systemd escapes luks uid so that mount points contain '\' and grep
should not consider this as regexp
Fixes:
$ cat /proc/self/mounts | sort | uniq | awk '{print $2}'
/run/credentials/systemd-cryptsetup@luks\134x2d6d1f41e6\134x2d5538\134x2d41a0\134x2db383\134x2cd41c2ddcacaa.service
$ sudo fixfiles -B onboot
grep: Invalid back reference
grep: Invalid back reference
System will relabel on next boot
Suggested-by: Christopher Tubbs <ctubbsii@fedoraproject.org>
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
man 2 flock:
Since Linux 2.6.12, NFS clients support flock() locks by emulating
them as fcntl(2) byte-range locks on the entire file. This means
that fcntl(2) and flock() locks do interact with one another
over NFS. It also means that in order to place an exclusive lock,
the file must be opened for writing.
Fixes:
# semanage fcontext -d -e /home /tmp/testdir
libsemanage.semanage_get_lock: Error obtaining direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK. (Bad file descriptor).
OSError: Bad file descriptor
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add some tests to verify assertion checking works for extended
permissions in conditional policies.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Indent the printed allow rule that triggered an assertion by two spaces
to improve readability.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add support for extended permission rules in conditional policies.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add support for extended permission rules in conditional policies.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add support for extended permission rules in conditional policies by
adding a new policy version and adjusting writing and validating
policies accordingly.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use const parameters where applicable to signal immutability.
Rename the passed iterator avrule from avrule to narule, to make clear
its the neverallow rule to assert against, not the allow rule to check.
Drop needless branch in check_assertions(), since in the case avrules is
NULL the for loop won't execute and errors will stay at 0, so 0 will be
returned regardless. Also there is no call to free() as mentioned in the
outdated comment.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Example policy generated by fuzzer:
class s
sid k
class s { i }
optional{
require{
attribute i;
}
}
type m;
typealias m alias i;
typeai
Reported-by: oss-fuzz (issue 377576480)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
If declare_symbol() returns 1 the id and the datum are already defined
and not consumed by the function, so it they must be free'd by the
caller.
Example policy (generated by fuzzer):
class s sid e class s{i}optional{require{bool K;}bool K true;
Reported-by: oss-fuzz (issue 377544445)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Support the parallel usage of the translated label lookup via
selabel_lookup(3) in multi threaded applications by locking the step
of computing the translated context and the validation state.
A potential use case might can usage from a Rust application via FFI.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add two fuzzers reading and performing lookup on selabel_file(5)
databases. One fuzzer takes input in form of a textual fcontext
definition, the other one takes compiled fcontexts definitions. The
lookup key and whether to lookup any or a specific file type is also
part of the generated input.
CC: Evgeny Vereshchagin <evverx@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Due to the selabel_file(5) rework this code is no longer used.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Currently the database for file backend of selabel stores the file
context specifications in a single long array. This array is sorted by
special precedence rules, e.g. regular expressions without meta
character first, ordered by length, and the remaining regular
expressions ordered by stem (the prefix part of the regular expressions
without meta characters) length.
This results in suboptimal lookup performance for two reasons;
File context specifications without any meta characters (e.g.
'/etc/passwd') are still matched via an expensive regular expression
match operation.
All such trivial regular expressions are matched against before any non-
trivial regular expression, resulting in thousands of regex match
operations for lookups for paths not matching any of the trivial ones.
Rework the internal representation of the database in two ways:
Convert regular expressions without any meta characters and containing
only supported escaped characters (e.g. '/etc/rc\.d/init\.d') into
literal strings, which get compared via strcmp(3) later on.
Store the specifications in a tree structure to reduce the to number of
specifications that need to be checked.
Since the internal representation is completely rewritten introduce a
new compiled file context file format mirroring the tree structure.
The new format also stores all multi-byte data in network byte-order, so
that such compiled files can be cross-compiled, e.g. for embedded
devices with read-only filesystems (except for the regular expressions,
which are still architecture-dependent, but ignored on architecture mis-
match).
The improved lookup performance will also benefit SELinux aware daemons,
which create files with their default context, e.g. systemd.
