selinux/libsepol/src/user_record.c

#include <errno.h>
#include <stdlib.h>
#include <string.h>

#include "user_internal.h"
#include "debug.h"
#include "private.h"

struct sepol_user {
	/* This user's name */
	char *name;

	/* This user's mls level (only required for mls) */
	char *mls_level;

	/* This user's mls range (only required for mls) */
	char *mls_range;

	/* The role array */
	char **roles;

	/* The number of roles */
	unsigned int num_roles;
};

struct sepol_user_key {
	/* This user's name */
	char *name;
};

int sepol_user_key_create(sepol_handle_t * handle,
			  const char *name, sepol_user_key_t ** key_ptr)
{

	sepol_user_key_t *tmp_key =
	    (sepol_user_key_t *) malloc(sizeof(sepol_user_key_t));

	if (!tmp_key) {
		ERR(handle, "out of memory, "
		    "could not create selinux user key");
		return STATUS_ERR;
	}

	tmp_key->name = strdup(name);
	if (!tmp_key->name) {
		ERR(handle, "out of memory, could not create selinux user key");
		free(tmp_key);
		return STATUS_ERR;
	}

	*key_ptr = tmp_key;
	return STATUS_SUCCESS;
}


void sepol_user_key_unpack(const sepol_user_key_t * key, const char **name)
{

	*name = key->name;
}


int sepol_user_key_extract(sepol_handle_t * handle,
			   const sepol_user_t * user,
			   sepol_user_key_t ** key_ptr)
{

	if (sepol_user_key_create(handle, user->name, key_ptr) < 0) {
		ERR(handle, "could not extract key from user %s", user->name);
		return STATUS_ERR;
	}

	return STATUS_SUCCESS;
}

void sepol_user_key_free(sepol_user_key_t * key)
{
	if (!key)
		return;
	free(key->name);
	free(key);
}

int sepol_user_compare(const sepol_user_t * user, const sepol_user_key_t * key)
{

	return strcmp(user->name, key->name);
}

int sepol_user_compare2(const sepol_user_t * user, const sepol_user_t * user2)
{

	return strcmp(user->name, user2->name);
}

/* Name */
const char *sepol_user_get_name(const sepol_user_t * user)
{

	return user->name;
}

int sepol_user_set_name(sepol_handle_t * handle,
			sepol_user_t * user, const char *name)
{

	char *tmp_name = strdup(name);
	if (!tmp_name) {
		ERR(handle, "out of memory, could not set name");
		return STATUS_ERR;
	}
	free(user->name);
	user->name = tmp_name;
	return STATUS_SUCCESS;
}


/* MLS */
const char *sepol_user_get_mlslevel(const sepol_user_t * user)
{

	return user->mls_level;
}


int sepol_user_set_mlslevel(sepol_handle_t * handle,
			    sepol_user_t * user, const char *mls_level)
{

	char *tmp_mls_level = strdup(mls_level);
	if (!tmp_mls_level) {
		ERR(handle, "out of memory, "
		    "could not set MLS default level");
		return STATUS_ERR;
	}
	free(user->mls_level);
	user->mls_level = tmp_mls_level;
	return STATUS_SUCCESS;
}


const char *sepol_user_get_mlsrange(const sepol_user_t * user)
{

	return user->mls_range;
}


int sepol_user_set_mlsrange(sepol_handle_t * handle,
			    sepol_user_t * user, const char *mls_range)
{

	char *tmp_mls_range = strdup(mls_range);
	if (!tmp_mls_range) {
		ERR(handle, "out of memory, "
		    "could not set MLS allowed range");
		return STATUS_ERR;
	}
	free(user->mls_range);
	user->mls_range = tmp_mls_range;
	return STATUS_SUCCESS;
}


