Commit Graph

1969 Commits

Author SHA1 Message Date
Nicolas Iooss
02a7d77ef2 libsepol: make parsing symbol table headers more robust
When hll/pp loads a policy file which has been modified so that the
nprim field of one of its non-empty symbol table was changed to zero, it
crashes with a segmentation fault. A quick analysis leads to
"p->sym_val_to_name[i] = (char **)alloc(p->symtab[i].nprim, sizeof(char
*));" in policydb_index_others(), which is not executed when
p->symtab[i].nprim is zero even though there are items in
p->symtab[i].table.

Detect such an oddity in the policy file early to exit with a clean
error message.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-16 09:07:10 -05:00
Nicolas Iooss
0a32f3b169 libsepol: test for ebitmap_read() negative return value
While fuzzing hll/pp, the fuzzer (AFL) crafted a policy which triggered
the following message without making the policy loading fail (the
program crashed with a segmentation fault later):

    security: ebitmap: map size 192 does not match my size 64 (high bit
    was 0)

This is because ebitmap_read() returned -EINVAL and this value was
handled as a successful return value by scope_index_read() because it
was not -1.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-16 09:05:18 -05:00
Nicolas Iooss
784b43b2ae libsepol: replace an assert with an error message
When fuzzing hll/pp inputs, a policy module where the value of
scope->decl_ids_len has been modified to zero makes the program abort
(when it has been compiled without -DNDEBUG).

Change the behavior to report an error message instead. This eases
fuzzing functions like policydb_read().

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-16 09:03:45 -05:00
Stephen Smalley
a96184bcbb Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 08:53:27 -05:00
William Roberts
be96f05182 libsepol: fix checkpolicy dontaudit compiler bug
The combining logic for dontaudit rules was wrong, causing
a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p;
rule.

This is a reimplementation of:
commit 6201bb5e25 ("libsepol:
fix checkpolicy dontaudit compiler bug")
that avoids the cumbersome pointer assignments on alloced.

Reported-by: Nick Kralevich <nnk@google.com>
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-11-16 08:50:03 -05:00
William Roberts
5862ac5dfe Revert "libsepol: fix checkpolicy dontaudit compiler bug"
This reverts commit 6201bb5e25.
2016-11-16 08:46:21 -05:00
Stephen Smalley
d0c82f8fb9 Updated libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-15 17:28:49 -05:00
Nicolas Iooss
398266f95f libsemanage: use a macro prefixed with SEMANAGE to protect dso.h
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-15 17:28:12 -05:00
Stephen Smalley
f60519edf6 Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-15 17:25:14 -05:00
Stephen Smalley
7a4db1566a libsepol: cil_lexer: make warnings non-fatal for building
The flex skeleton often triggers compiler warnings; make these
non-fatal for building.  We already do likewise for checkpolicy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-15 17:19:18 -05:00
Stephen Smalley
2ceadad8a3 Updated libselinux and libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-15 11:14:24 -05:00
Nicolas Iooss
79db6da87f libselinux, libsemanage: swig: use SWIG_fail when an error occurs
Using SWIG_fail in the Python SWIG wrappers makes the wrapping function
destroy/free the memory which could have been dynamically allocated
before calling the wrapped function. This thus prevents possible memory
leaks in the wrappers of set*con(), set*con_raw(), security_compute_*(),
etc.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-15 11:11:25 -05:00
Nicolas Iooss
db17f12273 libselinux,libsemanage: fall back to gcc in exception.sh
clang does not support -aux-info option. When exception.sh is run with
CC=clang, use gcc to build selinuxswig_python_exception.i and
semanageswig_python_exception.i.

This does not solve the issue of building libselinux and libsemanage
Python wrappers on a system without gcc. However parsing the result of
"gcc -aux-info" is easier than parsing the header files so stay with
this command at least for now.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-15 11:10:57 -05:00
Stephen Smalley
f1db7b75e0 Updated secilc ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-15 11:10:21 -05:00
Nicolas Iooss
672f96f012 secilc: do not build secilc man page if it is up to date
When running "make all" several times in the root directory of the
project, the following lines always appear (and the command takes some
seconds to complete on my system with a slow hard drive):

    xmlto man secilc.8.xml
    Note: Writing secilc.8

This is because "make man" always builds secilc.8 even though
secilc.8.xml has not been modified. Introduce an intermediate target to
avoid this behavior.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-15 11:08:50 -05:00
Stephen Smalley
2c1ae0f029 Updated libselinux and libsemanage ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-15 11:07:20 -05:00
Nicolas Iooss
bb98da0948 libselinux,libsemanage: link Python wrapper with Python
When linking with -Wl,-no-undefined in LDFLAGS (in order to find
possible link-time errors), the Python wrapper module needs to be
linked with the right libpython.so. This library is found using
pkg-config in a new PYLIBS variable.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-15 11:04:00 -05:00
Nicolas Iooss
ad3aa7f52f libsemanage: query for python site-packages dir directly
Use the python interpreter to find the install directory, like commit
8162f10e67 ("libselinux: query for python site-packages dir directly")
did for libselinux.

