    checkpolicy: Do not automatically upgrade when using "-b" flag · 750cc113
    James Carter authored
    When reading a binary policy, do not automatically change the version
    to the max policy version supported by libsepol or, if specified, the
    value given using the "-c" flag.
    
    If the binary policy version is less than or equal to version 23
    (POLICYDB_VERSION_PERMISSIVE) then do not automatically upgrade the
    policy and if a policy version is specified by the "-c" flag, only set
    the binary policy to the specified version if it is lower than the
    current version.
    
    If the binary policy version is greater than version 23 then it should
    be set to the maximum version supported by libsepol or, if specified,
    the value given by the "-c" flag.
    
    The reason for this change is that policy versions 20
    (POLICYDB_VERSION_AVTAB) to 23 have a more primitive support for type
    attributes where the datums are not written out, but they exist in the
    type_attr_map. This means that when the binary policy is read by
    libsepol, there will be gaps in the type_val_to_struct and
    p_type_val_to_name arrays and policy rules can refer to those gaps.
    Certain libsepol functions like sepol_kernel_policydb_to_conf() and
    sepol_kernel_policydb_to_cil() do not support this behavior and need
    to be able to identify these policies. Policies before version 20 do not
    support attributes at all and can be handled by all libsepol functions.
    Signed-off-by: James Carter <jwcart2@gmail.com>
Name
ru
test
.gitignore
COPYING
Makefile
VERSION
checkmodule.8
checkmodule.c
checkpolicy.8
checkpolicy.c
checkpolicy.h
module_compiler.c
module_compiler.h
parse_util.c
parse_util.h
policy_define.c
policy_define.h
policy_parse.y
policy_scan.l
queue.c
queue.h