/* Roles */
int sepol_user_get_num_roles(const sepol_user_t * user)
{

	return user->num_roles;
}

int sepol_user_add_role(sepol_handle_t * handle,
			sepol_user_t * user, const char *role)
{

	char *role_cp;
	char **roles_realloc = NULL;

	if (sepol_user_has_role(user, role))
		return STATUS_SUCCESS;

	role_cp = strdup(role);
	if (!role_cp)
		goto omem;

	roles_realloc = reallocarray(user->roles,
				     user->num_roles + 1,
				     sizeof(char *));
	if (!roles_realloc)
		goto omem;

	user->num_roles++;
	user->roles = roles_realloc;
	user->roles[user->num_roles - 1] = role_cp;

	return STATUS_SUCCESS;

      omem:
	ERR(handle, "out of memory, could not add role %s", role);
	free(role_cp);
	free(roles_realloc);
	return STATUS_ERR;
}


int sepol_user_has_role(const sepol_user_t * user, const char *role)
{

	unsigned int i;

	for (i = 0; i < user->num_roles; i++)
		if (!strcmp(user->roles[i], role))
			return 1;
	return 0;
}


int sepol_user_set_roles(sepol_handle_t * handle,
			 sepol_user_t * user,
			 const char **roles_arr, unsigned int num_roles)
{

	unsigned int i;
	char **tmp_roles = NULL;

	if (num_roles > 0) {

		/* First, make a copy */
		tmp_roles = (char **)calloc(1, sizeof(char *) * num_roles);
		if (!tmp_roles)
			goto omem;

		for (i = 0; i < num_roles; i++) {
			tmp_roles[i] = strdup(roles_arr[i]);
			if (!tmp_roles[i])
				goto omem;
		}
	}

	/* Apply other changes */
	for (i = 0; i < user->num_roles; i++)
		free(user->roles[i]);
	free(user->roles);
	user->roles = tmp_roles;
	user->num_roles = num_roles;
	return STATUS_SUCCESS;

      omem:
	ERR(handle, "out of memory, could not allocate roles array for"
	    "user %s", user->name);

	if (tmp_roles) {
		for (i = 0; i < num_roles; i++) {
			if (!tmp_roles[i])
				break;
			free(tmp_roles[i]);
		}
	}
	free(tmp_roles);
	return STATUS_ERR;
}

int sepol_user_get_roles(sepol_handle_t * handle,
			 const sepol_user_t * user,
			 const char ***roles_arr, unsigned int *num_roles)
{

	unsigned int i;
	const char **tmp_roles =
	    (const char **)calloc(user->num_roles, sizeof(char *));
	if (!tmp_roles)
		goto omem;

	for (i = 0; i < user->num_roles; i++)
		tmp_roles[i] = user->roles[i];

	*roles_arr = tmp_roles;
	*num_roles = user->num_roles;
	return STATUS_SUCCESS;

      omem:
	ERR(handle, "out of memory, could not "
	    "allocate roles array for user %s", user->name);
	free(tmp_roles);
	return STATUS_ERR;
}


void sepol_user_del_role(sepol_user_t * user, const char *role)
{

	unsigned int i;
	for (i = 0; i < user->num_roles; i++) {
		if (!strcmp(user->roles[i], role)) {
			free(user->roles[i]);
			user->roles[i] = NULL;
			user->roles[i] = user->roles[user->num_roles - 1];
			user->num_roles--;
		}
	}
}

/* Create */
int sepol_user_create(sepol_handle_t * handle, sepol_user_t ** user_ptr)
{

	sepol_user_t *user = (sepol_user_t *) malloc(sizeof(sepol_user_t));

	if (!user) {
		ERR(handle, "out of memory, "
		    "could not create selinux user record");
		return STATUS_ERR;
	}

	user->roles = NULL;
	user->num_roles = 0;
	user->name = NULL;
	user->mls_level = NULL;
	user->mls_range = NULL;

	*user_ptr = user;
	return STATUS_SUCCESS;
}


/* Deep copy clone */
int sepol_user_clone(sepol_handle_t * handle,
		     const sepol_user_t * user, sepol_user_t ** user_ptr)
{

	sepol_user_t *new_user = NULL;
	unsigned int i;

	if (sepol_user_create(handle, &new_user) < 0)
		goto err;

	if (sepol_user_set_name(handle, new_user, user->name) < 0)
		goto err;

	for (i = 0; i < user->num_roles; i++) {
		if (sepol_user_add_role(handle, new_user, user->roles[i]) < 0)
			goto err;
	}

	if (user->mls_level &&
	    (sepol_user_set_mlslevel(handle, new_user, user->mls_level) < 0))
		goto err;

	if (user->mls_range &&
	    (sepol_user_set_mlsrange(handle, new_user, user->mls_range) < 0))
		goto err;

