InitialSID: Handle absence of names in binary policy.

2025-03-19 09:44:09 +00:00 · 2018-02-25 10:36:08 -05:00 · 2018-02-25 10:36:08 -05:00 · a533303d04
commit a533303d04
parent f012d55b11
2 changed files with 30 additions and 78 deletions
--- a/libqpol/policy_extend.c
+++ b/libqpol/policy_extend.c
@ -310,78 +310,6 @@ static int qpol_policy_fill_attr_holes(qpol_policy_t * policy)
 	return STATUS_ERR;
 }

-static const char *const sidnames[] = {
-	"undefined",
-	"kernel",
-	"security",
-	"unlabeled",
-	"fs",
-	"file",
-	"file_labels",
-	"init",
-	"any_socket",
-	"port",
-	"netif",
-	"netmsg",
-	"node",
-	"igmp_packet",
-	"icmp_socket",
-	"tcp_socket",
-	"sysctl_modprobe",
-	"sysctl",
-	"sysctl_fs",
-	"sysctl_kernel",
-	"sysctl_net",
-	"sysctl_net_unix",
-	"sysctl_vm",
-	"sysctl_dev",
-	"kmod",
-	"policy",
-	"scmp_packet",
-	"devnull"
-};
-
-/**
- *  Uses names from flask to fill in the isid names which are not normally
- *  saved. This function modified the policydb.
- *  @param policy Policy to which to add sid names.
- *  This policy will be altered by this function.
- *  @return 0 on success and < 0 on failure; if the call fails,
- *  errno will be set. On failure, the policy state may be inconsistent.
- */
-static int qpol_policy_add_isid_names(qpol_policy_t * policy)
-{
-	policydb_t *db = NULL;
-	ocontext_t *sid = NULL;
-	uint32_t val = 0;
-	int error = 0;
-
-	if (policy == NULL) {
-		ERR(policy, "%s", strerror(EINVAL));
-		errno = EINVAL;
-		return STATUS_ERR;
-	}
-
-	db = &policy->p->p;
-
-	for (sid = db->ocontexts[OCON_ISID]; sid; sid = sid->next) {
-		val = (uint32_t) sid->sid[0];
-		if (val > SECINITSID_NUM)
-			val = 0;
-
-		if (!sid->u.name) {
-			sid->u.name = strdup(sidnames[val]);
-			if (!sid->u.name) {
-				error = errno;
-				ERR(policy, "%s", strerror(error));
-				errno = error;
-				return STATUS_ERR;
-			}
-		}
-	}
-
-	return 0;
-}

 int policy_extend(qpol_policy_t * policy)
 {
@ -416,11 +344,6 @@ int policy_extend(qpol_policy_t * policy)
 			}
 		}
 	}
-	retv = qpol_policy_add_isid_names(policy);
-	if (retv) {
-		error = errno;
-		goto err;
-	}

 	return STATUS_SUCCESS;

--- a/setools/policyrep/initsid.pxi
+++ b/setools/policyrep/initsid.pxi
@ -18,20 +18,49 @@
 # <http://www.gnu.org/licenses/>.
 #

+#
+# Constants
+#
+# Binary policy does not contain the SID names
+SELINUX_SIDNAMES = ("undefined", "kernel", "security", "unlabeled", "fs", "file", "file_labels",
+    "init", "any_socket", "port", "netif", "netmsg", "node", "igmp_packet", "icmp_socket",
+    "tcp_socket", "sysctl_modprobe", "sysctl", "sysctl_fs", "sysctl_kernel", "sysctl_net",
+    "sysctl_net_unix", "sysctl_vm", "sysctl_dev", "kmod", "policy", "scmp_packet", "devnull")
+
+
+XEN_SIDNAMES = ("xen", "dom0", "domxen", "domio", "unlabeled", "security", "irq", "iomem", "ioport",
+    "device", "domU", "domDM")
+
+
+#
+# Classes
+#
 cdef class InitialSID(Ocontext):

    """An initial SID statement."""

+    cdef str name
+
    @staticmethod
    cdef factory(SELinuxPolicy policy, sepol.ocontext *symbol):
        """Factory function for creating InitialSID objects."""
        i = InitialSID()
        i.policy = policy
        i.handle = symbol
+
+        if symbol.u.name:
+            i.name = intern(symbol.u.name)
+        elif policy.target_platform == PolicyTarget.selinux:
+            i.name = SELINUX_SIDNAMES[<uint32_t>symbol.sid[0]]
+        elif policy.target_platform == PolicyTarget.xen:
+            i.name = XEN_SIDNAMES[<uint32_t>symbol.sid[0]]
+        else:
+            raise NotImplementedError
+
        return i

    def __str__(self):
-        return intern(self.handle.u.name)
+        return self.name


 cdef class InitialSIDIterator(OcontextIterator):