Commit 55b75a2c ("libsepol: stop translating deprecated intial SIDs to
strings") dropped several names of obsolete initial sids ans replaced
them with NULL. This leads to their printable string being dynamically
allocated but not free'd.
Instead of keeping track of which name was allocated dynamically and
which not, allocate all on the heap, which simplifies the later cleanup.
While on it also free the name in case of a strs_add_at_index() failure.
Reported-by: oss-fuzz (issue 60271)
Fixes: 55b75a2c ("libsepol: stop translating deprecated intial SIDs to strings")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This patch implements the support for prefix/suffix filename transitions
in the CIL structures as well as in the CIL policy parser.
Syntax of the new prefix/suffix filename transition rule:
(typetransition source_type_id target_type_id class_id object_name match_type default_type_id)
where match_type is either the keyword "prefix" or "suffix".
Examples:
(typetransition ta tb CLASS01 "file01" prefix td)
(typetransition td te CLASS01 "file02" suffix tf)
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
This patch extends the structures for module and base policy (avrule_t)
to support prefix/suffix transitions. In addition to this, it implements
the necessary changes to functions for reading and writing the binary
policy, as well as parsing the policy conf.
Syntax of the new prefix/suffix filename transition rule:
type_transition source_type target_type : class default_type object_name match_type;
where match_type is either keyword "prefix" or "suffix"
Examples:
type_transition ta tb:CLASS01 tc "file01" prefix;
type_transition td te:CLASS01 tf "file02" suffix;
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
Currently, filename type transitions support only exact name matching.
However, in practice, the names contain variable parts. This leads to
many duplicated rules in the policy that differ only in the part of the
name, or it is even impossible to cover all possible combinations.
This patch extends the filename type transitions structures to include
new types of filename transitions - prefix and suffix filename
transitions. It also implements the reading and writing of those rules
in the kernel binary policy format together with increasing its version.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
Implement a new module policy format that closely matches the new
internal representation of avrule introduced in the previous patch.
This patch bumps the maximum module policy version and implements
reading/writing functions such that the module binary policy structure
matches its internal representation, namely, the object name attribute
used for the filename transition rules.
These changes have no significant effect on the size of the module
policy file (tested with Fedora policy).
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
Implement a new binary policy format that closely matches the new
internal representation introduced in the previous patch.
This patch bumps the maximum kernel policy version and implements
reading/writing functions such that kernel binary policy structure
matches internal representation.
These changes can cause the binary policy to grow in size due to
effectively undoing the benefits of the commit 8206b8cb ("libsepol:
implement POLICYDB_VERSION_COMP_FTRANS "), but this will be mitigated by
adding the prefix/suffix support as described in the previous patch.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
Similarly to the previous patch, filename transition rules are stored
and parsed separately from other type enforcement rules. Moving them to
avrule makes it consistent with the filename transitions in avtab and
makes future improvements easier to implement.
This patch adds an optional object name attribute to the avrule
structure and uses this new attribute to move filename transition rules
to avrule. It also updates functions for parsing type enforcement rules
to accept rules with a filename as their last argument (filename
transition rules), separate functions for parsing filename transitions
are therefore no longer needed.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
Currently, filename transitions are stored separately from other type
enforcement rules. This leads to possibly sub-optimal performance and
makes further improvements cumbersome.
This patch adds a symbol table with filename transitions to the
transition structure added to avtab in the previous patch. It also
implements functions required for reading and writing filename
transitions (either binary or source formats) and updates the code for
expanding attributes. Last but not least, it updates the conflict check
in the conditional avtab to account for empty transitions in the
non-conditional avtab.
These changes are expected to cause higher memory usage, as now there
needs to be a filename transition structure for every stype. This patch
effectively undoes most of the commit 42ae834a ("libsepol,checkpolicy:
optimize storage of filename transitions"), but this will be mitigated
by providing support for matching prefix/suffix of the filename for
filename transitions in future patches which will reduce to need to have
so many of them.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
To move filename transitions to be part of avtab, we need to create
space for it in the avtab_datum structure which holds the rule for
a certain combination of stype, ttype and tclass.