	*user_ptr = new_user;
	return STATUS_SUCCESS;

      err:
	ERR(handle, "could not clone selinux user record");
	sepol_user_free(new_user);
	return STATUS_ERR;
}

/* Destroy */
void sepol_user_free(sepol_user_t * user)
{

	unsigned int i;

	if (!user)
		return;

	free(user->name);
	for (i = 0; i < user->num_roles; i++)
		free(user->roles[i]);
	free(user->roles);
	free(user->mls_level);
	free(user->mls_range);
	free(user);
}
initial import from svn trunk revision 2950 2008-08-19 19:30:36 +00:00			`#include <errno.h>`
			`#include <stdlib.h>`
			`#include <string.h>`

			`#include "user_internal.h"`
			`#include "debug.h"`
libsepol: use mallocarray wrapper to avoid overflows Use a wrapper to guard `malloc(a * b)` type allocations, to detect multiplication overflows, which result in too few memory being allocated. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> 2021-12-09 16:49:00 +00:00			`#include "private.h"`
initial import from svn trunk revision 2950 2008-08-19 19:30:36 +00:00
			`struct sepol_user {`
			`/* This user's name */`
			`char *name;`

			`/* This user's mls level (only required for mls) */`
			`char *mls_level;`

			`/* This user's mls range (only required for mls) */`
			`char *mls_range;`

			`/* The role array */`
			`char **roles;`

			`/* The number of roles */`
			`unsigned int num_roles;`
			`};`

			`struct sepol_user_key {`
			`/* This user's name */`
libsepol: sepol_{bool\|iface\|user}_key_create: copy name The sepol_{bool\|iface\|user}_key_create() functions were not copying the name. This produces a use-after-free in the swig-generated code for python3 bindings. Copy the name in these functions, and free it upon sepol_{bool\|iface\|user}_key_free(). Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2016-11-08 15:46:14 +00:00			`char *name;`
initial import from svn trunk revision 2950 2008-08-19 19:30:36 +00:00			`};`

			`int sepol_user_key_create(sepol_handle_t * handle,`
			`const char name, sepol_user_key_t * key_ptr)`
			`{`

			`sepol_user_key_t *tmp_key =`
			`(sepol_user_key_t *) malloc(sizeof(sepol_user_key_t));`

			`if (!tmp_key) {`
			`ERR(handle, "out of memory, "`
			`"could not create selinux user key");`
			`return STATUS_ERR;`
			`}`

libsepol: sepol_{bool\|iface\|user}_key_create: copy name The sepol_{bool\|iface\|user}_key_create() functions were not copying the name. This produces a use-after-free in the swig-generated code for python3 bindings. Copy the name in these functions, and free it upon sepol_{bool\|iface\|user}_key_free(). Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2016-11-08 15:46:14 +00:00			`tmp_key->name = strdup(name);`
			`if (!tmp_key->name) {`
			`ERR(handle, "out of memory, could not create selinux user key");`
			`free(tmp_key);`
			`return STATUS_ERR;`
			`}`
initial import from svn trunk revision 2950 2008-08-19 19:30:36 +00:00
			`*key_ptr = tmp_key;`
			`return STATUS_SUCCESS;`
			`}`


			`void sepol_user_key_unpack(const sepol_user_key_t * key, const char **name)`
			`{`

			`*name = key->name;`
			`}`


			`int sepol_user_key_extract(sepol_handle_t * handle,`
			`const sepol_user_t * user,`
			`sepol_user_key_t ** key_ptr)`
			`{`

			`if (sepol_user_key_create(handle, user->name, key_ptr) < 0) {`
			`ERR(handle, "could not extract key from user %s", user->name);`
			`return STATUS_ERR;`
			`}`