Fedora 41 (pre-compiled regular expressions are omitted on Fedora):
file_contexts.bin: 567248 -> 413191 (bytes)
file_contexts.homedirs.bin: 20677 -> 13107 (bytes)
Debian Sid (pre-compiled regular expressions are included):
file_contexts.bin: 7790690 -> 3646256 (bytes)
file_contexts.homedirs.bin: 835950 -> 708793 (bytes)
(selabel_lookup -b file -k /bin/bash)
Fedora 41 in VM:
text: time: 7.2 ms -> 3.5 ms
peak heap: 2.33M -> 1.81M
peak rss: 6.64M -> 6.37M
compiled: time: 5.9 ms -> 1.6 ms
peak heap: 2.14M -> 1.23M
peak rss: 6.76M -> 5.91M
Debian Sid on Raspberry Pi 3:
text: time: 33.4 ms -> 21.2 ms
peak heap: 10.59M -> 607.32K
peak rss: 6.55M -> 4.46M
compiled: time: 38.3 ms -> 23.5 ms
peak heap: 13.28M -> 2.00M
peak rss: 12.21M -> 7.60M
(restorecon -vRn /)
Fedora 41 in VM:
9.6 s -> 1.3 s
Debian Sid on Raspberry Pi 3:
94.6 s -> 12.1 s
(restorecon -vRn -T0 /)
Fedora 39 in VM (8 cores):
10.9 s -> 1.0 s
Debian Sid on Raspberry Pi 3 (4 cores):
58.9 s -> 12.6 s
(note: I am unsure why the parallel runs on Fedora are slower)
There might be subtle differences in lookup results which evaded my
testing, because some precedence rules are oblique. For example
`/usr/(.*/)?lib(/.*)?` has to have a higher precedence than
`/usr/(.*/)?bin(/.*)?` to match the current Fedora behavior. Please
report any behavior changes.
The maximum node depth in the database is set to 3, which seems to give
the best performance to memory usage ratio. Might be tweaked for
systems with different filesystem hierarchies (Android?).
I am not that familiar with the selabel_partial_match(3),
selabel_get_digests_all_partial_matches(3) and
selabel_hash_all_partial_matches(3) related interfaces, so I only did
some rudimentary tests for them.
CC: Petr Lautrbach <plautrba@redhat.com>
CC: James Carter <jwcart2@gmail.com>
CC: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add sidtab_context_lookup() to just lookup a context, not inserting
non-existent ones.
Tweak sidtab_destroy() to accept a zero'ed struct sidtab.
Remove redundant lookup in sidtab_context_to_sid() after insertion by
returning the newly created node directly from sidtab_insert().
Drop declaration of only internal used sidtab_insert().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Reinterpret the currently unused - and always initialized to 1 - member
refcnt of the struct security_id to hold a unique number identifying
the sidtab entry. This identifier can be used instead of the full
context string within other data structures to minimize memory usage.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use type unsigned for hash values, as returned by sidtab_hash().
Use size_t for buffer length and counting variables.
Constify stats parameter.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add a utility around selabel_cmp(3).
Can be used by users to compare a pre-compiled fcontext file to an
original text-based file context definition file.
Can be used for development to verify compilation and parsing of the
pre-compiled fcontext format works correctly.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Introduce a helper to remove SELinux file security contexts.
Mainly for testing label operations, and only for SELinux disabled
systems, since removing file contexts is not supported by SELinux.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Certain roles (user_r, staff_r, sysadm_r, system_r, unconfined_r,
auditadm_r, and secadm_r) have always been handled in a special
way when converting a policy module to CIL to avoid having
duplicate role declarations. By optionally allowing duplicate role
declarations in CIL and by creating an option in libsemanage to
make use of duplicate declaration support, the special handling of
these roles can be removed.
Remove the special handling of certain roles in module_to_cil.c.
Signed-off-by: James Carter <jwcart2@gmail.com>
Add a configuration option that when set to "true" allows duplicate
type, type attribute, and role declarations and duplicate context
rules.
The default is set to "true" to support the removal of the special
handling of certain roles when converting a policy module to CIL
without causing problems for existing policies.
Signed-off-by: James Carter <jwcart2@gmail.com>
Allow duplicate role declarations (along with duplicate type and
type attribute declarations and context rules) if the multiple_decls
field in the CIL db has been set. This field can be set by a call to
cil_set_multiple_decls().
Signed-off-by: James Carter <jwcart2@gmail.com>
Without nonblocking IO, g_io_channel_read_chars waits indefinitely for more
data without ever returning control to the event loop.
Set the IO channels to nonblocking to fix SIGTERM handling.
Signed-off-by: Fabian Vogt <fvogt@suse.de>
Acked-by: James Carter <jwcart2@gmail.com>
By default, GIO channels use UTF-8 as encoding, which causes issues when
reading binary data such as inotify events.
