checkpolicy: Fail if module name different than output base filename

Since CIL treats files as modules and does not have a separate
module statement it can cause confusion when a Refpolicy module
has a name that is different than its base filename because older
SELinux userspaces will refer to the module by its module name while
a CIL-based userspace will refer to it by its filename.

Because of this, have checkmodule fail when compiling a module and
the output base filename is different than the module name.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This commit is contained in:
James Carter 2016-04-06 13:46:05 -04:00
parent 8fb088a33d
commit c6acfae4bc
1 changed files with 20 additions and 0 deletions

View File

@ -19,6 +19,7 @@
#include <stdio.h> #include <stdio.h>
#include <errno.h> #include <errno.h>
#include <sys/mman.h> #include <sys/mman.h>
#include <libgen.h>
#include <sepol/module_to_cil.h> #include <sepol/module_to_cil.h>
#include <sepol/policydb/policydb.h> #include <sepol/policydb/policydb.h>
@ -258,6 +259,25 @@ int main(int argc, char **argv)
} }
} }
if (policy_type != POLICY_BASE && outfile) {
char *mod_name = modpolicydb.name;
char *out_path = strdup(outfile);
if (out_path == NULL) {
fprintf(stderr, "%s: out of memory\n", argv[0]);
exit(1);
}
char *out_name = basename(out_path);
char *separator = strrchr(out_name, '.');
if (separator) {
*separator = '\0';
}
if (strcmp(mod_name, out_name) != 0) {
fprintf(stderr, "%s: Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
exit(1);
}
free(out_path);
}
if (modpolicydb.policy_type == POLICY_BASE && !cil) { if (modpolicydb.policy_type == POLICY_BASE && !cil) {
/* Verify that we can successfully expand the base module. */ /* Verify that we can successfully expand the base module. */
policydb_t kernpolicydb; policydb_t kernpolicydb;