			`return STATUS_SUCCESS;`
			`}`

			`void sepol_user_key_free(sepol_user_key_t * key)`
			`{`
libsepol: do not seg fault on sepol__key_free(NULL) sepol__key_free(NULL) should just be a no-op just like free(NULL). Fix several instances that did not handle this correctly and would seg fault if called with NULL. Test: setsebool -P zebra_write_config=1 while non-root Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2017-04-07 15:01:52 +00:00			`if (!key)`
			`return;`
libsepol: sepol_{bool\|iface\|user}_key_create: copy name The sepol_{bool\|iface\|user}_key_create() functions were not copying the name. This produces a use-after-free in the swig-generated code for python3 bindings. Copy the name in these functions, and free it upon sepol_{bool\|iface\|user}_key_free(). Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2016-11-08 15:46:14 +00:00			`free(key->name);`
initial import from svn trunk revision 2950 2008-08-19 19:30:36 +00:00			`free(key);`
			`}`

			`int sepol_user_compare(const sepol_user_t * user, const sepol_user_key_t * key)`
			`{`

			`return strcmp(user->name, key->name);`
			`}`

			`int sepol_user_compare2(const sepol_user_t * user, const sepol_user_t * user2)`
			`{`

			`return strcmp(user->name, user2->name);`
			`}`

			`/* Name */`
			`const char sepol_user_get_name(const sepol_user_t user)`
			`{`

			`return user->name;`
			`}`

			`int sepol_user_set_name(sepol_handle_t * handle,`
			`sepol_user_t * user, const char *name)`
			`{`

			`char *tmp_name = strdup(name);`
			`if (!tmp_name) {`
			`ERR(handle, "out of memory, could not set name");`
			`return STATUS_ERR;`
			`}`
			`free(user->name);`
			`user->name = tmp_name;`
			`return STATUS_SUCCESS;`
			`}`


			`/* MLS */`
			`const char sepol_user_get_mlslevel(const sepol_user_t user)`
			`{`

			`return user->mls_level;`
			`}`


			`int sepol_user_set_mlslevel(sepol_handle_t * handle,`
			`sepol_user_t * user, const char *mls_level)`
			`{`

			`char *tmp_mls_level = strdup(mls_level);`
			`if (!tmp_mls_level) {`
			`ERR(handle, "out of memory, "`
			`"could not set MLS default level");`
			`return STATUS_ERR;`
			`}`
			`free(user->mls_level);`
			`user->mls_level = tmp_mls_level;`
			`return STATUS_SUCCESS;`
			`}`


			`const char sepol_user_get_mlsrange(const sepol_user_t user)`
			`{`

			`return user->mls_range;`
			`}`


			`int sepol_user_set_mlsrange(sepol_handle_t * handle,`
			`sepol_user_t * user, const char *mls_range)`
			`{`

			`char *tmp_mls_range = strdup(mls_range);`
			`if (!tmp_mls_range) {`
			`ERR(handle, "out of memory, "`
			`"could not set MLS allowed range");`
			`return STATUS_ERR;`
			`}`
			`free(user->mls_range);`
			`user->mls_range = tmp_mls_range;`
			`return STATUS_SUCCESS;`
			`}`


			`/* Roles */`
			`int sepol_user_get_num_roles(const sepol_user_t * user)`
			`{`

			`return user->num_roles;`
			`}`

			`int sepol_user_add_role(sepol_handle_t * handle,`
			`sepol_user_t * user, const char *role)`
			`{`

			`char *role_cp;`
libsepol: fix use-after-free in sepol_user_clone() When sepol_user_add_role() fails to allocate memory for role_cp but succeeds in reallocating user->roles memory, it frees this reallocated memory, thus leaving user->roles referencing a free memory block. When sepol_user_clone() calls sepol_user_free(new_user) because the allocation failure made sepol_user_add_role() fail, the following code is executed: for (i = 0; i < user->num_roles; i++) free(user->roles[i]); free(user->roles); As user->roles has been freed, this code frees pointers which may be invalid and then tries to free user->roles again. Fix this flaw by returning right after strdup() failed in sepol_user_add_role(). This issue has been found using clang's static analyzer. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2017-03-28 21:41:49 +00:00			`char **roles_realloc = NULL;`
initial import from svn trunk revision 2950 2008-08-19 19:30:36 +00:00
			`if (sepol_user_has_role(user, role))`
			`return STATUS_SUCCESS;`