Signed-off-by: Fabian Vogt <fvogt@suse.de>
Acked-by: James Carter <jwcart2@gmail.com>
When a user is created in an optional block, a user datum is added
to both the avrule_decl's symtab and the policydb's symtab, but
the semantic MLS information is only added to the avrule_decl's
user datum. This causes an error to occur during policy expansion
when user_copy_callback() is called. If this error did not occur
then the policydb's user datum would be written without any MLS
info and the policy would fail validation when read later.
When creating a user datum, search for a user datum with the same
key in the policydb's symtab. If that datum has no MLS information,
then copy the MLS information from the avrule_decl's datum. If it
does, then compare the default level, low level, and high level
sensitivities and give an error if they do not match. There is not
enough information to expand the categories for the high and low
levels, so merge the semantic categories. If the two category sets
are not equal an error will occur during the expansion phase.
A minimum policy to demonstrate the bug:
class CLASS1
sid kernel
class CLASS1 { PERM1 }
sensitivity SENS1;
dominance { SENS1 }
level SENS1;
mlsconstrain CLASS1 { PERM1 } ((h1 dom h2) and (l1 domby h1));
type TYPE1;
allow TYPE1 self : CLASS1 PERM1;
role ROLE1;
role ROLE1 types TYPE1;
optional {
require {
role ROLE1;
}
user USER2 roles ROLE1 level SENS1 range SENS1;
}
user USER1 roles ROLE1 level SENS1 range SENS1;
sid kernel USER1:ROLE1:TYPE1:SENS1
Signed-off-by: James Carter <jwcart2@gmail.com>
The following statement is always true if read_len is unsigned:
(read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0
Fixes:
Error: INTEGER_OVERFLOW (CWE-190): [#def19] [important]
libsemanage-3.7/src/direct_api.c:598:2: tainted_data_return: Called function "read(fd, data_read + data_read_len, max_len - data_read_len)", and a possible return value may be less than zero.
libsemanage-3.7/src/direct_api.c:598:2: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow.
libsemanage-3.7/src/direct_api.c:599:3: overflow: The expression "data_read_len += read_len" is deemed underflowed because at least one of its arguments has underflowed.
libsemanage-3.7/src/direct_api.c:598:2: overflow: The expression "max_len - data_read_len" is deemed underflowed because at least one of its arguments has underflowed.
libsemanage-3.7/src/direct_api.c:598:2: overflow_sink: "max_len - data_read_len", which might have underflowed, is passed to "read(fd, data_read + data_read_len, max_len - data_read_len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
\# 596| }
\# 597|
\# 598|-> while ((read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0) {
\# 599| data_read_len += read_len;
\# 600| if (data_read_len == max_len) {
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Fixes:
Error: RESOURCE_LEAK (CWE-772):
libselinux-3.6/src/matchpathcon.c:519: alloc_arg: "lgetfilecon_raw" allocates memory that is stored into "con". [Note: The source code implementation of the function has been overridden by a user model.]
libselinux-3.6/src/matchpathcon.c:528: leaked_storage: Variable "con" going out of scope leaks the storage it points to.
\# 526|
\# 527| if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
\# 528|-> return -1;
\# 529|
\# 530| if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Fixes:
Error: IDENTICAL_BRANCHES (CWE-398):
libselinux-3.6/src/setexecfilecon.c:45: implicit_else: The code from the above if-then branch is identical to the code after the if statement.
libselinux-3.6/src/setexecfilecon.c:43: identical_branches: The same code is executed when the condition "rc < 0" is true or false, because the code in the if-then branch and after the if statement is identical. Should the if statement be removed?
\# 41|
\# 42| rc = setexeccon(newcon);
\# 43|-> if (rc < 0)
\# 44| goto out;
\# 45| out:
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
commit ba7945a250 added support for nlmsg extended permissions in the
policy. The assertion validation was not updated which lead to false
positives when evaluated. The optimization update was also missing. Add
support for the new extended permission for optimization and assertions.
Fixes: ba7945a250
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: James Carter <jwcart2@gmail.com>
The value of "strs" was not always initialized before being used by
strs_destroy.
