libsepol: stop translating deprecated intial SIDs to strings

Many of the initial SIDs are no longer used by the kernel, so
translating them to the legacy names doesn't bring much value. Clear the
legacy names from the table and let the code translate them to the
fallback "unknown" names instead.

Note that this only affects the generated text output when converting
policies from binary to text form. The text policy languages let the
policy define its own names for the initial SIDs based on the order in
which they are declared, so the table is never used to convert from name
to SID. Thus this is just a cosmetic change and has no functional
impact.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Ondrej Mosnacek 2023-06-12 11:31:06 +02:00 committed by Petr Lautrbach
parent 48306c4ef3
commit 55b75a2c7d
4 changed files with 23 additions and 23 deletions


@ -568,7 +568,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
for (isid = isids; isid != NULL; isid = isid->next) {
i = isid->sid[0];
if (i < num_sids) {
if (i < num_sids && sid_to_str[i]) {
sid = (char *)sid_to_str[i];
} else {
snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
@ -2578,7 +2578,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
i = isid->sid[0];
if (i < num_sids) {
if (i < num_sids && sid_to_str[i]) {
sid = (char *)sid_to_str[i];
} else {
snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
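Review bot: The fallback branch at the end of both hunks still bounds the write with a bare `18`, while the same branch in kernel_to_conf.c in this commit uses `sizeof(unknown)`; now that the added NULL test makes this branch reachable for in-range SIDs (every slot the table section of this commit sets to NULL), the bound should visibly follow the declaration: `snprintf(unknown, sizeof(unknown), "UNKNOWN%u", i);`. Eighteen bytes is enough for "UNKNOWN", ten decimal digits and the terminator only if `i` is a 32-bit unsigned value, and neither the declaration of `unknown` nor the type of `i` is inside the hunk, so I could not confirm that here. A one-line comment on the new condition would also tell the next reader the fallback is expected rather than a corrupt policy: `/* NULL entries are initial SIDs the kernel no longer names; emit UNKNOWN<n> so every SID is still declared in order */`. Both write_sids_to_cil and write_sid_context_rules_to_cil begin and end outside the hunks shown.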


@ -13,33 +13,33 @@
// initial sid names aren't actually stored in the pp files, need to a have
// a mapping, taken from the linux kernel
static const char * const selinux_sid_to_str[] = {
"null",
NULL,
"kernel",
"security",
"unlabeled",
"fs",
NULL,
"file",
"file_labels",
"init",
NULL,
NULL,
"any_socket",
"port",
"netif",
"netmsg",
"node",
"igmp_packet",
"icmp_socket",
"tcp_socket",
"sysctl_modprobe",
"sysctl",
"sysctl_fs",
"sysctl_kernel",
"sysctl_net",
"sysctl_net_unix",
"sysctl_vm",
"sysctl_dev",
"kmod",
"policy",
"scmp_packet",
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
"devnull",
};
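Review bot: The table is indexed by initial SID number, so each NULL slot has to stay exactly where it is, but nothing in the hunk says so, and a later "cleanup" that drops the apparently unused NULLs would silently shift the kernel names onto the wrong SIDs in generated output. I would put above the initializer `/* Indexed by initial SID. NULL marks a SID the kernel no longer names; keep the slot, the writers fall back to UNKNOWN<n> for it. */`, and since the existing comment says the list is taken from the kernel, name the file it mirrors (presumably security/selinux/include/initial_sid_to_string.h) so the next resync is reproducible. Designated initializers would make the positions explicit, but no initial-SID constants are visible in libsepol here, so the comment is the cheaper fix. The pre-existing comment line "need to a have a mapping" also reads "need to have a mapping".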


@ -465,7 +465,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
for (isid = isids; isid != NULL; isid = isid->next) {
i = isid->sid[0];
if (i < num_sids) {
if (i < num_sids && sid_to_str[i]) {
sid = (char *)sid_to_str[i];
} else {
snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
@ -2446,7 +2446,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
i = isid->sid[0];
if (i < num_sids) {
if (i < num_sids && sid_to_str[i]) {
sid = (char *)sid_to_str[i];
} else {
snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
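Review bot: The new condition keeps the range check first, so `sid_to_str[i]` is only read when `i` is below `num_sids`, which matters because `i` comes straight from the binary policy's ocontext list; I would record that ordering with a comment rather than leave it implicit: `/* bound check first: i is read from the policy; NULL = SID the kernel no longer names */`. The `(char *)` cast on the line after the condition discards the `const` of the table entry; if `sid` can be declared `const char *` (its declaration is outside the hunk) the cast goes away and the compiler will catch any later write through it. Both write_sids_to_conf and write_sid_context_rules_to_conf continue beyond the hunks shown.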


@ -2536,7 +2536,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
for (isid = isids; isid != NULL; isid = isid->next) {
i = isid->sid[0];
if (i < num_sids) {
if (i < num_sids && sid_to_string[i]) {
sid = (char*)sid_to_string[i];
} else {
snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
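Review bot: As in kernel_to_cil.c, the fallback that the new NULL test now makes reachable for real SIDs writes into `unknown` with a literal `18` instead of `sizeof(unknown)`; `snprintf(unknown, sizeof(unknown), "UNKNOWN%u", i);` ties the bound to the declaration, which is outside this hunk and which I therefore could not check against the literal. Note too that this writer names its parameter `sid_to_string` while the two kernel_to_* writers in this commit call the same table `sid_to_str`; aligning the name would make the three fallback paths easier to grep and keep in sync. ocontext_isid_to_cil starts before the hunk and continues after it.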