As only type transitions have a special variant that uses a filename, it
would be suboptimal to add a (mostly empty) pointer to some structure to
all avtab rules.
Therefore, this patch adds a new structure to the avtab_datum and moves
the otype of the transition to this structure. In the next patch, this
structure will also hold filename transitions for the combination of
stype, ttype and tclass.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
Acked-by: James Carter <jwcart2@gmail.com>
It confuses translators and new lines are dropped by parser module anyway.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
If a string contains more than one unnamed argument it's hard for
translators to proper localize as they don't know which value is
represented by a unnamed argument. It also blocks them to use a
different order of arguments which would make better sense in other
languages.
Fixes:
$ xgettext --default-domain=python -L Python --keyword=_ --keyword=N_ ../audit2allow/audit2allow ../chcat/chcat ../semanage/semanage ../semanage/seobject.py ../sepolgen/src/sepolgen/interfaces.py ../sepolicy/sepolicy/generate.py ../sepolicy/sepolicy/gui.py ../sepolicy/sepolicy/__init__.py ../sepolicy/sepolicy/interface.py ../sepolicy/sepolicy.py
../chcat/chcat:220: warning: 'msgid' format string with unnamed arguments cannot be properly localized:
The translator cannot reorder the arguments.
Please consider using a format string with named arguments,
and a mapping instead of a tuple for the arguments.
../semanage/seobject.py:1178: warning: 'msgid' format string with unnamed arguments cannot be properly localized:
The translator cannot reorder the arguments.
Please consider using a format string with named arguments,
and a mapping instead of a tuple for the arguments.
...
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
This adds more exceptions to be handled by the except clause in
`get_os_version()`:
* If the `distro` package is not installed, then `import distro` raises
a `ModuleNotFoundError` exception.
* The distro documentation[1] lists `OSError` and `UnicodeError` as
exceptions that can be raised.
* Older versions of distro (<= 1.6.0) may also raise
`subprocessCalledProcessError`[2].
[1]: https://github.com/python-distro/distro/blob/v1.8.0/src/distro/distro.py#L749-L753
[2]: https://github.com/python-distro/distro/blob/v1.6.0/distro.py#L726-L728
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Check the return value of calloc() to avoid null pointer reference.
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Instead, a new action, 'v' for printing the policy (and/or
module) version in batch mode is added.
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
* fix minus self formatting in neverallow rules, avoiding `~ - self`
* show neverallow and neverallowxperm rules
* whitespace improvements in output
- avoid duplicate whitespaces before permission list, since
sepol_av_to_string() already adds a trailing one
- avoid duplicate whitespace after wildcard type
- unify indentation for xperm rules
* drop unused global variables
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add the command line argument `-N/--disable-neverallow`, similar to
secilc(8), to checkpolicy(8) and checkmodule(8) to skip the check of
neverallow rule violations.
This is mainly useful in development, e.g. to quickly add rules to a
policy without fulfilling all neverallow rules or build policies with
known violations.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Resurrect the naming of the "init" initial SID, as it has been
reintroduced in the kernel. Also add the new "userspace_initial_context"
policy capability that is used to enable the new semantics for this
initial SID.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Many of the initial SIDs are no longer used by the kernel, so
translating them to the legacy names doesn't bring much value. Clear the
legacy names from the table and let the code translate them to the
fallback "unknown" names instead.
Note that this only affects the generated text output when converting
policies from binary to text form. The text policy languages let the
policy define its own names for the initial SIDs based on the order in
which they are declared, so the table is never used to convert from name
to SID. Thus this is just a cosmetic change and has no functional
impact.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use "semanage user -a/-d" in spec file generated by "sepolicy generate"
even when SELinux is disabled. The command works properly when SELinux
is disabled and with this change the user will be present once SELinux
is re-enabled.