Fixes:
Error: UNINIT (CWE-457):
libsepol-3.7/src/kernel_to_cil.c:1439:2: var_decl: Declaring variable "strs" without initializer.
libsepol-3.7/src/kernel_to_cil.c:1487:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
\# 1485|
\# 1486| exit:
\# 1487|-> strs_destroy(&strs);
\# 1488|
\# 1489| if (rc != 0) {
Error: UNINIT (CWE-457):
libsepol-3.7/src/kernel_to_conf.c:1422:2: var_decl: Declaring variable "strs" without initializer.
libsepol-3.7/src/kernel_to_conf.c:1461:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
\# 1459|
\# 1460| exit:
\# 1461|-> strs_destroy(&strs);
\# 1462|
\# 1463| if (rc != 0) {
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
tmp.node was not always initialized before being used by
ebitmap_destroy.
Fixes:
Error: UNINIT (CWE-457):
libsepol-3.7/cil/src/cil_post.c:1309:2: var_decl: Declaring variable "tmp" without initializer.
libsepol-3.7/cil/src/cil_post.c:1382:6: uninit_use_in_call: Using uninitialized value "tmp.node" when calling "ebitmap_destroy".
\# 1380| if (rc != SEPOL_OK) {
\# 1381| cil_log(CIL_INFO, "Failed to apply operator to bitmaps\n");
\# 1382|-> ebitmap_destroy(&tmp);
\# 1383| goto exit;
\# 1384| }
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
In case of malloc error, ctx1, or ctx2 may be pointing to uninitialized
space and context_destroy should not be used on it.
Fixes:
Error: UNINIT (CWE-457):
libsepol-3.7/src/mls.c:673:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
libsepol-3.7/src/mls.c:673:2: assign: Assigning: "ctx1" = "malloc(64UL)", which points to uninitialized data.
libsepol-3.7/src/mls.c:699:2: uninit_use_in_call: Using uninitialized value "ctx1->range.level[0].cat.node" when calling "context_destroy".
\# 697| ERR(handle, "could not check if mls context %s contains %s",
\# 698| mls1, mls2);
\# 699|-> context_destroy(ctx1);
\# 700| context_destroy(ctx2);
\# 701| free(ctx1);
Error: UNINIT (CWE-457):
libsepol-3.7/src/mls.c:674:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
libsepol-3.7/src/mls.c:674:2: assign: Assigning: "ctx2" = "malloc(64UL)", which points to uninitialized data.
libsepol-3.7/src/mls.c:700:2: uninit_use_in_call: Using uninitialized value "ctx2->range.level[0].cat.node" when calling "context_destroy".
\# 698| mls1, mls2);
\# 699| context_destroy(ctx1);
\# 700|-> context_destroy(ctx2);
\# 701| free(ctx1);
\# 702| free(ctx2);
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Set errno in open_file() if rolling_append(), which does not set errno,
failed, since transitive callers might rely on it.
Reported-by: clang-analyzer
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use fseek(3) instead of rewind(3) to detect failures.
Reported-by: clang-analyzer
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Free the allocated line if it fails to parse via process_line() for the
X or media database.
Also declare the line_buf parameter of process_line() const, so it is
more obvious it is not modified or free'd.
Reported-by: clang-analyzer
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In case fclose(3) might modify the global variable errno, use a wrapper
retaining the errno value. In the affected cases the success of
fclose(3) itself is not important, since the underlying descriptor is
only read from.
Reported-by: clang-analyzer
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
https://github.com/swig/swig/blob/master/CHANGES.current
"[Python] #2907 Fix returning null from functions with output
parameters. Ensures OUTPUT and INOUT typemaps are handled
consistently wrt return type.
New declaration of SWIG_Python_AppendOutput is now:
SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void);
The 3rd parameter is new and the new $isvoid special variable
should be passed to it, indicating whether or not the wrapped
function returns void.
Also consider replacing with:
SWIG_AppendOutput(PyObject* result, PyObject* obj);
which calls SWIG_Python_AppendOutput with same parameters but adding $isvoid
for final parameter."
Fixes: https://github.com/SELinuxProject/selinux/issues/447
Suggested-by: Jitka Plesnikova <jplesnik@redhat.com>
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
https://github.com/swig/swig/blob/master/CHANGES.current
"[Python] #2907 Fix returning null from functions with output
parameters. Ensures OUTPUT and INOUT typemaps are handled
consistently wrt return type.
New declaration of SWIG_Python_AppendOutput is now:
SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void);
The 3rd parameter is new and the new $isvoid special variable
should be passed to it, indicating whether or not the wrapped
function returns void.
