commit 1bac758bf6cf884c112b80545d5fc5b668fc7d71 Author: Stephen Smalley Date: Fri Aug 4 09:31:00 2017 -0400 Update VERSION files for 2.7 release. Signed-off-by: Stephen Smalley commit dfda6a5b2cdd7b7e50f567522dbdaadcb2c98b14 Author: Stephen Smalley Date: Fri Jul 28 15:43:47 2017 -0400 Update VERSION files for 2.7-rc6 Signed-off-by: Stephen Smalley commit ae1cd1207605fbe57a895151039e3c3d7c98b2b8 Author: Stephen Smalley Date: Fri Jul 14 12:11:40 2017 -0400 libsepol: Define nnp_nosuid_transition policy capability Define the nnp_nosuid_transition policy capability used to enable SELinux domain transitions under NNP or nosuid if the nnp_transition permission or nosuid_transition permission is allowed between the old and new contexts. When this capability is not enabled, such transitions remain limited to bounded transitions as they were prior to the introduction of this capability. Signed-off-by: Stephen Smalley commit f80ea846989ba59caadf76b995542184b8031c8d Author: Petr Lautrbach Date: Thu Jul 27 15:10:53 2017 +0200 sepolicy: File labels used to be sorted in a man page Signed-off-by: Petr Lautrbach commit 960b943b2fbe0a3ff25802ab465bfafa0f10d5e8 Author: Petr Lautrbach Date: Thu Jul 27 15:10:52 2017 +0200 sepolicy: Make manpage and transition faster SETools4 and Python 3 versions of map() and filter() uses iterators to generates query results and these iterators can't be imply re-used. It makes manpage and transitions operations really slow as they do lot of queries. This patch changes it in the way that it caches results in lists for all types, allow rules and transitions first and use cached results to filter them using Python's filter() function. 
Before: $ time sepolicy manpage -d httpd_t sshd_t init_t real 0m53.486s user 0m53.171s sys 0m0.054s After: $ time sepolicy manpage -d httpd_t sshd_t init_t real 0m10.532s user 0m10.368s sys 0m0.114s Signed-off-by: Petr Lautrbach commit c624c4abaaf3fd7c7661e50be90813a3a5d0e9af Author: Petr Lautrbach Date: Thu Jul 27 15:10:51 2017 +0200 sepolicy: Fix syntax errors in 'manpage -w' Fixes: File "python/sepolicy/sepolicy/manpage.py", line 373, in _gen_css print("%s has been created") % style_css TypeError: unsupported operand type(s) for %: 'NoneType' and 'str' Signed-off-by: Petr Lautrbach commit dabb4c06ca2649b4adc8f63dd62cae2e6f5a55f0 Author: Petr Lautrbach Date: Thu Jul 27 15:10:50 2017 +0200 sepolicy: Fix minor typo in 'transition -s' test Signed-off-by: Petr Lautrbach commit 00548bd9b6f0db071d63b594daf3d6cc6a2bfce6 Author: Tom Cherry Date: Wed Jul 26 13:02:55 2017 -0700 libselinux: fix thread safety issues with lookup_common() There are two problems with lookup_common() and therefore selabel_lookup() and related functions that this patch fixes: 1) A race with the lazy compilation of regexes. Since the struct regex_data is allocated and assigned immediately to the parent struct spec, it's possible for a second thread to see that this pointer is non-NULL before the regex compilation has finished. This typically results in a -1 return from selabel_lookup() with ENOENT as errno. This is fixed by adding synchronization in compile_regex(). 2) A race with PCRE2 regex_match(). A struct pcre2_match_data is created once and used for all regex matches for a given regex. This is problematic if two threads are attempting to evaluate the same regex simultaneously. This typically results in a successful return from selabel_lookup() but with an erroneous selabel. This is fixed by adding a pthread_mutex within regex_match() for PCRE2. Note, on my system, creating new matchdata takes roughly an order of magnitude more time than locking a non-contended pthread_mutex. 
I don't believe programs will have enough contention on this lock to justify that cost. Bug: 63861738 Test: ueventd unit tests Change-Id: I13bf782d81d0a0b896d444e396f307ad0dbacb6a commit 7803c8ca99469efb16b7b8a27201e09ef4e1a5be Author: Dan Cashman Date: Wed Jul 26 08:04:00 2017 -0700 libsepol: cil: enable cpp compilation of cil.h. Signed-off-by: Daniel Cashman commit 9f1730fa397a2bba4254eb4e9c6bcfc2f9ca6090 Author: Stephen Smalley Date: Tue Jul 18 12:01:26 2017 -0400 Update VERSION files for 2.7-rc5 Signed-off-by: Stephen Smalley commit ebd695d5f001f8617caeee4366c31f56e38e08aa Author: Stephen Smalley Date: Tue Jul 18 08:59:50 2017 -0400 open_init_pty: restore stdin/stdout to blocking upon exit At exit, restore stdin and stdout to blocking. Test: run_init id && run_init id Test: open_init_pty bash -c 'echo hello; exec >&- 2>&- <&-; sleep 1;' Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863187 Fixes: https://bugs.gentoo.org/show_bug.cgi?id=621062 Signed-off-by: Stephen Smalley commit bea2c19dd2fd33898b84200327c6912a6c48116a Author: Stephen Smalley Date: Tue Jul 18 08:51:49 2017 -0400 Revert "open_init_pty: Do not make stdin and stdout non-blocking" Making stdin/stdout non-blocking causes open_init_pty to hang if they are closed, ala ./open_init_pty bash -c 'echo hello; exec >&- 2>&- <&-; sleep 1; ' and per https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=474956#10 This reverts commit fb081eb64b36a9de5a43f3d69d9e628b6eb1afc7. Reported-by: Laurent Bigonville Signed-off-by: Stephen Smalley commit fb081eb64b36a9de5a43f3d69d9e628b6eb1afc7 Author: Stephen Smalley Date: Mon Jul 10 13:03:01 2017 -0400 open_init_pty: Do not make stdin and stdout non-blocking It is unclear why this was being done in the first place, and it has caused multiple bugs with run_init/open_init_pty usage. 
Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863187 Fixes: https://bugs.gentoo.org/show_bug.cgi?id=621062 Signed-off-by: Stephen Smalley commit 83fbc0979d390686196db63d6e17d5e5997b2c02 Author: Stephen Smalley Date: Fri Jun 30 13:41:33 2017 -0400 Update VERSION files for 2.7-rc4 release. Signed-off-by: Stephen Smalley commit 57ac60769c7655f262d5655689d8ff0bd3985279 Author: Laurent Bigonville Date: Fri Jun 30 18:09:16 2017 +0200 Fix consistency of PYTHONLIBDIR variable across modules PYTHONLIBDIR is currently also used in sepolgen but has a different behaviour regarding DESTDIR. Let's try to make this consistant. Signed-off-by: Laurent Bigonville commit 1edb93c0ba6fe3f15b4c3ac1795b8132109f53d5 Author: Nicolas Iooss Date: Wed Jun 28 23:42:21 2017 +0200 Travis-CI: test defining CFLAGS, LDFLAGS, etc. on make command line Some Makefiles rely on adding values to variables like CFLAGS, LDFLAGS, etc. For example doing "LDFLAGS += -L../src" does not work fine when LDFLAGS is defined on the command line of "make". Commits 297877ab88ee ("libselinux utils: override LD{FLAGS, LIBS} for libselinux.so in Makefile") and 15f274073322 ("Makefiles: override *FLAGS and *LIBS") recently fixed such issues, by introducing keyword "override" in the relevant Makefile statements. In order to prevent the fixed issues from appearing again, add a test case in Travis-CI configuration file. This case adds on make's command line minimal definitions for CFLAGS and LDFLAGS and empty definitions for CPPFLAGS and LDLIBS. An example of build failure due to a missing override in a required CPPFLAGS addition is provided on https://travis-ci.org/fishilico/selinux/builds/245107609 Signed-off-by: Nicolas Iooss commit 6b9035ddc6a84eb81757022f3b12c66e9f3888aa Author: Nicolas Iooss Date: Wed Jun 28 23:42:20 2017 +0200 libsepol/tests: override CPPFLAGS too A build toolchain may override CPPFLAGS on the command line of "make". 
Doing so currently breaks libsepol/tests compilation, as it requires "-I../include/ -I$(CHECKPOLICY)" to be provided in gcc's arguments. This completes commit 15f274073322 ("Makefiles: override *FLAGS and *LIBS"). Signed-off-by: Nicolas Iooss commit 9a0279e9e9ff295daa47a302a4b98990c1eea3fc Author: Nicolas Iooss Date: Wed Jun 28 23:42:19 2017 +0200 Travis-CI: update the list of Ruby's and Python's versions Travis-CI no longer provides Ruby 2.0 in its Trusty environment (it has been updated according to https://blog.travis-ci.com/2017-06-21-trusty-updates-2017-Q2-launch). Remove this version from .travis.yml. Moreover Python 3.6 and Ruby 3.4 are available. Test building with them. Last by not least, pypy virtual environment directory has been renamed pypy2 (/home/travis/virtualenv/pypy2 is a symbolic link to pypy2-5.6.0). The updated .travis.yml file has been tested on https://travis-ci.org/fishilico/selinux/builds/248126824 Signed-off-by: Nicolas Iooss commit 2d1a6c63c6dd575621774e23d207ef06dc5a3680 Author: Stephen Smalley Date: Wed Jun 28 09:27:57 2017 -0400 libselinux,libsemanage: fix RUBYLIBS definition The RUBYLIBS definition introduced by commit f5b9bc2a06cc165e ("libselinux,libsemanage: link Ruby wrappers with -lruby") did not work on Debian. Fix it based on a patch by Nicolas Iooss. Reported-by: Laurent Bigonville Suggested-by: Nicolas Iooss Signed-off-by: Stephen Smalley commit 6fab7923ce8a256b11b16c5e8c92a3220307c07b Author: Stephen Smalley Date: Fri Jun 23 13:01:45 2017 -0400 Update VERSION files for 2.7-rc3 release. 
Signed-off-by: Stephen Smalley commit 43c0d1f8898d3ed5d3a104ce599b9e09a7f39346 Author: Petr Lautrbach Date: Fri Jun 23 10:20:33 2017 +0200 mcstrans: Allow overriding libsepol.a location during build Signed-off-by: Petr Lautrbach commit 2c651e0a2822368c74587efe6ec920e64e72f37b Author: Patrick Steinhardt Date: Thu Jun 22 11:45:58 2017 +0200 genhomedircon: avoid use of non-standard `getpwent_r` The `getpwent_r` function is a non-standard but reentrant version of the POSIX-defined `getpwent` function. While it should provide the benefit of being safe to use in multi-threaded environments, it disallows us from compiling with libc implementations which stick to the POSIX standard more closely. As libsemanage may be used in a multi-threaded environment, being reentrant may in fact be quite important to us. As such, simply switching out `getpwent_r` against its non-reentrant function can prove quite dangerous. But interestingly enough, the glibc implementation of `getpwent_r` does not even guarantee being reentrant. Quoting from getpwent_r(7): NOTES The function getpwent_r() is not really reentrant since it shares the reading position in the stream with all other threads. As such, it is non-reentrant in the same sense as its simple `getpwent` brother and can simply be switched out without losing any guarantees here. Signed-off-by: Patrick Steinhardt commit ca07a2ad46be141dad90d885dd33a2ac31c6559a Author: Patrick Steinhardt Date: Thu Jun 22 11:45:57 2017 +0200 libselinux: avoid redefining _FORTIFY_SOURCE Two makefiles of ours pass `-D_FORTIFY_SOURCE=2` directly to the preprocessor. While this does not pose any problems when the value has not been previously set, it can break the build if it is part of the standard build flags. The issue can easily be fixed by instead defining `_FORTIFY_SOURCE` without specifying a concrete value. In this case, gcc will not error out and simply keep using the previously defined value. 
On the other hand, if no value has been defined, we will now compile with `_FORTIFY_SOURCE=1`. From feature_test_macros(7): If _FORTIFY_SOURCE is set to 1, with compiler optimization level 1 (gcc -O1) and above, checks that shouldn't change the behavior of conforming programs are performed. With _FORTIFY_SOURCE set to 2, some more checking is added, but some conforming programs might fail. While this leaves us with less checks for buffer overflows, it will only enable checks that should not change behaviour of conforming programs. With _FORTIFY_SOURCE=2, the compiler may even unintentionally change behaviour of conforming programs. So in fact, one could even argue that we should only be setting the value to 1 anyway to avoid surprising side effects. So this patch changes our CFLAGS to only pass `-D_FORTIFY_SOURCE` without any concrete value, fixing the build issue. Signed-off-by: Patrick Steinhardt commit f027db4f2f6f104ade02b5345c74281378966e9e Author: Nicolas Iooss Date: Tue Jun 20 22:29:55 2017 +0200 python/sepolicy: remove definition of SYSCONFDIR This variable is not used in any Makefile in python/. Signed-off-by: Nicolas Iooss commit 47acedf06f66b6ef350e2c71fd9ed33ba9aa8bed Author: Nicolas Iooss Date: Tue Jun 20 22:29:54 2017 +0200 gui: do not create /etc selinux-gui does not install anything in /etc. Do not create this directory when building a package with "make install". Signed-off-by: Nicolas Iooss commit cdd3b1d7288915917a18a9ea11d39882a15989fc Author: Nicolas Iooss Date: Tue Jun 20 22:29:53 2017 +0200 libsemanage/tests: fix linking When -lbz2 is written before libsemanage.a in the linker command line, the linker may fail to find all needed symbols. This occurs for example when building on Ubuntu 14.04 without the gold linker (cf. 
Travis build result https://travis-ci.org/fishilico/selinux/builds/245072498): gcc libsemanage-tests.o test_semanage_store.o test_utilities.o utilities.o -L/home/travis/build/fishilico/selinux/installdir/usr/lib -o libsemanage-tests -lcunit -lbz2 -laudit ../src/libsemanage.a -lselinux -lsepol ../src/libsemanage.a(direct_api.o): In function `bzip': direct_api.c:(.text+0xee6): undefined reference to `BZ2_bzWriteOpen' direct_api.c:(.text+0xf11): undefined reference to `BZ2_bzWriteClose' direct_api.c:(.text+0xf79): undefined reference to `BZ2_bzWrite' direct_api.c:(.text+0xfa1): undefined reference to `BZ2_bzWriteClose' direct_api.c:(.text+0xfe0): undefined reference to `BZ2_bzWriteClose' ../src/libsemanage.a(direct_api.o): In function `bunzip': direct_api.c:(.text+0x114e): undefined reference to `BZ2_bzReadOpen' direct_api.c:(.text+0x1249): undefined reference to `BZ2_bzRead' direct_api.c:(.text+0x13b4): undefined reference to `BZ2_bzReadClose' ../src/libsemanage.a(seusers_local.o): In function `semanage_seuser_audit': seusers_local.c:(.text+0x4c5): undefined reference to `audit_open' seusers_local.c:(.text+0x5b6): undefined reference to `audit_log_semanage_message' seusers_local.c:(.text+0x5cd): undefined reference to `audit_close' As ../src/libsemanage.a is a dependency of $(EXECUTABLE) in the Makefile, use $^ to include it in the command line. While at it, put $^ after $(LDFLAGS) as other Makefiles do. Signed-off-by: Nicolas Iooss commit 7b5699bfd77d4581c6a52687ba2e3cf911348b8f Author: Stephen Smalley Date: Tue Jun 20 10:49:57 2017 -0400 Fix BINDIR/SBINDIR/... variables in Makefiles As reported by Nicolas Iooss, there are still some inconsistencies in the definitions and usage of Makefile variables related to bin and sbin directories. Since we need to still support non-usrmerge systems, we cannot completely synchronize them, but we can eliminate unnecessary differences, remove unused variables, and drop the USRSBINDIR variables. Before: $ find . 
-name Makefile -exec cat {} + |grep '^[A-Z_]*BINDIR' |sort -u BINDIR=$(PREFIX)/bin BINDIR ?= $(PREFIX)/bin BINDIR ?= $(PREFIX)/sbin SBINDIR ?= $(DESTDIR)/sbin SBINDIR ?= $(PREFIX)/sbin USRSBINDIR ?= $(PREFIX)/sbin After: $ find . -name Makefile -exec cat {} + | grep '^[A-Z_]*BINDIR' | sort -u BINDIR ?= $(PREFIX)/bin SBINDIR ?= $(DESTDIR)/sbin SBINDIR ?= $(PREFIX)/sbin This does not change the actual install location of any file. It does drop the legacy symlink from /usr/sbin/load_policy to /sbin/load_policy; packagers can create that separately if desired. Reported-by: Nicolas Iooss Signed-off-by: Stephen Smalley commit 15f27407332268104a411241be33f0cc2c4af2e0 Author: Jason Zaman Date: Tue Jun 20 23:16:41 2017 +0800 Makefiles: override *FLAGS and *LIBS There were several places in the makefiles where LDLIBS or CFLAGS were supposed to include options to build. They were missing the override keyword so would be skipped if these vars were set on the make cmdline. Add the override directive to fix this. Signed-off-by: Jason Zaman commit 34dc7bcc313b49acb6b296665987360b6a0f2224 Author: Patrick Steinhardt Date: Tue Jun 20 16:07:01 2017 +0200 libsepol: replace non-standard use of __BEGIN_DECLS While most header files already use the common pattern of `extern "C"` declarations to enable compiling in a C++ project, some header files in libsepol instead use the macros `__BEGIN_DECLS` and `__END_DECLS`. These macros are defined in the "sys/cdefs.h" header file, which provides some non-standard extensions for glibc. Convert usage of these declarations with the standard `extern "C"` pattern. This improves compatibility with other libc implementations, e.g. musl libc. 
Signed-off-by: Patrick Steinhardt commit 297877ab88eeaf2faeb23bb70a44dbb36698b442 Author: Jason Zaman Date: Sun Jun 18 15:41:49 2017 +0800 libselinux utils: override LD{FLAGS, LIBS} for libselinux.so in Makefile the utils dir link to libselinux.so which was just built, if LDFLAGS or LDLIBS were specificed on the make commandline then the search path is not appended. Add the override directive to fix this. Gentoo-Bug: https://bugs.gentoo.org/621762 Signed-off-by: Jason Zaman commit 08d4b030eaab5c2b6c0eb8feaf36e5dc432f14f9 Author: Stephen Smalley Date: Fri Jun 16 12:50:03 2017 -0400 Update VERSION files for 2.7-rc2 release. Signed-off-by: Stephen Smalley commit 2608b4d6660af0fb8ad93f2cc144bdaab3c2afa8 Author: Vit Mojzis Date: Fri Jun 16 10:29:59 2017 +0200 policycoreutils/fixfiles: do not dereference link files in tmp Files in /tmp, /var/tmp, /var/run and /var/lib/debug labeled as unlabeled_t or undefined_t are relabeled to match corresponding directory label. Stop dereferencing link files in these folders in order not to accidentally change label of other files in the system. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1458831 Signed-off-by: Vit Mojzis commit 5a553e82879e27c24410e1e52719c566eaff2374 Author: James Carter Date: Wed Jun 14 13:30:21 2017 -0400 libsepol/cil: Fix bugs when writing policy.conf rules The typebounds rules should end with a ";". The netifcon and nodecon rules should not end with a ";". The default rules are missing a "_". They should be "default_user", "default_role" and "default_type". Signed-off-by: James Carter commit f2b5aae4aa70e192a26fbf8f8cb0e621db19a25d Author: James Carter Date: Fri Jun 9 10:58:19 2017 -0400 libsepol: Fix neverallow bug when checking conditional policy Commit 9e6840e refactored neverallow checking. In the process a bug was introduced that causes enabled conditional rules to be skipped. The bug is that the avtab key is checked by comparing the specified field of the key to the value AVTAB_ALLOWED. 
Since enabled conditional rules have an additional bit set as well, these rules are not considered to match. The fix is to use a bitwise AND (&) to only check the desired bit. Signed-off-by: James Carter commit 9ddfb4d5446832c3a7c87e3fa37546d8abb3af91 Author: Richard Haines Date: Mon Jun 12 09:31:40 2017 +0100 secilc: Update test policy and documentation for Infiniband CIL updates to support the InfiniBand development. Signed-off-by: Richard Haines commit c8e135ba2252b93a700bf5dbfacf514c704384db Author: Richard Haines Date: Mon Jun 12 09:31:10 2017 +0100 libsepol/cil: ibendportcon fails to resolve in CIL policy Fix named ibendportcon context not resolving correctly. Signed-off-by: Richard Haines commit f6f4876dfce648e94cded4666ec5231f947e50b5 Author: Nicolas Iooss Date: Sun Jun 11 22:44:16 2017 +0200 libsepol: destroy the expanded level when mls_semantic_level_expand() fails In mls_semantic_range_expand(), when a call to mls_semantic_level_expand() fails, the function destroys the semantic level instead of the expanded one. This leads to a use-after-free which is reported by gcc's Address Sanitizer: libsepol.mls_semantic_level_expand: mls_semantic_level_expand: invalid sensitivity level found 128/0. 
libsepol.sepol_module_package_read: invalid module in module package (at section 0) Failed to read policy package ================================================================= ==24456==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000ee58 at pc 0x7fe6c4fb96b4 bp 0x7fffa5ea6b70 sp 0x7fffa5ea6b60 READ of size 8 at 0x60200000ee58 thread T0 #0 0x7fe6c4fb96b3 in mls_semantic_level_destroy /usr/src/selinux/libsepol/src/mls.c:755 #1 0x7fe6c4fb9b88 in mls_semantic_range_destroy /usr/src/selinux/libsepol/src/mls.c:802 #2 0x7fe6c500e8ab in user_datum_destroy /usr/src/selinux/libsepol/src/policydb.c:535 #3 0x7fe6c500e980 in user_destroy /usr/src/selinux/libsepol/src/policydb.c:1390 #4 0x7fe6c4f36c48 in hashtab_map /usr/src/selinux/libsepol/src/hashtab.c:235 #5 0x7fe6c50152da in symtabs_destroy /usr/src/selinux/libsepol/src/policydb.c:1595 #6 0x7fe6c5015433 in policydb_destroy /usr/src/selinux/libsepol/src/policydb.c:1503 #7 0x7fe6c5040e0d in sepol_policydb_free /usr/src/selinux/libsepol/src/policydb_public.c:82 #8 0x7fe6c4fbc503 in sepol_module_package_free /usr/src/selinux/libsepol/src/module.c:143 #9 0x7fe6c4fefefb in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4293 #10 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124 #11 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510) #12 0x402589 in _start (/usr/src/selinux/DESTDIR/usr/libexec/selinux/hll/pp+0x402589) 0x60200000ee58 is located 8 bytes inside of 16-byte region [0x60200000ee50,0x60200000ee60) freed by thread T0 here: #0 0x7fe6c5537ae0 in __interceptor_free /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:45 #1 0x7fe6c4fb969b in mls_semantic_level_destroy /usr/src/selinux/libsepol/src/mls.c:757 #2 0x7fe6c4f02a57 in mls_semantic_range_expand /usr/src/selinux/libsepol/src/expand.c:948 #3 0x7fe6c5007a98 in policydb_user_cache /usr/src/selinux/libsepol/src/policydb.c:939 #4 0x7fe6c4f36c48 in hashtab_map 
/usr/src/selinux/libsepol/src/hashtab.c:235 #5 0x7fe6c5013859 in policydb_index_others /usr/src/selinux/libsepol/src/policydb.c:1286 #6 0x7fe6c5020b65 in policydb_read /usr/src/selinux/libsepol/src/policydb.c:4342 #7 0x7fe6c4fc0cdb in sepol_module_package_read /usr/src/selinux/libsepol/src/module.c:618 #8 0x7fe6c4ff008d in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4276 #9 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124 #10 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510) previously allocated by thread T0 here: #0 0x7fe6c5537e40 in __interceptor_malloc /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:62 #1 0x7fe6c5004efc in mls_read_semantic_level_helper /usr/src/selinux/libsepol/src/policydb.c:1976 #2 0x7fe6c500f596 in mls_read_semantic_range_helper /usr/src/selinux/libsepol/src/policydb.c:2010 #3 0x7fe6c500f596 in user_read /usr/src/selinux/libsepol/src/policydb.c:3258 #4 0x7fe6c502055b in policydb_read /usr/src/selinux/libsepol/src/policydb.c:4286 #5 0x7fe6c4fc0cdb in sepol_module_package_read /usr/src/selinux/libsepol/src/module.c:618 #6 0x7fe6c4ff008d in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4276 #7 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124 #8 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510) SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/selinux/libsepol/src/mls.c:755 in mls_semantic_level_destroy Shadow bytes around the buggy address: 0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa 01 fa fa fa 01 fa 0x0c047fff9db0: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa =>0x0c047fff9dc0: fa fa 00 00 fa fa 00 00 fa fa fd[fd]fa fa fd fd 0x0c047fff9dd0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd 
0x0c047fff9de0: fa fa 04 fa fa fa 00 01 fa fa fd fd fa fa fd fd 0x0c047fff9df0: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa fd fd 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==24456==ABORTING This issue has been found while fuzzing hll/pp with the American Fuzzy Lop. Signed-off-by: Nicolas Iooss commit 2f602f6cb9b6d5e62213378cde920cefc960f7da Author: Stephen Smalley Date: Fri Jun 9 10:36:06 2017 -0400 Update VERSION files for 2.7-rc1 release. Signed-off-by: Stephen Smalley commit d1769a9b8309ec47a938a561648a1f8fff1b9627 Author: Stephen Smalley Date: Fri Jun 9 10:12:32 2017 -0400 libselinux: always unmount selinuxfs for SELINUX=disabled As reported in: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864479 using a kernel configuration with CONFIG_SECURITY_SELINUX_DISABLE=n and a /etc/selinux/config with SELINUX=disabled leads to a boot failure. Fix this by always unmounting selinuxfs if /etc/selinux/config has SELINUX=disabled even if unable to successfully disable SELinux. This will ensure that subsequent is_selinux_enabled() tests will return 0 (disabled) and userspace will therefore skip any SELinux processing. 
Reported-by: Christian Göttsche Reported-by: Laurent Bigonville Signed-off-by: Stephen Smalley commit f9ae34a40440d194b60fbd1ce570b8b094f1a94d Author: James Carter Date: Tue May 9 12:22:20 2017 -0400 libsepol: Expand attributes with TYPE_FLAGS_EXPAND_ATTR_TRUE set Commit 1089665e31a647a5f0ba2eabe8ac6232b384bed9 (Add attribute expansion options) adds an expandattribute rule to the policy.conf language which sets a type_datum flag. Currently the flag is used only when writing out CIL policy from a policy.conf. Make use of the flag when expanding policy to expand policy rules and remove all type associations for an attribute that has TYPE_FLAGS_EXPAND_ATTR_TRUE set. (The attribute will remain in the policy, but have no types associated with it.) Signed-off-by: James Carter commit 738db6077bab41d0d2d4c807c3135e24b9688f40 Author: James Carter Date: Mon Jun 5 11:30:14 2017 -0400 libsepol/cil: Fix bug in cil_reset_ibpkeycon() Nicolas Iooss discovered with clang's static analyzer that cil_reset_ibpkeycon() was checking that ibpkeycon->context was NULL and then passing the NULL value to cil_reset_context() which expected a non-NULL argument. Instead, cil_reset_ibpkeycon() should check if ibpkeycon->context_str is NULL. If it is non-NULL then the context field points to a named context that was created elsewhere and it will be reset there, but if the context_str field is NULL, then the context is not named and needs to be reset. 
Signed-off-by: James Carter commit 641d4ff55be1ded0a46cbfca1f400801e8a337a7 Author: Petr Lautrbach Date: Fri Jun 2 22:01:31 2017 +0200 sepolicy: Fix sorting of port_strings in python 3 Fixes: $ sepolicy network -d httpd_t httpd_t: tcp name_connect Traceback (most recent call last): File /usr/bin/sepolicy, line 699, in args.func(args) File /usr/bin/sepolicy, line 319, in network _print_net(d, tcp, name_connect) File /usr/bin/sepolicy, line 276, in _print_net port_strings.sort(numcmp) TypeError: must use keyword argument for key function Signed-off-by: Petr Lautrbach commit acc43466f5d5f5a14854b863e40bb48165cd6614 Author: Petr Lautrbach Date: Fri Jun 2 22:01:30 2017 +0200 sepolicy/interface: Use relative python 3 imports Fixes: Verify sepolicy interface -c -i works ... Traceback (most recent call last): File "/usr/bin/sepolicy", line 699, in args.func(args) File "/usr/bin/sepolicy", line 508, in interface print_interfaces(args.interfaces, args) File "/usr/bin/sepolicy", line 492, in print_interfaces interface_compile_test(i) File "/usr/lib/python3.6/site-packages/sepolicy/interface.py", line 226, in interface_compile_test fd.write(generate_compile_te(interface, idict)) File "/usr/lib/python3.6/site-packages/sepolicy/interface.py", line 184, in generate_compile_te from templates import test_module ModuleNotFoundError: No module named 'templates' Signed-off-by: Petr Lautrbach commit 0be11881d1b2f2fd83b85ca54ed069c07a2b0f92 Author: Steve Lawrence Date: Fri Jun 2 07:21:07 2017 -0400 libsepol/cil: fix error check in new cil_resolve_name This prevented cil_resolve_name() from returning an actual thing when a name resolved to an alias. This appears to have only affected resolution dealing with sensitivity and category aliases. Type aliases were not affected since places that dealt with types handled type aliases specifically and did not rely on this behavior from cil_resolve_name(). 
Signed-off-by: Steve Lawrence commit 31f532aacba06aa1110e57cc3ed14a78ca70c838 Author: Stephen Smalley Date: Thu Jun 1 15:26:53 2017 -0400 libselinux: fix selabel_lookup*() double slash bug As originally reported in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854 , "systemd-hwdb --usr update" was assigning /lib/udev/hwdb.bin the wrong security context. This turned out to be a result of systemd-hwdb calling selabel_lookup_raw() with a path with a leading double slash (//lib/udev/hwdb.bin). While the selabel file backend already removes duplicate slashes, this was occurring after any substitution matching and replacement had occurred in the generic selabel frontend, and thus the double slash was still preventing the /lib -> /usr/lib substitution specified by file_contexts.subs_dist from occurring. As a consequence, the final path (/lib/udev/hwdb.bin) used to look up did not match the /usr/lib/udev/[^/]* entry in file_contexts. There were two options for resolving: 1) move the double slash removal to the selabel frontend code before substitutions, or 2) move the substitution processing to the selabel file backend code after double slash removal. Since substitutions are currently only supported for the file backend, and since the slash character may have no particular meaning in the keys for other backends, it seems more correct to do the latter. This has the advantage of taking all of the substitution data structures and code private to the selabel file backend. Test case: Compare the output of: selabel_lookup -r -b file -k //lib/udev/hwdb.bin versus: selabel_lookup -r -b file -k /lib/udev/hwdb.bin Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863854 Reported-by: Russell Coker Reported-by: Michael Biebl Reported-by: Laurent Bigonville Signed-off-by: Stephen Smalley commit c18ea1df62780df033ba1f698f232ccd17587081 Author: Bernhard M. Wiedemann Date: Tue May 30 16:21:32 2017 +0200 sort input files when building packages (e.g. 
for openSUSE Linux) (random) filesystem order of input files influences ordering of functions in the output, thus without the patch, builds (in disposable VMs) would usually differ. See https://reproducible-builds.org/ for why this matters. commit 22ac4f9bd388dc3b36d17194fe697987e49325e8 Author: Stephen Smalley Date: Wed May 31 16:14:20 2017 -0400 libsepol: Fix alloc-size-larger-than warning from gcc 7 Fixes the following warning from gcc 7: In function ‘name_list_to_string’, inlined from ‘constraint_expr_to_string’ at module_to_cil.c:1790:8: module_to_cil.c:1135:6: warning: argument 1 range [18446744071562067968, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=] str = malloc(len); ~~~~^~~~~~~~~~~~~ In file included from module_to_cil.c:36:0: module_to_cil.c: In function ‘constraint_expr_to_string’: /usr/include/stdlib.h:443:14: note: in a call to allocation function ‘malloc’ declared here extern void *malloc (size_t __size) __THROW __attribute_malloc__ __wur; ^~~~~~ While we are here, fix a few other issues too. The usage of snprintf was wrong and unnecessary; we just allocated the string to be the right size, so we should just fill it. Signed-off-by: Stephen Smalley commit f60244365c3da29f1fa1d1a2433287de36c252f8 Author: Stephen Smalley Date: Wed May 31 16:14:19 2017 -0400 libsemanage: Fix snprintf warnings from gcc 7 Fixes the following warning from gcc7 by increasing the buffer size to PATH_MAX. 
semanage_store.c: In function ‘semanage_remove_directory’:
semanage_store.c:819:30: warning: ‘%s’ directive output may be truncated writing up to 255 bytes into a region of size 254 [-Wformat-truncation=]
snprintf(s, sizeof(s), "%s/%s", path, namelist[i]->d_name);
^~
semanage_store.c:819:3: note: ‘snprintf’ output 2 or more bytes (assuming 257) into a destination of size 255
snprintf(s, sizeof(s), "%s/%s", path, namelist[i]->d_name);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Stephen Smalley

commit e41ae676c253760621e81bc9745e8ecf8175f085
Author: Stephen Smalley
Date: Wed May 31 16:14:18 2017 -0400

libsepol,libsemanage,libselinux: Fix fallthrough warnings from gcc 7

https://developers.redhat.com/blog/2017/03/10/wimplicit-fallthrough-in-gcc-7/

Fixes the following warnings by annotating with a /* FALLTHRU */ comment. Unfortunately, the __attribute__ ((fallthrough)); approach does not appear to work with older compilers.

../cil/src/cil_parser.c: In function ‘cil_parser’:
../cil/src/cil_parser.c:253:14: warning: this statement may fall through [-Wimplicit-fallthrough=]
tok.value = tok.value+1;
~~~~~~~~~~^~~~~~~~~~~~~
../cil/src/cil_parser.c:254:3: note: here
case SYMBOL:
^~~~
../cil/src/cil_parser.c:275:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (tok.type != END_OF_FILE) {
^
../cil/src/cil_parser.c:279:3: note: here
case END_OF_FILE:
^~~~
../cil/src/cil_post.c: In function ‘cil_post_fc_fill_data’:
../cil/src/cil_post.c:104:5: warning: this statement may fall through [-Wimplicit-fallthrough=]
c++;
~^~
../cil/src/cil_post.c:105:3: note: here
default:
^~~~~~~
regex.c: In function ‘regex_format_error’:
regex.c:541:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:542:2: note: here
case 3:
^~~~
regex.c:543:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:544:2: note: here
case 2:
^~~~
regex.c:545:10:
warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:546:2: note: here
case 1:
^~~~
regex.c: In function ‘regex_format_error’:
regex.c:541:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:542:2: note: here
case 3:
^~~~
regex.c:543:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:544:2: note: here
case 2:
^~~~
regex.c:545:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:546:2: note: here
case 1:
^~~~
modules.c: In function ‘semanage_module_get_path’:
modules.c:602:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (file == NULL) file = "hll";
^
modules.c:603:3: note: here
case SEMANAGE_MODULE_PATH_CIL:
^~~~
modules.c:604:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (file == NULL) file = "cil";
^
modules.c:605:3: note: here
case SEMANAGE_MODULE_PATH_LANG_EXT:
^~~~

Signed-off-by: Stephen Smalley

commit 187a44d05884c2cc06c32aa010a4af4b76945a65
Author: James Carter
Date: Tue May 30 14:43:32 2017 -0400

libsepol: Fix module_to_cil's handling of type aliases

Type aliases present a problem for module_to_cil because they are not in the sym_val_to_name table that it uses to write declarations. Type aliases are gathered by going through the decl_ids list and then the alias declaration is written out when the block with that scope id is handled. This doesn't work if a type alias appears in a require block, since the require cannot be distinguished from the declaration. The result is two declarations of the alias and an error when secilc compiles the policy.

Because of the work cleaning up scope handling, the alias declaration will always be at the end of the decl_ids list, so now only gather the last scope id.
Also, when an alias is used in a module it is required as a type and it will appear in the sym_val_to_name table. When that occurs, just skip the alias when writing out types.

Signed-off-by: James Carter

commit c8a7edc614ee3abe63d6f4a8d7fa9c0d342599b7
Author: James Carter
Date: Tue May 30 14:22:46 2017 -0400

libsepol: Clean up scope handling

Currently, when checking if an identifier is enabled, each scope in the decl_ids list is checked. This means that if any block that requires the identifier is enabled, then the identifier will be treated as being declared.

Now, declarations will be kept at the end of the decl_ids list and when checking if an identifier is enabled, only the last scope will be checked (Except for roles and users which allow multiple declarations, they will have to keep the old behavior.)

Signed-off-by: James Carter

commit 800f6b2a89773cf0850ebd0776bcd57e38c7bd34
Author: James Carter
Date: Thu Jun 1 12:43:31 2017 -0400

libsepol/cil: Remove unneeded null checks of unused parameters

Issue reported by Nicolas Iooss

Signed-off-by: James Carter

commit a522d5765d38e6377ccd64b86d6148bb78fcf7b5
Author: Nicolas Iooss
Date: Wed May 31 22:06:14 2017 +0200

libsepol: do not use handle when it is marked unused

Assigning NULL to handle does not perform anything useful and clang complains about this:

ibendports.c:122:2: error: 'handle' was marked unused but was used [-Werror,-Wused-but-marked-unused]
handle = NULL;
^
ibpkeys.c:115:2: error: 'handle' was marked unused but was used [-Werror,-Wused-but-marked-unused]
handle = NULL;
^

Signed-off-by: Nicolas Iooss

commit e501d3b6e8d20599feaffa0c46e49af44718804b
Author: Steve Lawrence
Date: Thu Jun 1 09:23:24 2017 -0400

libsepol/cil: better error message with duplicate aliases + support aliases to aliases

- If two typealiasactual statements exist for the same typealias, we get a confusing error message mentioning that the actual argument is not an alias, which is clearly allowed.
This poor error occurs because the first typealiasactual statement resolves correctly, but when we resolve the alias in the second typealiasactual statement, cil_resolve_name tries to return what the alias points to, which is a type and not the required typealias. This patch creates a new function that does not perform the alias to actual conversion, used when we want an alias and not what the alias points to. This allows the cil_resolve_aliasactual to continue and reach the check for duplicate typealiasactual statements, resulting in a more meaningful error message.

- Add back support for aliases to aliases (broken in 5c9fcb02e), while still ensuring that aliases point to either the correct actual flavor or alias flavor, and not something else like a typeattribute.

Signed-off-by: Steve Lawrence

commit 5c9fcb02ec23a7dac87986062045a91a91916b7c
Author: Steve Lawrence
Date: Tue May 30 12:32:06 2017 -0400

libsepol/cil: fix aliasactual resolution errors

- Set rc to SEPOL_ERR if the alias part of an aliasactual statement does not resolve to the correct alias flavor (e.g. typealias, senalias, catalias)
- Add an error check if the actual part of an aliasactual statement does not resolve to the correct actual flavor (type, sens, cat)

Signed-off-by: Steve Lawrence

commit a2fe18614bff233e663533f53e547a338b65ff32
Author: Daniel Jurgens
Date: Tue May 30 16:26:41 2017 +0300

semanage: Fix manpage author for ibpkey and ibendport pages.

Signed-off-by: Daniel Jurgens

commit 5219dec6fef01c6573c612da9f7db3cf2feb6de6
Author: Stephen Smalley
Date: Fri May 26 10:33:57 2017 -0400

python/semanage: print is a function in python3

Signed-off-by: Stephen Smalley

commit 5b61d8fba886b6aa7198e1ff755ce9486b9a87d5
Author: Petr Lautrbach
Date: Fri May 26 16:09:51 2017 +0200

Fix recently introduced TabError's

Commits a3d2c7a 6a7a5aa introduced inconsistent use of tabs and spaces in indentation, which makes python3.6 unhappy.
Signed-off-by: Petr Lautrbach

commit 914691cc2a8d2bffe5e31a292b90936b2b76f543
Author: Nicolas Iooss
Date: Mon May 22 23:45:55 2017 +0200

libsepol: make role_list_destroy() do nothing when role_list is NULL

When a function called by sepol_module_policydb_to_cil() fails before role_list_create() has been called, role_list is still NULL but is dereferenced in role_list_destroy(). Here is a gdb session on hll/pp:

Unknown value for handle-unknown: 6

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a68a37 in role_list_destroy () at module_to_cil.c:215
215 struct list_node *curr = role_list->head;
(gdb) bt
#0 0x00007ffff7a68a37 in role_list_destroy () at module_to_cil.c:215
#1 sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79925e0 <_IO_2_1_stdout_>, pdb=, linked=linked@entry=0) at module_to_cil.c:4060
#2 0x00007ffff7a6ac75 in sepol_module_package_to_cil (fp=fp@entry=0x7ffff79925e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at module_to_cil.c:4080
#3 0x0000000000401a58 in main (argc=, argv=) at pp.c:150

This issue has been found while fuzzing hll/pp with the American Fuzzy Lop.

Signed-off-by: Nicolas Iooss

commit b217ffd77e265e1e5ca61c32443cd5b631e2102c
Author: Daniel Jurgens
Date: Mon May 22 16:08:31 2017 +0300

semanage: Update man pages for infiniband

Update the main man page and add specific pages for ibpkeys and ibendports.

Signed-off-by: Daniel Jurgens

commit 9a3d2c7a9b78f7ca04977a4c5a6bda4c8875c89c
Author: Daniel Jurgens
Date: Mon May 22 16:08:30 2017 +0300

semanage: Update semanage to allow runtime labeling of ibendports

Update libsepol and libsemanage to work with ibendport records. Add local storage for new and modified ibendport records in ibendports.local. Update semanage to parse the ibendport command options to add, modify, and delete them.
Signed-off-by: Daniel Jurgens

commit 6a7a5aafe52aa7dbd2daab1645829fd9821e716f
Author: Daniel Jurgens
Date: Mon May 22 16:08:29 2017 +0300

semanage: Update semanage to allow runtime labeling of Infiniband Pkeys

Update libsepol and libsemanage to work with pkey records. Add local storage for new and modified pkey records in pkeys.local. Update semanage to parse the pkey command options to add, modify, and delete pkeys.

Signed-off-by: Daniel Jurgens

commit 28663ff13555894e80c3fc9795bc2b77a38a7f36
Author: Daniel Jurgens
Date: Mon May 22 16:08:28 2017 +0300

libsepol: Add IB end port handling to CIL

Add IB end port parsing, symbol table management, and policy generation to CIL.

Signed-off-by: Daniel Jurgens

commit 118c0cd1038efb8d869db70753d2ac449f4fda9b
Author: Daniel Jurgens
Date: Mon May 22 16:08:27 2017 +0300

libsepol: Add ibendport ocontext handling

Add support for reading, writing, and copying IB end port ocontext data. Also add support for querying an IB end port sid to checkpolicy.

Signed-off-by: Daniel Jurgens

commit 5bc05dd2a52755b1f9d16fc12fea74e54c71bf5b
Author: Daniel Jurgens
Date: Mon May 22 16:08:26 2017 +0300

checkpolicy: Add support for ibendportcon labels

Add checkpolicy support for scanning and parsing ibendportcon labels. Also create a new ocontext for IB end ports.

Signed-off-by: Daniel Jurgens

commit e564f7b5bd51d8d8272f4e564fbf0ec3fd21de68
Author: Daniel Jurgens
Date: Mon May 22 16:08:25 2017 +0300

libsepol: Add Infiniband Pkey handling to CIL

Add Infiniband pkey parsing, symbol table management, and policy generation to CIL.

Signed-off-by: Daniel Jurgens

commit 9fbb3112769a7931777f30894156d981b6933415
Author: Daniel Jurgens
Date: Mon May 22 16:08:24 2017 +0300

libsepol: Add ibpkey ocontext handling

Add support for reading, writing, and copying Infiniband Pkey ocontext data. Also add support for querying a Pkey sid to checkpolicy.
Signed-off-by: Daniel Jurgens

commit 5b203145fd7a8f4df8cfa1c4d7381d1d0a001f6e
Author: Daniel Jurgens
Date: Mon May 22 16:08:23 2017 +0300

checkpolicy: Add support for ibpkeycon labels

Add checkpolicy support for scanning and parsing ibpkeycon labels. Also create a new ocontext for Infiniband Pkeys and define a new policydb version for infiniband support.

Signed-off-by: Daniel Jurgens

commit bfd61a3ec70b7d614f7d778e0959560f79fd7c4a
Author: Nicolas Iooss
Date: Sat May 20 12:11:41 2017 +0200

libsepol: use the number of elements in calloc first argument

When allocating an array with calloc(), the first argument usually is the number of items and the second one the size of an item. Doing so silences a warning reported by clang's static analyzer:

kernel_to_cil.c:2050:14: warning: Call to 'calloc' has an allocation size of 0 bytes.
cond_data = calloc(sizeof(struct cond_data), num);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Nicolas Iooss

commit d00cc134837c36b47c374414668b29c4489b2725
Author: Nicolas Iooss
Date: Sat May 20 12:11:40 2017 +0200

libsepol: propagate calloc() failure

When common_to_cil() or class_to_cil() fail to allocate an array to map a permissions hashtable (for example when permissions.nprim is too big), class_perm_to_array() gets called on a NULL pointer. Fix this.

This issue has been found while fuzzing hll/pp with the American Fuzzy Lop.

Signed-off-by: Nicolas Iooss

commit 8fe362f0121ab6d82f646ae51948a8df4a8834c6
Author: Nicolas Iooss
Date: Wed May 17 22:53:24 2017 +0200

libsepol: remove unused attribute on a used argument

Since commit 58962eb3d847 ("libsepol,checkpolicy: add binary module support for xperms") function avrule_read() has been using its "p" argument even though it was previously marked unused. This makes clang report:

policydb.c:3276:7: error: 'p' was marked unused but was used [-Werror,-Wused-but-marked-unused].
if (p->policyvers < MOD_POLICYDB_VERSION_XPERMS_IOCTL) {
^

Remove the attribute to make the code consistent again.
Signed-off-by: Nicolas Iooss

commit 5c84f24a175b92e12925799c9d9ec2bc490573b6
Author: Nicolas Iooss
Date: Wed May 17 22:51:46 2017 +0200

libselinux: propagate selabel_subs_init() errors

Memory allocation failures in selabel_subs_init() should be fatal, contrary to failures which come from the non-existence of the substitution files (subs or subs_dist). Modify selabel_subs_init()'s prototype in order to return the error state. This forces the pointer to the created substitution list to be moved to an output function argument.

Signed-off-by: Nicolas Iooss

commit 55fe40ac77b2a419cd9ade9de07e06d31ca18c5c
Author: Nicolas Iooss
Date: Wed May 17 22:51:45 2017 +0200

libselinux: rework selabel_subs_init() to avoid use-after-free

In selabel_subs_init(), when digest_add_specfile() fails, the returned value is a pointer to data which has been freed (because label "err" frees variable "sub" which is equal to the returned variable, "list").

Moreover since commit fd56c5230cea ("Separate out the calling of local subs and dist subs in selabel_sub"), argument "list" of selabel_subs_init() has always been NULL (rec->subs and rec->dist_subs are both initialized to NULL in selabel_open() before selabel_file_init() is called).

Drop selabel_file_init()'s "list" argument and free all the list items which have been allocated in this function, when the code encounters an error.

Signed-off-by: Nicolas Iooss

commit 58962eb3d847bd4bfd37c6790d13f361bbe543f9
Author: Stephen Smalley
Date: Mon May 15 12:21:45 2017 -0400

libsepol,checkpolicy: add binary module support for xperms

Presently we support xperms rules in source policy and in CIL modules. The binary policy module format however was never extended for xperms. This limitation inhibits use of xperms in refpolicy-based policy modules (including the selinux-testsuite policy). Update libsepol to support linking, reading, and writing a new binary policy module version that supports xperms rules.
Update dismod to display xperms rules in binary policy modules.

Also, to support use of a non-base binary policy module with a newer version on a system using a base policy module with an older version, automatically upgrade the version during module linking. This facilitates usage of newer features in non-base modules without requiring rebuilding the base module.

Tests:
1. Add an allowxperms rule to the selinux-testsuite policy and confirm that it is properly written to the binary policy module (displayed by dismod), converted to CIL (the latter was already supported), and included in the kernel policy (via dispol and kernel test).
2. Use semodule_link and semodule_expand to manually link and expand all of the .pp files via libsepol, and confirm that the allowxperms rule is correctly propagated to the kernel policy. This test is required to exercise the legacy link/expand code path for binary modules that predated CIL.

Signed-off-by: Stephen Smalley

commit d819de173de203223a0f30a0bc2e0fa2663ba629
Author: Nicolas Iooss
Date: Fri May 12 22:13:57 2017 +0200

libselinux: close the subs file if fstat failed

selabel_subs_init() returned without closing cfg when a call to fstat() failed. Fix this.

Signed-off-by: Nicolas Iooss

commit 4a0fab43cbe595b108e35026295130c7dbc2274b
Author: Nicolas Iooss
Date: Fri May 12 22:13:56 2017 +0200

libsepol/cil: do not use an uninitialized value in __cil_fqn_qualify_blocks

In __cil_fqn_qualify_blocks(), when newlen >= CIL_MAX_NAME_LENGTH, cil_tree_log() is called with child_args.node as argument but this value has not been initialized yet. Use local variable node instead, which is initialized early enough in the function.

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss

commit 9cc62ce35d099acf7897b6259228479737521709
Author: Tom Cherry
Date: Thu May 11 16:50:02 2017 -0700

procattr.c: Use __BIONIC__ instead of __ANDROID__

This check is not specific to Android devices.
If libselinux were used with Bionic on a normal Linux system this check would still be needed.

Signed-off-by: Tom Cherry

commit c3118041df74124c5b8b8d769354bb0ca4c5ac19
Author: Stephen Smalley
Date: Wed May 10 10:20:05 2017 -0400

checkpolicy,libsepol: drop unnecessary usage of s6_addr32

s6_addr32 is not portable; use s6_addr instead. This obviates the need for #ifdef __APPLE__ conditionals in these cases.

Signed-off-by: Stephen Smalley

commit 3db61481adae53f4578af96a7ae56f55da4b9ec9
Author: Alan Jenkins
Date: Sun May 7 12:05:56 2017 +0100

policycoreutils: fixfiles: use a consistent order for options to restorecon

It helps see the differences (hopefully there are only intended differences now!).

Signed-off-by: Alan Jenkins

commit c51b99acbc38d03cbc5e9b6d451b467e6c5343b0
Author: Alan Jenkins
Date: Sun May 7 12:05:55 2017 +0100

policycoreutils: fixfiles: don't ignore `-F` when run in `-C` mode

This was supposedly fixed in 2009.
http://selinux.fedoraproject.narkive.com/ZskMsNrx/fixfiles-f-option

`-F` was mentioned again in 2013 (commit 2910ca21). It doesn't look like `-F -C` was fixed though.

Signed-off-by: Alan Jenkins

commit 6e289bb7bf3dc6abc9b2c46f809e83512c9f5db4
Author: Alan Jenkins
Date: Sun May 7 12:05:54 2017 +0100

policycoreutils: fixfiles: remove bad modes of "relabel" command

* `fixfiles -B relabel` or `fixfiles -C previouscontext relabel` would skip the code that handles e.g. `/var/tmp`, which would be run by `fixfiles relabel`. It would still remove all files in /tmp (subject to user confirmation). This is confusing, undocumented, and unlikely to be intentional.

* `fixfiles relabel path1 path2` is the same, except it would only relabel the first path.

* `fixfiles -R ... relabel` was equivalent to `fixfiles -R ... restore`, again contradicting the man page.

Also `fixfiles onboot` would ignore paths, -C, or -R.

fixfiles is mostly for users, where it should be acceptable to remove these non-sensical combinations.
`fixfiles -C` is used in selinux-policy rpm install scripts. However I believe the rpms used `fixfiles -C previouscontext restore`, and did not either require user interaction or blow away /tmp without prompting. So they should still work fine.

With these combinations removed, we can remove the `exit` calls which were seen in some of the (non-error) code paths in `restore()`.

Signed-off-by: Alan Jenkins

commit 96d11a281e47237cb651ad31036f9349b528f533
Author: Alan Jenkins
Date: Sun May 7 12:05:53 2017 +0100

policycoreutils: fixfiles: un-document `-R -a` option

`fixfiles -R -a` is much less useful than it was made to sound, because -R now works recursively. Therefore `fixfiles -R -a` relabels every file on the system, multiple times. On my system it took over 5 times as long as plain `fixfiles` (which takes about a minute).

Signed-off-by: Alan Jenkins

commit 3475893b6f369b880267e920a5604174b6eaa3cd
Author: Alan Jenkins
Date: Sun May 7 12:05:52 2017 +0100

policycoreutils: fixfiles: refactor into the `set -u` dialect

This commit allows the use of `set -u` to detect reads of unset variables. But what I really liked was making the code more explicit about these modes. I hope that this is easier for a new reader to reason about.

`fixfiles restore` has accumulated five different modes it can run in. Now use a single variable to indicate the mode, out-of-band of the variables used for the individual modes.

Apparently `set -u` / `set -o nounset` doesn't work correctly with arrays. If we ever need bash arrays, we can simply remove `set -u`. The `set -u` dialect is a strict subset. See http://mywiki.wooledge.org/BashFAQ/112

Extra notes:

RESTORE_MODE was created because I couldn't bring myself to use an empty FILEPATH, as a special case to indicate the default mode. Arguments to the script (paths) could be empty already, so it would mean I had to work out how we behaved in that case and decide whether it was reasonable.
It turns out the `-B | -N time` mode is distinct and does not respect paths. So we can tell the user we're not going to do anything with the paths they passed. Make sure this distinction is shown in the usage error message.

We already rejected the combination of `-R rpmpackage,... dir/file...`. Being aware of the different modes just causes more bogus combinations to be rejected.

Signed-off-by: Alan Jenkins

commit f499b02feb48803a094340b2cba6030f8ed163ad
Author: Alan Jenkins
Date: Sun May 7 12:05:51 2017 +0100

policycoreutils: fixfiles: if restorecon aborts, we should too

New users may try something like `fixfiles restore -v /dir/file` - not realizing they are required to use `fixfiles -v restore /dir/file`.

Detect that `restorecon` aborts due to being run on the non-existent file `-v`, and stop immediately. This will show the error much more clearly, instead of continuing to restore `/dir/file` *without* verbose messages.

Signed-off-by: Alan Jenkins

commit 2aa88f72012efbde1bcd9b35d5b4084d497ae488
Author: Alan Jenkins
Date: Sun May 7 12:05:50 2017 +0100

policycoreutils: fixfiles: usage errors are fatal

The idea is to print a usage error, then terminate with EXIT_FAILURE.

Don't print the usage error twice when run with no command.

Don't try to check for bogus extra arguments _after_ performing a long-running operation... particularly if that operation terminates the script with EXIT_SUCCESS first.

Signed-off-by: Alan Jenkins

commit 658800ef3d505de6cf4e73576d1377a70b53e260
Author: Alan Jenkins
Date: Sun May 7 12:05:49 2017 +0100

policycoreutils: fixfiles: syntax error

$ shellcheck fixfiles
...
In fixfiles line 94:
[[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
^-- SC2076: Don't quote rhs of =~, it'll match literally rather than as a regex.
Signed-off-by: Alan Jenkins

commit 42f91ba2912f1c96bf2dc922803b7e3f4b0d3952
Author: Alan Jenkins
Date: Sun May 7 12:05:48 2017 +0100

policycoreutils: fixfiles: remove two unused variables

DIRS was suspicious because you can't store file names in a normal variable, and it's not that common to use arrays in bash. It's not actually used.

While we're here, there's another variable which is never used and should just be removed.

(Pointed out by `shellcheck`. It makes a couple of other points too, but I have more specific patches I want to put those in).

Signed-off-by: Alan Jenkins

commit ce2a7fb1436c094ba36bf7b35c05aba9989430ee
Author: Alan Jenkins
Date: Sun May 7 12:05:47 2017 +0100

policycoreutils: fixfiles: tidy up usage(), manpage synopsis

Make sure usage() in fixfiles shows all the current options. It's printed when there's a user error, so it needs to be helpful! (Excluding the deprecated option - see below).

manpage:

Remove the deprecated option `-l logfile`.

Add missing space in `restore|[-f] relabel`.

It's not clear why `-R rpmpackagename` was considered optional in the second invocation. (If the user omits it, they are just performing the first invocation). It doesn't match usage() in fixfiles either.

Clean up bolding for `fixfiles onboot`.

Disable justification (troff "adjustment") in the synopsis. We want the common options in the different invocations to line up consistently.

Signed-off-by: Alan Jenkins

commit 1089665e31a647a5f0ba2eabe8ac6232b384bed9
Author: Jeff Vander Stoep
Date: Thu May 4 14:36:49 2017 -0700

Add attribute expansion options

This commit adds attribute expansion statements to the policy language allowing compiler defaults to be overridden.
Always expands an attribute example:
expandattribute { foo } true;
CIL example:
(expandtypeattribute (foo) true)

Never expand an attribute example:
expandattribute { bar } false;
CIL example:
(expandtypeattribute (bar) false)

Adding the annotations directly to policy was chosen over other methods as it is consistent with how targeted runtime optimizations are specified in other languages. For example, in C the "inline" command.

Motivation

expandattribute true:
Android has been moving away from a monolithic policy binary to a two part split policy representing the Android platform and the underlying vendor-provided hardware interface. The goal is a stable API allowing these two parts to be updated independently of each other. Attributes provide an important mechanism for compatibility. For example, when the vendor provides a HAL for the platform, permissions needed by clients of the HAL can be granted to an attribute. Clients need only be assigned the attribute and do not need to be aware of the underlying types and permissions being granted. Inheriting permissions via attribute creates a convenient mechanism for independence between vendor and platform policy, but results in the creation of many attributes, and the potential for performance issues when processes are clients of many HALs. [1] Annotating these attributes for expansion at compile time allows us to retain the compatibility benefits of using attributes without the performance costs. [2]

expandattribute false:
Commit 0be23c3f15fd added the capability to aggressively remove unused attributes. This is generally useful as too many attributes assigned to a type results in lengthy policy look up times when there is a cache miss. However, removing attributes can also result in loss of information used in external tests. On Android, we're considering stripping neverallow rules from on-device policy. This is consistent with the kernel policy binary which also did not contain neverallows.
Removing neverallow rules results in a 5-10% decrease in on-device policy build and load and a policy size decrease of ~250k. Neverallow rules are still asserted at build time and during device certification (CTS). If neverallow rules are absent when secilc is run, some attributes are being stripped from policy and neverallow tests in CTS may be violated. [3] This change retains the aggressive attribute stripping behavior but adds an override mechanism to preserve attributes marked as necessary.

[1] https://github.com/SELinuxProject/cil/issues/9
[2] Annotating all HAL client attributes for expansion resulted in system_server's dropping from 19 attributes to 8. Because these attributes were not widely applied to other types, the final policy size change was negligible.
[3] data_file_type and service_manager_type are stripped from AOSP policy when using secilc's -G option. This impacts 11 neverallow tests in CTS.

Test: Build and boot Marlin with all hal_*_client attributes marked for expansion. Verify (using seinfo and sesearch) that permissions are correctly expanded from attributes to types.
Test: Mark types being stripped by secilc with "preserve" and verify that they are retained in policy and applied to the same types.

Signed-off-by: Jeff Vander Stoep

commit 63aa7fc036a8a99337a4b032269065e89a7cf3fc
Author: Stephen Smalley
Date: Tue May 9 10:47:39 2017 -0400

libselinux: Fix CFLAGS definition

commit 16c123f4b1f3c8d20b3f597df161d7e635620923 ("libselinux: support ANDROID_HOST=1 on Mac") split up warning flags in CFLAGS based on compiler support in a manner that could lead to including a subset that is invalid, e.g. upon make DESTDIR=/path/to/dest install. Fix it.
Signed-off-by: Stephen Smalley

commit 3376ac498e36de3094574f925f9e7b8cf3d21976
Author: Christian Göttsche
Date: Sat May 6 15:08:48 2017 +0200

sestatus: show checkreqprot status

Show the current active checkreqprot state in sestatus

commit d1ff68ffee88c5a0958061148470d79cac060dad
Author: Christian Göttsche
Date: Sat May 6 15:08:47 2017 +0200

libselinux: add security_get_checkreqprot

Add security_get_checkreqprot() function, returning the current active checkreqprot value

commit 4d7dee28f4581f045748fc78097b72f2e2f907e4
Author: Petr Lautrbach
Date: Fri May 5 12:12:33 2017 +0200

libsepol/utils: Fix build without system sepol.h

fcb5d5c removed ../include from CFLAGS from libsepol/utils/Makefile so that a build tool can't find sepol/sepol.h when only libsepol is built and a system is without sepol.h in standard paths. It should use its own sepol.h file during build. `override` needs to be used in order not to be overridden by values provided on a command line. Same problem applies to LDFLAGS.

Fixes:

$ make CFLAGS="" LDFLAGS=""
make[1]: Entering directory '/root/selinux/libsepol/utils'
cc chkcon.c -lsepol -o chkcon
chkcon.c:1:25: fatal error: sepol/sepol.h: No such file or directory
#include <sepol/sepol.h>

$ make CFLAGS="" LDFLAGS=""
...
make -C utils
make[1]: Entering directory '/root/selinux/libsepol/utils'
cc -I../include chkcon.c -lsepol -o chkcon
/usr/bin/ld: cannot find -lsepol
collect2: error: ld returned 1 exit status

Signed-off-by: Petr Lautrbach

commit 8e9c9a20cbdd2718d478436a3d13f82fc9746912
Author: Alan Jenkins
Date: Thu May 4 18:01:22 2017 +0100

policycoreutils: fixfiles: deprecate -l option

...and write log messages to standard output.

Some versions of fixfiles in 2004 created a logfile by default. Apparently they also used `tee` to log to standard output at the same time. We're also told that the logfile was implemented because there was too much output generated for use on a tty, and it scrolled out of reach.
https://bugzilla.redhat.com/show_bug.cgi?id=131707

In the current version, none of these original reasons for `-l` remain. The logfile is not created by default. If no log file is specified, messages are written to stdin [sic]... if and only if stdin is a tty. If stdin is not a tty, the log defaults to /dev/null.

When a user runs fixfiles on a tty and finds there is too much output, she is likely to try redirecting standard output and/or standard error using the shell. She will find this doesn't help, because fixfiles is writing the verbose log messages to standard input.

I tried to fix the problem non-intrusively, by changing the default log file to `/dev/stdout`. Sadly, this breaks down where you have `echo >>$LOGFILE "Log message"` inside a specific function, which is run with output redirected in order to "return" a string value (captured into a variable). exclude_dirs_from_relabelling() was such a function. I was trying to abstract over writing to both normal files and stdout, but my abstraction "leaks" in a non-obvious way.

There is a simple solution. We can write the log messages to standard output. When we are passed `-l` by a legacy script, we can redirect standard output to the logfile. This removes any distinctions between the logfile and "non-log" messages.

Some calls to restorecon were missing redirections to the log file. "Cleaning out /tmp" was written to the log file, but "Cleaning out labels on /tmp" was not. There were no comments to explain these distinctions.

commit 48d425e7c6615ac28d7de820e0a02d49bf726176
Author: Alan Jenkins
Date: Thu May 4 18:01:21 2017 +0100

policycoreutils: fixfiles: move logit call outside of redirected function

Move call to logit() outside a function which has its output redirected. See next commit for explanation.

The logit calls are moved into a new function LogExcluded(), similar to LogReadOnly(). I don't see a pretty way to resolve this, so I just went for the most explicit approach I could think of.
    Behaviour change: diff_filecontext will now log *all* excluded paths.
    I think that approach is an improvement, because e.g. the fact that
    `-C` mode excludes `/home` was not previously documented anywhere.

commit 55f220122fbb1b96aec8df95a42df730c7052c53
Author: Alan Jenkins
Date:   Thu May 4 18:01:20 2017 +0100

    policycoreutils: fixfiles: fix logging about R/O filesystems

    The LogReadOnly() call which warns the user about R/O filesystems,
    applies to the `-B` mode (newer() function), and the `fixfiles check`
    mode (no paths). Make sure to print it for these modes, and these
    modes only.

commit 08df7539621a86d7e47c68b5dcc50b3b828ccd20
Author: Alan Jenkins
Date:   Thu May 4 18:01:19 2017 +0100

    policycoreutils: fixfiles: clarify exclude_dirs()

    The usage of exclude_dirs() is non-obvious. It turns out it is only
    used by the `-C` mode of fixfiles. The other four modes use the
    narrower list generated by exclude_dirs_from_relabelling(). Let's make
    this distinction more obvious.

    (The purpose of the extra exclusions is not clear. E.g. there's an
    exclusion for /dev. Whereas the `fixfiles check` mode explicitly tells
    you that it's going to relabel /dev, without causing any problem.
    Maybe that part is out of date? But without some explanation of the
    list, I don't want to change anything!)

commit aa62e3665cba36be866d8d779c7a9ef103d85bbd
Author: Alan Jenkins
Date:   Thu May 4 18:01:18 2017 +0100

    policycoreutils: fixfiles: remove (broken) redundant code

    setfiles is now run with $exclude_dirs. We shouldn't need to patch the
    file contexts as well.

    This is fortunate, since the file context patching code was broken (by
    the same commit which introduced the redundancy). It takes the list of
    directories to exclude from $tempdirs, but $tempdirs is never set.

    Also messages about skipping directories were printed twice. Firstly
    when exclude_dirs is generated, and secondly in the file context
    patching code.

    Also TEMPFCFILE was only removed in one path out of several.
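The leaky abstraction the fixfiles commits above describe, as an added shell illustration that is not fixfiles' own code: a function that "returns" its value through captured stdout while also logging with `echo >>$LOGFILE` gets its return value polluted once LOGFILE is /dev/stdout, whereas logging from a separate function outside the captured context, with a legacy `-l` handled by redirecting stdout as a whole, does not. It assumes a Linux /dev/stdout; the exclude list is constructed here in place of /etc/selinux/fixfiles_exclude_dirs, and all function names are hypothetical stand-ins.

```shell
#!/bin/sh
# Added illustration (hypothetical names, not the real fixfiles functions).

# Constructed stand-in for the contents of /etc/selinux/fixfiles_exclude_dirs.
SAMPLE_EXCLUDES="/home
/var/tmp"

# Old shape: the function "returns" a setfiles argument string through
# stdout, but also logs with echo >>$logfile. When $1 is /dev/stdout the
# log lines land inside the captured value, so the caller would hand
# "skipping the directory ..." to setfiles as if it were an argument.
old_exclude_dirs_from_relabelling() {
    logfile="$1"
    exclude=""
    for d in $SAMPLE_EXCLUDES; do
        echo >>"$logfile" "skipping the directory $d"
        exclude="$exclude -e $d"
    done
    echo "$exclude"
}

# New shape: the captured function emits only its value ...
new_exclude_dirs_from_relabelling() {
    exclude=""
    for d in $SAMPLE_EXCLUDES; do
        exclude="$exclude -e $d"
    done
    echo "$exclude"
}

# ... and the log messages come from a separate function (in the style
# of LogExcluded()) that is only ever called where stdout is not captured.
log_excluded() {
    for d in $SAMPLE_EXCLUDES; do
        echo "skipping the directory $d"
    done
}

# Driver in the fixed style: everything goes to stdout. A legacy logfile
# argument is honoured by redirecting stdout as a whole, so there is no
# per-message distinction between "log" and "non-log" output any more.
# Run it in a subshell if you do not want the redirect to stick.
relabel() {
    logfile="$1"
    if [ -n "$logfile" ]; then
        exec >>"$logfile"
    fi
    log_excluded
    args=$(new_exclude_dirs_from_relabelling)
    echo "would run: setfiles$args"
}
```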
commit b5610b0c6e7e0b384a2f305578ff34fd7bc2afaa
Author: Alan Jenkins
Date:   Thu May 4 18:01:17 2017 +0100

    Revert "policycoreutils: let output of `fixfiles` be redirected (as normal)"

    This reverts commit ac7899fc3ad6221e195dd13cdf14b346897314ae, which is
    not yet part of an officially tagged release (or release candidate).

    `LOGFILE=/proc/self/fd/1` was wrong. `LOGFILE=$(tty)` was being relied
    on in one case (exclude_dirs), to log messages from a function run
    specifically with stdout redirected (captured into a variable).

    Having `logit "message"` break inside redirected functions is a nasty
    leaky abstraction. This caused e.g. `fixfiles restore` to terminate
    early with the error

        skipping: No such file or directory

    if the user had configured any excluded paths in
    /etc/selinux/fixfiles_exclude_dirs

commit 1dc95dd5588bee62a39a96fb8ba5e57ace94051a
Author: Nicolas Iooss
Date:   Wed May 3 22:58:02 2017 +0200

    libsepol: silence false-positive -Wwrite-strings warning

    When compiling with -Wwrite-strings, the compiler complains about
    calling strs_add with a const char* value for a char* parameter
    (DEFAULT_OBJECT is defined to "object_r"). Silence this warning by
    casting the literal string to char*.

    Signed-off-by: Nicolas Iooss

commit 232ff757d41b1d3ed34959277159b945010d3ddc
Author: Nicolas Iooss
Date:   Wed May 3 22:58:01 2017 +0200

    libselinux/utils: add noreturn attribute to selinux_check_access's usage

    When building libselinux, clang reports the following warning:

        selinux_check_access.c:8:1: error: function 'usage' could be
        declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]

    While at it, make progname const.
    Signed-off-by: Nicolas Iooss

commit a9b6ef426d4dc88d16ac1f076182852be225b5f6
Author: Petr Lautrbach
Date:   Wed May 3 12:30:36 2017 +0200

    sepolicy/gui: Update text strings to use better gettext templates

    Signed-off-by: Petr Lautrbach

commit 11e9676ce1d156e8af8169f28f9b22a3ffc21905
Author: Petr Lautrbach
Date:   Wed May 3 12:30:35 2017 +0200

    sepolicy: info() should provide attributes for a TYPE

    "attributes" used to be there when sepolicy.info() used setools3

    Signed-off-by: Petr Lautrbach

commit 89399a9c8e5ac4f16fe33624baaf02a478b450aa
Author: Petr Lautrbach
Date:   Wed May 3 12:30:34 2017 +0200

    sepolicy: Fix several issues in 'sepolicy manpage -a'

    Fixes:

    $ sepolicy manpage -a
    Traceback (most recent call last):
      File "/usr/bin/sepolicy", line 699, in
        args.func(args)
      File "/usr/bin/sepolicy", line 359, in manpage
        m = ManPage(domain, path, args.root, args.source_files, args.web)
      File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 408, in __init__
        self.__gen_man_page()
      File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 495, in __gen_man_page
        self._entrypoints()
      File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 903, in _entrypoints
        if len(entrypoints) > 1:
    TypeError: object of type 'map' has no len()

    $ sepolicy manpage -a
    Traceback (most recent call last):
      File "/usr/bin/sepolicy", line 699, in
        args.func(args)
      File "/usr/bin/sepolicy", line 359, in manpage
        m = ManPage(domain, path, args.root, args.source_files, args.web)
      File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 408, in __init__
        self.__gen_man_page()
      File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 497, in __gen_man_page
        self._mcs_types()
      File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 927, in _mcs_types
        attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
    TypeError: 'generator' object is not subscriptable

    Signed-off-by: Petr Lautrbach

commit 471e6b0fc968c66edd95a36be000bb2537a7bf71
Author: Petr Lautrbach
Date:   Wed May 3 12:30:33 2017 +0200

    sepolicy: setools.*Query wants a list in ruletype

    This fixes a problem introduced in 18410c86 where ruletype is specified
    as a string not a list.

    Fixes:

    >>> sepolicy.get_all_role_allows()
    Traceback (most recent call last):
      File "/usr/lib64/python3.6/site-packages/setools/policyrep/util.py", line 60, in lookup
        return cls(value)
      File "/usr/lib64/python3.6/enum.py", line 291, in __call__
        return cls.__new__(cls, value)
      File "/usr/lib64/python3.6/enum.py", line 533, in __new__
        return cls._missing_(value)
      File "/usr/lib64/python3.6/enum.py", line 546, in _missing_
        raise ValueError("%r is not a valid %s" % (value, cls.__name__))
    ValueError: 'a' is not a valid RBACRuletype

    Signed-off-by: Petr Lautrbach

commit be0acfb491dff3e0a9c8ad7320f3d69260337c1e
Author: Petr Lautrbach
Date:   Wed May 3 12:30:32 2017 +0200

    dbus: Use text streams in selinux_server.py

    subprocess.Popen called without universal_newlines=True opens stdin,
    stdout and stderr as binary streams, which causes problems with
    Python 3.
    Fixes:

    Traceback (most recent call last):
      File "/usr/lib64/python3.4/site-packages/sepolicy/gui.py", line 2773, in unconfined_toggle
        self.dbus.semanage("module -e unconfined")
      File "", line 2, in semanage
      File "/usr/lib/python3.4/site-packages/slip/dbus/polkit.py", line 121, in _enable_proxy
        return func(*p, **k)
      File "/usr/lib64/python3.4/site-packages/sepolicy/sedbus.py", line 14, in semanage
        ret = self.dbus_object.semanage(buf, dbus_interface = "org.selinux")
      File "/usr/lib64/python3.4/site-packages/dbus/proxies.py", line 145, in __call__
        **keywords)
      File "/usr/lib64/python3.4/site-packages/dbus/connection.py", line 651, in call_blocking
        message, timeout)
    dbus.exceptions.DBusException: org.freedesktop.DBus.Python.TypeError: TypeError: 'dbus.String' does not support the buffer interface

    Signed-off-by: Petr Lautrbach

commit 4a7de9ffdc18828eb91fdbe23579eaea217ea711
Author: Petr Lautrbach
Date:   Wed May 3 12:30:31 2017 +0200

    policycoreutils/sepolicy: Define our own cmp()

    Fixes:

    Traceback (most recent call last):
      File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 1447, in stripsort
        return cmp(val1, val2)
    NameError: name 'cmp' is not defined

    Signed-off-by: Petr Lautrbach

commit d9c2a15831eecb50f4c57dd961e4fe0251f2fa0b
Author: Petr Lautrbach
Date:   Wed May 3 12:30:30 2017 +0200

    sepolicy/generate.py: Fix string formatting

    Fixes python3 problem:

    >>> print("Failed to retrieve rpm info for %s") % package
    Failed to retrieve rpm info for %s
    Traceback (most recent call last):
      File "", line 1, in
    TypeError: unsupported operand type(s) for %: 'NoneType' and 'str'

    Signed-off-by: Petr Lautrbach

commit 6dabab268c2ca0f1b0a9dcddbff514e55aed7fb8
Author: Petr Lautrbach
Date:   Wed May 3 12:30:29 2017 +0200

    sepolicy: Simplify policy types detection

    map() and filter() changed their return values from list to iterators
    in Python 3.
    This change drops filter() and map() from gui.py to make it work on
    Python 2 and 3

    Fixes:

    Traceback (most recent call last):
      File "/bin/sepolicy", line 700, in
        args.func(args)
      File "/bin/sepolicy", line 326, in gui_run
        sepolicy.gui.SELinuxGui(args.domain, args.test)
      File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 238, in __init__
        if self.populate_system_policy() < 2:
      File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 835, in populate_system_policy
        types = map(lambda x: x[1], filter(lambda x: x[0] == selinux_path, os.walk(selinux_path)))[0]
    TypeError: 'map' object is not subscriptable

    Signed-off-by: Petr Lautrbach

commit 54eb348c0cfcf14150c5fe62a823bb799bb16f34
Author: Petr Lautrbach
Date:   Wed May 3 12:30:28 2017 +0200

    sepolicy: Don't return filter(), use [ ] notation instead

    filter() changed its behavior between python 2 and python 3

    Signed-off-by: Petr Lautrbach

commit 2a0102a27052ba99b42199c99a1caa6f9444e5e1
Author: Petr Lautrbach
Date:   Wed May 3 12:30:27 2017 +0200

    sepolicy: Adapt to the new semodule list output

    semodule in policycoreutils-2.4 changed the list format. With this
    patch, org.selinux.semodule_list uses 'semodule --list=full' and the
    code using this was adapted to the new format.

    Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1281309

    Fixes:

      File "/usr/lib64/python3.4/site-packages/sepolicy/gui.py", line 670, in lockdown_init
        self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"])
    KeyError: 'unconfined'

    Signed-off-by: Petr Lautrbach

commit f82771c1059fd07b5d68faae70bd5e487f818341
Author: Miroslav Grepl
Date:   Wed May 3 12:30:26 2017 +0200

    Fix typo in executable.py template.
    Signed-off-by: Petr Lautrbach

commit 1353988d58520e07f831e24ec3db412e47f80c27
Author: Dan Walsh
Date:   Wed May 3 12:30:25 2017 +0200

    sepolicy: We should be creating _exec interfaces when we create the domtrans interface

    Signed-off-by: Petr Lautrbach

commit 8dfdb38db9797d4303ce64929069342eeead7b97
Author: Miroslav Grepl
Date:   Wed May 3 12:30:24 2017 +0200

    sepolicy: ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin

    Signed-off-by: Dan Walsh

commit c0ec882bfaafbb5150d07113cf8b3c96e3f09558
Author: Dan Walsh
Date:   Wed May 3 12:30:23 2017 +0200

    Fix up generation of application policy

    Signed-off-by: Dan Walsh

commit 1db83be583e1cbf4630cea3b98b0a22561930282
Author: Petr Lautrbach
Date:   Wed May 3 12:30:22 2017 +0200

    policycoreutils/sepolicy: boolean.png is in help/

    Fixes:

    (sepolicy:2183): Gtk-WARNING **: Could not load image 'images/booleans.png': Failed to open file '/usr/lib64/python3.4/site-packages/sepolicy/images/booleans.png': No such file or directory

    Signed-off-by: Petr Lautrbach

commit 590e765dce0e00e2ea3fd21428812e881dfa8a99
Author: Dan Walsh
Date:   Wed May 3 12:30:21 2017 +0200

    sepolicy: Move svirt man page out of libvirt into its own

    Signed-off-by: Petr Lautrbach

commit 63283b81bb4bd9ee8318198df4243d7329c8ecc8
Author: Dan Walsh
Date:   Wed May 3 12:30:20 2017 +0200

    sepolicy: Add manpages for typealiased types

    Signed-off-by: Petr Lautrbach

commit cfbb79736d50e3e95c0287547a7054b034553ed1
Author: Petr Lautrbach
Date:   Wed May 3 12:30:19 2017 +0200

    sepolicy: Fix spelling mistakes in commands in generated manpages

    Signed-off-by: Petr Lautrbach

commit 443b84e4df8e2f60c4475db1ee27ec56573e2d0f
Author: Dan Walsh
Date:   Wed May 3 12:30:18 2017 +0200

    policycoreutils/sepolicy: Add documentation for MCS separated domains

    Signed-off-by: Petr Lautrbach

commit ef95c6ddf9498d05e94397af52e272856c933f11
Author: Richard Haines
Date:   Mon May 1 14:21:17 2017 +0100

    libselinux: Remove util/selinux_restorecon.c

    Remove util/selinux_restorecon.c and tidy up.
    This is removed as the functionality is now in policycoreutils/setfiles.

    Signed-off-by: Richard Haines

commit a63858b52f9013a127ec616a026ec227e0300008
Author: Richard Haines
Date:   Mon May 1 14:20:14 2017 +0100

    libselinux: Add selinux_check_access utility

    Signed-off-by: Richard Haines

commit 9cba8f61515b07982a7ce8bf6359ab9278de9228
Author: Richard Haines
Date:   Fri Apr 28 14:05:16 2017 +0100

    libselinux: Add permissive= entry to avc audit log

    Add audit log entry to specify whether the decision was made in
    permissive mode/permissive domain or enforcing mode.

    Signed-off-by: Richard Haines

commit f3a264c2e1d7d070f3606bbdb0d11382df71c6a5
Author: Colin Walters
Date:   Wed Apr 26 16:26:21 2017 -0400

    config: Don't finalize mount state in selinux_set_policy_root()

    This breaks every further call to e.g. `is_selinux_enabled()` after a
    policy root has been set. This tripped up some code landed in
    libostree: https://github.com/ostreedev/ostree/pull/797

    Since in some cases we initialize a policy twice in process, and we'd
    call `is_selinux_enabled()` each time.

    More info in: http://marc.info/?l=selinux&m=149323809332417&w=2

    Signed-off-by: Stephen Smalley

commit 89ce96cac6ce5eeed78cb39c58514cd68494d7aa
Author: Jason Zaman
Date:   Tue Apr 25 01:59:59 2017 +0800

    policycoreutils: make audit and pam support configurable

    Signed-off-by: Jason Zaman

commit 9a7763e18604c4649ff67ea6d43a730f90311592
Author: Jason Zaman
Date:   Tue Apr 25 01:59:58 2017 +0800

    Add includes for DESTDIR only in root Makefile

    Signed-off-by: Jason Zaman

commit 74093beab0c605641ec413be81e31e6b2f55d8d4
Author: Jason Zaman
Date:   Tue Apr 25 01:59:57 2017 +0800

    restorecond: get pcre cflags/libs from pkg-config

    Signed-off-by: Jason Zaman

commit fcb5d5cc721187b3e3a19b44155d5b824d7be7e6
Author: Jason Zaman
Date:   Tue Apr 25 01:59:56 2017 +0800

    Makefiles: drop -L/-I to system paths

    The toolchain automatically handles them and they break cross
    compiling.
    LDFLAGS should also come before object files, some flags (eg,
    -Wl,as-needed) can break things if they are in the wrong place.

    Gentoo-Bug: https://bugs.gentoo.org/500674

    Signed-off-by: Jason Zaman

commit b5fe48da2090ceb9f427822fce6ee3da165b77f2
Author: Jason Zaman
Date:   Tue Apr 25 01:59:55 2017 +0800

    libselinux: PCRE_LDFLAGS is actually LDLIBS

    From Make's manual:

    LDFLAGS
        Extra flags to give to compilers when they are supposed to invoke
        the linker, ‘ld’, such as -L. Libraries (-lfoo) should be added
        to the LDLIBS variable instead.

    LDLIBS
        Library flags or names given to compilers when they are supposed
        to invoke the linker, ‘ld’. Non-library linker flags, such as -L,
        should go in the LDFLAGS variable.

    https://www.gnu.org/software/make/manual/html_node/Implicit-Variables.html

    Signed-off-by: Jason Zaman

commit 3eebfc287372d08a915b69a5dcb1ab277b7c91e8
Author: Jason Zaman
Date:   Tue Apr 25 01:59:54 2017 +0800

    libselinux: get pcre CFLAGS/LDFLAGS from pkg-config

    Gentoo-Bug: https://bugs.gentoo.org/500674

    Signed-off-by: Jason Zaman

commit 584e32a23bc3ae39b0ee39d5ac345b4933f923f1
Author: Jason Zaman
Date:   Tue Apr 25 01:59:53 2017 +0800

    policycoreutils: honour LINGUAS variable

    If the user has the $LINGUAS environment variable set, only
    translations for those languages should be installed to the system.

    The gettext manual [1] says:
    "Internationalized packages have usually many ll.po files. Unless
    translations are disabled, all those available are installed together
    with the package. However, the environment variable LINGUAS may be
    set, prior to configuration, to limit the installed set. LINGUAS
    should then contain a space separated list of two-letter codes,
    stating which languages are allowed."
    [1]: https://www.gnu.org/software/gettext/manual/html_node/Installers.html#Installers

    Signed-off-by: Jason Zaman

commit 8702a865e08b5660561e194a83e4a363061edc03
Author: Stephen Smalley
Date:   Mon Apr 10 15:20:37 2017 -0400

    libsemanage: Save linked policy, skip re-link when possible

    In commit b61922f727d5643265e27654a2d626bcae5d894c ("libsemanage:
    revert "Skip policy module re-link when only setting booleans"), we
    reverted an optimization for setting booleans since it produced
    incorrect behavior. This incorrect behavior was due to operating on
    the policy with local changes already merged. However, reverting this
    change leaves us with undesirable overhead for setsebool -P. We also
    have long wanted to support the same optimization for making other
    changes that do not truly require module re-compilation/re-linking.
    If we save the linked policy prior to merging local changes, we can
    skip re-linking the policy modules in most cases, thereby
    significantly improving the performance and memory overhead of
    semanage and setsebool -P commands.

    Save the linked policy in the policy sandbox and use it when we are
    not making a change that requires recompilation of the CIL modules.
    With this change, a re-link is not performed when setting booleans or
    when adding, deleting, or modifying port, node, interface, user, login
    (seusers) or fcontext mappings. We save linked versions of the kernel
    policy, seusers, and users_extra produced from the CIL modules before
    any local changes are merged. This has an associated storage cost,
    primarily storing an extra copy of the kernel policy file.
    Before:
    $ time setsebool -P zebra_write_config=1

    real    0m8.714s
    user    0m7.937s
    sys     0m0.748s

    After:
    $ time setsebool -P zebra_write_config=1

    real    0m1.070s
    user    0m0.343s
    sys     0m0.703s

    Resolves: https://github.com/SELinuxProject/selinux/issues/50
    Reported-by: Carlos Rodrigues
    Signed-off-by: Stephen Smalley

commit 64afa1aff1cd610d2493f780e2a44b551f668b84
Author: Nick Kralevich
Date:   Sun Dec 11 09:30:16 2016 -0800

    libselinux: add O_CLOEXEC

    Makes libselinux safer and less likely to leak file descriptors when
    used as part of a multithreaded program.

    Signed-off-by: Nick Kralevich

commit 35af4592202cc4e7d7f605ce5d51dce5827cd55a
Author: Nicolas Iooss
Date:   Tue Apr 11 23:46:03 2017 +0200

    policycoreutils: newrole: always initialize pw fields

    In extract_pw_data(), if "getpwuid(uid)" fails, the function returns
    an error value without initializing main's pw.pw_name. This leads
    main() to call "free(pw.pw_name)" on an uninitialized value.

    Use memset() to initialize structure pw in main().

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit bfe40222e2bd5955b13c83149a369335721a58d2
Author: Nicolas Iooss
Date:   Tue Apr 11 23:46:02 2017 +0200

    policycoreutils: newrole: do not free pw strings twice

    In main(), if "extract_pw_data(&pw)" returns a failed value, it has
    already freed pw.pw_name, pw.pw_dir and pw.pw_shell. These fields are
    freed a second time in main's err_free label, which is incorrect.

    Work around this by setting them to NULL after they are freed.

    This issue has been found using clang's static analyzer.

    While at it, make extract_pw_data() static.

    Signed-off-by: Nicolas Iooss

commit bb3f428c081fb7dd61453ce8cc749d1bf9162c94
Author: Nicolas Iooss
Date:   Tue Apr 11 23:46:01 2017 +0200

    libselinux: getsebool: always free names

    When getsebool's main() fails to allocate memory for the boolean names,
    it returns without freeing variables first, even though other errors
    do this (with label "out").
    This silences a warning reported by clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit a9094fae2c7bcd14af7263f9bb7fbacff5bc761c
Author: Nicolas Iooss
Date:   Tue Apr 11 23:46:00 2017 +0200

    libselinux: avoid calling strcmp() on a NULL pointer

    When curcon is NULL, calling strcmp(curcon, newcon) produces an
    undefined behavior. Avoid this by checking whether curcon is NULL
    beforehand.

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit b63eb892f93249ac217ab878c29245f2cae2dc76
Author: Nicolas Iooss
Date:   Tue Apr 11 23:45:59 2017 +0200

    libsepol: cil: check cil_fill_list return value

    cil_gen_default() and cil_gen_defaultrange() call cil_fill_list()
    without checking its return value. If it failed, propagate the return
    value to the caller.

    This issue has been found using clang's static analyzer. It reported
    "warning: Value stored to 'rc' is never read" four times.

    Signed-off-by: Nicolas Iooss

commit ea175157dd312aba3c98b756aaf5d66fa00d4f9c
Author: James Carter
Date:   Wed Apr 12 13:46:53 2017 -0400

    secilc: Add options to control the expansion of attributes

    Added "-G, --expand_generated" option to specify that all
    automatically generated attributes should be expanded and removed.

    Added "-X, --expand_size " option to specify which attributes are
    expanded when building a kernel policy. All attributes that have fewer
    types assigned to them than SIZE will be expanded when writing AV
    rules.

    Signed-off-by: James Carter

commit 0be23c3f15fdbef35a57d8586aeeae9b1f7606cc
Author: James Carter
Date:   Wed Apr 12 13:45:32 2017 -0400

    libsepol/cil: Add ability to expand some attributes in binary policy

    Originally, all type attributes were expanded when building a binary
    policy. As the policy grew, binary policy sizes became too large, so
    changes were made to keep attributes in the binary policy to minimize
    policy size. Keeping attributes works well as long as each type does
    not have too many attributes.
    If an access check fails for types t1 and t2, then additional checks
    must be made for every attribute that t1 is a member of against t2 and
    all the attributes that t2 is a member of. This is O(n*m) behavior and
    there are cases now where this is becoming a performance issue.

    Attributes are more aggressively removed than before. An attribute
    will now be removed if it only appears in rules where attributes are
    always expanded (typetransition, typechange, typemember,
    roletransition, rangetransition, roletype, and AV Rules with self).

    Attributes that are used in constraints are always kept because the
    attribute name is stored for debugging purposes in the binary policy.

    Attributes that are used in neverallow rules, but not in other AV
    rules, will be kept unless the attribute is auto-generated.

    Attributes that are only used in AV rules other than neverallow rules
    are kept unless the number of types assigned to them is less than the
    value of attrs_expand_size in the CIL db. The default is 1, which
    means that any attribute that has no types assigned to it will be
    expanded (and the rule removed from the policy), which is CIL's
    current behavior. The value can be set using the function
    cil_set_attrs_expand_size().

    Auto-generated attributes that are used only in neverallow rules are
    always expanded. The rest are kept by default, but if the value of
    attrs_expand_generated in the CIL db is set to true, they will be
    expanded. The function cil_set_attrs_expand_generated() can be used to
    set the value.

    When creating the binary policy, CIL will expand all attributes that
    are being removed and it will expand all attributes with less members
    than the value specified by attrs_expand_size. So even if an attribute
    is used in a constraint or neverallow and the attribute itself will be
    included in the binary policy, it will be expanded when writing AV
    rules if it has less members than attrs_expand_size.
    Signed-off-by: James Carter

commit 473753f21a44496107e491dc265cf2236599766c
Author: Nicolas Iooss
Date:   Mon Apr 10 21:11:49 2017 +0200

    libsepol: correct spelling errors in module_to_cil.c comments

    Signed-off-by: Nicolas Iooss

commit d88657bc4d3407208d4f37665d12715368810561
Author: Nicolas Iooss
Date:   Mon Apr 10 21:11:48 2017 +0200

    libsepol: do not leak memory when an error occurs

    name_list_to_string() and constraint_expr_to_string() both define an
    exit label to clean-up dynamically-allocated memory when an error
    occurs, but they miss some variables. Free the missing ones too.

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit 8ccd0db8609cc372eaf96beb48f09decd3106b6a
Author: Nicolas Iooss
Date:   Mon Apr 10 21:11:47 2017 +0200

    libsepol: do not free attr_name twice

    When set_to_names() fails to allocate *names, it frees variable
    attr_name even though it either came from attr_list or was newly
    created and added to attr_list. By doing so, the name is freed a
    second time when attr_list is destroyed (with
    "attr_list_destroy(&attr_list)").

    Avoid this double free by not freeing attr_name when it belongs to
    attr_list.

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit 3e7fd1daba5d3d8c861606ab8d706269634022ad
Author: Nicolas Iooss
Date:   Fri Apr 7 22:44:31 2017 +0200

    libsepol: do not wrap integers when checking bound

    Some invalid policies might have p->p_types.nprim = 0. When parsing
    such a policy, "i > p->p_types.nprim - 1" is always false even though
    reading p->type_val_to_struct[i] triggers a segmentation fault.

    Make type_set_expand() return an error when parsing such a policy by
    handling correctly when p->p_types.nprim is zero.

    This issue has been found while fuzzing semodule_package with the
    American Fuzzy Lop.
    Signed-off-by: Nicolas Iooss

commit 42e32227da3db728ca8ead4690a1147183fb223c
Author: Nicolas Iooss
Date:   Fri Apr 7 22:44:30 2017 +0200

    libsepol: refuse to load policies with no block

    Some functions assume that p->global is not NULL. For example
    range_read() contains:

        p->global->enabled->range_tr_rules = rtr;

    However p->global may currently be NULL when loading a policy module
    with no avrule block. Avoid a NULL pointer dereference by making such
    a policy invalid.

    Signed-off-by: Nicolas Iooss

commit 9d3091a6d3f1c4e40b67716aca740031699150a2
Author: Nicolas Iooss
Date:   Fri Apr 7 22:44:29 2017 +0200

    libselinux: ensure that 4 columns are read from /proc/mounts

    If exclude_non_seclabel_mounts() ever gets run on a kernel where
    /proc/mounts only contains three columns, mount_info[3] will be used
    without being initialized in "strtok(mount_info[3], ",")" because
    variable index would be 3 at the end of this loop:

        index = 0;
        item = strtok(buf, " ");
        while (item != NULL) {
            mount_info[index] = item;
            if (index == 3)
                break;
            index++;
            item = strtok(NULL, " ");
        }

    Swap the condition on index and its increment so that it gets to 4
    only when there are at least four columns.

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit c09fb32384ec3808a9dd668bed4c605f4c28f420
Author: Nicolas Iooss
Date:   Fri Apr 7 22:44:28 2017 +0200

    libselinux: make process_boolean() fail on invalid lines

    When security_load_booleans() calls process_boolean() to parse a
    boolean definition, process_boolean() returns a successful value when
    it fails to use strtok_r() (e.g. when there is no "=" in the parsed
    line). This leads security_load_booleans() to use uninitialized name
    and/or val when setting the boolean into the policy.

    This issue has been found using clang's static analyzer and is similar
    to the one which has been fixed in libsepol with commit 76f8c04c197f
    ("libsepol: make process_boolean() fail on invalid lines"). Fix it in
    the same way.
    Signed-off-by: Nicolas Iooss

commit 86e6ae67fd17e0812036a8bc7df72e9b223846c8
Author: Nicolas Iooss
Date:   Fri Apr 7 22:44:27 2017 +0200

    libsemanage: drop checks on semanage_module_info_destroy() value

    semanage_module_info_destroy() always returns 0. Nevertheless
    semanage_direct_list_all() uses its return value in a surprising way:

        cleanup:
            if (priorities != NULL) {
                /* ... */
                free(priorities);
            }
            /* ... */
            ret = semanage_module_info_destroy(sh, modinfo_tmp);
            if (ret != 0) {
                status = -1;
                goto cleanup;
            }

    The last "goto cleanup;" leads clang's static analyzer to believe a
    double free is possible. Even though this is a false positive, the
    body of condition "if (ret != 0)" contains dead code. Remove it.

    Signed-off-by: Nicolas Iooss

commit 55b5b7a646589f2eb3b77ab4f58ccc1d2b010727
Author: Nicolas Iooss
Date:   Fri Apr 7 22:44:26 2017 +0200

    libselinux: do not dereference a NULL pointer when calloc() fails

    selabel_is_digest_set() contains the following code:

        digest = calloc(1, sizeof(*digest));
        if (!digest)
            goto err;
        /* ... */
    err:
        free(digest->digest);

    If calloc() failed, digest is NULL but is dereferenced when the
    execution jumps to label err. Check that digest is not NULL before
    freeing its fields.

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit 682e01f79db6f175996be029319154b2600f40c3
Author: Luis Ressel
Date:   Fri Apr 7 14:05:07 2017 +0200

    policycoreutils/load_policy: Drop is_selinux_enabled() check

    This check is a remnant of the libselinux <2.5 era, back when
    is_selinux_enabled() checked whether a policy had been loaded.
    Nowadays it only checks whether selinuxfs is mounted, and
    "load_policy -i" therefore incorrectly refuses operation when
    selinuxfs is mounted, but no policy has been loaded yet.

    While it doesn't make much sense to call selinux_init_load_policy()
    twice, there's no harm in doing so either, so let's just drop this
    safeguard instead of fixing it.
    Signed-off-by: Stephen Smalley

commit b61922f727d5643265e27654a2d626bcae5d894c
Author: Stephen Smalley
Date:   Mon Apr 10 10:19:04 2017 -0400

    libsemanage: revert "Skip policy module re-link when only setting booleans."

    commit e5aaa01f81afa278cce79bd59ebfdb80a32e4e5a ("Skip policy module
    re-link when only setting booleans.") can lead to duplicate entries
    (e.g. portcon entries) being added into the kernel policy because the
    existing linked policy already includes the local customizations.
    Revert this commit until we can come up with an approach that handles
    this properly. This means that setsebool -P triggers a full policy
    rebuild.

    From the original bug report:

    I've noticed a strange interaction with custom ports and booleans.
    After setting a boolean, the list of ports for a particular type
    (which has been customized) shows duplicate entries. Example:

    $ semanage port -a -t http_port_t -p tcp 12345
    $ semanage port -l | grep http_port_t
    http_port_t tcp 12345, 80, 81, ...
    $ setsebool -P zebra_write_config false
    $ semanage port -l | grep http_port_t
    http_port_t tcp 12345, 12345, 80, 81, ...
    $ setsebool -P zebra_write_config false
    $ semanage port -l | grep http_port_t
    http_port_t tcp 12345, 12345, 12345, 80, 81, ...

    As can be seen, each time a boolean is set persistently (it doesn't
    matter which boolean or which state), the custom port 12345 is
    duplicated. Running "semodule -B" clears the duplicates.

    However, if only the local customizations are listed, the port is
    always listed only once:

    $ semanage port -l -C
    SELinux Port Type   Proto   Port Number
    http_port_t         tcp     12345

    Resolves: https://github.com/SELinuxProject/selinux/issues/50
    Reported-by: Carlos Rodrigues
    Signed-off-by: Stephen Smalley

commit e6edc424555d4f8d1d6a968072e137a77656d480
Author: Stephen Smalley
Date:   Fri Apr 7 11:01:52 2017 -0400

    libsepol: do not seg fault on sepol_*_key_free(NULL)

    sepol_*_key_free(NULL) should just be a no-op just like free(NULL).
    Fix several instances that did not handle this correctly and would
    seg fault if called with NULL.

    Test: setsebool -P zebra_write_config=1 while non-root

    Signed-off-by: Stephen Smalley

commit 92f22e193a7e78702178bf9960f03167ba3ea1df
Author: James Carter
Date:   Wed Mar 29 14:04:11 2017 -0400

    libsepol: In module_to_cil create one attribute for each unique set

    CIL does not allow type or role sets in certain rules (such as allow
    rules). It does, however, allow sets in typeattributeset and
    roleattributeset statements. Because of this, when module_to_cil
    translates a policy into CIL, it creates a new attribute for each set
    that it encounters. But often the same set is used multiple times
    which means that more attributes are created than necessary. As the
    number of attributes increases the time required for the kernel to
    make each policy decision increases which can be a problem.

    To help reduce the number of attributes in a kernel policy, when
    module_to_cil encounters a role or type set search to see if the set
    was encountered already and, if it was, use the previously generated
    attribute instead of creating a new one.

    Testing on Android and Refpolicy policies show that this reduces the
    number of attributes generated by about 40%.

    Signed-off-by: James Carter

commit 13c27d6cc9bcc39fdd7aa1805cd1595b18b513cd
Author: James Carter
Date:   Tue Mar 21 16:00:30 2017 -0400

    checkpolicy: Add options to convert binary policy to CIL or a policy.conf

    Use the same option "-C" used to output CIL from a policy.conf, but
    now generate CIL from a binary policy instead of giving an error.

    Use the option "-F" to generate a policy.conf file from a binary
    policy.

    Signed-off-by: James Carter

commit 0a08fd1e69797d6ab315ee17d797ef12dae25ce9
Author: James Carter
Date:   Tue Mar 21 15:59:35 2017 -0400

    libsepol: Add ability to convert binary policy to policy.conf file

    It would sometimes be helpful for debugging or verification purposes
    to be able to convert a binary policy to a human-readable form.
    Create new function, sepol_kernel_policydb_to_conf(), that takes a policydb created from a binary policy and writes a policy.conf file to the provided FILE pointer.

    Signed-off-by: James Carter

commit 70a480bfcd46214a1cc0fc2cc6c13b72f567480a
Author: James Carter
Date:   Tue Mar 21 15:58:38 2017 -0400

    libsepol: Add ability to convert binary policy to CIL

    It would sometimes be helpful for debugging or verification purposes to be able to convert a binary policy to a human-readable form.

    Create new function, sepol_kernel_policydb_to_cil(), that takes a policydb created from a binary policy and writes CIL policy to the provided FILE pointer.

    Signed-off-by: James Carter

commit 03298a22f7dc6f45885307976d09c9a2f070f9fd
Author: Nicolas Iooss
Date:   Tue Mar 28 23:41:52 2017 +0200

    libsemanage: genhomedircon: fix possible double-free

    When write_contexts() frees variables context and new_context_str after a line has been successfully emitted, these variables are not reset to NULL. This leads the function to free them again if an error occurs when processing the next line. Fix this by always resetting these variables at the beginning of the loop.

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit 85da6194ea6777dc840dc7c9e6770043e9633674
Author: Nicolas Iooss
Date:   Tue Mar 28 23:41:51 2017 +0200

    libsemanage: do not dereference a NULL pointer when calloc() fails

    If "names = calloc(num_modinfos, sizeof(*names))" fails in semanage_get_cil_paths(), the function tries to free items in array "names" even though it is NULL. Avoid this by returning directly.

    This issue has been found using clang's static analyzer.
    Signed-off-by: Nicolas Iooss

commit 0438d5c4212e1f306525c5142619ac79a8b20e02
Author: Nicolas Iooss
Date:   Tue Mar 28 23:41:50 2017 +0200

    libsemanage: do not close uninitialized file descriptors

    When pipe() fails in semanage_pipe_data(), this function closes all file descriptors in variables output_fd, err_fd and input_fd even when they have not been initialized. Fix this by initializing the file descriptors to -1.

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit b251dbba9845e36b93b59b7489ddfd9113009283
Author: Nicolas Iooss
Date:   Tue Mar 28 23:41:49 2017 +0200

    libsepol: fix use-after-free in sepol_user_clone()

    When sepol_user_add_role() fails to allocate memory for role_cp but succeeds in reallocating user->roles memory, it frees this reallocated memory, thus leaving user->roles referencing a free memory block. When sepol_user_clone() calls sepol_user_free(new_user) because the allocation failure made sepol_user_add_role() fail, the following code is executed:

        for (i = 0; i < user->num_roles; i++)
            free(user->roles[i]);
        free(user->roles);

    As user->roles has been freed, this code frees pointers which may be invalid and then tries to free user->roles again.

    Fix this flaw by returning right after strdup() failed in sepol_user_add_role().

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit b6579d262e20e3ac82218abf3a2ce153e15f86a0
Author: Nicolas Iooss
Date:   Tue Mar 28 23:41:48 2017 +0200

    libsepol: constify sepol_genbools()'s boolpath parameter

    This allows removing an unnecessary cast to (char *) in libselinux.

    Signed-off-by: Nicolas Iooss

commit 76f8c04c197f1e53610cd68d372daafab11f82b7
Author: Nicolas Iooss
Date:   Tue Mar 28 23:41:47 2017 +0200

    libsepol: make process_boolean() fail on invalid lines

    When load_booleans() calls process_boolean() to parse a boolean definition, process_boolean() returns a successful value when it fails to use strtok_r() (e.g.
    when there is no "=" in the parsed line). This leads load_booleans() to use uninitialized name and/or val when setting the boolean into the policy.

    Rework process_boolean() in order to report errors when a boolean definition is incorrect.

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit a83f1cfd7e3513896d95828326d45362f53268d2
Author: Nicolas Iooss
Date:   Tue Mar 28 23:41:46 2017 +0200

    libsepol: do not dereference a NULL pointer when stack_init() fails

    In cond_expr_to_cil() when stack_init(&stack) fails, stack is set to NULL and the execution flow jumps to label "exit". This triggers a call to stack_pop(stack) which dereferences a NULL pointer in "if (stack->pos == -1)".

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit 5ed45797df92494a137e16eafb64d54490b1d0d5
Author: Alan Jenkins
Date:   Sun Mar 26 17:22:45 2017 +0100

    policycoreutils: fixfiles: remove useless use of cat

    Don't force output through a pipe - let them access the TTY.

    When run interactively, this acts as a workaround for "Output of fixfiles gets garbled?" https://bugzilla.redhat.com/show_bug.cgi?id=1435894

    E.g. it would also be useful if restorecon ever decides it doesn't want to output backspace characters on non-TTY outputs.

    Signed-off-by: Alan Jenkins

commit 1ac883f1bf81de5bc88118d7db6bfe9c7d698a1d
Author: Alan Jenkins
Date:   Sun Mar 26 17:22:44 2017 +0100

    policycoreutils/setfiles: don't scramble stdout and stderr together

    https://bugzilla.redhat.com/show_bug.cgi?id=1435894

    When output to a non-tty (as caused by the implementation of fixfiles), stdout is fully buffered. stdout should be flushed before writes to stderr.

    See e.g.
    https://news.ycombinator.com/item?id=1271015

    Signed-off-by: Alan Jenkins

commit 1da6fb0610ef6af3ef535ef0fc060d71882d41a5
Author: Alan Jenkins
Date:   Sun Mar 26 17:22:43 2017 +0100

    policycoreutils/setfiles: stdout messages don't need program prefix

    I suggested that if you run a command for its informational output (by passing `-v`), you don't expect it to be prefixed with the program name. Prefixing is used for error messages, so you can tell where your shell script blew up :). If a script is running a command for its informational output, it's usually the script's responsibility to make sure it's in context, e.g. providing headers if there are multiple sections of output.

    Removing the program name from setfiles/restorecon output is particularly useful because it generates very long lines. But also, it actually helps highlight where there are error messages - the prefix will make them stand out visually.

    Signed-off-by: Alan Jenkins

commit d0fafe035da3ae203a9b0cf271d775103ff9af7d
Author: Alan Jenkins
Date:   Sun Mar 26 15:35:51 2017 +0100

    policycoreutils: fixfiles: handle unexpected spaces in command

    I accidentally ran `fixfiles "a b"` during testing. Let's fix this too.

    Before:

        /sbin/fixfiles: line 394: [: a: binary operator expected
        Usage: ...

    After:

        Usage: ...

    Signed-off-by: Alan Jenkins

commit 8c662db964cd1abe4891d9bd609f45a93b87c236
Author: Alan Jenkins
Date:   Sun Mar 26 15:35:50 2017 +0100

    policycoreutils: fixfiles should handle path arguments more robustly

    E.g. `fixfiles restore -v /usr` - before:

        Warning: Skipping the following R/O filesystems:
        /sys/fs/cgroup
        Progress and Verbose mutually exclusive
        usage: /sbin/restorecon [-iFnprRv0] [-e excludedir] pathname...
        usage: /sbin/restorecon [-iFnprRv0] [-e excludedir] -f filename
        Warning: Skipping the following R/O filesystems:
        /sys/fs/cgroup
        229k

    after:

        Warning: Skipping the following R/O filesystems:
        /sys/fs/cgroup
        /sbin/restorecon: lstat(-v) failed: No such file or directory
        Warning: Skipping the following R/O filesystems:
        /sys/fs/cgroup
        229k

    This matches the usage shown in the manual page.

    While we're in there, we should handle spaces as well, e.g. `fixfiles restore "a b"`.

    Before:

        Warning: Skipping the following R/O filesystems:
        /sys/fs/cgroup
        /sbin/restorecon: lstat(b) failed: No such file or directory

    After:

        Warning: Skipping the following R/O filesystems:
        /sys/fs/cgroup
        /sbin/restorecon: lstat(a b) failed: No such file or directory

    Signed-off-by: Alan Jenkins

commit 6e3c3595b15d8656780af24b37e0efd68a32abf5
Author: Nicolas Iooss
Date:   Sat Mar 25 14:48:42 2017 +0100

    libsepol/cil: do not dereference a NULL pointer when calloc() fails

    When list_init() fails to allocate a list with calloc(), it calls list_destroy(&l) with l = NULL. This function starts by dereferencing its argument ("(*list)->head"), which does not work well when it is NULL.

    This bug can be fixed by returning directly in list_init() when calloc() fails. Doing so allows making list_init() implementation shorter by removing label "exit" and local variable "rc".

    This issue has been found using clang's static analyzer.

    Signed-off-by: Nicolas Iooss

commit 4ccc267f7ce23cfe0abcd973fe3394b5dc1482ca
Author: Nikola Forró
Date:   Fri Mar 24 15:27:50 2017 +0100

    mcstrans: fix typo in mcstransd.8 man page

    Signed-off-by: Nikola Forró

commit af0ce03ec7411ebfec365e668bb4c2ca20cb8bbd
Author: James Carter
Date:   Wed Mar 22 14:52:46 2017 -0400

    libsepol/cil: Add hexadecimal support for Xen ioportcon statements

    Add hexadecimal support for Xen ioportcon statements which was left out of commit c408c70.
    Signed-off-by: James Carter

commit da2f2316a3b42466334842e2b6f901077996ec8b
Author: James Carter
Date:   Mon Mar 20 11:11:42 2017 -0400

    libsepol/cil: Use hexadecimal numbers when writing Xen rules

    When writing a policy.conf file from CIL source, use hexadecimal numbers in ioportcon, iomemcon, and pcidevicecon rules.

    Signed-off-by: James Carter

commit 526d0dadb844d022bc10e0c30c0a0c639ded6105
Author: James Carter
Date:   Mon Mar 20 11:08:53 2017 -0400

    libsepol: Update module_to_cil to output hexadecimal for Xen rules

    When generating CIL, use hexadecimal numbers in ioportcon, iomemcon, and pcidevicecon statements.

    Signed-off-by: James Carter

commit c408c70b0ad93b16c115c2770b4c626e41bbdfef
Author: James Carter
Date:   Mon Mar 20 11:06:29 2017 -0400

    libsepol/cil: Allow hexadecimal numbers in Xen context rules

    Allow the use of hexadecimal numbers in iomemcon, ioportcon, and pcidevicecon statements. The use of hexadecimal numbers is often the natural choice for these rules.

    A zero base is now passed to strtol() and strtoull() which will assume base 16 if the string has a prefix of "0x", base 8 if the string starts with "0", and base 10 otherwise.

    Signed-off-by: James Carter

commit dd11ab6f7f412fc6d20885fedc9fe5b12fccd49c
Author: James Carter
Date:   Fri Mar 17 15:58:29 2017 -0400

    checkpolicy: Fix minor memory leak in checkpolicy

    sepol_set_sidtab() is called without calling sepol_sidtab_destroy(). This is not a big deal, since checkpolicy does not run for long, but it does add noise when checking for other, more important, leaks.

    Call sepol_sidtab_destroy() before exiting if not in debug mode.
    Signed-off-by: James Carter

commit 9087bb9c5a7bb89553b3e9c67346a60c08ac429f
Author: Nicolas Iooss
Date:   Fri Mar 17 23:10:03 2017 +0100

    checkpolicy: dereference rangehead after checking it was not NULL

    Signed-off-by: Nicolas Iooss

commit 6707526f1f0ee255342f275651d46f800d18a334
Author: Nicolas Iooss
Date:   Fri Mar 17 22:30:40 2017 +0100

    libsepol/cil: avoid freeing uninitialized values

    cil_resolve_ast() begins by checking whether one of its parameters is NULL and "goto exit;" when it is the case. As extra_args has not been initialized there, this leads to calling cil_destroy_tree_node_stack(), __cil_ordered_lists_destroy()... on garbage values.

    In practice this cannot happen because cil_resolve_ast() is only called by cil_compile() after cil_build_ast() succeeded. As the if condition exists nonetheless, fix the body of the if block in order to silence a warning reported by clang Static Analyzer.

    Signed-off-by: Nicolas Iooss

commit 0864814583a1f334c05231fd73cfb8fed6002a92
Author: Nicolas Iooss
Date:   Fri Mar 17 22:05:26 2017 +0100

    libsepol/cil: make reporting conflicting type transitions work

    When compiling a CIL policy which defines conflicting type transitions, secilc crashes when trying to format an error message with uninitialized values. This is caused by __cil_typetransition_to_avtab() not initializing the ..._str fields of its local variable "struct cil_type_rule trans" before calling __cil_type_rule_to_avtab().

    While at it, make the error report clearer about what is wrong by showing the types and classes which got expanded in __cil_type_rule_to_avtab().
    Here is an example of the result:

        Conflicting type rules (scontext=testuser_emacs.subj tcontext=fs.tmpfs.fs tclass=dir result=users.generic_tmpfs.user_tmpfs_file), existing=emacs.tmpfs.user_tmpfs_file
        Expanded from type rule (scontext=ARG1 tcontext=fs tclass=ARG3 result=ARG2)

    Reported-By: Dominick Grift
    Signed-off-by: Nicolas Iooss

commit 317743bbe2a235a5c68f1066b4153e0726a3118f
Author: Stephen Smalley
Date:   Wed Mar 15 13:10:18 2017 -0400

    python/semanage: fix export of fcontext socket entries

    Fixes https://github.com/SELinuxProject/selinux/issues/49 (#49).

    Signed-off-by: Stephen Smalley

commit fba9d0103562c1435e4ab72753accf755f9729f7
Author: Ville Skyttä
Date:   Thu Mar 9 11:09:35 2017 +0200

    Python 3.6 invalid escape sequence deprecation fixes

    https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior

    A backslash-character pair that is not a valid escape sequence now generates a DeprecationWarning. Although this will eventually become a SyntaxError, that will not be for several Python releases.

    The problem appears when you use '-W error':

        $ python3 -W error -c 'import re; re.findall("[^a-zA-Z0-9_\-\.]", " *%$")'
          File "<string>", line 1
        SyntaxError: invalid escape sequence \-

    Signed-off-by: Ville Skyttä

    [ Edited commit message as per suggestion from Petr Lautrbach ]

    Signed-off-by: Stephen Smalley

commit 718bc4bcdf7a9f9d5654f843a38bc208fca78598
Author: Vit Mojzis
Date:   Fri Mar 3 10:52:56 2017 +0100

    python/sepolicy: fix obtaining domain name in HTMLManPages

    HTMLManPages got the domain name by splitting the name of the selinux manpage on "_selinux", which doesn't work properly when the domain name contains "_selinux".
    Signed-off-by: Vit Mojzis

commit cd20f9c257e7e86fde2259f698677c914c35cfee
Author: Nicolas Iooss
Date:   Sun Mar 5 18:13:05 2017 +0100

    policycoreutils: add noreturn attribute to usage()

    Signed-off-by: Nicolas Iooss

commit 28a6a560fa0dbc6f2f45f2cc8773f6baa0652ac7
Author: Nicolas Iooss
Date:   Sun Mar 5 18:13:04 2017 +0100

    semodule-utils: add noreturn attribute to usage()

    Signed-off-by: Nicolas Iooss

commit 2f8926f755cb4eb97eb9c0fdbd9e15af8515bdef
Author: Nicolas Iooss
Date:   Sun Mar 5 18:13:03 2017 +0100

    mcstrans: add noreturn attribute to usage()

    Signed-off-by: Nicolas Iooss

commit 840a7c9180e26391869d8b0f4d01f0028a714f6a
Author: Nicolas Iooss
Date:   Sun Mar 5 18:13:02 2017 +0100

    secilc: add noreturn attribute to usage()

    While at it, make usage() static and mark its argument as const.

    Signed-off-by: Nicolas Iooss

commit ef61dd7d4b6d9acb480201670a4c540ba6521fa4
Author: Nicolas Iooss
Date:   Sun Mar 5 18:13:01 2017 +0100

    checkpolicy: add noreturn attribute to usage()

    While at it, make usage() static and mark its argument as const.

    Signed-off-by: Nicolas Iooss

commit e720859f57fcc36dd23a1a4fb66e5f75a0edf26c
Author: Nicolas Iooss
Date:   Sun Mar 5 18:13:00 2017 +0100

    restorecond: add noreturn attribute to exitApp()

    This makes it possible for static analyzers such as clang's one to understand that strings_list_add() cannot dereference a NULL pointer in the following code:

        if (!newptr)
            exitApp("Out of Memory");
        newptr->string = strdup(string);

    Signed-off-by: Nicolas Iooss

commit 43b24f0132bc7e48044af062b25cf009c6f136d7
Author: Stephen Smalley
Date:   Tue Feb 28 10:26:48 2017 -0500

    libsepol: Define cgroup_seclabel policy capability

    Define the new cgroup_seclabel policy capability used to enable userspace setting of security labels on cgroup files via setfscreatecon() aka /proc/self/attr/fscreate and/or setfilecon() aka setxattr().
    Signed-off-by: Stephen Smalley

commit ded385d37787c78d5cb5857085d07f850bb09db4
Author: Nicolas Iooss
Date:   Mon Feb 27 21:39:35 2017 +0100

    libselinux: initialize temp value in SWIG wrapper to prevent freeing garbage

    Currently this Python program triggers a segmentation fault in libselinux SWIG wrapper:

        import selinux
        selinux.get_ordered_context_list()

    gdb shows that the segmentation fault occurs when freeing some memory:

        Reading symbols from python...(no debugging symbols found)...done.
        Starting program: /usr/bin/python -c import\ selinux\;selinux.get_ordered_context_list\(\)
        [Thread debugging using libthread_db enabled]
        Using host libthread_db library "/usr/lib/libthread_db.so.1".

        Program received signal SIGSEGV, Segmentation fault.
        0x00007ffff789a304 in free () from /usr/lib/libc.so.6
        (gdb) bt
        #0  0x00007ffff789a304 in free () from /usr/lib/libc.so.6
        #1  0x00007ffff6011499 in freeconary (con=0x7ffff6ac5d00) at freeconary.c:14
        #2  0x00007ffff6296899 in _wrap_get_ordered_context_list (self=, args=) at selinuxswig_wrap.c:6185
        #3  0x00007ffff741891f in _PyCFunction_FastCallDict () from /usr/lib/libpython3.6m.so.1.0
        ...

    SWIG generated the following code for _wrap_get_ordered_context_list():

        char ***arg3 = (char ***) 0 ;
        char **temp3 ;

        arg3 = &temp3;
        if (!PyArg_ParseTuple(args, "OO:get_ordered_context_list",&obj0,&obj1)) SWIG_fail;
        /* ... */
        fail:
        if (*arg3) freeconary(*arg3);

    If PyArg_ParseTuple fails, freeconary() is called on the value of "temp3", which has not been initialized. Fix this by initializing temp to NULL in the SWIG template.

    A similar issue exists with security_get_boolean_names(). Fix it too.

    This issue has been found using clang's static analyzer, on a system which uses SWIG 3.0.12.

    Signed-off-by: Nicolas Iooss

commit 6305bfbc005532e0b1fbc500d59880a9e92569c5
Author: Nicolas Iooss
Date:   Mon Feb 27 21:39:34 2017 +0100

    mcstrans: do not dereference color_str if it is NULL

    This bug has been found using clang static analyzer.
    Signed-off-by: Nicolas Iooss

commit ccfbd9aa17ff69eca4cd01d8a5689a82d754ddbb
Author: Nicolas Iooss
Date:   Mon Feb 27 21:39:33 2017 +0100

    libsemanage/tests: include libsepol headers from $DESTDIR

    When building and running tests on a system without SELinux with a command similar to "make DESTDIR=/tmp/destdir install test", libsemanage tests fail to build with the following error:

        In file included from utilities.h:20:0,
                         from utilities.c:24:
        ../src/handle.h:29:26: fatal error: sepol/handle.h: No such file or directory
         #include <sepol/handle.h>
                                  ^

    Fix this by adding the newly-installed directory under $DESTDIR (using variable $PREFIX) in the search paths of the compiler.

    Signed-off-by: Nicolas Iooss

commit 4176a292354c77787237a093af41eb7b528c9cc5
Author: Nicolas Iooss
Date:   Mon Feb 27 21:39:32 2017 +0100

    libsemanage: never call memcpy with a NULL value

    clang's static analyzer reports "Argument with 'nonnull' attribute passed null" in append_str(), because argument t may be NULL but is used in a call to memcpy(). Make append_str() do nothing when called with t=NULL.

    Signed-off-by: Nicolas Iooss

commit ddaf0afec7c640c752979de2ed7ff8991aaef6f8
Author: Nicolas Iooss
Date:   Mon Feb 27 21:39:31 2017 +0100

    libsepol/cil: do not dereference args before checking it was not null

    Signed-off-by: Nicolas Iooss

commit 322888962031c787327bad9dfd925d8123223476
Author: Nicolas Iooss
Date:   Mon Feb 27 21:39:30 2017 +0100

    semodule_package: do not leak memory when using -u or -s

    When using -u and -s options, semodule_package's main() allocates user_extra and seusers to hold the argument values. These allocated memory blocks are not freed when main() exits, which leads gcc's Address Sanitizer to report a memory leak. This occurs for example when building refpolicy base.pp module.
    Signed-off-by: Nicolas Iooss

commit ed51e23f159a6af69d0b1ed89b1e237ed180aa21
Author: Vit Mojzis
Date:   Tue Feb 21 15:41:23 2017 +0100

    sepolgen: strip non-printable characters when parsing audit messages

    Strip the following characters

        \x1c File Separator
        \x1d Group Separator
        \x1e Record Separator
        \x85 Next Line (C1 Control Code)

    from audit message fields to make sure they are not evaluated as part of some identifier (e.g. ausearch used to insert \x1d into --raw output, resulting in "unrecognized class" error messages). This is done as part of str.split() in python3.

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1406328

commit 1cd3e1a40ad261ce9db8d7febd8091ad5cda1023
Author: Nicolas Iooss
Date:   Sun Feb 19 22:53:29 2017 +0100

    libselinux, libsemanage: make PYPREFIX computation more robust

    On systems where $PYTHON is python3.5 (instead of python2 or python3), pkg-config fails to find the Python package because it is named with a dash (e.g. python-3.5). Moreover the build system may have been using the pkg-config configuration files for the wrong Python version when several Pythons with the same major version number are installed (e.g. using python-3.5 on a system with both python-3.4 and python-3.5 and where /usr/lib/pkgconfig/python3.pc is a symlink to python-3.5.pc).

    In order to fix these two issues, compute $PYPREFIX from $PYTHON by using the full major.minor version.

    Moreover update Travis-CI configuration to grab the relevant configuration files for pkg-config from /opt/python (for example /opt/python/3.5.2/lib/pkgconfig/python-3.5.pc) instead of using system-provided files (/usr/lib/x86_64-linux-gnu/pkgconfig/python3.pc and /usr/lib/x86_64-linux-gnu/pkgconfig/python2.pc).
    Signed-off-by: Nicolas Iooss

commit a2d40aaeba75762f690c07a4d01fff9da9416fa3
Author: James Carter
Date:   Tue Feb 21 13:11:15 2017 -0500

    libsepol/cil: Move initialization of bitmap in __cil_permx_to_bitmap()

    Nicolas Iooss reports:

    When __cil_permx_to_bitmap() calls __cil_permx_str_to_int() on an invalid number, local variable "bitmap" is left initialized when the function returns and its memory is leaked.

    This memory leak has been found by running clang's Address Sanitizer on a set of policies generated by American Fuzzy Lop.

    Move the initialization of bitmap to right before ebitmap_set_bit() and after the call to __cil_permx_str_to_int().

    Signed-off-by: James Carter

commit 95e5c103f30db12b8cd0d9f77bb525782831fa10
Author: Nicolas Iooss
Date:   Sun Feb 19 11:30:58 2017 +0100

    libsepol/cil: free bitmaps in cil_level_equals()

    cil_level_equals() builds two bitmaps and compares them but does not destroy them before returning the result.

    This memory leak has been found by running clang's Address Sanitizer on a set of policies generated by American Fuzzy Lop.

    Signed-off-by: Nicolas Iooss

commit 9feaf0380db5872a3120f537b0a26627d179bcec
Author: Nicolas Iooss
Date:   Sun Feb 19 11:30:57 2017 +0100

    libsepol/cil: do not leak left-hand side of an invalid constraint

    __cil_fill_constraint_expr() does not destroy the list associated with the first operand of a two-operand operation when the second operand is invalid.

    This memory leak can be reproduced with the following policy:

        (constrain (files (read)) (not (or (and (eq t1 exec_t) (%q t2 bin_t)) (eq r1 r2))))

    This memory leak has been found by running clang's Address Sanitizer on a set of policies generated from secilc/test/policy.cil by American Fuzzy Lop.
    Signed-off-by: Nicolas Iooss

commit 602385d70c769f2f65166079ae588957bc384030
Author: Nicolas Iooss
Date:   Sun Feb 19 11:30:56 2017 +0100

    libsepol/cil: free the first operand if the second one is invalid

    When __cil_expr_to_bitmap() fails to parse the second operand of an operation with two operands, it returns an error without destroying the bitmap which has been created for the first operand. Fix this memory leak.

    This has been tested with the following policy:

        (class CLASS (PERM))
        (classorder (CLASS))
        (sid SID)
        (sidorder (SID))
        (user USER)
        (role ROLE)
        (type TYPE)
        (category CAT)
        (categoryorder (CAT))
        (sensitivity SENS)
        (sensitivityorder (SENS))
        (sensitivitycategory SENS (CAT))
        (allow TYPE self (CLASS (PERM)))
        (roletype ROLE TYPE)
        (userrole USER ROLE)
        (userlevel USER (SENS))
        (userrange USER ((SENS)(SENS (CAT))))
        (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
        (permissionx ioctl_test (ioctl CLASS (and (range 0x1600 0x19FF) (.ot (range 0x1750 0x175F)))))

    This memory leak has been found by running clang's Address Sanitizer on a set of policies generated from secilc/test/policy.cil by American Fuzzy Lop.

    Signed-off-by: Nicolas Iooss

commit 7fe9a7be312b6889840f8e05db16da848aca0e10
Author: Nicolas Iooss
Date:   Sun Feb 19 11:30:54 2017 +0100

    libsepol/cil: use __cil_ordered_lists_destroy() to free unordered_classorder_lists

    In cil_resolve_ast, unordered_classorder_lists is a list of cil_ordered_list. It needs to be destroyed with __cil_ordered_lists_destroy() to free all associated memory.

    This has been tested with the following policy:

        (class CLASS1 ())
        (class CLASS2 ())
        (classorder (unordered CLASS1))
        (classorder (CLASS2))

    This memory leak has been found by running clang's Address Sanitizer on a set of policies generated by American Fuzzy Lop.
    Signed-off-by: Nicolas Iooss

commit 9edcf28a042f406cfb5eee50daafb6f3c18e4181
Author: James Carter
Date:   Wed Feb 8 10:58:04 2017 -0500

    libsepol/cil: Destroy cil_tree_node stacks when finished resolving AST

    CIL uses separate cil_tree_node stacks for optionals and blocks to check for statements not allowed in optionals or blocks and to know which optional to disable when necessary. But these stacks were not being destroyed when exiting cil_resolve_ast(). This is not a problem normally because the stacks will be empty, but this is not the case when exiting with an error.

    Destroy both tree node stacks when exiting to ensure that they are empty.

    Signed-off-by: James Carter

commit c9adfe2d2653d2ecc75098b66a824b4aa0d98f4e
Author: Nicolas Iooss
Date:   Sun Feb 5 12:40:01 2017 +0100

    Introduce Travis-CI tests

    Add a configuration file for https://travis-ci.org/. This continuous integration platform can build the project for several configurations on Linux, using different compilers, linkers, Python versions and Ruby versions. An example of build results is available on https://travis-ci.org/fishilico/selinux/builds/185912863

    Even if the SELinux userland libraries and tools project does not enable Travis-CI integration, the .travis.yml file may be helpful for contributors who wish to run tests in several configurations.

    Current limitations:

    - It does not run an OS X build. Travis-CI provides free OS X environments but it is quite difficult to configure a single .travis.yml file which defines many Linux environments and some OS X ones.
    - It only runs Ubuntu 14.04 with an x86-64 CPU. This does not test Android, ARM nor 32-bit x86 configurations.
    - It only builds with glibc, not musl or other light C library.
    Signed-off-by: Nicolas Iooss

commit eeafde13513b105376f52f93b1fd836d524545f0
Author: Nicolas Iooss
Date:   Sun Feb 5 15:14:01 2017 +0100

    libsepol/cil: fix type confusion in cil_copy_ast

    When running secilc on the following CIL file, the program tries to free the data associated with type X using cil_destroy_typeattribute():

        (macro sys_obj_type ((user ARG1))
            (typeattribute X))
        (block B
            (type X)
            (call sys_obj_type (Y))
        )

    By adding some printf statements to cil_typeattribute_init(), cil_type_init() and cil_destroy_typeattribute(), the error message I get when using gcc's address sanitizer is:

        $ secilc -o /dev/null -f /dev/null test.cil -vvvvvv
        creating TYPE 0x60400000dfd0
        Parsing 2017-02-02_crashing_nulptrderef_cil.cil
        Building AST from Parse Tree
        creating TYPEATTR 0x60600000e420
        creating TYPE 0x60400000df50
        Destroying Parse Tree
        Resolving AST
        Failed to resolve call statement at 2017-02-02_crashing_nulptrderef_cil.cil:5
        Problem at 2017-02-02_crashing_nulptrderef_cil.cil:5
        Pass 8 of resolution failed
        Failed to resolve ast
        Failed to compile cildb: -2
        Destroying TYPEATTR 0x60600000e420, types (nil) name X
        Destroying TYPEATTR 0x60400000df50, types 0xbebebebe00000000 name X
        ASAN:DEADLYSIGNAL
        =================================================================
        ==30684==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc0539d114a bp 0x7ffc1fbcb300 sp 0x7ffc1fbcb2f0 T0)
            #0 0x7fc0539d1149 in ebitmap_destroy /usr/src/selinux/libsepol/src/ebitmap.c:356
            #1 0x7fc053b96201 in cil_destroy_typeattribute ../cil/src/cil_build_ast.c:2370
            #2 0x7fc053b42ea4 in cil_destroy_data ../cil/src/cil.c:616
            #3 0x7fc053c595bf in cil_tree_node_destroy ../cil/src/cil_tree.c:235
            #4 0x7fc053c59819 in cil_tree_children_destroy ../cil/src/cil_tree.c:201
            #5 0x7fc053c59958 in cil_tree_subtree_destroy ../cil/src/cil_tree.c:172
            #6 0x7fc053c59a27 in cil_tree_destroy ../cil/src/cil_tree.c:165
            #7 0x7fc053b44fd7 in cil_db_destroy ../cil/src/cil.c:299
            #8 0x4026a1 in main /usr/src/selinux/secilc/secilc.c:335
            #9 0x7fc0535e5290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
            #10 0x403af9 in _start (/usr/src/selinux/DESTDIR/usr/bin/secilc+0x403af9)

        AddressSanitizer can not provide additional info.
        SUMMARY: AddressSanitizer: SEGV /usr/src/selinux/libsepol/src/ebitmap.c:356 in ebitmap_destroy
        ==30684==ABORTING

    When copying the AST tree in cil_resolve_call1(), __cil_copy_node_helper() calls cil_copy_typeattribute() to grab type X in the symbol table of block B, and creates a node with the data of X but with CIL_TYPEATTRIBUTE flavor.

    This example is a "type confusion" bug between cil_type and cil_typeattribute structures. It can be generalized to any couple of structures sharing the same symbol table (an easy way of finding other couples is by reading the code of cil_flavor_to_symtab_index()).

    Fix this issue in a "generic" way in __cil_copy_node_helper(), by verifying that the flavor of the found data is the same as expected and triggering an error when it is not.

    Signed-off-by: Nicolas Iooss

commit 1f312a9247dbc7120c5973e99a64fecaada68742
Author: James Carter
Date:   Mon Feb 6 11:06:42 2017 -0500

    policycoreutils/semodule: fix -Wwrite-strings warnings

    Nicolas Iooss reports that when building with "clang -Wwrite-strings", the compiler complains about initializing the char* array genhomedirconargv with literal strings.

    Make genhomedirconargv an array of pointers to const char and cast it as non-const when assigning it to argv.

    Signed-off-by: James Carter

commit 68a4203f8742b1d06fe7401d6ede14b14e14f3be
Author: Nicolas Iooss
Date:   Sun Feb 5 16:58:20 2017 +0100

    libsemanage/tests: fix -Wwrite-strings warnings

    Signed-off-by: Nicolas Iooss

commit c33fd02db5012b5b3582778f80e68b703441a215
Author: Nicolas Iooss
Date:   Sun Feb 5 16:58:19 2017 +0100

    libsepol/tests: fix -Wwrite-strings warnings

    Since fd9e5ef7b78b ("libsepol: use constant keys in hashtab functions") it is possible to call hashtab_search() with a const char* key value.
    Doing so fixes compiler warnings about non-const char* string literals (-Wwrite-strings flag).

    Signed-off-by: Nicolas Iooss

commit 9c770fe87e34a2d55da2f043afc127e4be262e6c
Author: Nicolas Iooss
Date:   Sun Feb 5 16:58:18 2017 +0100

    semodule_deps: hide -Wwrite-strings warnings

    generate_requires() may use a non-freeable string, BASE_NAME, as key in a hashtable. The compiler complains about this small abuse of hashtab_insert() interface (because its argument key is char* without "const"). Nevertheless this is all right because the hashtab keys are never freed directly (this behavior is documented in a comment in free_requires()).

    Therefore, hide the compiler warning by casting BASE_NAME to char*.

    Signed-off-by: Nicolas Iooss

commit 0df0b25d95ac2310cc98ae44c9b8f64c3fb592d6
Author: Nicolas Iooss
Date:   Sun Feb 5 16:58:17 2017 +0100

    mcstrans: fix -Wwrite-strings warnings

    Signed-off-by: Nicolas Iooss

commit 2f94ac47d5b4c8e4aa5ea8014fa630565730c172
Author: Nicolas Iooss
Date:   Sun Feb 5 16:58:16 2017 +0100

    policycoreutils/hll/pp: fix -Wwrite-strings warnings

    In main(), variable ifile can be made const char*. While at it, make ofile const char* too.
    Signed-off-by: Nicolas Iooss

commit a51b30ae23676502b63a2808456f6590ba8a3a23
Author: Nicolas Iooss
Date:   Sun Feb 5 16:58:14 2017 +0100

    libsemanage: make lang_ext parameter const in semanage_direct_write_langext()

    When building with "clang -Wwrite-strings", the compiler reports the following warnings:

        direct_api.c:1030:46: error: passing 'const char [4]' to parameter of type 'char *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                        status = semanage_direct_write_langext(sh, "cil", modinfo);
                                                                   ^~~~~
        direct_api.c:898:11: note: passing argument to parameter 'lang_ext' here
                        char *lang_ext,
                              ^
        direct_api.c:1030:46: error: passing 'const char [4]' to parameter of type 'char *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                        status = semanage_direct_write_langext(sh, "cil", modinfo);
                                                                   ^~~~~
        direct_api.c:898:11: note: passing argument to parameter 'lang_ext' here
                        char *lang_ext,
                              ^

    Signed-off-by: Nicolas Iooss

commit d6b5b037f913e2770967f480f66b06a13a72a4cd
Author: Nicolas Iooss
Date:   Sun Feb 5 16:58:13 2017 +0100

    libsepol: fix -Wwrite-strings warnings

    When compiling with -Wwrite-strings, clang reports some warnings like:

        module_to_cil.c:784:13: error: assigning to 'char *' from 'const char [5]' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                        statement = "type";
                                  ^ ~~~~~~
        module_to_cil.c:787:13: error: assigning to 'char *' from 'const char [5]' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                        statement = "role";
                                  ^ ~~~~~~

    Add a const type attribute to local variables which only handle constant strings.

    Signed-off-by: Nicolas Iooss

commit 192153db43c59e5ca460b2a8cd4605de91cfd511
Author: James Carter
Date:   Mon Feb 6 11:01:32 2017 -0500

    checkpolicy: Make print_error_msg() static

    The function print_error_msg() in module_compiler.c is not called externally, so make it static.
    Signed-off-by: James Carter

commit 5d56c2679d3fff113c76bd8bd7846628a2e46f04
Author: James Carter
Date:   Tue Jan 31 13:47:48 2017 -0500

    checkpolicy: Remove unneeded return check in require_symbol()

    Since symtab_insert() no longer returns -2 in the case of a declaration of an identifier followed by a require of the same symbol, remove the unneeded check.

    Signed-off-by: James Carter

commit 8adbd615c19cfa0fd5e9b857e5ffcbfd263af82d
Author: James Carter
Date:   Tue Jan 31 13:47:36 2017 -0500

    libsepol: Return +1 when declaration is followed by a require

    A check is made in symtab_insert() for the case when an identifier had already been declared and was now being required. This meant that a declaration followed by a require was treated differently from a require followed by a declaration. Remove that check and treat both cases the same (which means returning +1).

    Signed-off-by: James Carter

commit b6f3e0086fdf0ffb8a5e1ff34245596bc67007f3
Author: James Carter
Date:   Tue Jan 31 13:47:30 2017 -0500

    checkpolicy: Improve check for identifier flavor mismatch

    An identifier flavor mismatch occurs when an identifier is declared or required as a regular role or type in one place but as an attribute in another place. Currently there is only a check for an identifier flavor mismatch when a type has already been declared and there is a require of the same type in the same scope. There are no checks if the require comes first and there are no checks for roles.

    Check for an identifier flavor mismatch for both roles and types whenever a declaration or requirement tries to add an identifier that is already in the symtab.

    Signed-off-by: James Carter

commit d676e7ce3c618c9f3ce8d50fce9ef64772e1e677
Author: James Carter
Date:   Tue Jan 31 13:47:22 2017 -0500

    checkpolicy: Move common require and declare code into new function

    Move common code from declare_symbol() and require_symbol() to a new function named create_symbol().
    Signed-off-by: James Carter

commit a7a0678999e3b1fd4b36743d8a3c909dc7a2ded4
Author: James Carter
Date:   Tue Jan 31 13:47:17 2017 -0500

    checkpolicy: Cleanup error messages

    Add the new function print_error_msg() to print an error message based on the local error number and symbol_type. Remove the duplicate switch statements used throughout module_compiler.c to display error messages.

    Signed-off-by: James Carter

commit a141c0d19fccd1f19203e5e80ddbc74380636012
Author: James Carter
Date:   Tue Jan 31 13:47:11 2017 -0500

    checkpolicy: Create common function for user declares and requires

    Move common code out of declare_user() and require_user() into the new function create_user().

    Signed-off-by: James Carter

commit bd0576805769a93075a79315598c4c54f55778ed
Author: James Carter
Date:   Tue Jan 31 13:47:04 2017 -0500

    checkpolicy: Create common function for role declares and requires

    Move common code out of declare_role() and require_role_or_attribute() into the new function create_role().

    Signed-off-by: James Carter

commit daaaf28bfb66c2c56cfdf500916356c0ef0373a4
Author: James Carter
Date:   Tue Jan 31 13:46:53 2017 -0500

    checkpolicy: Create common function for type declares and requires

    Move common code out of declare_type() and require_type_or_attribute() into the new function create_type().

    Signed-off-by: James Carter

commit cfea39714cd98fb59c9851646b3732e741e1f053
Author: Stephen Smalley
Date:   Fri Jan 27 09:53:30 2017 -0500

    policycoreutils: remove deprecated -o option from fixfiles verify

    Signed-off-by: Stephen Smalley

commit 454768f56d7a941657d800e303994bca086b7546
Author: Richard Haines
Date:   Fri Jan 27 12:47:49 2017 +0000

    setfiles: Fix setfiles progress indicator

    This fixes the following bug: UX regression: setfiles progress indicator is now misleading and confusing in fixfiles.

    The outputting of * is replaced by the number of files in 1k increments as the previous versions.
    If "/" is specified on the pathname, then this will indicate a mass relabel, an example output will be:

        restorecon -nRp /etc /tmp /boot /
        /etc 100.0%
        /tmp 100.0%
        /boot 100.0%
        3.2%

    Also setfiles(8) and restorecon(8) versions that are implemented using the selinux_restorecon(3) function do not support the [-o filename] option as this was deprecated. This has now been made clear by displaying a message to stderr.

    The documentation has also been updated to reflect these changes.

    Reported-by: Alan Jenkins
    Signed-off-by: Richard Haines

commit b9213c7f1af253a8b309343fde50ab9e79e33db2
Author: Lokesh Mandvekar
Date:   Wed Jan 25 15:46:35 2017 -0500

    libselinux: selinux_restorecon.3 man page typo fix

    Signed-off-by: Lokesh Mandvekar

commit 1ef665cb92a59f66563addb317541be986e11169
Author: Steve Lawrence
Date:   Wed Jan 25 12:17:16 2017 -0500

    libsepol: fix pp module to cil nodecon statement

    Policy modules do not have the concept of named IP addresses like CIL does. So when converting nodecon statements from pp policy modules to CIL, we need to wrap the IP address and mask parameters in parentheses so that the CIL compiler does not try to resolve them as named addresses, but instead treats them as anonymous.

    Signed-off-by: Steve Lawrence

commit 05abcb1d13a1069556d21070fa299f3ffc4a50a4
Author: Thomas Petazzoni
Date:   Wed Jan 25 22:44:16 2017 +1300

    libselinux/src/regex.c: support old compilers for the endian check

    libselinux 2.6 has added some code in regex.c that uses __BYTE_ORDER__ to determine the system endianness. Unfortunately, this definition provided directly by the compiler doesn't exist in older gcc versions such as gcc 4.4.

    In order to address this, this commit extends the logic to use definitions if __BYTE_ORDER__ is not provided by the compiler. This allows libselinux to build properly with gcc 4.4.
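The endianness fallback described in the libselinux regex.c commit above, as an added C example (not the project's own regex.c): the preprocessor prefers the compiler-provided __BYTE_ORDER__ and falls back to the __BYTE_ORDER definition from <endian.h> for compilers that lack it, and a runtime probe cross-checks the result. The macro HOST_IS_LITTLE_ENDIAN and all function names are this example's own assumptions, as is the idea that a loader of precompiled regex data would compare such a marker.

```c
#include <stdint.h>
#include <string.h>

/* Compile-time host byte order. Prefer the compiler's __BYTE_ORDER__; fall back
 * to <endian.h>'s __BYTE_ORDER for compilers such as gcc 4.4 that do not
 * predefine it. HOST_IS_LITTLE_ENDIAN is this example's own macro name. */
#if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__)
#  if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#    define HOST_IS_LITTLE_ENDIAN 1
#  else
#    define HOST_IS_LITTLE_ENDIAN 0
#  endif
#else
#  include <endian.h>
#  if __BYTE_ORDER == __LITTLE_ENDIAN
#    define HOST_IS_LITTLE_ENDIAN 1
#  else
#    define HOST_IS_LITTLE_ENDIAN 0
#  endif
#endif

/* Marker that a loader of precompiled, architecture-specific data would store
 * or compare (assumed usage): 1 on little-endian hosts, 0 on big-endian ones. */
int host_endianness_marker(void)
{
    return HOST_IS_LITTLE_ENDIAN;
}

/* Runtime probe that depends on no macro: look at the first byte in memory of
 * a known 32-bit value. */
int host_is_little_endian_runtime(void)
{
    uint32_t v = 0x01020304u;
    unsigned char b[sizeof v];
    memcpy(b, &v, sizeof b);
    return b[0] == 0x04;
}

/* Returns 1 when the preprocessor answer agrees with the runtime probe; a 0
 * here would mean the fallback selected the wrong value on this toolchain. */
int endianness_checks_agree(void)
{
    return host_endianness_marker() == host_is_little_endian_runtime();
}

/* Reading a little-endian 32-bit field from a byte buffer without relying on
 * the host order at all: the approach for on-disk formats that should load on
 * any architecture instead of being rejected on a mismatch. */
uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
```

Building this with -Wundef is a useful extra check: it flags the case where neither branch of the #if defines a macro at all, which is exactly how an old compiler silently ends up with the wrong byte order.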
    Signed-off-by: Thomas Petazzoni

commit b88c4a4707c942028d7d0035bba9057fa031e83b
Author: Stephen Smalley
Date:   Tue Jan 24 14:43:48 2017 -0500

    libselinux: disable filespec hash table stats on non-debug builds

    Disable generating filespec hash table stats on non-debug builds, as they are not useful information for users and cause fixfiles check to produce noisy output.

    Reported-by: Alan Jenkins
    Signed-off-by: Stephen Smalley

commit bd4ffeb435bdcb3ce7db1ddd9823986daf7638e2
Author: Stephen Smalley
Date:   Tue Jan 24 14:34:17 2017 -0500

    policycoreutils/setfiles: set up a logging callback for libselinux

    Define a logging callback for libselinux so that any informational or error messages generated by libselinux functions are properly prefixed with the program name and routed to the proper output stream.

    Signed-off-by: Stephen Smalley

commit ac7899fc3ad6221e195dd13cdf14b346897314ae
Author: Alan Jenkins
Date:   Mon Jan 23 12:15:50 2017 +0000

    policycoreutils: let output of `fixfiles` be redirected (as normal)

    fixfiles was redirecting log output to `tty`. This overrides user intent e.g. when shell redirection is used. Redirect it to stdout, using /proc. `tty` equally depended on /proc. We do not depend on /dev/stdout: it might not be present, if a rescue system is booted with devtmpfs (no udev daemon).

    By default, log messages were redirected into the void when not run from a tty. We consider this a bug, which is now fixed.

    1. If calling scripts happen to require the old behaviour, they can easily write the same code themselves.

    2. When fixfiles is run from Fedora's selinux-autorelabel.service, the calling script is specifically run from a tty. Also Fedora's calling script chooses to redirect stdout and stderr to /dev/null. This redirection will now succeed, improving the transparency of the code. The previous behaviour may be obtained by choosing not to redirect the progress messages of this long-running process to /dev/null.
    A patch has been submitted to Fedora to suggest this novel approach: https://bugzilla.redhat.com/show_bug.cgi?id=1415674

    Complete disclosure:

    * Remove unused variable LOGGER.
    * Fix logfiles containing spaces.

    Disclaimer:

    1. "Log" output may contain escape sequences (backspace?) e.g. in `fixfiles -l log.txt restore`. This is not the usual understanding of a log file.

    2. For some reason, not all informative messages are sent to `-l` e.g. the list of filesystems, and "cleaning up labels on /tmp".

    3. `function logit` is retained, but the logfile is also written to outside this function. Implementing support for the system log would require another function which accepts piped input. Also see point 1.

    Signed-off-by: Alan Jenkins

commit 7da9bc00f26dc06ad3072de22563472220cdfa9f
Author: Nicolas Iooss
Date:   Sat Jan 21 15:26:13 2017 +0100

    checkpolicy: do not leak memory when a class is not found in an avrule

    While checkmodule tries to compile the following policy file and fails because class "process" is not found, it does not free some allocated memory:

        module ckpol_leaktest 1.0.0;
        require {type TYPE1;}
        allow TYPE1 self:process fork;

    clang memory sanitizer output is:

        =================================================================
        ==16050==ERROR: LeakSanitizer: detected memory leaks

        Direct leak of 136 byte(s) in 1 object(s) allocated from:
            #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
            #1 0x41a620 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2450:24
            #2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
            #3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
            #4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
            #5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

        Direct leak of 8 byte(s) in 1 object(s) allocated from:
            #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
            #1 0x411c87 in insert_id /usr/src/selinux/checkpolicy/policy_define.c:120:18

        Indirect leak of 24 byte(s) in 1 object(s) allocated from:
            #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
            #1 0x43133c in ebitmap_set_bit /usr/src/selinux/libsepol/src/ebitmap.c:321:27

        Indirect leak of 18 byte(s) in 1 object(s) allocated from:
            #0 0x7f8bd80b5eb0 in __interceptor___strdup (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0x84eb0)
            #1 0x41a6e5 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2460:28
            #2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
            #3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
            #4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
            #5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

        SUMMARY: AddressSanitizer: 186 byte(s) leaked in 4 allocation(s).

    Signed-off-by: Nicolas Iooss

commit 42658e729f56481dabc7c9c98f9c1580763a8c75
Author: Nicolas Iooss
Date:   Sat Jan 21 15:26:12 2017 +0100

    checkpolicy: add a missing free(id) in define_roleattribute()

    Signed-off-by: Nicolas Iooss

commit 0a0d05528349ae5b13fe21a9a3bfd9ea147fa128
Author: Nicolas Iooss
Date:   Sat Jan 21 15:26:11 2017 +0100

    checkpolicy: fix memory leaks in define_filename_trans()

    When parsing type_transition statements with names, the memory allocated by the type set bitmaps of variable stypes and ttypes was never freed. Call type_set_destroy() to free this memory and, while at it, make the function exit without leaking memory when exiting with an error.

    Signed-off-by: Nicolas Iooss

commit aa1a8a3c84d9c04fcf0b53b1bfdbefa502cc22f1
Author: Nicolas Iooss
Date:   Sat Jan 21 15:26:10 2017 +0100

    checkpolicy: always free id in define_type()

    In function define_type(), some error conditions between "id = queue_remove(id_queue)" and "get_local_type(id, attr->s.value, 1)" returned without freeing id. Fix these memory leaks.
    Signed-off-by: Nicolas Iooss

commit 4a05e95f196604495642978993bbc90766ec42f6
Author: Karl MacMillan
Date:   Fri Jan 20 12:15:59 2017 -0500

    libsepol compilation fixes for macOS.

    ln on macOS doesn't support --relative, so use the gnu version by default. Also document how to build on macOS.

    Signed-off-by: Karl MacMillan

commit cdc653a447a807298d158c22759f76c2892d9008
Author: Vit Mojzis
Date:   Thu Jan 19 11:34:09 2017 +0100

    policycoreutils/hll/pp: Fix pp crash when processing base module

    Policy module structure created by libsepol out of base module contains NULL in module name, which results in segfault in "pp" compiler. Add NULL check.

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1350806

    Signed-off-by: Vit Mojzis

commit 6c853f3fb94eca916059ff05a6b1539bb138da25
Author: Nicolas Iooss
Date:   Sun Jan 15 14:03:59 2017 +0100

    libselinux: fix argument order in get_default_context_with_rolelevel() doc

    libselinux/src/get_context_list.c defines get_default_context_with_rolelevel(user, role, level... libselinux/utils/getdefaultcon.c uses get_default_context_with_rolelevel(seuser, role, level... but libselinux/include/selinux/get_context_list.h declares get_default_context_with_rolelevel(user, level, role... and libselinux/man/man3/get_ordered_context_list.3 follows this declaration.

    Fix the header and the man page.

    Signed-off-by: Nicolas Iooss

commit 6351fed56080ac59c0fa2618ecf5cba481ed4e68
Author: Nicolas Iooss
Date:   Sun Jan 15 14:03:58 2017 +0100

    libselinux: always free catalog in db_init()

    This variable may be leaked in some error paths.

    Signed-off-by: Nicolas Iooss

commit 69ec21ce6a530a34044793609b2378c8ceda8db0
Author: Nicolas Iooss
Date:   Sun Jan 15 14:03:57 2017 +0100

    libsepol: remove useless assignments

    There is no point in initializing a variable which gets almost-immediately assigned another value.
    Signed-off-by: Nicolas Iooss

commit ebe24ad20bfd5b071f0ea4c0802608f9c2392ccf
Author: Nicolas Iooss
Date:   Sun Jan 15 14:03:56 2017 +0100

    libsepol: verify the right variable after calling calloc()

    After "otype = calloc(1, sizeof(*otype))", it is reasonable to check the value of otype, not ft.

    Signed-off-by: Nicolas Iooss

commit fd9e5ef7b78b34a7bd3ffc786bdd785f4fa29beb
Author: Nicolas Iooss
Date:   Sun Jan 15 14:03:55 2017 +0100

    libsepol: use constant keys in hashtab functions

    Even though "hashtab_key_t" is an alias for "char *", "const hashtab_key_t" is not an alias for "(const char) *" but means "(char *) const". Introduce const_hashtab_key_t to map "(const char) *" and use it in hashtab_search() and hashtab key comparison functions.

    Signed-off-by: Nicolas Iooss

commit dcd135cc06abd8cd662d2d7a896e368f09380dd2
Author: Nicolas Iooss
Date:   Sat Jan 14 15:38:25 2017 +0100

    Re-link programs after libsepol.a is updated

    After libsepol is modified (for example while developing new features or fixing bugs), running "make install" in the top-level directory does not update the programs which use libsepol.a. Add this static library to the target dependencies in order to force their updates. This makes "make" use libsepol.a in the linking command without using LDLIBS.

    While at it, copy what commit 14d706434846 ("libselinux: Allow overriding libsepol.a location during build") introduced in libselinux Makefile by using a new LIBSEPOLA variable in all Makefiles.

    Signed-off-by: Nicolas Iooss

commit baee7238b82908663d07cc025996895380abe70b
Author: Nicolas Iooss
Date:   Sat Jan 14 15:40:24 2017 +0100

    semanage, sepolicy: make tests not fail on systems without SELinux

    selinux.security_getenforce() triggers an exception when running tests on systems without SELinux. In order to skip tests which need SELinux in enforcing mode, test selinux.is_selinux_enabled() too, like commit 945bc8853b62 ("sandbox: make test not fail on systems without SELinux").
    Signed-off-by: Nicolas Iooss

commit 5b0ad2f00ec730b86eb871d30cb98661dc7a6554
Author: Nicolas Iooss
Date:   Sat Jan 14 12:00:11 2017 +0100

    libsemanage: genhomedircon: consider SEMANAGE_FCONTEXT_DIR in fcontext_matches()

    When generating file_contexts.homedirs, libsemanage enumerates the users on the system and tries to find misconfiguration issues by comparing their home directories with file contexts defined in the policy. The comparison is done by fcontext_matches(). Currently this function only operates on file contexts with type ALL, but it makes sense to also operate on the DIR ones, as a comment states in the function.

    For example on a system with the following entry in /etc/passwd:

        mytestservice:x:2000:100::/var/lib/mytestservice/dir:/bin/bash

    and with the following file context definition:

        /var/lib/mytestservice/.* -d gen_context(system_u:object_r:var_lib_t,s0)

    "semodule -B" now shows the following warning:

        libsemanage.get_home_dirs: mytestservice homedir /var/lib/mytestservice/dir or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than 1000 or greater than 60000 or its login shell is /sbin/nologin.
    Signed-off-by: Nicolas Iooss

commit 1cd972fc81757d6157afa192da99473243dfce8b
Author: Stephen Smalley
Date:   Fri Jan 13 15:21:01 2017 -0500

    libselinux: selinux_restorecon: only log no default label warning for caller-supplied pathname

        $ touch /tmp/foo
        $ chcon -t etc_t /tmp/foo
        $ restorecon /tmp/foo
        Warning no default label for /tmp/foo
        $ restorecon -R /tmp/foo
        Warning no default label for /tmp/foo
        $ restorecon -R /tmp

    Signed-off-by: Stephen Smalley

commit 908898846af20acf3940f2b2c2a8865a1645a93b
Author: Nick Kralevich
Date:   Fri Jan 13 11:15:59 2017 -0800

    policy_define.c: don't free memory returned from queue_head()

    Unlike queue_remove(), queue_head() does not modify the queue, but rather, returns a pointer to an element within the queue. Freeing the memory associated with a value returned from that function corrupts subsequent users of the queue, who may try to reference this now-deallocated memory.

    This causes the following policy generation errors on Android:

        FAILED: out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
        /bin/bash -c "out/host/linux-x86/bin/checkpolicy -M -C -c 30 -o out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy.conf"
        system/sepolicy/public/app.te:241:ERROR 'only ioctl extended permissions are supported' at token ';' on line 6784:
        #line 241
        } };
        checkpolicy:  error(s) encountered while parsing configuration

    because the value of "id" in:

        id = queue_remove(id_queue);
        if (strcmp(id,"ioctl") == 0) {
            ...
        } else {
            yyerror("only ioctl extended permissions are supported");
            ...
        }

    is now garbage.

    This is a partial revert of the following commit:

        c1ba8311 checkpolicy: free id where it was leaked

    Signed-off-by: Nick Kralevich

commit 6a2e352de7720906fbd34413970dba8b9913325d
Author: Sandeep Patil
Date:   Thu Jan 12 21:20:26 2017 -0800

    libselinux: replace all malloc + memset by calloc in android label backend.
    Signed-off-by: Sandeep Patil

commit d66c54e2e23729c23e8fb18b3b91090c1cc2ce2f
Author: Stephen Smalley
Date:   Fri Jan 13 09:51:48 2017 -0500

    libselinux: selinux_restorecon: only log no default label warning if recursive

    In commit 36f1ccbb574374 ("policycoreutils: setfiles: print error if no default label found"), a warning message was added to setfiles/restorecon if the user explicitly does a restorecon /path/to/foo and /path/to/foo does not have any matching label in file_contexts; in the case of a restorecon -R or setfiles, the warning isn't supposed to be logged. The check on the recursive flag got dropped when this logic was taken into selinux_restorecon(3) in libselinux. Restore this check so that we do not generate noisy log messages on restorecon -R or setfiles.

    Reported-by: Alan Jenkins
    Signed-off-by: Stephen Smalley

commit 0e67689d52900276dcd669aff9742b02fb4497a5
Author: Alan Jenkins
Date:   Wed Jan 11 12:41:10 2017 +0000

    restorecon manpage: link back to fixfiles

    fixfiles links to restorecon. However if you start with restorecon "restore file(s) default SELinux security contexts", you can easily miss the fixfiles script.

    fixfiles is more generally useful than `restorecon -R`. For example `restorecon -R /` is not as good as `fixfiles restore`, because the restorecon command will try to relabel `/sys` and fail noisily.

    Signed-off-by: Alan Jenkins

commit 62f058980e443514b09895f33e3b8cb0c210852c
Author: Alan Jenkins
Date:   Wed Jan 11 12:41:09 2017 +0000

    policycoreutils, python: Fix bad manpage formatting in "SEE ALSO"

    Fix missing and surplus commas.

    Fix the following formatting errors:

    .BR selinux(8)
      renders the "(8)" in bold as well as the "selinux". This is wrong.

    .B selinux (8)
      renders with a space between "selinux" and "(8)", this is wrong.

    .B selinux (8)
      commits both of the above mistakes.

    .BR selinux (8), apparmor (8)
      omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.
    Correct all the above using the following markup:

    .BR selinux (8),
    .BR apparmor (8)

    Signed-off-by: Alan Jenkins

commit c667b33a04b742472541ecba091be17943362d68
Author: Nicolas Iooss
Date:   Sun Jan 8 19:45:53 2017 +0100

    mcstransd: fix and reorder includes

    - Sort included header files by their number of path components then alphabetically.
    - Include unistd.h and sys/types.h only once.
    - Include sys/uio.h to get readv() and writev() declarations when compiling with musl libc.
    - Include poll.h instead of sys/poll.h as building with musl results in the following message:

        /usr/lib/musl/include/sys/poll.h:1:2: error: #warning redirecting incorrect #include <sys/poll.h> to <poll.h> [-Werror=cpp]
         #warning redirecting incorrect #include <sys/poll.h> to <poll.h>
          ^~~~~~~

    Signed-off-by: Nicolas Iooss

commit 61f760b78d7e731a074201ce091607e509511e13
Author: Nicolas Iooss
Date:   Sun Jan 8 19:45:52 2017 +0100

    checkpolicy: always include ctypes.h

    The prototype of isdigit() is provided by ctypes.h header. Without including this file, gcc fails to build checkpolicy using musl libc:

        checkpolicy.c: In function ‘main’:
        checkpolicy.c:705:8: error: implicit declaration of function ‘isdigit’ [-Werror=implicit-function-declaration]
             if (isdigit(ans[0])) {
                 ^~~~~~~

    Signed-off-by: Nicolas Iooss

commit 3c85f9f1a08d0970cfa26a368e9f979f6993eda0
Author: Nicolas Iooss
Date:   Sun Jan 8 19:45:51 2017 +0100

    libselinux: include errno.h instead of sys/errno.h

    Building with musl libc leads to some build errors:

        setrans_client.c: In function ‘receive_response’:
        setrans_client.c:147:19: error: implicit declaration of function ‘readv’ [-Werror=implicit-function-declaration]
          while (((count = readv(fd, resp_hdr, 3)) < 0) && (errno == EINTR)) ;
                           ^~~~~

    and:

        In file included from matchpathcon.c:10:0:
        /usr/include/sys/errno.h:1:2: error: #warning redirecting incorrect #include <sys/errno.h> to <errno.h> [-Werror=cpp]
         #warning redirecting incorrect #include <sys/errno.h> to <errno.h>
          ^

    Fix the first one by including <sys/uio.h> and the second one by using <errno.h> instead of <sys/errno.h>.
    Signed-off-by: Nicolas Iooss

commit d4923b49b4dbe7bf2af02cd0429c61e522c3a7de
Author: Nicolas Iooss
Date:   Wed Jan 4 23:02:29 2017 +0100

    libsepol: make capability index an unsigned int

    When sepol_polcap_getname() is called with a negative capnum, it dereferences polcap_names[capnum] which produces a segmentation fault most of the time.

    For information, here is a gdb session when hll/pp loads a policy module which has been mutated by American Fuzzy Lop:

        Program received signal SIGSEGV, Segmentation fault.
        sepol_polcap_getname (capnum=capnum@entry=-4259840) at polcaps.c:34
        34		return polcap_names[capnum];
        => 0x00007ffff7a8da07 :	48 8b 04 f8	mov    (%rax,%rdi,8),%rax
        (gdb) bt
        #0  sepol_polcap_getname (capnum=capnum@entry=-4259840) at polcaps.c:34
        #1  0x00007ffff7a7c440 in polcaps_to_cil (pdb=0x6042e0) at module_to_cil.c:2492
        #2  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79c75e0 <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at module_to_cil.c:4039
        #3  0x00007ffff7a7e695 in sepol_module_package_to_cil (fp=fp@entry=0x7ffff79c75e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at module_to_cil.c:4087
        #4  0x0000000000401acc in main (argc=, argv=) at pp.c:150

    Signed-off-by: Nicolas Iooss

commit d7b0941eed3e9f4cee800eff064c9a10e038a0d7
Author: Nicolas Iooss
Date:   Mon Dec 26 22:18:28 2016 +0100

    checkpolicy: fix memory usage in define_bool_tunable()

    In an error path of define_bool_tunable(), variable id is freed after being used by a successful call to declare_symbol(). This may cause trouble as this pointer may have been used as-is in the policy symtab hash table.

    Moreover bool_value is never freed after being used. Fix this memory leak too.

    This leak has been detected with gcc Address Sanitizer.
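The crash in the "make capability index an unsigned int" commit above is the classic signed-index-into-a-table bug: a negative value read from a fuzzed module is used directly as an array subscript. The following is an added C example, not libsepol's polcaps.c: it shows the bounded lookup that a single unsigned comparison buys, plus the reverse lookup. The table contents are illustrative (the names match the capabilities mentioned elsewhere on this page but the array is this example's own), and the function names are assumptions rather than libsepol's exported API.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative capability name table; the indexing, not the contents, is the point. */
static const char *const polcap_names[] = {
    "network_peer_controls",
    "open_perms",
    "extended_socket_class",
    "always_check_network",
    "cgroup_seclabel",
    "nnp_nosuid_transition",
};
#define POLCAP_COUNT (sizeof polcap_names / sizeof polcap_names[0])

/* Returns the name for capnum, or NULL when it is out of range.
 * With an unsigned parameter a negative value coming from a corrupted or
 * fuzzed module (e.g. -4259840 in the gdb session above) wraps to a very
 * large number and is rejected by this one comparison, instead of indexing
 * tens of megabytes before the start of the table. */
const char *polcap_getname(unsigned int capnum)
{
    if (capnum >= POLCAP_COUNT)
        return NULL;
    return polcap_names[capnum];
}

/* Reverse lookup with the same bounded iteration. Returns -1 when unknown,
 * so callers cannot turn an unknown name into an index by accident. */
int polcap_getnum(const char *name)
{
    unsigned int i;
    if (!name)
        return -1;
    for (i = 0; i < POLCAP_COUNT; i++)
        if (strcmp(polcap_names[i], name) == 0)
            return (int)i;
    return -1;
}
```

Note that the signed version `if (capnum < 0 || capnum >= count)` would also have been correct; what the unsigned parameter removes is the possibility of forgetting the first half of that check at every call site that hands a value straight from the policy file to the table.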
    Signed-off-by: Nicolas Iooss

commit 14f07097c33eea67ae5c00d4e4d14d51305d89cc
Author: Petr Lautrbach
Date:   Thu Dec 22 13:43:09 2016 +0100

    libselinux: Rewrite restorecon() python method

    When the restorecon method was added to the libselinux swig python bindings, there was no libselinux restorecon implementation and it had to call matchpathcon() which is deprecated in favor of selabel_lookup().

    The new restorecon method uses selinux_restorecon method from libselinux which is exported by the previous commit.

    https://github.com/SELinuxProject/selinux/issues/29

    Fixes:

        >>> selinux.restorecon('/var/lib', recursive=True)
        Traceback (most recent call last):
          File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 114, in restorecon
            status, context = matchpathcon(path, mode)
        FileNotFoundError: [Errno 2] No such file or directory

    Signed-off-by: Petr Lautrbach

commit 0399ec64380b0cccefaf4cbee6fb3e73ef567170
Author: Petr Lautrbach
Date:   Thu Dec 22 13:43:08 2016 +0100

    libselinux: Generate SWIG wrappers for selinux_restorecon()

    Signed-off-by: Petr Lautrbach

commit 1004a3b3f1885e3138b4818d222fc48930ea7461
Author: Nicolas Iooss
Date:   Wed Jan 4 22:46:23 2017 +0100

    libsemanage: increment the right index variable in for loop

    Signed-off-by: Nicolas Iooss

commit 58fb53bc2b6ed01524717a65e3d42b63af799e48
Author: Nicolas Iooss
Date:   Wed Jan 4 22:46:22 2017 +0100

    libsemanage: genhomedircon: remove duplicated test condition

    Signed-off-by: Nicolas Iooss

commit aa115d00ffa362ff339be5c825ec8612cf3da6fc
Author: Vit Mojzis
Date:   Wed Jan 4 10:59:07 2017 +0100

    policycoreutils/restorecond: Decrease loglevel of termination message

    Decrease loglevel of termination message (eg. "restorecond[709]: terminated") to LOG_INFO because it is printed upon normal shutdown of the daemon.
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1264505

    Signed-off-by: Vit Mojzis

commit c1ba831122be62199d98c50157b5cd5dddbcc471
Author: Nicolas Iooss
Date:   Mon Dec 26 22:18:32 2016 +0100

    checkpolicy: free id where it was leaked

    Several functions in policy_define.c do not free id after handling it. Add the missing free(id) statements.

    The places where free(id) was missing were found both with gcc Address Sanitizer and manual code inspection.

    Signed-off-by: Nicolas Iooss

commit 47f61b0ee9a8ed85e935941d2dd7a34e4e7a42d2
Author: Nicolas Iooss
Date:   Mon Dec 26 22:18:31 2016 +0100

    checkpolicy: do not leak queue elements in queue_destroy()

    Elements which are inserted into a queue_t object are either NULL (from insert_separator()) or strings allocated with malloc() in insert_id(). They would be freed if they are still present in the queue when it is destroyed. Otherwise the memory allocated for these elements would be leaked.

    Signed-off-by: Nicolas Iooss

commit 6ef96094d3a29679478c7ad512720d22f760992e
Author: Nicolas Iooss
Date:   Mon Dec 26 22:18:30 2016 +0100

    checkpolicy: fix memory leaks in genfscon statements parsing

    When parsing several genfscon statements for the same filesystem, the content of local variable "fstype" is never freed. Moreover variable "type" is never freed when define_genfs_context_helper() succeeds. Fix these leaks by calling free() appropriately.

    These leaks have been detected with gcc Address Sanitizer.

    Signed-off-by: Nicolas Iooss

commit da002468279be1ce3f5ec3e9ef6e694208f85907
Author: Nicolas Iooss
Date:   Mon Dec 26 22:18:29 2016 +0100

    checkpolicy: free id in define_port_context()

    Variable id is almost never freed in define_port_context().

    This leak has been detected with gcc Address Sanitizer.
    Signed-off-by: Nicolas Iooss
    Signed-off-by: James Carter

commit c39289c9b738355c615dfddc1cfd990093976340
Author: Nicolas Iooss
Date:   Mon Dec 26 22:10:44 2016 +0100

    libsepol/tests: fix some memory leaks

    When running "make test" with the Address Sanitizer (by adding -fsanitize=address to compiler flags), a lot of memory leaks are reported from checkpolicy. Anyway some leaks come from the tests and it seems cleaner to start fixing these ones.

    Signed-off-by: Nicolas Iooss

commit c3b8d4aa61cddc2c4c375dbcdc43e8e7cf6a5a0a
Author: Nicolas Iooss
Date:   Mon Dec 26 22:10:43 2016 +0100

    libsepol/tests: fix -Wsometimes-uninitialized clang warnings

    When compiling libsepol tests, clang complains about some uninitialized variables:

        test-common.c:171:14: error: variable 'my_primary' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized]
                } else if (my_flavor == TYPE_ALIAS) {
                           ^~~~~~~~~~~~~~~~~~~~~~~
        test-common.c:179:30: note: uninitialized use occurs here
                CU_ASSERT(type->primary == my_primary);
                                           ^~~~~~~~~~
        /usr/include/CUnit/CUnit.h:123:30: note: expanded from macro 'CU_ASSERT'
          { CU_assertImplementation((value), __LINE__, #value, __FILE__, "", CU_...
                                     ^
        test-common.c:171:10: note: remove the 'if' if its condition is always true
                } else if (my_flavor == TYPE_ALIAS) {
                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        test-common.c:153:25: note: initialize the variable 'my_primary' to silence this warning
                unsigned int my_primary, my_flavor, my_value;
                                       ^
                                        = 0
        test-common.c:171:14: error: variable 'my_value' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized]
                } else if (my_flavor == TYPE_ALIAS) {
                           ^~~~~~~~~~~~~~~~~~~~~~~
        test-common.c:181:30: note: uninitialized use occurs here
                CU_ASSERT(type->s.value == my_value);
                                           ^~~~~~~~
        /usr/include/CUnit/CUnit.h:123:30: note: expanded from macro 'CU_ASSERT'
          { CU_assertImplementation((value), __LINE__, #value, __FILE__, "", CU_...
                                     ^
        test-common.c:171:10: note: remove the 'if' if its condition is always true
                } else if (my_flavor == TYPE_ALIAS) {
                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        test-common.c:153:46: note: initialize the variable 'my_value' to silence this warning
                unsigned int my_primary, my_flavor, my_value;
                                                            ^
                                                             = 0

    This is because the call to CU_FAIL("not an alias") is not fatal in test_alias_datum(), and variables my_primary and my_value are indeed used uninitialized in a CU_ASSERT statement later.

    Silence the warning by moving the elseif condition to a CU_ASSERT statement which replaces the CU_FAIL.

    Signed-off-by: Nicolas Iooss

commit 0abc25a3e60f26cc8371a2b2909fe4801924a304
Author: Guido Trentalancia
Date:   Fri Dec 23 16:19:46 2016 +0100

    libsemanage: Fix uninitialized variable compiler warnings

    Fix uninitialized variable compiler warnings when using the "-O -Werror" flags on gcc6 by initializing the variables in question.

    It was possible for err_data_len to be used without initialization, but not cil_data_len.

    Signed-off-by: Guido Trentalancia
    Signed-off-by: James Carter

commit 5db4537f644c26cd59303f5c92fb6ba12e9f1d31
Author: Guido Trentalancia
Date:   Fri Dec 23 16:16:54 2016 +0100

    libselinux: Fix uninitialized variable compiler warnings

    Fix uninitialized variable compiler warnings when using the "-O3 -Werror" flags on gcc6 by initializing the variables in question.

    The variables were never used before being initialized.

    Signed-off-by: Guido Trentalancia
    Signed-off-by: James Carter

commit 055d14a99a84dc482adb9eef385596c0330824f5
Author: Nicolas Iooss
Date:   Wed Dec 21 22:09:51 2016 +0100

    libselinux/utils: do not create an empty /sbin directory

    When building libselinux package, "make install" creates /sbin directory without putting anything in it. Remove this from the Makefile.

    While at it, rename USRBINDIR variable USRSBINDIR (with an S) as it refers to /usr/sbin.
    Signed-off-by: Nicolas Iooss

commit 920ee9ee18024c7714f1121e91854f38fa1eef73
Author: Nicolas Iooss
Date:   Wed Dec 21 19:21:04 2016 +0100

    libsemanage: remove ustr library from Makefiles, README and pkg-config

    This library is no longer used by libsemanage.

    Signed-off-by: Nicolas Iooss

commit 300b8ad4235688171f2a91e7aeb14d0ee3561c13
Author: Nicolas Iooss
Date:   Wed Dec 21 19:21:03 2016 +0100

    libsemanage: genhomedircon: drop ustr dependency

    ustr library uses old (pre-C99) "extern inline" semantic. This makes it incompatible with recent versions of gcc and clang, which default to C99 standard. Distributions have shipped patched versions of this library to fix issues (e.g. Gentoo package uses this patch: https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-libs/ustr/files/ustr-1.0.4-gcc_5-check.patch?id=7dea6f8820f36bf389e6315044bea7507553bed0 ) but there is no upstream solution to make ustr compatible with C99 standard. The git tree of ustr (http://www.and.org/ustr/ustr.git) has not been updated since 2008 and the developer of this project did not reply to emails.

    Therefore update genhomedircon implementation in order to no longer rely on ustr library.

    Signed-off-by: Nicolas Iooss

commit 57a3b1b4b0a50a1d14f825d2933339063ced4fec
Author: Nicolas Iooss
Date:   Wed Dec 21 19:21:02 2016 +0100

    libsemanage: add semanage_str_replace() utility function

    This function will be used in the next commit.

    Signed-off-by: Nicolas Iooss

commit a228bb3736c5957d41ad9e01eb1283fc6883a6e5
Author: Nicolas Iooss
Date:   Wed Dec 21 19:21:01 2016 +0100

    libsemanage: simplify string utilities functions

    Use string functions from C standard library instead of ustr. This makes the code simpler and make utilities.c no longer depend on ustr library.

    This changes how semanage_split() behaves when delim is not empty (NULL or "") and the input string contains several successive delimiters: semanage_split("foo::::bar", ":") returned "bar" and now returns ":bar".
This would not have any impact on the current code as semanage_split() is only called with delim="=" (through semanage_findval(), in libsemanage/src/genhomedircon.c), in order to split a "key=value" statement.

Signed-off-by: Nicolas Iooss

commit fd6bc593b809a055071edb620e9b17169c7a5c26
Author: Nicolas Iooss
Date: Wed Dec 21 19:21:00 2016 +0100

libsemanage/tests: test more cases of semanage_split*()

Before modifying semanage_split_on_space() and semanage_split(), test in test_utilities.c how these functions behave, for example when several delimiter tokens are concatenated in the input string.

While at it, fix the memory leaks which were present in libsemanage tests.

Signed-off-by: Nicolas Iooss

commit 9e0cf6ec8aa009c9640bcf956f212d238b32c31e
Author: Nicolas Iooss
Date: Wed Dec 21 19:20:59 2016 +0100

libsemanage/tests: make tests standalone

In order to run libsemanage tests, the libsepol and libselinux source directories need to exist next to the libsemanage source directory. This prevents the tests from being run when using the released package. As libsemanage tests only use the public API of libselinux and libsepol, link with the shared objects which are likely to be installed on the system (or at least present in $DESTDIR).

While at it, drop the TESTSRC variable as it was used to find libsemanage internal headers but not the tested library (libsemanage.a). Moreover, add ../src/libsemanage.a to the target dependencies of the test executable in order to rebuild it after libsemanage.a has been updated.
Signed-off-by: Nicolas Iooss

commit e51b23383199a1f6cfaf0ec9f46748ebaf9621aa
Author: Nicolas Iooss
Date: Wed Dec 21 19:20:58 2016 +0100

libsemanage/tests: make "make test" fail when a CUnit test fails

When modifications to libsemanage functions break the test cases tested with the CUnit framework, "make test" currently succeeds, even though it prints an output similar to:

Suite: semanage_store
  Test: semanage_store_access_check ...passed
  Test: semanage_get_lock ...passed
  Test: semanage_nc_sort ...passed
Suite: semanage_utilities
  Test: semanage_is_prefix ...passed
  Test: semanage_split_on_space ...FAILED
    1. test_utilities.c:150 - CU_ASSERT_STRING_EQUAL(temp,"baz")
  Test: semanage_split ...passed
  Test: semanage_list ...passed
  Test: semanage_str_count ...passed
  Test: semanage_rtrim ...passed
  Test: semanage_str_replace ...passed
  Test: semanage_findval ...passed
  Test: slurp_file_filter ...passed

Like commit 2489b50a9162 ("libsepol: make "make test" fails when a CUnit test fails") did for libsepol tests, modify the logic of function do_tests() to return an error value when there has been at least one failure. This makes "make test" fail as expected.

Signed-off-by: Nicolas Iooss

commit bec41c4ff6d0cdf39c84c1c953ef486a056891da
Author: Vit Mojzis
Date: Wed Dec 21 10:03:49 2016 +0100

policycoreutils/setfiles: Mention customizable types in restorecon man page

Signed-off-by: Vit Mojzis

commit af18b86e0b0893636257725165e69daa6f6dd74d
Author: Gary Tierney
Date: Wed Dec 7 12:15:59 2016 +0000

libsepol/cil: remove avrules with no affected types

Adds a check for avrules with type attributes that have a bitmap cardinality of 0 (i.e., no types in their set) before adding them to the libsepol policy in __cil_avrule_to_avtab(). Also adds an exception for neverallow rules to prevent breaking anything from AOSP mentioned in f9927d9370f90bd9d975ff933fe107ec4f93a9ac.
Signed-off-by: Gary Tierney

commit 7179fd8738ee036666ccb17f5e65dab7652bdb51
Author: Mike Frysinger
Date: Fri Dec 9 18:33:11 2016 -0500

man: standardize spacing with pointers in prototypes

The majority of prototypes don't put a space between the "*" and the parameter name. i.e. this style is incorrect:
	char * foo;
Instead, we want:
	char *foo;
Fix a bunch of references that use this uncommon style.

Signed-off-by: Mike Frysinger

commit fc3d8ceafcd6078d4035e4bd827337d5e3cb4362
Author: Mike Frysinger
Date: Fri Dec 9 18:33:10 2016 -0500

selinux(8): fix display of man page references

The section number shouldn't be bolded. Fix a few references in selinux(8) to match all the other man pages.

Signed-off-by: Mike Frysinger

commit 8fe1b0ca27652cf6b7c588d2ff7792f8e942939f
Author: Vit Mojzis
Date: Fri Dec 9 16:10:00 2016 +0100

python/sepolicy/sepolicy: optimise sepolicy gui loading

Significantly speed up sepolicy gui loading by aggregating setools queries.

Signed-off-by: Vit Mojzis

commit ef387e88bd4ec23a317c01f2c87c088506318fda
Author: Vit Mojzis
Date: Fri Dec 9 16:09:59 2016 +0100

python/sepolicy/sepolicy: Cleanup of gui code

Based on 77589dd354218f1f56d1c83747799606fa1b4899 by Dan Walsh.

Speed up gui loading. Some minor bug fixes.

Signed-off-by: Vit Mojzis

commit d479baa82d67c9ac56c1a6fa041abfb9168aa4b3
Author: Stephen Smalley
Date: Thu Dec 1 11:08:06 2016 -0500

libsepol: Define extended_socket_class policy capability

Define the extended_socket_class policy capability used to enable the use of separate socket security classes for all network address families rather than the generic socket class. This also enables separate security classes for ICMP and SCTP sockets, which were previously mapped to the rawip_socket class.

The legacy redhat1 policy capability that was only ever used in testing within Fedora for ptrace_child is reclaimed for this purpose; as far as I can tell, this policy capability is not enabled in any supported distro policy.
Signed-off-by: Stephen Smalley

commit 31fcd66d39e2be5e94d07ee8c2445efdab6cf230
Author: Vit Mojzis
Date: Tue Dec 6 15:58:33 2016 +0100

python/sepolicy/sepolicy/gui: Reflect sepolicy changes into gui

sepolicy.get_init_entrypoint() now returns a list of Type objects instead of a single string, which caused sepolicy gui to crash.

Signed-off-by: Vit Mojzis

commit 4791a99d67dd7b3597f58cd1e180f2ac58ec66fd
Author: Vit Mojzis
Date: Mon Dec 5 19:03:48 2016 +0100

python: Fix some typos

Aside from typos, change the way markup is applied to a tooltip in sepolicy/gui so that the text can be translated.

Signed-off-by: Vit Mojzis

commit 468a0dbac8a396c16bf36aa41736642ee19cef2c
Author: Kyle Walker
Date: Wed Nov 30 10:47:54 2016 -0500

seobject: Handle python error returns correctly

After 9406ace8 ("libsemanage: throw exceptions in python rather than return NULL"), calls to libsemanage functions return Python exceptions instead of returning negative error return codes. For systems that did not have the applicable headers installed prior to build, the difference was not seen. Following commit 9792099f ("Properly build the swig exception file even if the headers are missing"), that issue has been resolved and the underlying semanage_fcontext_query_local and semanage_fcontext_query calls now result in an OSError return.

This results in the following error when attempting to modify an fcontext defined in the system's base policy.

libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory

To resolve the error, handle the OSError exception, but retain the previous query operation.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1398427

Signed-off-by: Kyle Walker

commit 9e81e611c7717384e5cbe4e0d149167bc4fd4d2d
Author: James Carter
Date: Tue Nov 29 14:10:55 2016 -0500

libsepol: Fix neverallow checking to also check the other types when self is included in a target type set.
When neverallow checking was refactored in commit 9e6840e, self was not handled correctly. The assumption was made that self only appeared by itself as a target type, when it may appear in a list of types. Because of this, if self appears in a target type set of a neverallow, the other types in the type set are not checked.

Example:
  allow TYPE1 TYPE2:CLASS1 { PERM1 };
  neverallow TYPE1 {TYPE2 self}:CLASS1 { PERM1 };

The old assertion checking would not find a violation in the rules above because the target type TYPE2 would be ignored.

This fix will cause all of the types in a target list that includes self to be checked.

Signed-off-by: James Carter

commit 93e677d8307874a62712918698da174071a0ebe7
Author: James Carter
Date: Mon Nov 28 13:13:38 2016 -0500

secilc: Add secil2conf which creates a policy.conf from CIL policy

The program secil2conf uses the libsepol function cil_write_policy_conf() to create a policy.conf file from CIL policy.

By default a file called "policy.conf" will be created, but the "-o" option can be used to write to a different file. The "-M" option can be used to override the mls statement in CIL. The "-P" option will cause tunables to be treated as booleans.

Signed-off-by: James Carter

commit 3fe4499f7d554fee8d1f474fd7f0aec646ea403a
Author: James Carter
Date: Mon Nov 28 13:11:36 2016 -0500

libsepol/cil: Add ability to write policy.conf file from CIL AST

The ability to create a policy.conf file from the CIL AST has been a desire from the beginning to assist in debugging and for general flexibility. Some work towards this end was started early in CIL's history, but cil_policy.c has not been remotely functional in a long time. Until now.

The function cil_write_policy_conf() will write a policy.conf file from a CIL AST after cil_build_ast(), cil_resolve_ast(), cil_fqn_qualify(), and cil_post_process() have been called.
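A toy model of the assertion check discussed in the neverallow commit above (James Carter, "Fix neverallow checking to also check the other types when self is included in a target type set"), added here as an illustration; it is not libsepol's checker. Types are bits of a 32-bit set, a rule carries one class and a permission mask, and the names TYPE1, TYPE2, CLASS1 and PERM1 mirror the commit's example. The old_behaviour flag reproduces the regression (a target set containing self checked as self alone) next to the fixed expansion (self plus the other listed targets):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model written for this changelog entry; not libsepol's code.
 * A type is one bit of a 32-bit set; a rule names one class and a
 * permission bitmask. */
#define TYPE1  (1u << 0)
#define TYPE2  (1u << 1)
#define CLASS1 1u
#define PERM1  (1u << 0)

typedef struct {
    uint32_t src;    /* source type set */
    uint32_t tgt;    /* target type set, "self" excluded */
    bool self;       /* "self" was listed among the targets */
    uint32_t tclass;
    uint32_t perms;  /* permission bitmask */
} rule_t;

/* Does some allow rule grant `perm` on `tclass` from type s to type t? */
static bool allowed(const rule_t *allows, size_t n, uint32_t s, uint32_t t,
                    uint32_t tclass, uint32_t perm)
{
    for (size_t i = 0; i < n; i++) {
        const rule_t *r = &allows[i];
        bool tgt_match = (r->tgt & t) || (r->self && s == t);
        if ((r->src & s) && tgt_match && r->tclass == tclass && (r->perms & perm))
            return true;
    }
    return false;
}

/* Count (source, target, perm) triples that a neverallow forbids but an
 * allow rule grants.  With old_behaviour, a target set containing self is
 * checked as self only (the regression the commit describes); otherwise
 * self expands to the current source type *in addition to* the other
 * listed targets. */
size_t check_neverallows(const rule_t *allows, size_t n_allow,
                         const rule_t *nevers, size_t n_never, bool old_behaviour)
{
    size_t violations = 0;
    for (size_t i = 0; i < n_never; i++) {
        const rule_t *na = &nevers[i];
        for (uint32_t s = 1; s != 0; s <<= 1) {
            if (!(na->src & s))
                continue;
            uint32_t targets = na->tgt;
            if (na->self)
                targets = old_behaviour ? s : (targets | s);
            for (uint32_t t = 1; t != 0; t <<= 1) {
                if (!(targets & t))
                    continue;
                for (uint32_t p = 1; p != 0; p <<= 1) {
                    if ((na->perms & p) && allowed(allows, n_allow, s, t, na->tclass, p)) {
                        printf("neverallow violated: src=0x%x tgt=0x%x class=%u perm=0x%x\n",
                               s, t, na->tclass, p);
                        violations++;
                    }
                }
            }
        }
    }
    return violations;
}

/* The rules quoted in the commit message:
 *   allow TYPE1 TYPE2:CLASS1 { PERM1 };
 *   neverallow TYPE1 { TYPE2 self }:CLASS1 { PERM1 }; */
static const rule_t example_allows[] = { { TYPE1, TYPE2, false, CLASS1, PERM1 } };
static const rule_t example_nevers[] = { { TYPE1, TYPE2, true,  CLASS1, PERM1 } };

size_t example_violations(bool old_behaviour)
{
    return check_neverallows(example_allows, 1, example_nevers, 1, old_behaviour);
}

int main(void)
{
    printf("old checker:   %zu violation(s)\n", example_violations(true));  /* 0: TYPE2 ignored */
    printf("fixed checker: %zu violation(s)\n", example_violations(false)); /* 1 */
    return 0;
}
```

The old path never asks whether TYPE1 may reach TYPE2, so the allow rule slips through; the fixed path visits every member of the expanded target set and reports it.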
Signed-off-by: James Carter

commit 86e568c27bd6e6d4428b9bca67c5de6a6bdcebb2
Author: Vit Mojzis
Date: Wed Nov 30 14:47:55 2016 +0100

python/semanage/semanage: Unify argument handling

Missing argument checks for "fcontext" and "boolean" were performed outside of "argparse", resulting in a shortened help message (without argument details) and no error description.
Fix: perform these checks using "argparse" as is the case with other semanage options.

Some "required argument" checks were performed outside of "handle_opts", obscuring the code.
Fix: Add required arguments to {fcontext boolean}_args and remove the checks from handle{Fcontext Boolean}.

Remove unpaired parentheses from "semanage fcontext" usage message.

Signed-off-by: Vit Mojzis

commit 041e00106f9a30d9e444f0b3403ec9204c0688d2
Author: Vit Mojzis
Date: Wed Nov 30 14:31:23 2016 +0100

python/sepolicy/sepolicy/gui: Fix getting python lib path

Python code is not platform specific and always resides in lib (as opposed to lib64 on x64 architectures).

Signed-off-by: Vit Mojzis

commit 7e09f584e1f7b315abc4f55023234e3225ab9fa0
Author: Stephen Smalley
Date: Tue Nov 29 15:41:18 2016 -0500

libsepol,libselinux,audit2allow: teach audit2why about type bounds failures

Teach audit2why to recognize type bounds failures. This required updating libsepol sepol_compute_av_reason() to identify bounds failures, and updating libsepol context_struct_compute_av() to include the type bounds logic from the kernel. This could potentially be further augmented to provide more detailed reporting via the reason buffer to include information similar to what security_dump_masked_av() reports in the kernel. However, it is unclear if this is needed. It is already possible to get type bounds checking at policy build time by enabling expand-check=1 in /etc/selinux/semanage.conf (or by default when compiling monolithic policy).
Before:

type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

After:

type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0

	Was caused by:
		Typebounds violation.

		Add an allow rule for the parent type.

Signed-off-by: Stephen Smalley

commit fff90bd22b68274630a7b7448b5a0fed1578c551
Author: Stephen Smalley
Date: Tue Nov 29 11:18:54 2016 -0500

libsepol: sepol_av_to_string: clear static buffer

chenxiaolong reported this via https://github.com/SELinuxProject/selinux/issues/23

A nicer fix would be to rework the interface to be more like security_av_string() in libselinux, but that requires updating all callers.

Signed-off-by: Stephen Smalley

commit dd8d5671e2cd09d396c59beb2b8112df97546f3b
Author: Stephen Smalley
Date: Tue Nov 29 11:11:26 2016 -0500

libselinux: avcstat: Clean up redundant condition

dcb314 reported this via https://github.com/SELinuxProject/selinux/issues/20

Signed-off-by: Stephen Smalley

commit cf8625be58e3fe29e7a45331a47dde03e107b340
Author: Stephen Smalley
Date: Tue Nov 29 10:57:48 2016 -0500

libsepol: do not #include <sys/cdefs.h>

ratbert90 submitted this patch via https://github.com/SELinuxProject/selinux/issues/19.
Apparently musl does not provide sys/cdefs.h, see http://wiki.musl-libc.org/wiki/FAQ#Q:_I.27m_trying_to_compile_something_against_musl_and_I_get_error_messages_about_sys.2Fcdefs.h.

Signed-off-by: Stephen Smalley

commit c034875c144d619cd2767b012f8055d4584bbd65
Author: Vit Mojzis
Date: Tue Nov 29 10:09:00 2016 +0100

policycoreutils/sepolicy/gui: fix current selinux state radiobutton

The radiobutton was always set to "Permissive" and couldn't be switched. Update the radiobutton together with the status text in the bottom left corner.

Signed-off-by: Vit Mojzis

commit ab270850998191a41abb47d929ab816259d3428e
Author: Nicolas Iooss
Date: Mon Nov 28 22:40:18 2016 +0100

libsepol,libsemanage: write file name in flex output

Tools like lcov (for code coverage) do not like files named "<stdout>". For example it reports errors like:

genhtml: ERROR: cannot read /usr/src/selinux/libsemanage/src/<stdout>

When using the flex -o option, the output file name gets written in the generated C code, which solves this issue.

Signed-off-by: Nicolas Iooss

commit 1c187d797fc5bddcd29ce3e01d911ad36153ba15
Author: Nicolas Iooss
Date: Mon Nov 28 22:40:17 2016 +0100

checkpolicy: remove -lfl from LDLIBS

When building checkpolicy/test, the linker reports the following error:

cc dispol.o -lfl /usr/src/selinux/DESTDIR/usr/lib/libsepol.a -L/usr/src/selinux/DESTDIR/usr/lib -o dispol
/usr/lib/gcc/x86_64-pc-linux-gnu/6.2.1/../../../../lib/libfl.so: undefined reference to `yylex'
collect2: error: ld returned 1 exit status

According to the flex documentation (https://github.com/westes/flex/blob/master/doc/flex.texi), -lfl is used to provide an implementation for yywrap(). However every flex file now uses "%option noyywrap", which makes -lfl no longer mandatory. Remove this option from checkpolicy Makefiles.
Signed-off-by: Nicolas Iooss

commit 527380a1930a70f4dd3df9e707d5a8b81e97bf70
Author: Nicolas Iooss
Date: Mon Nov 28 22:40:16 2016 +0100

libsepol/tests: use LDFLAGS when linking

Signed-off-by: Nicolas Iooss

commit a206297ecef0d8dd42e6d70c99db80ee661b3cec
Author: Nicolas Iooss
Date: Mon Nov 28 22:40:15 2016 +0100

mcstrans/utils: make "make all" use $DESTDIR

When running "make all" in the root directory on a system where SELinux is not installed and where $DESTDIR targets a directory where the libraries have been installed, the build fails in mcstrans/utils with the following error:

transcon.c:7:10: fatal error: 'selinux/selinux.h' file not found

and then:

/usr/bin/ld: cannot find -lselinux

Fix this by adding -I$(PREFIX)/include to CFLAGS and -L$(LIBDIR) to LDLIBS like other subdirectories do. While at it, remove the useless -L../src parameter.

Signed-off-by: Nicolas Iooss

commit fb237459c84ef843828988a953e06826435dfcae
Author: Nicolas Iooss
Date: Mon Nov 28 22:34:44 2016 +0100

libsepol: detect duplicated symbol IDs

A valid policy would not have two symbols (classes, roles, users...) sharing the same unique identifier. Make policydb_read() reject such policy files.

When ..._val_to_name translation tables were allocated with malloc(), change to calloc() in order to initialize the tables with NULLs.
Signed-off-by: Nicolas Iooss

commit 9872b04a8020417664143e35925f81d4ecc5ee96
Author: Nicolas Iooss
Date: Mon Nov 28 22:34:43 2016 +0100

libsepol: check decl_id bounds before using it

When loading an invalid module which uses a declaration ID 0, semodule_package crashes in policydb_index_decls():

    p->decl_val_to_struct[decl->decl_id - 1] = decl;

gdb shows the following stack trace:

#0  0x00007ffff7aa1bbd in policydb_index_decls (p=p@entry=0x605360) at policydb.c:1034
#1  0x00007ffff7aaa9fc in policydb_read (p=<optimized out>, fp=fp@entry=0x605090, verbose=verbose@entry=0) at policydb.c:3958
#2  0x00007ffff7ab4764 in sepol_policydb_read (p=<optimized out>, pf=pf@entry=0x605090) at policydb_public.c:174
#3  0x0000000000401d33 in main (argc=<optimized out>, argv=0x7fffffffdc88) at semodule_package.c:220

Change policydb_index_decls() to report an error instead:

libsepol.policydb_index_decls: invalid decl ID 0

Signed-off-by: Nicolas Iooss

commit 8fdb2255215a1f1488b613737b5fbffb873d8376
Author: Stephen Smalley
Date: Wed Nov 23 09:45:20 2016 -0500

libsepol,checkpolicy: convert rangetrans and filenametrans to hashtabs

range transition and name-based type transition rules were originally simple unordered lists. They were converted to hashtabs in the kernel by commit 2f3e82d694d3d7a2db019db1bb63385fbc1066f3 ("selinux: convert range transition list to a hashtab") and by commit 2463c26d50adc282d19317013ba0ff473823ca47 ("SELinux: put name based create rules in a hashtable"), but left unchanged in libsepol and checkpolicy.

Convert libsepol and checkpolicy to use the same hashtabs as the kernel for the range transitions and name-based type transitions. With this change and the preceding one, it is possible to directly compare a policy file generated by libsepol/checkpolicy and the kernel-generated /sys/fs/selinux/policy pseudo file after normalizing them both through checkpolicy.
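The two libsepol commits above, "detect duplicated symbol IDs" and "check decl_id bounds before using it", describe the same defensive pattern in a policy loader: validate an untrusted 1-based ID before it becomes an array index, and notice when two records claim the same slot. The following is an added example written for this changelog, not libsepol's code. It builds a toy value-to-name index the way a policydb index step does: calloc so that an unassigned slot is NULL, a bounds check before the "value - 1" subtraction (an ID of 0 would otherwise wrap), and a rejection of any symbol whose slot is already taken. The symbol names and IDs are constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustration written for this changelog; not libsepol's code. */

typedef struct {
    const char *name;
    uint32_t value;    /* 1-based ID, as in policydb symbol tables */
} symbol_t;

typedef struct {
    const char **val_to_name;  /* slot value-1 holds the symbol's name */
    uint32_t nprim;
} symindex_t;

enum { SYMINDEX_OK = 0, SYMINDEX_EINVAL = -1, SYMINDEX_EDUP = -2, SYMINDEX_ENOMEM = -3 };

int symindex_build(symindex_t *idx, const symbol_t *syms, size_t n, uint32_t nprim)
{
    idx->nprim = nprim;
    /* calloc, not malloc: a NULL slot reliably means "not assigned yet" */
    idx->val_to_name = calloc(nprim ? nprim : 1, sizeof(*idx->val_to_name));
    if (!idx->val_to_name)
        return SYMINDEX_ENOMEM;

    for (size_t i = 0; i < n; i++) {
        uint32_t v = syms[i].value;
        /* bounds check before the "v - 1" index: v == 0 would wrap to UINT32_MAX */
        if (v == 0 || v > nprim) {
            fprintf(stderr, "invalid ID %u for symbol %s\n", v, syms[i].name);
            return SYMINDEX_EINVAL;
        }
        if (idx->val_to_name[v - 1] != NULL) {
            fprintf(stderr, "duplicated ID %u: %s and %s\n", v,
                    idx->val_to_name[v - 1], syms[i].name);
            return SYMINDEX_EDUP;
        }
        idx->val_to_name[v - 1] = syms[i].name;
    }
    return SYMINDEX_OK;
}

void symindex_destroy(symindex_t *idx)
{
    free(idx->val_to_name);
    idx->val_to_name = NULL;
    idx->nprim = 0;
}

/* Constructed inputs: a well-formed table, one with an ID of 0 (the crash
 * shape from the commit), and one where two symbols share an ID. */
static const symbol_t syms_good[] = { {"object_r", 1}, {"system_r", 2}, {"user_r", 3} };
static const symbol_t syms_zero[] = { {"object_r", 1}, {"bogus", 0} };
static const symbol_t syms_dup[]  = { {"object_r", 1}, {"system_r", 2}, {"shadow", 2} };

/* Build one of the tables above and report the status code. */
int try_build(const symbol_t *syms, size_t n, uint32_t nprim)
{
    symindex_t idx;
    int rc = symindex_build(&idx, syms, n, nprim);
    symindex_destroy(&idx);   /* safe on failure too: free(NULL) is a no-op */
    return rc;
}

int demo_good(void)         { return try_build(syms_good, 3, 3); }
int demo_zero_id(void)      { return try_build(syms_zero, 2, 3); }
int demo_duplicate(void)    { return try_build(syms_dup,  3, 3); }
int demo_out_of_range(void) { return try_build(syms_good, 3, 2); }  /* user_r=3 > nprim=2 */

int main(void)
{
    printf("good: %d, zero id: %d, duplicate: %d, out of range: %d\n",
           demo_good(), demo_zero_id(), demo_duplicate(), demo_out_of_range());
    return 0;
}
```

The duplicate check only works because the table starts zeroed; with malloc a stale non-NULL pointer would look like an occupied slot and a genuinely occupied slot could be overwritten without notice, which is exactly why the first commit pairs the new check with the switch to calloc.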
To do so, you can run the following sequence of commands:

checkpolicy -M -b /etc/selinux/targeted/policy/policy.30 -o policy.1
checkpolicy -M -b /sys/fs/selinux/policy -o policy.2
cmp policy.1 policy.2

Normalizing the two files via checkpolicy is still necessary to ensure consistent ordering of the avtab entries. There may still be potential for other areas of difference, e.g. xperms entries may lack a well-defined order.

Signed-off-by: Stephen Smalley

commit 2e47b69c534457c66f007b345f81a2e9c220dc2d
Author: Stephen Smalley
Date: Wed Nov 23 10:49:59 2016 -0500

libsepol: do not write object_r types to policy file

Originally object_r's types bitmap was empty since we exempt object_r from the normal user-role and role-type checks. CIL however sets object_r's types to all types to avoid special case logic. However, the kernel does not load object_r types from the policy file; it predefines object_r and merely validates that the object_r definition in the policy has the expected value. Thus, the actual policy file and the /sys/fs/selinux/policy file were differing in their object_r entry. Fix this by not writing object_r's types to the policy file, since they are ignored by the kernel anyway.

Signed-off-by: Stephen Smalley

commit 6f32d87a2a12a63cd9f1f3fad1e99e6cd5e5706d
Merge: 044f6ef 1e605e9
Author: stephensmalley
Date: Mon Nov 28 09:39:10 2016 -0500

Merge pull request #35 from cgzones/semanage_fcontext_description

fix semanage fcontext help message

commit 044f6ef104c8a9d8f42faa8756e71a0525198f5b
Author: Nick Kralevich
Date: Wed Nov 23 18:47:10 2016 -0800

procattr.c: Use __ANDROID__ instead of ANDROID

When code is compiled within the Android tree, the resulting binaries are intended to run either on the "host" (the machine doing the building) or the "target" (the machine running the Android operating system). "ANDROID" is defined if the code is being compiled for the host or the target, whereas "__ANDROID__" is only defined for code being compiled for the target.
(yes, I agree, this is not obvious).

gettid() is only declared in the target environment, not the host environment, so adjust the #ifdef to properly emit the gettid() definition for binaries targeting the host.

Signed-off-by: Nick Kralevich

commit bb96e1305d8c70150ef5e0946b8c82a49536622a
Author: Nick Kralevich
Date: Wed Nov 23 14:37:58 2016 -0800

enabled.c: Remove stdio_ext.h header

This appears to be unused.

Signed-off-by: Nick Kralevich

commit 75b14a5de10a825348128bcca6c47fe5a29b8d31
Author: Nicolas Iooss
Date: Wed Nov 23 23:06:44 2016 +0100

libsepol: ebitmap: reject loading bitmaps with incorrect high bit

Currently ebitmap_load() accepts loading a bitmap with highbit=192 and one node {startbit=0, map=0x2}. When iterating over the bitmap, ebitmap_for_each_bit() is expected to only yield "1" but it gives the following bits: 1, 65, 129. This is due to two facts in the ebitmap_for_each_bit() implementation:

* ebitmap_next() stays on the first (and only) node of the bitmap instead of stopping the iteration.
* the end condition of the for loop consists in comparing the bit with ebitmap_length() (i.e. the bitmap highbit), which is above the limit of the last node here.

These are not bugs when the bitmap highbit is equal to l->startbit+MAPSIZE, where l is the last node (this is how ebitmap_set_bit() sets it). So a simple fix consists in making ebitmap_load() reject bitmaps which are loaded with an invalid highbit value.

This issue has been found while fuzzing semodule_package with American Fuzzy Lop.

Signed-off-by: Nicolas Iooss

commit 73313a752859c7fda03d3bd091985606b592ff05
Author: Nicolas Iooss
Date: Wed Nov 23 23:06:43 2016 +0100

libsepol: do not check decl->symtab[i].nprim

Commit 02a7d77ef2bf ("libsepol: make parsing symbol table headers more robust") broke the refpolicy build, because checkmodule generates avrule decl blocks with "decl->symtab[i].nprim = 0" for all possible i, even when decl->symtab[SYM_ROLES] and decl->symtab[SYM_TYPES] are not empty.
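The ebitmap commit above explains why a bitmap whose highbit disagrees with its last node is unsafe to iterate: the iteration macros assume highbit == last->startbit + MAPSIZE, and a loader that accepts anything else lets a fuzzed input drive the iterator past the only node. The following is an added example, not libsepol's ebitmap code. It keeps the same node-list shape (startbit, 64-bit map, highbit), reads it from a constructed image type that stands in for the on-disk format, and has ebitmap_load() enforce the commit's consistency rule together with alignment, ordering and non-empty-node checks; its only iterator walks the nodes and never consults highbit. The image layout and the img_* inputs are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustration written for this changelog; not libsepol's ebitmap code. */
#define MAPSIZE 64u

typedef struct ebitmap_node {
    uint32_t startbit;  /* bit index of map's bit 0, a multiple of MAPSIZE */
    uint64_t map;
    struct ebitmap_node *next;
} ebitmap_node_t;

typedef struct {
    ebitmap_node_t *node;
    uint32_t highbit;   /* one past the last bit any node can hold */
} ebitmap_t;

/* Constructed serialized form: highbit, node count, then (startbit, map) pairs. */
typedef struct { uint32_t startbit; uint64_t map; } node_image_t;
typedef struct { uint32_t highbit; uint32_t count; node_image_t nodes[4]; } ebitmap_image_t;

void ebitmap_destroy(ebitmap_t *e)
{
    ebitmap_node_t *n = e->node;
    while (n) {
        ebitmap_node_t *next = n->next;
        free(n);
        n = next;
    }
    e->node = NULL;
    e->highbit = 0;
}

/* Returns 0 on success, -1 if the image is inconsistent (nothing is kept). */
int ebitmap_load(ebitmap_t *e, const ebitmap_image_t *img)
{
    ebitmap_node_t *last = NULL;
    e->node = NULL;
    e->highbit = 0;

    if (img->highbit % MAPSIZE != 0 || img->count > 4)
        return -1;
    if (img->count == 0)
        return img->highbit == 0 ? 0 : -1;

    for (uint32_t i = 0; i < img->count; i++) {
        const node_image_t *ni = &img->nodes[i];
        if (ni->startbit % MAPSIZE != 0)                       goto bad;  /* misaligned node */
        if (ni->startbit / MAPSIZE >= img->highbit / MAPSIZE)  goto bad;  /* node beyond highbit */
        if (last && ni->startbit <= last->startbit)            goto bad;  /* out of order / duplicate */
        if (ni->map == 0)                                      goto bad;  /* empty nodes are never stored */

        ebitmap_node_t *n = calloc(1, sizeof(*n));
        if (!n)
            goto bad;
        n->startbit = ni->startbit;
        n->map = ni->map;
        if (last) last->next = n; else e->node = n;
        last = n;
    }
    /* The rule the commit adds: highbit must be exactly last->startbit + MAPSIZE.
     * The fuzzer's image (highbit=192, one node at startbit 0) fails here. */
    if (img->highbit != last->startbit + MAPSIZE)
        goto bad;
    e->highbit = img->highbit;
    return 0;
bad:
    ebitmap_destroy(e);
    return -1;
}

/* Count set bits by walking the nodes only, never trusting highbit. */
unsigned ebitmap_cardinality(const ebitmap_t *e)
{
    unsigned count = 0;
    for (const ebitmap_node_t *n = e->node; n; n = n->next)
        for (uint64_t m = n->map; m; m &= m - 1)
            count++;
    return count;
}

/* Load img; return -1 if it is rejected, otherwise its number of set bits. */
int load_and_count(const ebitmap_image_t *img)
{
    ebitmap_t e;
    if (ebitmap_load(&e, img) < 0)
        return -1;
    int c = (int)ebitmap_cardinality(&e);
    ebitmap_destroy(&e);
    return c;
}

/* Constructed images: the shape from the commit, a consistent version of it,
 * a two-node bitmap, and an out-of-order pair of nodes. */
const ebitmap_image_t img_bad_highbit = { 192, 1, { {0, 0x2} } };
const ebitmap_image_t img_ok          = {  64, 1, { {0, 0x2} } };
const ebitmap_image_t img_two_nodes   = { 192, 2, { {0, 0x2}, {128, 0x1} } };
const ebitmap_image_t img_unordered   = { 192, 2, { {128, 0x1}, {0, 0x2} } };

int main(void)
{
    printf("highbit=192, one node: %d\n", load_and_count(&img_bad_highbit)); /* -1 */
    printf("highbit=64, one node:  %d\n", load_and_count(&img_ok));          /* 1 */
    printf("two nodes:             %d\n", load_and_count(&img_two_nodes));   /* 2 */
    printf("unordered nodes:       %d\n", load_and_count(&img_unordered));   /* -1 */
    return 0;
}
```

Rejecting the image at load time is the cheap place to enforce the invariant; once the structure is in memory, every iterator would otherwise have to re-derive it, and the commit's "1, 65, 129" output shows what happens when one of them does not.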
More precisely, decl->symtab[i].nprim seems to be only updated in libsepol/src/link.c (in *_copy_callback() functions).

Revert the buggy part of commit 02a7d77ef2bf to fix this regression.

Signed-off-by: Nicolas Iooss

commit 86bad3dbf981b7d645d41e4c93649dcf782b1a6f
Author: Nicolas Iooss
Date: Wed Nov 23 23:06:42 2016 +0100

libsepol: do not modify p->p_roles.nprim in role_set_expand

There is no reason to modify the number of roles defined in a policy when no role is being inserted.

Signed-off-by: Nicolas Iooss

commit 1e605e9905d354c2727cd65ea0f85f0e23470bf7
Author: cgzones
Date: Thu Nov 24 20:01:26 2016 +0100

fix semanage fcontext help message

the ftype options were incorrect

commit 2907caa33cbb722ecf423aa47e43f4f5053c2723
Author: Nicolas Iooss
Date: Tue Nov 22 23:23:42 2016 +0100

libsepol: fix unknown magic section number error message

When running hll/pp on some invalid policy module, it can output:

libsepol.sepol_module_package_read: unknown magic number at section 1, offset: 251, number: 0x

The last number looks funny and was caused by using "%ux". "u" is not a prefix like "l", "h", "z"... and "%x" already expects an unsigned integer (cf. http://man7.org/linux/man-pages/man3/printf.3.html).

Signed-off-by: Nicolas Iooss

commit d10725649ecdc522506e8c4f640e6118502f66f0
Author: Nicolas Iooss
Date: Tue Nov 22 23:23:41 2016 +0100

libsepol: make scope_index_destroy() more robust

When scope_index_read() fails while attempting to allocate memory for scope_index->class_perms_map, scope_index_destroy() gets called with scope->class_perms_len != 0 and scope->class_perms_map == NULL. This triggers the following segmentation fault (in semodule_package):

Program received signal SIGSEGV, Segmentation fault.
ebitmap_destroy (e=0x10) at ebitmap.c:362
362		n = e->node;
=> 0x00007ffff79ff7f6 : 48 8b 3f	mov    (%rdi),%rdi
(gdb) bt
#0  ebitmap_destroy (e=0x10) at ebitmap.c:362
#1  0x00007ffff79e2c37 in scope_index_destroy (scope=0x608860) at avrule_block.c:87
#2  avrule_decl_destroy (x=0x608830) at avrule_block.c:103
#3  0x00007ffff7aae99c in avrule_block_read (fp=0x605090, num_scope_syms=8, block=0x6054e8, p=0x605360) at policydb.c:3598
#4  policydb_read (p=0x605360, fp=fp@entry=0x605090, verbose=verbose@entry=0) at policydb.c:3946
#5  0x00007ffff7ab4ab4 in sepol_policydb_read (p=<optimized out>, pf=pf@entry=0x605090) at policydb_public.c:174
#6  0x0000000000401d33 in main (argc=<optimized out>, argv=0x7fffffffdc88) at semodule_package.c:220
(gdb) f 1
(gdb) p *scope
$1 = {scope = {{node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}}, class_perms_map = 0x0, class_perms_len = 4294934272}

Signed-off-by: Nicolas Iooss

commit 8d31f8053ca83af7266fed71a11b7a52b16cc13a
Author: Nicolas Iooss
Date: Tue Nov 22 23:23:40 2016 +0100

libsepol: do not crash when block->branch_list is NULL

When fuzzing hll/pp, the fuzzer created a policy module with a block which has no declaration. With block->branch_list = NULL, typealias_list_create() triggered a NULL pointer dereference when computing max_decl_id.

Signed-off-by: Nicolas Iooss

commit 6675e12cc17345834f14a52d260fd0bf4437d03c
Author: Nicolas Iooss
Date: Tue Nov 22 23:23:39 2016 +0100

libsepol: do not crash when a symbol does not exist

When hll/pp reads an invalid policy module where some scopes use required symbols which are not defined, the program crashes with a segmentation fault in required_scopes_to_cil():

Program received signal SIGSEGV, Segmentation fault.
required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780, pdb=0x6042e0, indent=0) at module_to_cil.c:3479
3479			for (j = 0; j < scope_datum->decl_ids_len; j++) {
=> 0x00007ffff7a7b1a8 : 44 8b 58 10	mov    0x10(%rax),%r11d
(gdb) bt
#0  required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780, pdb=0x6042e0, indent=0) at module_to_cil.c:3479
#1  block_to_cil (pdb=pdb@entry=0x6042e0, block=block@entry=0x607780, stack=stack@entry=0x6040b0, indent=indent@entry=0) at module_to_cil.c:3622
#2  0x00007ffff7a85a18 in global_block_to_cil (stack=0x6040b0, block=0x607780, pdb=0x6042e0) at module_to_cil.c:3738
#3  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3764
#4  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at module_to_cil.c:4051
#5  0x00007ffff7a86b55 in sepol_module_package_to_cil (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at module_to_cil.c:4080
#6  0x0000000000401acc in main (argc=<optimized out>, argv=<optimized out>) at pp.c:150
(gdb) p scope_datum
$1 = (struct scope_datum *) 0x0

Detect such errors and exit with an error return value.

Signed-off-by: Nicolas Iooss

commit 52b3b625b653923f3994de8e84248ba1b1614422
Author: Nicolas Iooss
Date: Tue Nov 22 23:23:38 2016 +0100

libsepol: do not call a NULL function in additive_scopes_to_cil()

When hll/pp operates on an invalid policy module which defines blocks with non-empty decl->symtab[SYM_COMMONS], additive_scopes_to_cil_map() calls func_to_cil[SYM_COMMONS], which is NULL. In additive_scopes_to_cil(), filter out NULL elements of func_to_cil before calling additive_scopes_to_cil_map().

Signed-off-by: Nicolas Iooss

commit 8f9057c2ea851b9caca23020f4cb99c84fed1d50
Author: Nick Kralevich
Date: Fri Nov 18 13:58:01 2016 -0800

label_file.h: actually use the results of compat_validate

process_line called compat_validate, but never actually looked at the return value.
When an invalid entry is found, a warning is printed, but since the upper layers of the code don't see the error, validation appears to succeed.

Steps to reproduce on Android:
1) Edit system/sepolicy/private/file_contexts and create an entry with an invalid label.
2) Recompile Android, which executes out/host/linux-x86/bin/checkfc to check if file_contexts is valid.

Expected: Compile failure.
Actual: Compile succeeds with warnings.

Change-Id: I20fa18c7b11b5ffdd243c3274bedc4518431e1fb
Signed-off-by: Stephen Smalley

commit 49bfee8562b778129cb989bdf9014045e39b0916
Author: Stephen Smalley
Date: Fri Nov 18 11:09:38 2016 -0500

checkpolicy: treat -self as an error

checkpolicy wrongly handles "-self". At the least, it should handle it as an error. At best, it should support it correctly (which would involve libsepol support as well). At present, it looks like it will end up negating (-) the next type/attribute in the list after self, or if there are no entries after self, ignoring it entirely.

This originally was raised by the Android team, which wanted to support something like the following:

neverallow domain { domain -self }:dir search;

to prohibit cross domain access to some resource but allow access within the same domain.

This change just makes it a fatal error during compilation. Implementing real support for -self is left as future work.

Signed-off-by: Stephen Smalley

commit a609434b95fb5aaee9da24d2e98be7eea741b040
Author: Stephen Smalley
Date: Fri Nov 18 09:48:25 2016 -0500

libselinux: normalize enforce values from the kernel

Normalize enforce values received from the kernel via /sys/fs/selinux/enforce or netlink selinux notifications to ensure that we always return a 0 or 1 to userspace code. selinux_status_getenforce(), which reads the enforce value via the SELinux kernel status page (/sys/fs/selinux/status) already normalizes its result, so we do not need to update it.
Signed-off-by: Stephen Smalley

commit 9140de74cf3f156c7aa4e7e65882288bf3e388df
Author: Nicolas Iooss
Date: Thu Nov 17 22:50:18 2016 +0100

libselinux, libsemanage: use Python-specific .so extension

The Makefiles currently install the Python wrapper libraries using the .so suffix (_selinux.so, audit2why.so and _semanage.so). Even though this works well with CPython 2 and 3, PyPy fails to find these files because it is looking for files with a specific version token in the suffix (e.g. _selinux.pypy-41.so). This suffix is advertised by the imp module. Here is the result of 'import imp;print([s for s, m, t in imp.get_suffixes() if t == imp.C_EXTENSION])' for several Python versions:

Python 2.7.12: ['.so', 'module.so']
Python 3.5.2: ['.cpython-35m-x86_64-linux-gnu.so', '.abi3.so', '.so']
PyPy 5.4.1 (Python 2.7.10): ['.pypy-41.so']
PyPy3 5.5.0-alpha0 (Python 3.3.5): ['.pypy3-55.so', '.pypy3-55.so']

Define the name of the installed Python-C extension using the first extension of these lists, in order to make the Python extensions compatible with pypy.

When building the Python wrappers for PyPy and PyPy3 on Linux, the following environment variables need to be set (PyPy does not provide a pkg-config file nor a platform-agnostic way to build the string "-lpypy-c"):

PYTHON=pypy (or PYTHON=pypy3)
PYINC=-I$($PYTHON -c 'import sys;print(sys.prefix)')/include
PYLIBS=-lpypy-c (or PYLIBS= if LDFLAGS does not have -Wl,-no-undefined)

Signed-off-by: Nicolas Iooss

commit 489dd595d74bc926946827056fb9ddeaa9b05fb8
Author: Nicolas Iooss
Date: Thu Nov 17 22:43:56 2016 +0100

libselinux: audit2why: remove unused module_state structure

This structure has been empty since its introduction and makes clang complain when $(filter-out -Werror, $(CFLAGS)) is removed in the Makefile target for audit2why.lo:

audit2why.c:443:1: error: empty struct has size 0 in C, size 1 in C++ [-Werror,-Wc++-compat]
struct module_state {
^
1 error generated.
Signed-off-by: Nicolas Iooss

commit a441d51011260652deec2acd33c6d41d7a88abd1
Author: Nicolas Iooss
Date: Thu Nov 17 22:42:10 2016 +0100

mcstrans: fix global "make install"

When running "make install" in the root directory of the project, with variable DESTDIR set and while being on a system without SELinux, the compiler complains while building:

fatal error: selinux/selinux.h: No such file or directory

Other subdirectories add -I$(PREFIX)/include to CFLAGS and -L$(LIBDIR) to the linking command line, in order to find libselinux headers and .so file. Do this too in mcstrans.

While at it, the mcstrans Makefile uses -I../include but this directory does not exist. Remove this option.

Signed-off-by: Nicolas Iooss

commit 945bc8853b62a855e46d7d5551372c876f59b487
Author: Nicolas Iooss
Date: Thu Nov 17 22:20:06 2016 +0100

sandbox: make test not fail on systems without SELinux

On systems without SELinux (e.g. some continuous integration environments), "make test" fails with:

Traceback (most recent call last):
  File "test_sandbox.py", line 110, in <module>
    if selinux.security_getenforce() == 1:
FileNotFoundError: [Errno 2] No such file or directory

This exception is thrown because the selinuxfs file system is not mounted. Detect such configurations using selinux.is_selinux_enabled() and skip the test when SELinux is disabled accordingly.

Signed-off-by: Nicolas Iooss

commit 4129eb499db070a001b9bb4d5286f5699db7d85f
Author: William Roberts
Date: Thu Nov 17 08:56:08 2016 -0800

expand_terule_helper: cleanups

1. Use the new helper to convert from AVRULE to AVTAB values.
2. Only check once for invalid AVRULE specified parameter.
3. Drop assert and just return error on invalid specification.

Signed-off-by: William Roberts

commit dcd473d5ae0a9f81c272a30e9e39a28cda8fc586
Author: William Roberts
Date: Thu Nov 17 08:56:07 2016 -0800

expand_avrule_helper: cleanup

General clean up for expand_avrule_helper:
1. Minimize the conversions of AVRULE specification to AVTAB specification; they are almost the same, the one exception is AVRULE_DONTAUDIT.
2. Clean up the if/else logic, collapse with a switch.
3. Move xperms allocation and manipulation to its own helper.
4. Only write avkey for values that change.
5. Return error rather than assert on invalid specification.

Signed-off-by: William Roberts

commit af9f477fb9016f313b368dc2dcfc9891795443fc
Author: William Roberts
Date: Thu Nov 17 08:56:06 2016 -0800

policydb.h: use AVTAB macros to avoid duplications

Rather than having multiple copies of the AVTAB and AVRULE defines, consolidate them. This makes it clear that AVRULE to AVTAB conversion no longer needs to occur.

Signed-off-by: William Roberts

commit 07ba7c6853b76ffb6db952542a3f04f72807dc7b
Author: Stephen Smalley
Date: Wed Nov 16 14:54:28 2016 -0500

mcstrans: Fix signed/unsigned warnings

Signed-off-by: Stephen Smalley

commit 7935dee8f62931159e3bdb7bc028c2fdb7ecd7da
Author: Stephen Smalley
Date: Wed Nov 16 12:10:58 2016 -0500

Drop ChangeLog files

They can be generated as desired via git log. No need to keep maintaining them by hand.

Signed-off-by: Stephen Smalley

commit c094ca9662db4a3096e7e622c4e047c7333e3d2c
Author: Jason Zaman
Date: Wed Nov 16 22:05:22 2016 +0800

restorecond: Add gitignore

Signed-off-by: Jason Zaman

commit 62cb9fc1651de14960433d5d3f2eec6d5cd8bac4
Author: Jason Zaman
Date: Wed Nov 16 22:05:21 2016 +0800

mcstrans: Add utils gitignore

Signed-off-by: Jason Zaman

commit 9123b38caedc48762bc381b4db2b09767065b732
Author: Jason Zaman
Date: Wed Nov 16 22:05:20 2016 +0800

Add stub make test targets to new subdirs

Signed-off-by: Jason Zaman

commit 089000ad1c91ca113d0c1eb61248e0638d0d5346
Author: Jason Zaman
Date: Wed Nov 16 22:05:19 2016 +0800

mcstrans: take LIBDIR from args, don't guess

All the other makefiles just have LIBDIR optionally set so it can be overridden. These makefiles were autodetecting incorrectly.
uname -i returns "GenuineIntel" so should have been uname -m. Signed-off-by: Jason Zaman commit 30cbe52c5b824a6a6924fec50b633ba1a3224991 Author: Jason Zaman Date: Wed Nov 16 22:05:18 2016 +0800 mcstrans: Fix Werror=shadow errors gcc -g3 -O0 -gdwarf-2 -fno-strict-aliasing -Wall -Wshadow -Werror -I../include -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -fPIE -c -o mcstrans.o mcstrans.c mcstrans.c: In function ‘violates_constraints’: mcstrans.c:551:14: error: declaration of ‘common’ shadows a previous local [-Werror=shadow] ebitmap_t common; ^ mcstrans.c:545:13: error: shadowed declaration is here [-Werror=shadow] ebitmap_t common; ^ mcstrans.c: In function ‘build_regexps’: mcstrans.c:1048:7: error: declaration of ‘i’ shadows a previous local [-Werror=shadow] int i=0; ^ mcstrans.c:993:15: error: shadowed declaration is here [-Werror=shadow] size_t n_el, i; ^ mcstrans.c: In function ‘compute_raw_from_trans’: mcstrans.c:1166:9: error: declaration of ‘rc’ shadows a previous local [-Werror=shadow] int rc = pcre_exec(g->prefix_regexp, 0, work, work_len, 0, 0, ovector, OVECCOUNT); ^ mcstrans.c:1123:6: error: shadowed declaration is here [-Werror=shadow] int rc = pcre_exec(domain->base_classification_regexp, 0, work, work_len, 0, PCRE_ANCHORED, ovector, OVECCOUNT); ^ mcstrans.c:1174:9: error: declaration of ‘rc’ shadows a previous local [-Werror=shadow] int rc = pcre_exec(g->suffix_regexp, 0, work, work_len, 0, 0, ovector, OVECCOUNT); ^ mcstrans.c:1123:6: error: shadowed declaration is here [-Werror=shadow] int rc = pcre_exec(domain->base_classification_regexp, 0, work, work_len, 0, PCRE_ANCHORED, ovector, OVECCOUNT); ^ mcstrans.c:1189:9: error: declaration of ‘rc’ shadows a previous local [-Werror=shadow] int rc = pcre_exec(g->word_regexp, 0, s, l, 0, 0, ovector, OVECCOUNT); ^ mcstrans.c:1123:6: error: shadowed declaration is here [-Werror=shadow] int rc = pcre_exec(domain->base_classification_regexp, 0, work, work_len, 0, PCRE_ANCHORED, ovector, OVECCOUNT); ^ mcstrans.c: In 
function ‘compute_trans_from_raw’: mcstrans.c:1328:14: error: declaration of ‘unhandled’ shadows a previous local [-Werror=shadow] ebitmap_t unhandled, orig_unhandled; ^ mcstrans.c:1291:49: error: shadowed declaration is here [-Werror=shadow] ebitmap_t bit_diff, temp, handled, nothandled, unhandled, orig_unhandled; ^ mcstrans.c:1328:25: error: declaration of ‘orig_unhandled’ shadows a previous local [-Werror=shadow] ebitmap_t unhandled, orig_unhandled; ^ mcstrans.c:1291:60: error: shadowed declaration is here [-Werror=shadow] ebitmap_t bit_diff, temp, handled, nothandled, unhandled, orig_unhandled; ^ mcstrans.c:1360:15: error: declaration of ‘handled’ shadows a previous local [-Werror=shadow] ebitmap_t handled, nothandled; ^ mcstrans.c:1291:28: error: shadowed declaration is here [-Werror=shadow] ebitmap_t bit_diff, temp, handled, nothandled, unhandled, orig_unhandled; ^ mcstrans.c:1360:24: error: declaration of ‘nothandled’ shadows a previous local [-Werror=shadow] ebitmap_t handled, nothandled; ^ mcstrans.c:1291:37: error: shadowed declaration is here [-Werror=shadow] ebitmap_t bit_diff, temp, handled, nothandled, unhandled, orig_unhandled; ^ mcstrans.c:1377:17: error: declaration of ‘temp’ shadows a previous local [-Werror=shadow] ebitmap_t temp; ^ mcstrans.c:1291:22: error: shadowed declaration is here [-Werror=shadow] ebitmap_t bit_diff, temp, handled, nothandled, unhandled, orig_unhandled; ^ mcstrans.c:1378:17: error: declaration of ‘bit_diff’ shadows a previous local [-Werror=shadow] ebitmap_t bit_diff; ^ mcstrans.c:1291:12: error: shadowed declaration is here [-Werror=shadow] ebitmap_t bit_diff, temp, handled, nothandled, unhandled, orig_unhandled; ^ mcstrans.c:1403:16: error: declaration of ‘bit_diff’ shadows a previous local [-Werror=shadow] ebitmap_t bit_diff; ^ mcstrans.c:1291:12: error: shadowed declaration is here [-Werror=shadow] ebitmap_t bit_diff, temp, handled, nothandled, unhandled, orig_unhandled; ^ mcstrans.c:1407:16: error: declaration of 
‘temp’ shadows a previous local [-Werror=shadow] ebitmap_t temp; ^ mcstrans.c:1291:22: error: shadowed declaration is here [-Werror=shadow] ebitmap_t bit_diff, temp, handled, nothandled, unhandled, orig_unhandled; ^ mcstrans.c:1434:19: error: declaration of ‘g’ shadows a previous local [-Werror=shadow] word_group_t *g; ^ mcstrans.c:1335:18: error: shadowed declaration is here [-Werror=shadow] word_group_t *g; ^ cc1: all warnings being treated as errors Makefile:35: recipe for target 'mcstrans.o' failed make[2]: *** [mcstrans.o] Error 1 Signed-off-by: Jason Zaman commit 618a64aea3c533ec67181acf0537066227217b4d Author: Stephen Smalley Date: Tue Nov 15 09:50:48 2016 -0500 semodule-utils: Drop -lselinux from Makefiles. These programs do not depend on libselinux. Signed-off-by: Stephen Smalley commit 25c167a6eaaf4d607207b33876c98efa9f4b131d Author: Stephen Smalley Date: Tue Nov 15 09:23:04 2016 -0500 Add COPYING files for new subdirs. Copied from policycoreutils/COPYING, from which these originated. Signed-off-by: Stephen Smalley commit f0e61d336f1e39adabd278b976a39d6cf3ad64df Author: Stephen Smalley Date: Tue Nov 8 14:40:12 2016 -0500 Fix release script Signed-off-by: Stephen Smalley commit 44801294127f5b1e42f1a36faa0ba2700a4753ff Author: Stephen Smalley Date: Tue Nov 8 14:21:10 2016 -0500 restorecond: break source dependency on policycoreutils/setfiles Now that restorecond is separated from policycoreutils, we should not retain a build dependency on the policycoreutils/setfiles source files. Fork the restore.[ch] files for restorecond. Signed-off-by: Stephen Smalley commit 65f5868c23fcf73bf47cc31f8f4f4d2680059a0d Author: Stephen Smalley Date: Tue Nov 8 14:17:59 2016 -0500 Move policycoreutils/semodule_package to semodule-utils. 
Signed-off-by: Stephen Smalley commit 6bd0b553806a4c3856be3a2ec9c768b1b72c5eb5 Author: Stephen Smalley Date: Fri Nov 4 15:49:49 2016 -0400 Add VERSION files for new components Signed-off-by: Stephen Smalley commit f0cc95435f7bae2ffd8e0c9207862941671ed607 Author: Stephen Smalley Date: Fri Nov 4 15:45:16 2016 -0400 Fix release script for packages that need prefixes. We need prefixes for dbus, gui, python at least, and we'll include sandbox too. Signed-off-by: Stephen Smalley commit 1c8505dac2bfbd1f12fd0cee8e18a63d969a8278 Author: Stephen Smalley Date: Wed Nov 2 10:20:08 2016 -0400 Update release script for the new structure. Signed-off-by: Stephen Smalley commit 6e4bb702af6a77dba2c646a9563899243ad5ebd5 Author: Stephen Smalley Date: Wed Nov 2 09:58:54 2016 -0400 mcstrans: fix clang warnings Fix the following warnings from clang. mcstrans.c:1309:6: warning: variable 'groups' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized] if (violates_constraints(l)) { ^~~~~~~~~~~~~~~~~~~~~~~ mcstrans.c:1491:9: note: uninitialized use occurs here while (groups) ^~~~~~ mcstrans.c:1309:2: note: remove the 'if' if its condition is always false if (violates_constraints(l)) { ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mcstrans.c:1303:6: warning: variable 'groups' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized] if (!l) ^~ mcstrans.c:1491:9: note: uninitialized use occurs here while (groups) ^~~~~~ mcstrans.c:1303:2: note: remove the 'if' if its condition is always false if (!l) ^~~~~~~ mcstrans.c:1299:6: warning: variable 'groups' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized] if (!level) ^~~~~~ mcstrans.c:1491:9: note: uninitialized use occurs here while (groups) ^~~~~~ mcstrans.c:1299:2: note: remove the 'if' if its condition is always false if (!level) ^~~~~~~~~~~ mcstrans.c:1316:2: note: variable 'groups' is declared here word_group_t *groups = NULL; ^ 3 warnings generated. 
mcscolor.c:334:24: warning: size argument in 'strncat' call appears to be size of the source [-Wstrncat-size] strncat(result, buf, sizeof(buf)); Signed-off-by: Stephen Smalley commit b97d959a6a79295e2b8693b453ffdac693d6b729 Author: Stephen Smalley Date: Wed Nov 2 09:52:29 2016 -0400 Move policycoreutils/sepolgen-ifgen into python/audit2allow. Signed-off-by: Stephen Smalley commit 50be5fcca4e926fcc0f15a595a4c295e7ba1916f Author: Stephen Smalley Date: Wed Nov 2 09:46:05 2016 -0400 Move sepolicy desktop and png files to gui. Signed-off-by: Stephen Smalley commit eeba5952df9b71324c8795a725864852beffba08 Author: Stephen Smalley Date: Tue Nov 1 13:52:08 2016 -0400 mcstrans: Add a relabel target. Signed-off-by: Stephen Smalley commit 233fe333f8d5d07b2def4b4f84458a5c37d62770 Author: Stephen Smalley Date: Tue Nov 1 13:15:19 2016 -0400 mcstrans: Add .gitignore file Signed-off-by: Stephen Smalley commit fe740954900645c1a7f4e7035125d2cce12bd34a Author: Stephen Smalley Date: Mon Oct 31 13:52:02 2016 -0400 Build mcstrans. We should build it by default or else it will bitrot. But you can still omit it by overriding OPT_SUBDIRS. Signed-off-by: Stephen Smalley commit 3dcdc463780a0ff4560c5b0ce8c6184d09edf11b Author: Stephen Smalley Date: Mon Oct 31 13:41:12 2016 -0400 Make it easy to omit optional components. Split optional components into their own overridable OPT_SUBDIRS definition. Then you can build without them via make OPT_SUBDIRS= or specify a subset of them in that manner. Signed-off-by: Stephen Smalley commit c9c97d6e8bace621b8d91c1f5fb1e321f8d4c326 Author: Stephen Smalley Date: Mon Oct 31 13:33:52 2016 -0400 Move policycoreutils/semodule_{deps,expand,link} to semodule-utils. Signed-off-by: Stephen Smalley commit 48dc232627d60e65b8b343036bc847df3bbef2ad Author: Stephen Smalley Date: Mon Oct 31 13:31:01 2016 -0400 Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python. 
Signed-off-by: Stephen Smalley commit 63e6dba9ca2bb0967c07a7f9d02fbd77a183819c Author: Stephen Smalley Date: Mon Oct 31 13:20:54 2016 -0400 Move policycoreutils/sepolicy dbus service files to dbus. Signed-off-by: Stephen Smalley commit 97bf196c8933f736c36fc0735781684a75a9c7d0 Author: Stephen Smalley Date: Mon Oct 31 13:10:55 2016 -0400 Move policycoreutils/sandbox to sandbox. Signed-off-by: Stephen Smalley commit 00be13634a886c94a1550324cadecba51a487cb8 Author: Stephen Smalley Date: Mon Oct 31 13:09:09 2016 -0400 Move policycoreutils/restorecond to restorecond. Signed-off-by: Stephen Smalley commit 4cc808671a18b5405be5707eefedd78b9c693268 Author: Stephen Smalley Date: Mon Oct 31 13:02:05 2016 -0400 Move policycoreutils/mcstrans to mcstrans. Signed-off-by: Stephen Smalley commit 2e4d0bc862a7706d25a26a0fc37c14a02a628a9a Author: Stephen Smalley Date: Mon Oct 31 13:01:14 2016 -0400 Move policycoreutils/gui to gui. Signed-off-by: Stephen Smalley commit d4387cd75fdd5281046a72925dbf5a5c4731cade Author: Stephen Smalley Date: Wed Nov 16 09:14:13 2016 -0500 Updated libsepol ChangeLog Signed-off-by: Stephen Smalley commit 02a7d77ef2bf8e9be5df04d647b39e2ddbf6af6e Author: Nicolas Iooss Date: Wed Nov 16 00:07:23 2016 +0100 libsepol: make parsing symbol table headers more robust When hll/pp loads a policy file which has been modified so that the nprim field of one of its non-empty symbol table was changed to zero, it crashes with a segmentation fault. A quick analysis leads to "p->sym_val_to_name[i] = (char **)alloc(p->symtab[i].nprim, sizeof(char *));" in policydb_index_others(), which is not executed when p->symtab[i].nprim is zero even though there are items in p->symtab[i].table. Detect such an oddity in the policy file early to exit with a clean error message. 
Signed-off-by: Nicolas Iooss commit 0a32f3b169d7fd8ae3d569cbd21cb67f6f019f98 Author: Nicolas Iooss Date: Wed Nov 16 00:07:22 2016 +0100 libsepol: test for ebitmap_read() negative return value While fuzzing hll/pp, the fuzzer (AFL) crafted a policy which triggered the following message without making the policy loading fail (the program crashed with a segmentation fault later): security: ebitmap: map size 192 does not match my size 64 (high bit was 0) This is because ebitmap_read() returned -EINVAL and this value was handled as a successful return value by scope_index_read() because it was not -1. Signed-off-by: Nicolas Iooss commit 784b43b2ae04bbd8a689f6c32086d4c43bc2c89e Author: Nicolas Iooss Date: Wed Nov 16 00:07:21 2016 +0100 libsepol: replace an assert with an error message When fuzzing hll/pp inputs, a policy module where the value of scope->decl_ids_len has been modified to zero makes the program abort (when it has been compiled without -DNDEBUG). Change the behavior to report an error message instead. This eases fuzzing functions like policydb_read(). Signed-off-by: Nicolas Iooss commit a96184bcbb748699107bc0b953ed76c1059ccb59 Author: Stephen Smalley Date: Wed Nov 16 08:53:27 2016 -0500 Updated libsepol ChangeLog Signed-off-by: Stephen Smalley commit be96f05182ffd934eb20776c52a88df6e51fe6df Author: William Roberts Date: Tue Nov 15 16:42:23 2016 -0800 libsepol: fix checkpolicy dontaudit compiler bug The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. This is a reimplementation of: commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 ("libsepol: fix checkpolicy dontaudit compiler bug") that avoids the cumbersome pointer assignments on alloced. 
Reported-by: Nick Kralevich Signed-off-by: William Roberts commit 5862ac5dfe3bcfc5ff1aa40b5585899b993ae446 Author: William Roberts Date: Tue Nov 15 11:40:00 2016 -0800 Revert "libsepol: fix checkpolicy dontaudit compiler bug" This reverts commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71. commit d0c82f8fb9434e3866b19601f0f75538fe792f04 Author: Stephen Smalley Date: Tue Nov 15 17:28:49 2016 -0500 Updated libsemanage ChangeLog Signed-off-by: Stephen Smalley commit 398266f95fcdd9c20f1ec1c0b76eb1d8ded89f67 Author: Nicolas Iooss Date: Tue Nov 15 23:15:23 2016 +0100 libsemanage: use a macro prefixed with SEMANAGE to protect dso.h Signed-off-by: Nicolas Iooss commit f60519edf6da21ac8d604e543c53c73b26fdba13 Author: Stephen Smalley Date: Tue Nov 15 17:25:14 2016 -0500 Updated libsepol ChangeLog Signed-off-by: Stephen Smalley commit 7a4db1566a970788e6e83a5f083a2ffb96b66a76 Author: Stephen Smalley Date: Tue Nov 15 17:19:18 2016 -0500 libsepol: cil_lexer: make warnings non-fatal for building The flex skeleton often triggers compiler warnings; make these non-fatal for building. We already do likewise for checkpolicy. Signed-off-by: Stephen Smalley commit 2ceadad8a36cf928ebe316181aac25f2d5492307 Author: Stephen Smalley Date: Tue Nov 15 11:14:24 2016 -0500 Updated libselinux and libsemanage ChangeLog Signed-off-by: Stephen Smalley commit 79db6da87f9c71bce3c790dd42524992ea5e40f3 Author: Nicolas Iooss Date: Mon Nov 14 22:57:12 2016 +0100 libselinux, libsemanage: swig: use SWIG_fail when an error occurs Using SWIG_fail in the Python SWIG wrappers makes the wrapping function destroy/free the memory which could have been dynamically allocated before calling the wrapped function. This thus prevents possible memory leaks in the wrappers of set*con(), set*con_raw(), security_compute_*(), etc. 
Signed-off-by: Nicolas Iooss commit db17f12273adf7bdee4c7d86ac4d71cc8bd78d4f Author: Nicolas Iooss Date: Mon Nov 14 22:57:11 2016 +0100 libselinux,libsemanage: fall back to gcc in exception.sh clang does not support -aux-info option. When exception.sh is run with CC=clang, use gcc to build selinuxswig_python_exception.i and semanageswig_python_exception.i. This does not solve the issue of building libselinux and libsemanage Python wrappers on a system without gcc. However parsing the result of "gcc -aux-info" is easier than parsing the header files so stay with this command at least for now. Signed-off-by: Nicolas Iooss commit f1db7b75e0630ba6b475409f07228b62746d4a7d Author: Stephen Smalley Date: Tue Nov 15 11:10:21 2016 -0500 Updated secilc ChangeLog Signed-off-by: Stephen Smalley commit 672f96f012faec20a900cc192798578556f79b65 Author: Nicolas Iooss Date: Mon Nov 14 22:33:24 2016 +0100 secilc: do not build secilc man page if it is up to date When running "make all" several times in the root directory of the project, the following lines always appear (and the command takes some seconds to complete on my system with a slow hard drive): xmlto man secilc.8.xml Note: Writing secilc.8 This is because "make man" always builds secilc.8 even though secilc.8.xml has not been modified. Introduce an intermediate target to avoid this behavior. Signed-off-by: Nicolas Iooss commit 2c1ae0f029a99b5f483761ef89f2397747711924 Author: Stephen Smalley Date: Tue Nov 15 11:07:20 2016 -0500 Updated libselinux and libsemanage ChangeLogs Signed-off-by: Stephen Smalley commit bb98da094882f5936a703119f1e109b7bce7d95a Author: Nicolas Iooss Date: Mon Nov 14 22:28:17 2016 +0100 libselinux,libsemanage: link Python wrapper with Python When linking with -Wl,-no-undefined in LDFLAGS (in order to find possible link-time errors), the Python wrapper module needs to be linked with the right libpython.so. This library is found using pkg-config in a new PYLIBS variable. 
Signed-off-by: Nicolas Iooss commit ad3aa7f52f81f747e58f9250f968aae975dcfeef Author: Nicolas Iooss Date: Mon Nov 14 22:28:16 2016 +0100 libsemanage: query for python site-packages dir directly Use the python interpreter to find the install directory, like commit 8162f10e670d ("libselinux: query for python site-packages dir directly") did for libselinux. While at it, do not install semanage.py (generated by SWIG) with executable permission bits. Signed-off-by: Nicolas Iooss commit f5b9bc2a06cc165ed4feef89c407481f4df8a71a Author: Nicolas Iooss Date: Mon Nov 14 22:28:15 2016 +0100 libselinux,libsemanage: link Ruby wrapper with -lruby When linking with -Wl,-no-undefined in LDFLAGS (in order to find possible link-time errors), the Ruby wrapper module needs to be linked with the libruby.so which is used by $(RUBY). Introduce a new RUBYLIBS variable to find this library. Signed-off-by: Nicolas Iooss commit 22e3ad6633f7a047f513e3822d71aeadebafb1fd Author: Nicolas Iooss Date: Mon Nov 14 22:28:14 2016 +0100 libselinux,libsemanage: use Ruby to define RUBYINC This makes building libselinux and libsemanage more robust on systems with several versions of Ruby installed: when building, only RUBY needs to be set, without wondering about PKG_CONFIG_PATH or other environment variables. Using RbConfig::CONFIG["rubyarchhdrdir"] only works with Ruby >= 2.0 but since previous Ruby versions are retired since 2015-02-23 this should not have any impact (https://www.ruby-lang.org/en/news/2015/02/23/support-for-ruby-1-9-3-has-ended/). While at it, in libsemanage, use RbConfig::CONFIG["vendorarchdir"] to install the Ruby extension, like commit 1cd80faa53b6 ("libselinux: versioned ruby pkg-config and query vendorarchdir properly") did for libselinux. My main motivation with this patch is to make the build configuration easier to define on Travis-CI or other continuous integration platforms. 
Signed-off-by: Nicolas Iooss commit df3ba03b9f6c8cfa5b98b3b99ed808f223b32935 Author: Stephen Smalley Date: Tue Nov 15 10:56:24 2016 -0500 Updated policycoreutils ChangeLog Signed-off-by: Stephen Smalley commit 917f398d7cd2925820d51daa8a3af8030c47c787 Author: Laurent Bigonville Date: Sat Nov 12 21:20:21 2016 +0100 policycoreutils: Use GObject introspection binding instead of python-gobject in selinux_server.py Signed-off-by: Laurent Bigonville commit 1270be188afb006f2afd17856f4286da5a5b6c21 Author: Laurent Bigonville Date: Sat Nov 12 21:20:20 2016 +0100 policycoreutils: Force GTK3.0 for sepolicy gui This removes the following warning when running sepolicy gui command: /usr/lib/python3/dist-packages/sepolicy/gui.py:29: PyGIWarning: Gtk was imported without specifying a version first. Use gi.require_version('Gtk', '3.0') before import to ensure that the right version gets loaded. Signed-off-by: Laurent Bigonville commit 0339318a2618e3f830eabfd8c6c5916f0331f9ae Author: Stephen Smalley Date: Tue Nov 15 10:49:13 2016 -0500 Updated libsepol ChangeLog Signed-off-by: Stephen Smalley commit 4750ec2ed5c6c251d395efe5d6febcec7e027c7e Author: dcashman Date: Fri Nov 11 11:12:44 2016 -0800 libsepol: cil: remove double-free. Test: Untested patch. 
Bug: https://code.google.com/p/android/issues/detail?id=226519 Change-Id: Icaf992ba1487098f2c4f16ac1017012f611281e9 Signed-off-by: Daniel Cashman commit e0882cdbed7e4a73d360f775d41dc4a0309fa85e Author: Stephen Smalley Date: Mon Nov 14 13:15:28 2016 -0500 Updated libsemanage ChangeLog Signed-off-by: Stephen Smalley commit b372170058b2c5de57d1aacde4de37d360490e9f Author: Nicolas Iooss Date: Sat Nov 12 13:05:03 2016 +0100 libsemanage: semanage_seuser_key_create: copy name When removing a login using semanage with Python 3 the following error occurs: # semanage login -l | grep my_user my_user user_u # semanage login --delete my_user ValueError: Login mapping for my_user is not defined This is due to a use-after-free in the swig-generated code for python3 bindings. Copy the user name in semanage_seuser_key_create() and free it in semanage_seuser_key_free(), like commit eac6f1f1b512 ("libsepol: sepol_{bool|iface|user}_key_create: copy name") did. Signed-off-by: Nicolas Iooss commit bfe9360ca51869b7611fe23616492cd4f1da6b4f Author: Stephen Smalley Date: Mon Nov 14 13:11:28 2016 -0500 Updated libselinux ChangeLog Signed-off-by: Stephen Smalley commit bbc930c7569f5efaff69eba1298973de33921f15 Author: Stephen Smalley Date: Mon Nov 14 13:05:09 2016 -0500 libselinux: fix subdir build and usage of cmdline CFLAGS commit 16c123f4b1f3c8d20b3f597df161d7e635620923 ("libselinux: support ANDROID_HOST=1 on Mac") broke the ability to run make in the src subdirectory of libselinux (because OS and COMPILER were not defined) and also caused some warning flags that could be overridden via command-line CFLAGS to be mandatory. Fix it. 
Signed-off-by: Stephen Smalley commit a0149f6f4fa5b5902439b3a273afc1c75b91c892 Author: Stephen Smalley Date: Mon Nov 14 10:57:38 2016 -0500 Updated libsepol ChangeLog Signed-off-by: Stephen Smalley commit 6201bb5e258e2b5bcc04d502d6fbc05c69d21d71 Author: Stephen Smalley Date: Mon Nov 14 10:37:17 2016 -0500 libsepol: fix checkpolicy dontaudit compiler bug The combining logic for dontaudit rules was wrong, causing a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p; rule. Reported-by: Nick Kralevich Signed-off-by: Stephen Smalley commit 30ef8d0993750519c438f56bf9467b28dc741ea8 Author: Stephen Smalley Date: Tue Nov 8 10:53:42 2016 -0500 Updated libsepol ChangeLog Signed-off-by: Stephen Smalley commit eac6f1f1b5125fde76dedb2f3e806a69f8a3e9ff Author: Stephen Smalley Date: Tue Nov 8 10:46:14 2016 -0500 libsepol: sepol_{bool|iface|user}_key_create: copy name The sepol_{bool|iface|user}_key_create() functions were not copying the name. This produces a use-after-free in the swig-generated code for python3 bindings. Copy the name in these functions, and free it upon sepol_{bool|iface|user}_key_free(). Reported-by: Nicolas Iooss Signed-off-by: Stephen Smalley commit 5e911ee825d273050f08ae5cc5250f743e4b63c3 Author: Stephen Smalley Date: Tue Nov 8 10:34:47 2016 -0500 Updated policycoreutils ChangeLog Signed-off-by: Stephen Smalley commit 2d7ca0b862a35196d562f59bd098df011fd7f0e6 Author: Laurent Bigonville Date: Mon Nov 7 10:51:08 2016 +0100 policycoreutils: Make sepolicy work with python3 Add python3 support for sepolicy Signed-off-by: Laurent Bigonville commit 71ee7217d795e7c7ff6b609b214f26e5836cfa47 Author: Stephen Smalley Date: Tue Nov 8 10:07:45 2016 -0500 Updated policycoreutils ChangeLog Signed-off-by: Stephen Smalley commit eed0e4259f782b107df54e3fef2de9d8990ea854 Author: Laurent Bigonville Date: Mon Nov 7 09:01:16 2016 +0100 Sandbox: Use next() over the sepolicy.info() result sepolicy.info() now returns a generator, use next() to get the results. 
Signed-off-by: Laurent Bigonville commit b42a293978ed34c0e349e604cc05ebf81cb3754f Author: Stephen Smalley Date: Mon Nov 7 16:02:42 2016 -0500 Updated libselinux and libsemanage ChangeLogs Signed-off-by: Stephen Smalley commit 70b986539efb666785b4ac9a4712593f82dfda47 Author: Nicolas Iooss Date: Sat Nov 5 22:24:03 2016 +0100 libselinux, libsemanage: remove *swig_python_exception.i if its creation failed When compiling libselinux with CC=clang, "make pywrap" reports the following message: bash exception.sh > selinuxswig_python_exception.i clang-3.9: error: no such file or directory: 'temp.aux' awk: fatal: cannot open file `temp.aux' for reading (No such file or directory) This does not make the build fail as exception.sh returns an "OK" status. Use "bash -e" with this script to make it return an error value. In order not to keep an empty selinuxswig_python_exception.i file after a build fails (which would make a second run of "make pywrap" incorrectly succeed), remove the file when exception.sh fails. As libsemanage uses the same code to build semanageswig_python_exception.i, modify its Makefile too. By the way, on Linux clang does not seem to currently support -aux-info so it cannot be used to craft selinuxswig_python_exception.i. Signed-off-by: Nicolas Iooss commit 5c620ead200762e69e8d08f09d2ac0d37b3db93d Author: Nicolas Iooss Date: Sat Nov 5 22:01:45 2016 +0100 libsemanage: remove ruby_semanage.so with "make clean" The Python wrapper is already removed in the clean target (with $(SWIGSO)) so remove the Ruby wrapper too. Signed-off-by: Nicolas Iooss commit 581dde735af139daaefb5888bff3ec7ca2470dee Author: Nicolas Iooss Date: Sat Nov 5 21:55:32 2016 +0100 libselinux: remove rpm_execcon from SWIG wrappers The Python wrapper of rpm_execcon() has several flaws: * An invalid call like selinux.rpm_execcon() triggers a segmentation fault. * The size of the buffer which is allocated to copy argv and envp is too small to hold all the values. 
* This allocated memory is leaked if one argument of rpm_execon() is not a sequence of bytes. The Ruby wrapper has no such flaws but can not be used as it is because it misses some glue code to convert argv and envp arguments to char *const [] values (even though the destructor is present!). As it is not possible to remove rpm_execcon() without changing libselinux soname (it would be an ABI break) like b67fefd991dd ("libselinux: set DISABLE_RPM default to y.") tried to do, disable this interface locally in the SWIG wrappers. Signed-off-by: Nicolas Iooss commit 1ce3e23b89a129ed568841dc081f77bda0dc9ac0 Author: Stephen Smalley Date: Fri Nov 4 15:40:50 2016 -0400 Updated libselinux ChangeLog Signed-off-by: Stephen Smalley commit b8711e2eaf4f83bf943ac8ad28c35cb1db9c001f Author: Laurent Bigonville Date: Wed Nov 2 16:24:31 2016 +0100 Revert "libselinux: support new python3 functions" With the reverted commit applied, some functions were returning arrays of bytes instead of python strings under python3 this was causing issues with string manipulation functions like split(). Swig (checked with 3.0.7) is adding compatibility macros that take care of the differences between python2 and python3. This reverts commit 63df0f7ef12844b9b86cc293299671da772fcf84. Signed-off-by: Laurent Bigonville commit 9a834cf877a306e6c24fa432fa8bdab482eb0155 Author: James Carter Date: Wed Nov 2 12:28:58 2016 -0400 Updated libsepol ChangeLog. Signed-off-by: James Carter commit 2eefb20d8ff47d764e5127de2879be9e8eac4d33 Author: James Carter Date: Wed Nov 2 10:12:25 2016 -0400 libsepol/cil: Exit with an error for an unknown map permission Nicholas Iooss discovered that using an unknown permission with a map class will cause a segfault. CIL will only give a warning when it fails to resolve an unknown permission to support the use of policy module packages that use permissions that don't exit on the current system. 
When resolving the unknown map class permission an empty list is used to represent the unknown permission. When it is evaluated later the list is assumed to be a permission and a segfault occurs. There is no reason to allow unknown class map permissions because the class maps and permissions are defined by the policy. Exit with an error when failing to resolve a class map permission. Reported-by: Nicolas Iooss Signed-off-by: James Carter commit ff413bb55e4fbf8794deedfba6da285ab42fa394 Author: Stephen Smalley Date: Wed Nov 2 09:13:14 2016 -0400 Updated policycoreutils ChangeLog Signed-off-by: Stephen Smalley commit 22e8b70867d881123465ee6ac7bc35020a1cf571 Author: Laurent Bigonville Date: Wed Nov 2 14:04:37 2016 +0100 policycoreutils: Use "new" sepolicy icon in .desktop file for sepolicy gui New hires icons have been added to the repository end 2013 but the sepolicy .desktop file is not using it, let's fix that. commit 6ff9318af9eab6e01de8494522f89b8f6c7f0bd1 Author: Stephen Smalley Date: Wed Nov 2 09:01:38 2016 -0400 Updated ChangeLogs Signed-off-by: Stephen Smalley commit a0bd296a0d94217a06633ed2941001d61cb0f99d Author: Stephen Smalley Date: Wed Nov 2 08:54:19 2016 -0400 libsemanage: fix kernel pathname in semanage_verify_kernel() Building with CC=clang, we get the following errors: semanage_store.c:2177:20: error: implicit conversion from enumeration type 'enum semanage_final_defs' to different enumeration type 'enum semanage_store_defs' [-Werror,-Wenum-conversion] semanage_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL); ~~~~~~~~~~~~~ ^~~~~~~~~~~~~~~~~~ semanage_store.c:2177:40: error: implicit conversion from enumeration type 'enum semanage_final_path_defs' to different enumeration type 'enum semanage_sandbox_defs' [-Werror,-Wenum-conversion] semanage_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL); ~~~~~~~~~~~~~ ^~~~~~~~~~~~~~~ This is an actual bug; semanage_verify_kernel() was never updated to use semanage_final_path() when the rest were converted. Fix it. 
This pathname is only used if a kernel policy verifier is specified in semanage.conf, so this is not used by default. Signed-off-by: Stephen Smalley commit 9dcbc12e1fcfbac3f21a65bb22fbdf3922395ff0 Author: Stephen Smalley Date: Tue Nov 1 17:31:11 2016 -0400 Updated libselinux ChangeLog Signed-off-by: Stephen Smalley commit e4f2bcce24181131014dc18d3f948e7e2a65d6cc Author: William Roberts Date: Tue Nov 1 14:23:10 2016 -0700 libselinux/utils: fix all the noreturn errors When building with clang, multiple noreturn issues arise, for instance: selabel_partial_match.c:11:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn] Fix these. Signed-off-by: William Roberts commit 4c519cd73031a7c1711d87801be11c716e887d44 Author: Stephen Smalley Date: Tue Nov 1 16:59:47 2016 -0400 libselinux: avc_internal.c: allow building with clang Resolves the following errors from clang: avc_internal.c:105:25: error: cast from 'char *' to 'struct nlmsghdr *' increases required alignment from 1 to 4 [-Werror,-Wcast-align] struct nlmsghdr *nlh = (struct nlmsghdr *)buf; ^~~~~~~~~~~~~~~~~~~~~~ avc_internal.c:161:25: error: cast from 'char *' to 'struct nlmsghdr *' increases required alignment from 1 to 4 [-Werror,-Wcast-align] struct nlmsghdr *nlh = (struct nlmsghdr *)buf; ^~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Stephen Smalley commit 6e6134cb7e409915e759ba758a34f568cbb93382 Author: Stephen Smalley Date: Tue Nov 1 16:31:27 2016 -0400 Updated libselinux ChangeLog Signed-off-by: Stephen Smalley commit 8fee76a53877a6c5b3fcffca4f14899bdaa0e2ea Author: William Roberts Date: Tue Nov 1 13:23:24 2016 -0700 libselinux: fix compiler flags for linux + clang As reported by Nicolas Iooss, the clang + linux build seems broken: clang-3.9: warning: argument unused during compilation: '-undefined dynamic_lookup' /usr/bin/ld: unrecognised option: -install_name clang-3.9: error: linker command failed with exit code 1 (use -v to see invocation) We already have those options 
    set for Darwin, just drop them from the clang side.

    Signed-off-by: William Roberts

commit 9f6c6324c245c118087545b83d11f59ad7b66928
Author: Stephen Smalley
Date:   Mon Oct 31 12:51:11 2016 -0400

    Updated libsepol ChangeLog

    Signed-off-by: Stephen Smalley

commit 2d1380f8115643441aff6ffce77b214579b8cbfd
Author: Jason Zaman
Date:   Mon Oct 31 23:52:27 2016 +0800

    libsepol: Add symver with explicit version to build with ld.gold

    The blank default symver fails to compile with ld.gold. This updates the
    symver from blank to LIBSEPOL_1.0. The dynamic linker will first look
    for the symbol with the explicit version specified. If there is none, it
    will pick the first listed symbol so there is no breakage. This also
    matches how symvers are defined in libsemanage.

    Signed-off-by: Jason Zaman

commit 3a8f55efc01ca6b7e957136a8d162fb8093f5601
Author: Stephen Smalley
Date:   Mon Oct 31 12:50:08 2016 -0400

    Updated policycoreutils ChangeLog

    Signed-off-by: Stephen Smalley

commit 266c16ff535a0d7fc89add6db3c13a879be6cdd5
Author: Nicolas Iooss
Date:   Sun Oct 30 22:27:22 2016 +0100

    policycoreutils: semodule_package: do not fail with an empty fc file

    When running sepolgen tests on a Linux 4.7 kernel, one test fails with
    the following message:

    /usr/bin/semodule_package: Failed to mmap tmp/module_compile_test.mod.fc: Invalid argument

    The .fc file is empty, which is why it cannot be used with mmap().
    Anyway the current code supports empty files (with if() conditions in
    main()) so do not try to mmap an empty file in file_to_data().
    Signed-off-by: Nicolas Iooss

commit cb68b534e3c6864c582560033a09e1fee742b950
Author: Nicolas Iooss
Date:   Sun Oct 30 20:15:08 2016 +0100

    policycoreutils: restorecond: use pkg-config to find dbus-glib-1 files

    On Ubuntu some header files are located in /usr/lib/x86_64-linux-gnu/,
    not /usr/lib64/:

    $ pkg-config --cflags dbus-glib-1
    -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include

    Use pkg-config instead of hard-coded paths to find glib and dbus-glib
    headers and libraries. This is needed in order to use environments
    provided for example by https://travis-ci.org/.

    Signed-off-by: Nicolas Iooss

commit 5917a96f3916eeaecc7b1900e0938a59c519297a
Author: Stephen Smalley
Date:   Thu Oct 27 10:42:04 2016 -0400

    Updated libselinux ChangeLog

    Signed-off-by: Stephen Smalley

commit 0776dca5758af7c64435c7cead44517e768e5a52
Author: vmojzis
Date:   Thu Oct 27 13:52:36 2016 +0200

    libselinux: fix pointer handling in realpath_not_final

    The loop designed for stripping leading "//" was changing the only
    pointer referencing the block of memory allocated by "strdup",
    resulting in "free()" failure. The loop had no effect because
    "realpath" is used later on.

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1376598

    Signed-off-by: vmojzis

commit 7a4cd7f8ff4f9fa4866b31d0e0983c5735b91486
Author: Stephen Smalley
Date:   Thu Oct 27 10:40:19 2016 -0400

    Updated libselinux ChangeLog.
    Signed-off-by: Stephen Smalley

commit 14d706434846f430e37787bf17403a0950266a46
Author: Laurent Bigonville
Date:   Thu Oct 27 00:04:30 2016 +0200

    libselinux: Allow overriding libsepol.a location during build

    Signed-off-by: Laurent Bigonville

commit f6f58732aa64e24dff9cfb44a1ffbd9a6efa8d41
Author: Stephen Smalley
Date:   Thu Oct 27 10:37:12 2016 -0400

    Updated libselinux ChangeLog

    Signed-off-by: Stephen Smalley

commit 640edd601b40a2340f0461649808055c3c3833d8
Author: Laurent Bigonville
Date:   Wed Oct 26 23:41:54 2016 +0200

    libselinux: Add clean-pywrap and clean-rubywrap targets

    Add clean targets to just clean the python and ruby wrapper objects

    Also clean $(SWIGRUBYSO) and $(AUDIT2WHYLOBJ) objects

    Signed-off-by: Laurent Bigonville

commit a610f08d2eaa2ba53840ceb3fb981f87ce986007
Author: Stephen Smalley
Date:   Fri Oct 21 12:59:37 2016 -0400

    Updated policycoreutils ChangeLog

    Signed-off-by: Stephen Smalley

commit 530904eaaa1d84111e59405e0f1d8c3dc87ccd26
Author: Vit Mojzis
Date:   Wed Oct 19 14:36:03 2016 +0200

    policycoreutils/gui: fix system-config-selinux editing features

    Return column definitions to portsPage (gui fails to load otherwise).

    fcontextPage: "ftype" dropdown was filled from 2 sources
    (system-config-selinux.glade and fcontextPage - from seobject module)
    which resulted in duplicate and invalid options. When given to
    "semanage fcontext -f", ftype has to be converted to 1 letter argument
    mode.

    TreeView.get_selection().get_selected() can return "None" if no item is
    selected (the list can be empty). Test if correct iterator was acquired.

    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1344842

    Signed-off-by: vmojzis

commit 58f892399b7e6eb5bfaa31058231d3df100c13a6
Author: James Carter
Date:   Wed Oct 19 10:46:42 2016 -0400

    Updated libsepol ChangeLog.

    Signed-off-by: James Carter

commit d7cb38ff8714e1817e4ff35c1ded4d84a0b62f2a
Author: dcashman
Date:   Tue Oct 18 14:31:51 2016 -0700

    libsepol: cil: cil_strpool: Allow multiple strpool users.
    cil_strpool currently provides an interface to a statically stored
    global data structure. This interface does not accommodate multiple
    consumers, however, as two calls to cil_strpool_init() will lead to a
    memory leak and a call to cil_strpool_destroy() by one consumer will
    remove data from use by others, and subsequently lead to a segfault on
    the next cil_strpool_destroy() invocation.

    Add a reference counter so that the strpool is only initialized once
    and protect the exported interface with a mutex.

    Tested by calling cil_db_init() on two cil_dbs and then calling
    cil_db_destroy() on each.

    Signed-off-by: Daniel Cashman

commit ff47e2d921586ceb4cdb0486d4e2e1d4397146ca
Author: James Carter
Date:   Wed Oct 19 10:10:07 2016 -0400

    Updated libsepol ChangeLog.

    Signed-off-by: James Carter

commit 410634d650aef93750e58420d4d04588a6dbf43a
Author: James Carter
Date:   Tue Oct 18 14:50:48 2016 -0400

    libsepol/cil: Verify neither child nor parent in a bounds is an attribute

    Nicolas Iooss found while fuzzing secilc with AFL that using an
    attribute as a child in a typebounds statement will cause a segfault.

    This happens because the child datum is assumed to be part of a
    cil_type struct when it is really part of a cil_typeattribute struct.
    The check to verify that it is a type and not an attribute comes after
    it is used.

    This bug affects user and role bounds as well because they do not check
    whether a datum refers to an attribute or not.

    Add checks to verify that neither the child nor the parent datum refer
    to an attribute before using them in user, role, and type bounds.

    Signed-off-by: James Carter

commit 0fcc430add4c1b5514e402f09001b07c75458344
Author: James Carter
Date:   Tue Oct 18 14:49:46 2016 -0400

    libsepol/cil: Verify alias in aliasactual statement is really an alias

    Nicolas Iooss found while fuzzing secilc with AFL that the statement
    "(sensitivityaliasactual SENS SENS)" will cause a segfault.
    The segfault occurs because when the aliasactual is resolved the first
    identifier is assumed to refer to an alias structure, but it is not.

    Add a check to verify that the datum retrieved is actually an alias and
    exit with an error if it is not.

    Signed-off-by: James Carter

commit 166b260d75b982e79f2369952d8ec16be042eda6
Author: James Carter
Date:   Tue Oct 18 14:41:41 2016 -0400

    libsepol/cil: Check that permission is not an empty list

    Nicolas Iooss found while fuzzing secilc with AFL that the statement
    "(class C (()))" will cause a segfault.

    CIL expects a list of permissions in the class declaration and "(())"
    is a valid list. Each item of the list is expected to be an identifier
    and as the list is processed each item is checked to see if it is a
    list. An error is given if it is a list, otherwise the item is assumed
    to be an identifier. Unfortunately, the check only works if the list is
    not empty. In this case, the item passes the check and is assumed to be
    an identifier and a NULL is passed as the string for name verification.
    If name verification assumes that a non-NULL value will be passed in, a
    segfault will occur.

    Add a check for an empty list when processing a permission list and
    improve the error handling for permissions when building the AST.

    Signed-off-by: James Carter

commit 3aa292620cc4902f5527faa581f98f775c3555ff
Author: James Carter
Date:   Tue Oct 18 14:21:59 2016 -0400

    libsepol/cil: Check if identifier is NULL when verifying name

    Nicolas Iooss found while fuzzing secilc with AFL that the statement
    "(class C (()))" will cause a segfault.

    When CIL checks the syntax of the class statement it sees "(())" as a
    valid permission list, but since "()" is not an identifier a NULL is
    passed as the string for name verification. A segfault occurs because
    name verification assumes that the string being checked is non-NULL.

    Check if identifier is NULL when verifying name.
    Signed-off-by: James Carter

commit da51020d6f334e02498f9deb470159675923ac29
Author: James Carter
Date:   Tue Oct 18 14:20:24 2016 -0400

    libsepol/cil: Use an empty list to represent an unknown permission

    Nicolas Iooss found while fuzzing secilc with AFL that the statement
    "(classpermissionset CPERM (CLASS (and unknow PERM)))" will cause a
    segfault.

    In order to support a policy module package using a permission that
    does not exist on the system it is loaded on, CIL will only give a
    warning when it fails to resolve an unknown permission. CIL itself will
    just ignore the unknown permission. This means that an expression like
    "(and UNKNOWN p1)" will look like "(and p1)" to CIL, but, since syntax
    checking has already been done, CIL won't know that the expression is
    not well-formed. When the expression is evaluated a segfault will occur
    because all expressions are assumed to be well-formed at evaluation
    time.

    Use an empty list to represent an unknown permission so that
    expressions will continue to be well-formed and expression evaluation
    will work but the unknown permission will still be ignored.

    Signed-off-by: James Carter

commit 1b3b36aeecf27049b1e8bebfe1820fc6b7f3ccf4
Author: James Carter
Date:   Tue Oct 18 14:19:03 2016 -0400

    libsepol/cil: Use empty list for category expression evaluated as empty

    Nicolas Iooss found while fuzzing secilc with AFL that the following
    policy will cause a segfault.

    (category c0)
    (category c1)
    (categoryorder (c0 c1))
    (sensitivity s0)
    (sensitivitycategory s0 (not (all)))

    The expression "(not (all))" is evaluated as containing no categories.
    There is a check for the resulting empty list and the category datum
    expression is set to NULL. The segfault occurs because the datum
    expression is assumed to be non-NULL after evaluation.

    Assign the list to the datum expression even if it is empty.
    Signed-off-by: James Carter

commit 1fc2f2f5ca4951e0c56019e46adec364fca515bd
Author: James Carter
Date:   Tue Oct 18 14:17:03 2016 -0400

    libsepol/cil: Check for improper category range

    Nicolas Iooss found while fuzzing secilc with AFL that the following
    policy will cause a segfault.

    (category c0)
    (category c1)
    (categoryorder (c0 c1))
    (sensitivity s0)
    (sensitivitycategory s0 (range c1 c0))

    The category range "(range c1 c0)" is invalid because c1 comes after c0
    in order. The invalid range is evaluated as containing no categories.
    There is a check for the resulting empty list and the category datum
    expression is set to NULL. The segfault occurs because the datum
    expression is assumed to be non-NULL after evaluation.

    Add a check for an invalid range when evaluating category ranges.

    Signed-off-by: James Carter

commit 5edd70ff9be77784b10e798d29e5500fcc38d39f
Author: Stephen Smalley
Date:   Tue Oct 18 14:03:21 2016 -0400

    Updated libselinux and libsepol ChangeLogs

    Signed-off-by: Stephen Smalley

commit 3c3381bf8bce530704004e2dfa135b7d0f3208a8
Author: William Roberts
Date:   Mon Oct 17 16:24:10 2016 -0400

    libselinux: add booleans.c to ANDROID_HOST=y recipe

    We build booleans.c with DISABLE_BOOL set on Android host and target.
    Add that file to the upstream Makefile.

    Signed-off-by: William Roberts

commit a79621874991f3bffd1a15ea70d7fd6ed9f0019b
Author: William Roberts
Date:   Mon Oct 17 16:24:09 2016 -0400

    libselinux: DISABLE_BOOL move to include headers

    Some systems, like Mac, don't have stdio_ext.h. Since we're building
    with DISABLE_BOOL=y on Mac, just include the header files with the
    DISABLE define, and use the bare minimum headers for DISABLE_BOOL=y.

    Signed-off-by: William Roberts

commit 16c123f4b1f3c8d20b3f597df161d7e635620923
Author: William Roberts
Date:   Mon Oct 17 16:24:08 2016 -0400

    libselinux: support ANDROID_HOST=1 on Mac

    To build on mac, first build libsepol with no DESTDIR set.
    Secondly, build libselinux with ANDROID_HOST=y

    This configuration can be used to test the Android host build on Mac.

    Signed-off-by: William Roberts

commit d7b11d7e1c87307e247cc7ab90d83a54a006ccc9
Author: William Roberts
Date:   Mon Oct 17 16:24:07 2016 -0400

    libselinux/utils: add noreturn to sefcontext_compile

    When building on mac, one encounters this error:

    sefcontext_compile.c:270:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]

    To correct this, add the attribute noreturn to the function.

    Signed-off-by: William Roberts

commit 502b48f4db8d753de5e0fe3e4592ea4fb1f872d1
Author: William Roberts
Date:   Mon Oct 17 16:24:06 2016 -0400

    libselinux: fix required alignment for sha1.c on mac

    When building on mac with ANDROID_HOST=y, clang complains:

    sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
        CHAR64LONG16* block = (CHAR64LONG16*) workspace;

    Rather than casting the bytearray to the CHAR64LONG16 union, just
    create a stack workspace of type CHAR64LONG16. This will prevent
    alignment issues with the data accesses.

    Signed-off-by: William Roberts

commit 10199be9154f13b1187d9ac82945d9a2c4a864cf
Author: William Roberts
Date:   Mon Oct 17 16:24:05 2016 -0400

    libselinux: fix mac build warning when ANDROID_HOST=y

    When building on Mac, outside of the Android tree, with ANDROID_HOST=y,
    this warning is observed:

    label.c:102:9: warning: implicit declaration of function 'fgets_unlocked' is invalid in C99 [-Wimplicit-function-declaration]
            while (fgets_unlocked(buf, sizeof(buf) - 1, cfg)) {

    Fix it by using the fgets_unlocked define that was introduced for
    Android, just apply it for mac builds as well.

    Signed-off-by: William Roberts

commit 3340d851dfcb2c803fe470b116c5f1dff909308f
Author: William Roberts
Date:   Mon Oct 17 16:24:04 2016 -0400

    libsepol: build on mac

    Correct the build issues on mac, mostly flags for tools.
    libsepol and cil now build completely on Mac with a simple make
    command.

    Signed-off-by: William Roberts

commit e71e9891e48245a9a7ab1778dfa227cb3bc6f2cc
Author: William Roberts
Date:   Mon Oct 17 16:24:03 2016 -0400

    libsepol/cil: disable symver on Mac builds

    symver does not work on Mac, so like Android, just disable it.

    Signed-off-by: William Roberts

commit 02b0d42113b7fc12b56cfbabac0bfde1eebd5ce0
Author: Stephen Smalley
Date:   Fri Oct 14 13:41:04 2016 -0400

    Updated libsemanage ChangeLog

    Signed-off-by: Stephen Smalley

commit 4cf9b9ce2df06fd5a29e5264a6552c9b02ec0b5b
Author: Stephen Smalley
Date:   Fri Oct 14 13:36:37 2016 -0400

    libsemanage: genhomedircon: only set MLS level if MLS is enabled

    When a non-MLS policy was used with genhomedircon, context_from_record()
    in sepol would report an error because an MLS level was present when
    MLS is disabled.

    Based on a patch by Gary Tierney, amended to use
    sepol_policydb_mls_enabled rather than semanage_mls_enabled because we
    are testing the temporary working policy, not the active policy.

    Reported-by: Jason Zaman
    Signed-off-by: Stephen Smalley

commit 1a27b5add9daaede2bb2e3aa8936bdc0f0d112d9
Author: Stephen Smalley
Date:   Fri Oct 14 11:47:29 2016 -0400

    scripts/release: cleanups

    Signed-off-by: Stephen Smalley

commit b5f2652a1156f9e67e28c99741a8cc4ec33a8fd0
Author: Stephen Smalley
Date:   Fri Oct 14 11:36:11 2016 -0400

    Fix release script

    Signed-off-by: Stephen Smalley
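The realpath_not_final fix above (commit 0776dca5) is about a pointer that was walked away from its strdup() allocation and then handed to free(). The C below is an added example, not libselinux code: it shows that defect in a comment and the safe form beside it, where the allocation stays in its own variable and a separate cursor does the walking; collapse_leading_slashes and check_collapse are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Added example, not libselinux code. The bug class described in the
 * realpath_not_final commit: the only pointer to strdup()'d memory is
 * advanced inside a loop, so the value later passed to free() is no
 * longer the one malloc returned. glibc then aborts ("free(): invalid
 * pointer") or, on other allocators, corrupts the heap. Buggy shape:
 *
 *     char *p = strdup(path);
 *     while (p[0] == '/' && p[1] == '/')
 *         p++;                 // allocation address is lost here
 *     ...
 *     free(p);                 // invalid free
 */

/* Safe form (hypothetical name): keep the allocation in its own variable,
 * walk with a read-only cursor, and free() exactly the pointer strdup()
 * returned. Returns a fresh copy with leading "//" collapsed to "/", or
 * NULL on allocation failure. */
char *collapse_leading_slashes(const char *path)
{
	char *copy = strdup(path);      /* the one pointer we are allowed to free */
	if (!copy)
		return NULL;

	const char *cursor = copy;      /* advances; never passed to free() */
	while (cursor[0] == '/' && cursor[1] == '/')
		cursor++;

	char *result = strdup(cursor);  /* may be NULL; copy is freed either way */
	free(copy);                     /* original address, so this is valid */
	return result;
}

/* Test helper (hypothetical): 1 if collapsing path yields expected, else 0. */
int check_collapse(const char *path, const char *expected)
{
	char *got = collapse_leading_slashes(path);
	int ok = got != NULL && strcmp(got, expected) == 0;
	free(got);
	return ok;
}
```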
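The cil_strpool change above (commit d7cb38ff) adds a reference counter and a mutex to a pool kept in static storage. The following C is an added example, not the libsepol/cil code: it applies the same two fixes to a minimal string pool with hypothetical names (pool_init, pool_add, pool_destroy), so that init/destroy from two consumers behaves as the commit's test with two cil_dbs describes, and an extra destroy is harmless.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the libsepol/cil code: a string pool in static storage
 * like cil_strpool, with the commit's two fixes: a reference counter so several
 * consumers can init/destroy without leaks or double frees, and a mutex around
 * the exported interface. All names are hypothetical. */

struct pool { char **items; size_t count; };
static struct pool *g_pool;     /* the single, statically stored instance */
static unsigned g_refcount;     /* consumers currently holding the pool */
static pthread_mutex_t g_lock = PTHREAD_MUTEX_INITIALIZER;
/* First caller allocates; every later caller only takes a reference. */
int pool_init(void)
{
	int rc = 0;
	pthread_mutex_lock(&g_lock);
	if (g_refcount == 0 && !(g_pool = calloc(1, sizeof(*g_pool))))
		rc = -1;            /* allocation failed: hold no reference */
	else
		g_refcount++;
	pthread_mutex_unlock(&g_lock);
	return rc;
}

/* Intern a copy of s; NULL if the pool is not initialised or on OOM. */
const char *pool_add(const char *s)
{
	const char *ret = NULL;
	pthread_mutex_lock(&g_lock);
	if (g_pool) {
		char **grown = realloc(g_pool->items, (g_pool->count + 1) * sizeof(*grown));
		if (grown)          /* realloc may have moved the array */
			g_pool->items = grown;
		if (grown && (grown[g_pool->count] = strdup(s)))
			ret = grown[g_pool->count++];
	}
	pthread_mutex_unlock(&g_lock);
	return ret;
}

/* Drop one reference; free only when the last consumer leaves. A destroy
 * without a matching init is a no-op rather than a crash. */
void pool_destroy(void)
{
	pthread_mutex_lock(&g_lock);
	if (g_refcount > 0 && --g_refcount == 0) {
		for (size_t i = 0; i < g_pool->count; i++)
			free(g_pool->items[i]);
		free(g_pool->items);
		free(g_pool);
		g_pool = NULL;
	}
	pthread_mutex_unlock(&g_lock);
}

unsigned pool_users(void) { return g_refcount; }   /* observability for tests */
int pool_alive(void) { return g_pool != NULL; }
```

On glibc older than 2.34 the pthread functions live in a separate library, so link with -lpthread there.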