Also, do not execute the command when the package is updated, only when
it is first installed.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
The following commit
330b0fc333
changed the userdom_base_user_template, which now requires a role
corresponding to the user being created to be defined outside of the
template.
Similar change was also done to fedora-selinux/selinux-policy
e1e216b25d
Although I believe the template should define the role (just as it
defines the new user), that will require extensive changes to refpolicy.
In the meantime the role needs to be defined separately.
Fixes:
# sepolicy generate --term_user -n newuser
Created the following files:
/root/a/test/newuser.te # Type Enforcement file
/root/a/test/newuser.if # Interface file
/root/a/test/newuser.fc # File Contexts file
/root/a/test/newuser_selinux.spec # Spec file
/root/a/test/newuser.sh # Setup Script
# ./newuser.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile newuser.pp
Compiling targeted newuser module
Creating targeted newuser.pp policy package
rm tmp/newuser.mod tmp/newuser.mod.fc
+ /usr/sbin/semodule -i newuser.pp
Failed to resolve roleattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/newuser/cil:8
Failed to resolve AST
/usr/sbin/semodule: Failed!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Expand the description to make it more clear what "interfaces" mean
here. They're different from network interfaces used by SELinux
command `semanage interface`.
Add a note that the information comes from on-disk file which has been
installed and it doesn't necessarily match the policy loaded to the
kernel.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Use the libsepol internal wrapper ERR() with a NULL handler to emit
error messages. ERR() will besides adding a prefix of "libsepol" also
write to stderr. One benefit is the option to suppress the messages via
sepol_debug(), although marked deprecated, e.g. in fuzzers.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use the libsepol internal wrapper ERR() with a NULL handler to emit
error messages. ERR() will besides adding a prefix of "libsepol" also
write to stderr. One benefit is the option to suppress the messages via
sepol_debug(), although marked deprecated, e.g. in fuzzers.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
sepol_log_err() will already append a newline unconditionally.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Match surrounding code and the message were quite generic too.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Bail out on expanding levels with invalid low category.
UBSAN report:
expand.c:952:21: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'uint32_t' (aka 'unsigned int')
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
XEN policies with extended permissions are not supported, e.g. writing
them will fail (see write.c:avrule_write()).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
For old style range transition rules the class defaults to process.
However the policy might not declare the process class leading to
setting a wrong bit later on via:
if (ebitmap_set_bit(&rtr->tclasses, rt->target_class - 1, 1))
UBSAN report:
policydb.c:3684:56: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'uint32_t' (aka 'unsigned int')
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Ensure various object context entries have a name, since they are
duplicated via strdup(3), and the order for ports and memory regions is
valid.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The functions constraint_expr_to_str() prepare a string representation
for validatetrans and mlsvalidatetrans rules. To decide what keyword to
use the type of expression is consulted. Currently the extra target
type (CEXPR_XTARGET) is considered to be an MLS statement while its not,
e.g.:
validatetrans CLASS1 t3 == ATTR1;
Actually check for MLS expression types only.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When setting permission bits from a wildcard or complement only set the
bits for permissions actually declared for the associated class. This
helps optimizing the policy later, since only rules are dropped with a
complete empty permission bitset. Example policy:
class CLASS1
sid kernel
class CLASS1 { PERM1 }
type TYPE1;
bool BOOL1 true;
allow TYPE1 self : CLASS1 { PERM1 };
role ROLE1;
role ROLE1 types { TYPE1 };
if ! BOOL1 { allow TYPE1 self: CLASS1 *; }
user USER1 roles ROLE1;
sid kernel USER1:ROLE1:TYPE1
Also emit a warning if a rule will have an empty permission bitset due
to an exhausting complement.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
If tunables are not preserved (the mode unconditionally used by
checkpolicy) an expression must not consist of booleans and tunables,
since such expressions are not supported during expansion (see expand.c:
discard_tunables()).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The token CLONE is never used in the grammar; drop it.
As side effect `clone` and `CLONE` become available as identifier names.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