Also consider replacing with:
SWIG_AppendOutput(PyObject* result, PyObject* obj);
which calls SWIG_Python_AppendOutput with same parameters but adding $isvoid
for final parameter."
Fixes: https://github.com/SELinuxProject/selinux/issues/447
selinuxswig_python_wrap.c: In function ‘_wrap_security_compute_user’:
selinuxswig_python_wrap.c:11499:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
11499 | resultobj = SWIG_Python_AppendOutput(resultobj, plist);
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c:1248:1: note: declared here
1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c: In function ‘_wrap_security_compute_user_raw’:
selinuxswig_python_wrap.c:11570:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
11570 | resultobj = SWIG_Python_AppendOutput(resultobj, plist);
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c:1248:1: note: declared here
1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c: In function ‘_wrap_security_get_boolean_names’:
selinuxswig_python_wrap.c:12470:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
12470 | resultobj = SWIG_Python_AppendOutput(resultobj, list);
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c:1248:1: note: declared here
1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
| ^~~~~~~~~~~~~~~~~~~~~~~~
error: command '/usr/bin/gcc' failed with exit code 1
Suggested-by: Jitka Plesnikova <jplesnik@redhat.com>
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
It was originally marked for deprecation back in Feb 2020,
commit a41dfeb55d ("libselinux: deprecate security_compute_user(),
update man pages"), but the attribute was not added at the time.
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
In commit d95bc8b755 ("libselinux: migrating hashtab from
policycoreutils") and commit 4a420508a9 ("libselinux: adapting hashtab
to libselinux"), the hashtab implementation was copied to libselinux.
Since the same functions exist in libsepol (e.g., hashtab_create,
hashtab_destroy, etc), a compilation error is raised when both libraries
are included statically.
Prefix the libselinux internal implementation with "selinux_".
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: James Carter <jwcart2@gmail.com>
This capability can be enabled to change the kernel's behaviour and use
the extended permissions for netlink messages.
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Add support for AVTAB_XPERMS_NLMSG as extended permissions for netlink
sockets. The behaviour is similar to the existing
AVTAB_XPERMS_IOCTLFUNCTION.
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
The ioctl extended permission structures and functions can be reused for
other extended permissions. Use the more generic term "xperm" instead of
"ioctl".
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
The function cil_gen_alias() is used to declare type, sensitivity,
and category aliases and the function cil_gen_aliasactual() is used
to assign an alias to the actual declared name.
Commit e55621c03 ("libsepol/cil: Add notself and other support to CIL")
added "notself" and "other" as reserved words. Previously, a check
was made in cil_gen_aliasactual() to ensure that the "self" reserved
word was not used. With the notself patch this function was upgraded
to call cil_verify_name() to verify that the other reserved words
were not used as well. This change prevents the use of dotted names
to refer to alias or actual names that are declared in blocks.
The check for a reserved word being used is not needed because that
check will be done for both the alias and the actual name when they
are declared.
Remove the call to cil_verify_name() and allow dotted names in
aliasactual rules.
Reported-by: Dominick Grift <dominick.grift@defensec.nl>
Signed-off-by: James Carter <jwcart2@gmail.com>
Make explanatory comments follow the common style of comments (Classic language / CIL)
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Acked-by: James Carter <jwcart2@gmail.com>
Avoid errors when adding comments to CIL output like in audit2allow
Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
Acked-by: James Carter <jwcart2@gmail.com>
Make sure sym_index is within the bounds of symtab array before using it
to index the array.
Fixes:
Error: OVERRUN (CWE-119):
libsepol-3.6/cil/src/cil_resolve_ast.c:3157: assignment: Assigning: "sym_index" = "CIL_SYM_UNKNOWN".
libsepol-3.6/cil/src/cil_resolve_ast.c:3189: overrun-call: Overrunning callee's array of size 19 by passing argument "sym_index" (which evaluates to 20) in call to "cil_resolve_name".
\# 3187| switch (curr->flavor) {
\# 3188| case CIL_STRING:
\# 3189|-> rc = cil_resolve_name(parent, curr->data, sym_index, db, &res_datum);
\# 3190| if (rc != SEPOL_OK) {
\# 3191| goto exit;
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
The runtime disable functionality has been removed in Linux 6.4. Thus
security_disable(3) will no longer work on these kernels.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Petr Lautrbach
Christian Göttsche
James Carter
Fabian Vogt
Vit Mojzis
Thiébaud Weksteen
Stephen Smalley
Dmitry Sharshakov