			`role_cp = strdup(role);`
libsepol: fix use-after-free in sepol_user_clone() When sepol_user_add_role() fails to allocate memory for role_cp but succeeds in reallocating user->roles memory, it frees this reallocated memory, thus leaving user->roles referencing a free memory block. When sepol_user_clone() calls sepol_user_free(new_user) because the allocation failure made sepol_user_add_role() fail, the following code is executed: for (i = 0; i < user->num_roles; i++) free(user->roles[i]); free(user->roles); As user->roles has been freed, this code frees pointers which may be invalid and then tries to free user->roles again. Fix this flaw by returning right after strdup() failed in sepol_user_add_role(). This issue has been found using clang's static analyzer. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2017-03-28 21:41:49 +00:00			`if (!role_cp)`
			`goto omem;`

libsepol: use reallocarray wrapper to avoid overflows Use a wrapper to guard `realloc(p, a * b)` type allocations, to detect multiplication overflows, which result in too few memory being allocated. Use a custom implementation if the used C library does not offer one. Also use temporary variables for realloc(3) results in add_i_to_a() and fp_to_buffer(). Signed-off-by: Christian Göttsche <cgzones@googlemail.com> 2021-12-09 16:49:01 +00:00			`roles_realloc = reallocarray(user->roles,`
			`user->num_roles + 1,`
			`sizeof(char *));`
libsepol: fix use-after-free in sepol_user_clone() When sepol_user_add_role() fails to allocate memory for role_cp but succeeds in reallocating user->roles memory, it frees this reallocated memory, thus leaving user->roles referencing a free memory block. When sepol_user_clone() calls sepol_user_free(new_user) because the allocation failure made sepol_user_add_role() fail, the following code is executed: for (i = 0; i < user->num_roles; i++) free(user->roles[i]); free(user->roles); As user->roles has been freed, this code frees pointers which may be invalid and then tries to free user->roles again. Fix this flaw by returning right after strdup() failed in sepol_user_add_role(). This issue has been found using clang's static analyzer. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2017-03-28 21:41:49 +00:00			`if (!roles_realloc)`
initial import from svn trunk revision 2950 2008-08-19 19:30:36 +00:00			`goto omem;`

			`user->num_roles++;`
			`user->roles = roles_realloc;`
			`user->roles[user->num_roles - 1] = role_cp;`

			`return STATUS_SUCCESS;`

			`omem:`
			`ERR(handle, "out of memory, could not add role %s", role);`
			`free(role_cp);`
			`free(roles_realloc);`
			`return STATUS_ERR;`
			`}`


			`int sepol_user_has_role(const sepol_user_t * user, const char *role)`
			`{`

			`unsigned int i;`

			`for (i = 0; i < user->num_roles; i++)`
			`if (!strcmp(user->roles[i], role))`
			`return 1;`
			`return 0;`
			`}`


			`int sepol_user_set_roles(sepol_handle_t * handle,`
			`sepol_user_t * user,`
			`const char **roles_arr, unsigned int num_roles)`
			`{`

			`unsigned int i;`
			`char **tmp_roles = NULL;`

			`if (num_roles > 0) {`

			`/* First, make a copy */`
			`tmp_roles = (char *)calloc(1, sizeof(char ) * num_roles);`
			`if (!tmp_roles)`
			`goto omem;`

			`for (i = 0; i < num_roles; i++) {`
			`tmp_roles[i] = strdup(roles_arr[i]);`
			`if (!tmp_roles[i])`
			`goto omem;`
			`}`
			`}`

			`/* Apply other changes */`
			`for (i = 0; i < user->num_roles; i++)`
			`free(user->roles[i]);`
			`free(user->roles);`
			`user->roles = tmp_roles;`
			`user->num_roles = num_roles;`
			`return STATUS_SUCCESS;`

			`omem:`
			`ERR(handle, "out of memory, could not allocate roles array for"`
			`"user %s", user->name);`

