_def
@@ -510,8 +508,6 @@ role_type_def		: ROLE identifier TYPES names ';'
 role_attr_def		: ROLE identifier opt_attr_list ';'
  			{if (define_role_attr()) return -1;}
                         ;
-role_dominance		: DOMINANCE '{' roles '}'
-			;
 role_trans_def		: ROLE_TRANSITION names names identifier ';'
 			{if (define_role_trans(0)) return -1; }
 			| ROLE_TRANSITION names names ':' names identifier ';'
@@ -520,16 +516,6 @@ role_trans_def		: ROLE_TRANSITION names names identifier ';'
 role_allow_def		: ALLOW names names ';'
 			{if (define_role_allow()) return -1; }
 			;
-roles			: role_def
-			{ $$ = $1; }
-			| roles role_def
-			{ $$ = merge_roles_dom((role_datum_t*)$1, (role_datum_t*)$2); if ($$ == 0) return -1;}
-			;
-role_def		: ROLE identifier_push ';'
-                        {$$ = define_role_dom(NULL); if ($$ == 0) return -1;}
-			| ROLE identifier_push '{' roles '}'
-                        {$$ = define_role_dom((role_datum_t*)$4); if ($$ == 0) return -1;}
-			;
 roleattribute_def	: ROLEATTRIBUTE identifier id_comma_list ';'
 			{if (define_roleattribute()) return -1;}
 			;