While at it, do not install semanage.py (generated by SWIG) with
executable permission bits.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-15 11:04:00 -05:00
Nicolas Iooss
f5b9bc2a06 libselinux,libsemanage: link Ruby wrapper with -lruby
When linking with -Wl,-no-undefined in LDFLAGS (in order to find
possible link-time errors), the Ruby wrapper module needs to be linked
with the libruby.so which is used by $(RUBY). Introduce a new RUBYLIBS
variable to find this library.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-15 11:04:00 -05:00
Nicolas Iooss
22e3ad6633 libselinux,libsemanage: use Ruby to define RUBYINC
This makes building libselinux and libsemanage  more robust on systems
with several versions of Ruby installed: when building, only RUBY needs
to be set, without wondering about PKG_CONFIG_PATH or other environment
variables.

Using RbConfig::CONFIG["rubyarchhdrdir"] only works with Ruby >= 2.0 but
since previous Ruby versions are retired since 2015-02-23 this should
not have any impact
(https://www.ruby-lang.org/en/news/2015/02/23/support-for-ruby-1-9-3-has-ended/).

While at it, in libsemanage, use RbConfig::CONFIG["vendorarchdir"] to
install the Ruby extension, like commit 1cd80faa53 ("libselinux:
versioned ruby pkg-config and query vendorarchdir properly") did for
libselinux.

My main motivation with this patch is to make the build configuration
easier to define on Travis-CI or other continuous integration platforms.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-15 11:04:00 -05:00
Stephen Smalley
df3ba03b9f Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-15 10:56:24 -05:00
Laurent Bigonville
917f398d7c policycoreutils: Use GObject introspection binding instead of python-gobject in selinux_server.py
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-11-15 10:54:18 -05:00
Laurent Bigonville
1270be188a policycoreutils: Force GTK3.0 for sepolicy gui
This removes the following warning when running sepolicy gui command:

/usr/lib/python3/dist-packages/sepolicy/gui.py:29: PyGIWarning: Gtk was imported without specifying a version first. Use gi.require_version('Gtk', '3.0') before import to ensure that the right version gets loaded.

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-11-15 10:54:13 -05:00
Stephen Smalley
0339318a26 Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-15 10:49:13 -05:00
dcashman
4750ec2ed5 libsepol: cil: remove double-free.
Test: Untested patch.
Bug: https://code.google.com/p/android/issues/detail?id=226519
Change-Id: Icaf992ba1487098f2c4f16ac1017012f611281e9
Signed-off-by: Daniel Cashman <dcashman@android.com>
2016-11-15 10:48:26 -05:00
Stephen Smalley
e0882cdbed Updated libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-14 13:15:28 -05:00
Nicolas Iooss
b372170058 libsemanage: semanage_seuser_key_create: copy name
When removing a login using semanage with Python 3 the following error
occurs:

    # semanage login -l | grep my_user
    my_user                   user_u

    # semanage login --delete my_user
    ValueError: Login mapping for my_user is not defined

This is due to a use-after-free in the swig-generated code for python3
bindings.

Copy the user name in semanage_seuser_key_create() and free it in
semanage_seuser_key_free(), like commit eac6f1f1b5 ("libsepol:
sepol_{bool|iface|user}_key_create: copy name") did.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-14 13:14:33 -05:00
Stephen Smalley
bfe9360ca5 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-14 13:11:28 -05:00
Stephen Smalley
bbc930c756 libselinux: fix subdir build and usage of cmdline CFLAGS
commit 16c123f4b1 ("libselinux:
support ANDROID_HOST=1 on Mac") broke the ability to run make
in the src subdirectory of libselinux (because OS and COMPILER
were not defined) and also caused some warning flags that could
be overridden via command-line CFLAGS to be mandatory.  Fix it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-14 13:10:51 -05:00
Stephen Smalley
a0149f6f4f Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-14 12:45:57 -05:00
Stephen Smalley
6201bb5e25 libsepol: fix checkpolicy dontaudit compiler bug
The combining logic for dontaudit rules was wrong, causing
a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p;
rule.

Reported-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-14 12:43:32 -05:00
Stephen Smalley
30ef8d0993 Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-08 10:53:42 -05:00
Stephen Smalley
eac6f1f1b5 libsepol: sepol_{bool|iface|user}_key_create: copy name
The sepol_{bool|iface|user}_key_create() functions were not
copying the name.  This produces a use-after-free in the
swig-generated code for python3 bindings.  Copy the name
in these functions, and free it upon sepol_{bool|iface|user}_key_free().

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-08 10:46:14 -05:00
Stephen Smalley
5e911ee825 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-08 10:34:47 -05:00
Laurent Bigonville
2d7ca0b862 policycoreutils: Make sepolicy work with python3
Add python3 support for sepolicy

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-11-08 10:34:08 -05:00
Stephen Smalley
71ee7217d7 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-08 10:07:45 -05:00
Laurent Bigonville
eed0e4259f Sandbox: Use next() over the sepolicy.info() result
sepolicy.info() now returns a generator, use next() to get the results.