			`if (tmp_roles) {`
			`for (i = 0; i < num_roles; i++) {`
			`if (!tmp_roles[i])`
			`break;`
			`free(tmp_roles[i]);`
			`}`
			`}`
			`free(tmp_roles);`
			`return STATUS_ERR;`
			`}`

			`int sepol_user_get_roles(sepol_handle_t * handle,`
			`const sepol_user_t * user,`
			`const char **roles_arr, unsigned int num_roles)`
			`{`

			`unsigned int i;`
			`const char **tmp_roles =`
libsepol: Replace calls to mallocarray() with calls to calloc() Since calloc() will return an error if nmemb * size would overflow, just use it instead of mallocarray(). This also allows code that initializes the array to zero to be removed. Signed-off-by: James Carter <jwcart2@gmail.com> 2022-03-30 19:54:27 +00:00			`(const char *)calloc(user->num_roles, sizeof(char ));`
initial import from svn trunk revision 2950 2008-08-19 19:30:36 +00:00			`if (!tmp_roles)`
			`goto omem;`

			`for (i = 0; i < user->num_roles; i++)`
			`tmp_roles[i] = user->roles[i];`

			`*roles_arr = tmp_roles;`
			`*num_roles = user->num_roles;`
			`return STATUS_SUCCESS;`

			`omem:`
			`ERR(handle, "out of memory, could not "`
			`"allocate roles array for user %s", user->name);`
			`free(tmp_roles);`
			`return STATUS_ERR;`
			`}`


			`void sepol_user_del_role(sepol_user_t * user, const char *role)`
			`{`

			`unsigned int i;`
			`for (i = 0; i < user->num_roles; i++) {`
			`if (!strcmp(user->roles[i], role)) {`
			`free(user->roles[i]);`
			`user->roles[i] = NULL;`
			`user->roles[i] = user->roles[user->num_roles - 1];`
			`user->num_roles--;`
			`}`
			`}`
			`}`

			`/* Create */`
			`int sepol_user_create(sepol_handle_t * handle, sepol_user_t ** user_ptr)`
			`{`

			`sepol_user_t user = (sepol_user_t ) malloc(sizeof(sepol_user_t));`

			`if (!user) {`
			`ERR(handle, "out of memory, "`
			`"could not create selinux user record");`
			`return STATUS_ERR;`
			`}`

			`user->roles = NULL;`
			`user->num_roles = 0;`
			`user->name = NULL;`
			`user->mls_level = NULL;`
			`user->mls_range = NULL;`

			`*user_ptr = user;`
			`return STATUS_SUCCESS;`
			`}`


			`/* Deep copy clone */`
			`int sepol_user_clone(sepol_handle_t * handle,`
			`const sepol_user_t * user, sepol_user_t ** user_ptr)`
			`{`

			`sepol_user_t *new_user = NULL;`
			`unsigned int i;`

			`if (sepol_user_create(handle, &new_user) < 0)`
			`goto err;`

			`if (sepol_user_set_name(handle, new_user, user->name) < 0)`
			`goto err;`

			`for (i = 0; i < user->num_roles; i++) {`
			`if (sepol_user_add_role(handle, new_user, user->roles[i]) < 0)`
			`goto err;`
			`}`

			`if (user->mls_level &&`
			`(sepol_user_set_mlslevel(handle, new_user, user->mls_level) < 0))`
			`goto err;`

			`if (user->mls_range &&`
			`(sepol_user_set_mlsrange(handle, new_user, user->mls_range) < 0))`
			`goto err;`

			`*user_ptr = new_user;`
			`return STATUS_SUCCESS;`

			`err:`
			`ERR(handle, "could not clone selinux user record");`
			`sepol_user_free(new_user);`
			`return STATUS_ERR;`
			`}`

			`/* Destroy */`
			`void sepol_user_free(sepol_user_t * user)`
			`{`

			`unsigned int i;`

			`if (!user)`
			`return;`

			`free(user->name);`
			`for (i = 0; i < user->num_roles; i++)`
			`free(user->roles[i]);`
			`free(user->roles);`
			`free(user->mls_level);`
			`free(user->mls_range);`
			`free(user);`
			`}`