RepoMirrors/setools
1
0
Fork 0
mirror of https://github.com/SELinuxProject/setools synced 2025-04-11 03:51:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

InitialSID: Handle absence of names in binary policy.

Browse Source
This commit is contained in:
Chris PeBenito 2018-02-25 10:36:08 -05:00
parent f012d55b11
commit a533303d04
2 changed files with 30 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
libqpol/policy_extend.c
View File

@ -310,78 +310,6 @@ static int qpol_policy_fill_attr_holes(qpol_policy_t * policy)
return STATUS_ERR; return STATUS_ERR;
} }
static const char *const sidnames[] = {
"undefined",
"kernel",
"security",
"unlabeled",
"fs",
"file",
"file_labels",
"init",
"any_socket",
"port",
"netif",
"netmsg",
"node",
"igmp_packet",
"icmp_socket",
"tcp_socket",
"sysctl_modprobe",
"sysctl",
"sysctl_fs",
"sysctl_kernel",
"sysctl_net",
"sysctl_net_unix",
"sysctl_vm",
"sysctl_dev",
"kmod",
"policy",
"scmp_packet",
"devnull"
};
/**
* Uses names from flask to fill in the isid names which are not normally
* saved. This function modified the policydb.
* @param policy Policy to which to add sid names.
* This policy will be altered by this function.
* @return 0 on success and < 0 on failure; if the call fails,
* errno will be set. On failure, the policy state may be inconsistent.
*/
static int qpol_policy_add_isid_names(qpol_policy_t * policy)
{
policydb_t *db = NULL;
ocontext_t *sid = NULL;
uint32_t val = 0;
int error = 0;
if (policy == NULL) {
ERR(policy, "%s", strerror(EINVAL));
errno = EINVAL;
return STATUS_ERR;
}
db = &policy->p->p;
for (sid = db->ocontexts[OCON_ISID]; sid; sid = sid->next) {
val = (uint32_t) sid->sid[0];
if (val > SECINITSID_NUM)
val = 0;
if (!sid->u.name) {
sid->u.name = strdup(sidnames[val]);
if (!sid->u.name) {
error = errno;
ERR(policy, "%s", strerror(error));
errno = error;
return STATUS_ERR;
}
}
}
return 0;
}
int policy_extend(qpol_policy_t * policy) int policy_extend(qpol_policy_t * policy)
{ {
@ -416,11 +344,6 @@ int policy_extend(qpol_policy_t * policy)
} }
} }
} }
retv = qpol_policy_add_isid_names(policy);
if (retv) {
error = errno;
goto err;
}
return STATUS_SUCCESS; return STATUS_SUCCESS;

31
setools/policyrep/initsid.pxi
View File

@ -18,20 +18,49 @@
# <http://www.gnu.org/licenses/>. # <http://www.gnu.org/licenses/>.
# #
#
# Constants
#
# Binary policy does not contain the SID names
SELINUX_SIDNAMES = ("undefined", "kernel", "security", "unlabeled", "fs", "file", "file_labels",
"init", "any_socket", "port", "netif", "netmsg", "node", "igmp_packet", "icmp_socket",
"tcp_socket", "sysctl_modprobe", "sysctl", "sysctl_fs", "sysctl_kernel", "sysctl_net",
"sysctl_net_unix", "sysctl_vm", "sysctl_dev", "kmod", "policy", "scmp_packet", "devnull")
XEN_SIDNAMES = ("xen", "dom0", "domxen", "domio", "unlabeled", "security", "irq", "iomem", "ioport",
"device", "domU", "domDM")
#
# Classes
#
cdef class InitialSID(Ocontext): cdef class InitialSID(Ocontext):
"""An initial SID statement.""" """An initial SID statement."""
cdef str name
@staticmethod @staticmethod
cdef factory(SELinuxPolicy policy, sepol.ocontext *symbol): cdef factory(SELinuxPolicy policy, sepol.ocontext *symbol):
"""Factory function for creating InitialSID objects.""" """Factory function for creating InitialSID objects."""
i = InitialSID() i = InitialSID()
i.policy = policy i.policy = policy
i.handle = symbol i.handle = symbol
if symbol.u.name:
i.name = intern(symbol.u.name)
elif policy.target_platform == PolicyTarget.selinux:
i.name = SELINUX_SIDNAMES[<uint32_t>symbol.sid[0]]
elif policy.target_platform == PolicyTarget.xen:
i.name = XEN_SIDNAMES[<uint32_t>symbol.sid[0]]
else:
raise NotImplementedError
return i return i
def __str__(self): def __str__(self):
return intern(self.handle.u.name) return self.name
cdef class InitialSIDIterator(OcontextIterator): cdef class InitialSIDIterator(OcontextIterator):