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-11-08 10:05:39 -05:00
Stephen Smalley
b42a293978 Updated libselinux and libsemanage ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-07 16:02:42 -05:00
Nicolas Iooss
70b986539e libselinux, libsemanage: remove *swig_python_exception.i if its creation failed
When compiling libselinux with CC=clang, "make pywrap" reports the
following message:

    bash exception.sh > selinuxswig_python_exception.i
    clang-3.9: error: no such file or directory: 'temp.aux'
    awk: fatal: cannot open file `temp.aux' for reading (No such file or
    directory)

This does not make the build fail as exception.sh returns an "OK"
status. Use "bash -e" with this script to make it return an error value.

In order not to keep an empty selinuxswig_python_exception.i file after
a build fails (which would make a second run of "make pywrap" incorrectly
succeed), remove the file when exception.sh fails.

As libsemanage uses the same code to build
semanageswig_python_exception.i, modify its Makefile too.

By the way, on Linux clang does not seem to currently support -aux-info
so it cannot be used to craft selinuxswig_python_exception.i.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-07 15:58:05 -05:00
Nicolas Iooss
5c620ead20 libsemanage: remove ruby_semanage.so with "make clean"
The Python wrapper is already removed in the clean target (with
$(SWIGSO)) so remove the Ruby wrapper too.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-07 15:56:53 -05:00
Nicolas Iooss
581dde735a libselinux: remove rpm_execcon from SWIG wrappers
The Python wrapper of rpm_execcon() has several flaws:
* An invalid call like selinux.rpm_execcon() triggers a segmentation
  fault.
* The size of the buffer which is allocated to copy argv and envp is
  too small to hold all the values.
* This allocated memory is leaked if one argument of rpm_execon() is not
  a sequence of bytes.

The Ruby wrapper has no such flaws but can not be used as it is because
it misses some glue code to convert argv and envp arguments to char
*const [] values (even though the destructor is present!).

As it is not possible to remove rpm_execcon() without changing
libselinux soname (it would be an ABI break) like b67fefd991dd
("libselinux: set DISABLE_RPM default to y.") tried to do, disable this
interface locally in the SWIG wrappers.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-07 15:55:08 -05:00
Stephen Smalley
1ce3e23b89 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-04 15:41:20 -04:00
Laurent Bigonville
b8711e2eaf Revert "libselinux: support new python3 functions"
With the reverted commit applied, some functions were returning arrays
of bytes instead of python strings under python3 this was causing issues
with string manipulation functions like split().

Swig (checked with 3.0.7) is adding compatibility macros that take care
of the differences between python2 and python3.

This reverts commit 63df0f7ef12844b9b86cc293299671da772fcf84.

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-11-04 15:41:20 -04:00
James Carter
9a834cf877 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-11-02 12:28:58 -04:00
James Carter
2eefb20d8f libsepol/cil: Exit with an error for an unknown map permission
Nicholas Iooss discovered that using an unknown permission with a
map class will cause a segfault.

CIL will only give a warning when it fails to resolve an unknown
permission to support the use of policy module packages that use
permissions that don't exit on the current system. When resolving
the unknown map class permission an empty list is used to represent
the unknown permission. When it is evaluated later the list is
assumed to be a permission and a segfault occurs.

There is no reason to allow unknown class map permissions because
the class maps and permissions are defined by the policy.

Exit with an error when failing to resolve a class map permission.

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-11-02 12:14:21 -04:00
Stephen Smalley
ff413bb55e Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-02 09:13:14 -04:00
Laurent Bigonville
22e8b70867 policycoreutils: Use "new" sepolicy icon in .desktop file for sepolicy gui
New hires icons have been added to the repository end 2013 but the
sepolicy .desktop file is not using it, let's fix that.
2016-11-02 09:12:32 -04:00
Stephen Smalley
6ff9318af9 Updated ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-02 09:01:38 -04:00
Stephen Smalley
a0bd296a0d libsemanage: fix kernel pathname in semanage_verify_kernel()
Building with CC=clang, we get the following errors:

semanage_store.c:2177:20: error: implicit conversion from enumeration type 'enum semanage_final_defs' to different enumeration type 'enum semanage_store_defs' [-Werror,-Wenum-conversion]
            semanage_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
            ~~~~~~~~~~~~~ ^~~~~~~~~~~~~~~~~~
semanage_store.c:2177:40: error: implicit conversion from enumeration type 'enum semanage_final_path_defs' to different enumeration type 'enum semanage_sandbox_defs' [-Werror,-Wenum-conversion]
            semanage_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
            ~~~~~~~~~~~~~                     ^~~~~~~~~~~~~~~

This is an actual bug; semanage_verify_kernel() was never updated to
use semanage_final_path() when the rest were converted.  Fix it.
This pathname is only used if a kernel policy verifier is specified
in semanage.conf, so this is not used by default.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-02 08:54:19 -04:00
Stephen Smalley
9dcbc12e1f Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-01 17:31:11 -04:00