checkpolicy: Fail if module name different than output base filename

Since CIL treats files as modules and does not have a separate module statement it can cause confusion when a Refpolicy module has a name that is different than its base filename because older SELinux userspaces will refer to the module by its module name while a CIL-based userspace will refer to it by its filename. Because of this, have checkmodule fail when compiling a module and the output base filename is different than the module name. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-04-06 13:46:05 -04:00 · 2016-04-06 13:46:05 -04:00 · c6acfae4bc
parent 8fb088a33d
commit c6acfae4bc
1 changed files with 20 additions and 0 deletions
--- a/checkpolicy/checkmodule.c
+++ b/checkpolicy/checkmodule.c
@ -19,6 +19,7 @@
 #include <stdio.h>
 #include <errno.h>
 #include <sys/mman.h>
+#include <libgen.h>

 #include <sepol/module_to_cil.h>
 #include <sepol/policydb/policydb.h>
@ -258,6 +259,25 @@ int main(int argc, char **argv)
 		}
 	}

+	if (policy_type != POLICY_BASE && outfile) {
+		char *mod_name = modpolicydb.name;
+		char *out_path = strdup(outfile);
+		if (out_path == NULL) {
+			fprintf(stderr, "%s:  out of memory\n", argv[0]);
+			exit(1);
+		}
+		char *out_name = basename(out_path);
+		char *separator = strrchr(out_name, '.');
+		if (separator) {
+			*separator = '\0';
+		}
+		if (strcmp(mod_name, out_name) != 0) {
+			fprintf(stderr,	"%s:  Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
+			exit(1);
+		}
+		free(out_path);
+	}
+
 	if (modpolicydb.policy_type == POLICY_BASE && !cil) {
 		/* Verify that we can successfully expand the base module. */
 		policydb_t kernpolicydb;