xrange function is gone in Python3 and instead range is
xrange by default. Also it doesnt seem to be important
to have xrange used in tests on Python2.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
In Python3 all strings are by default Unicode and both Unicode and String
types are removed from types module. We introduce separate
variables `bytes_type` and `string_type` to reflect Python3 understanding
of strings, on Python2 `bytes_type` refers to <str> and `string_type` to
<unicode>, on Python3 `bytes_type` are <bytes> and `string_type` <str>.
As all strings are Unicodes by default on Python3 we encode them to
bytes when needed as late as possible.
Also other attributes were replaced with their equivalents from
builtins which are available for both Python3 and Python2.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
In Python3 the __cmp__ function is removed, and rich
comparison should be used instead.
Also the cmp function is gone in Python3 therefore it is
reimplemented in util.py and used if running on Python3.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
sha256 hash operates with bytes and in Python3 all strings are unicode
by default, we must encode the data before hashing to ensure they
are bytes in Python3
Signed-off-by: Robert Kuska <rkuska@redhat.com>
Since Python 2.4 .sort() as well as the new sorted() function
take a key parameter which should be a function that returns
a sorting key.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
In Python 3, special function attributes have been
renamed for consistency with other attributes.
__code__ attribute is also present in py2.7 and py2.6
Signed-off-by: Robert Kuska <rkuska@redhat.com>
Python 3 changes the syntax for imports from within a package,
requiring you to use the relative import syntax,
saying from . import mymodule instead of the just import mymodule.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
Policy versions < 24 did not include type attributes in the types symtab,
so there can be holes in the type_val_to_struct array. Fixes a segfault
during the downgrade test performed by a make test in libsepol.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Linux 3.17 introduced a /proc/thread-self symlink that can be used
to reference the proc files of the current thread without needing to
use gettid(2). Use this symlink when it exists, falling back to
using gettid(2) when it does not. This is generally beneficial, but
was specifically motivated by https://github.com/systemd/systemd/issues/475.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change selabel_open and label backends to take a
'const struct selinux_opt' argument. This work has already
been done for the Android version components.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
File labels assigned using the lookup_best_match() function do not
assign the best match if its regex contains metacharacters in the
binary file_contexts file version.
This change adds a new entry in the binary file with the calculated
prefix length that is then read when processing the file. This fix
also bumps SELINUX_COMPILED_FCONTEXT_MAX_VERS.
This patch relies on patch [1] that fixes the same problem
for text based file_contexts files.
[1] http://marc.info/?l=selinux&m=143576498713964&w=2
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
This patch writes policy.kern and file_contexts.local to the policy store as
well as /etc/selinux/. Additionally, policy.kern and file_contexts.local
are now parsed from the store rather than the final directory which was
the old behavior. This allows all policy related files to be kept in the
policy store.
This patch also renames /var/lib/selinux/tmp to 'final' and changes
policy.kern in the store to longer be a symlink.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
File labels assigned using the lookup_best_match() function do not
assign the best match if its regex contains metacharacters.
For non-exact regex matches, lookup_best_match() finds the closest match
by tracking the length of the matching prefix. Prefix match is tracked via
the prefix_len variable. This was previously calculated and set in
the spec_hasMetaChars() function. Commit 3cb6078 removed the
prefix_len calculation, this commit restores it.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
If the last line of a file_contexts file is not '\n' terminated
or if any line has additional isspace(3) characters at end, it
gave an invalid file type error.
read_spec_entries now handles these situations.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
When a compressed module doesn't have two extensions with lang and
compression, 'semodule -i <module>.<lang>' fails. This changes the
language detection to allow to use modules only with .<lang>
extension.
Fixes:
libsemanage.semanage_direct_install_file: Module does not have a valid
extension. (No such file or directory).
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
Use the libsepol bounds checking to check for and report user and
role bounds violations.
For type bounds checking, use libsepol bounds checking to determine
if there is a violation for a given type. For each violation display
an error message that includes the CIL AST from the root node to the
node of the rule causing the violation.
Example error report:
Child type b_t3_c exceeds bounds of parent b_t3
(allow b_t3_c b_tc (file (write)))
<root>
booleanif at line 148633 of cil.conf.bounds
true at line 148634 of cil.conf.bounds
allow at line 148636 of cil.conf.bounds
(allow b_t3_c b_tc (file (read write)))
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
These values are stored in the CIL db so they can be used to
determine how much memory is needed for mapping libsepol values
to CIL data.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Use the libsepol neverallow checking to determine if a given neverallow
rule is violated. If a violation is found, use the function
cil_find_matching_avrule_in_ast() to find the AST node of the particular
rule that violates the neverallow. This allows CIL to provide a more
informative error message that includes the file and line number of the
node and all of its parents.
Example error report:
Neverallow check failed at line 31285 of cil.conf.neverallow
(neverallow typeset4 self (memprotect (mmap_zero)))
<root>
booleanif at line 152094 of cil.conf.neverallow
true at line 152095 of cil.conf.neverallow
allow at line 152096 of cil.conf.neverallow
(allow ada_t self (memprotect (mmap_zero)))
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The search will be considered a success if any rule is found that
at least partially matches all parts (src type, tgt type, and class-
perms) of the target rule.
For example, for a target of (allow domain file_type (file (read write)
the rule (allow init_t init_exec_t (file (read exec)) will match.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The largest change to the user and role bounds checking was to put
them in their own functions, so they could be called independently.
The type bounds checking was changed to check one type bounds at
a time. An expanded avtab is still created, but now only the rules
of the parent type are expanded. If violations are discovered,
a list of avtab_ptr_t's provides details. This list is used to
display error messages for backwards compatibility and will be
used by CIL to provide a more detailed error message.
Memory usage is reduced from 9,355M to 126M and time is reduced
from 9 sec to 2 sec.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Instead of creating an expanded avtab, generating all of the avtab
keys corresponding to a neverallow rule and searching for a match,
walk the nodes in the avtab and use the attr_type_map and ebitmap
functions to find matching rules.
Memory usage is reduced from 370M to 125M and time is reduced from
14 sec to 2 sec. (Bounds checking commented out in both cases.)
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Types are treated as attributes that contain only themselves. This
is how types are already treated in the type_attr_map.
Treating types this way makes finding rules that apply to a given
type much easier. This simplifies the implementation of neverallow
checking in assertion.c and bounds checking in hierarchy.c.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
If you add some local file contexts via semanage fcontext -a and
later delete them all via semanage fcontext -D, you get an empty
file_contexts.local file. Then when you try to load it, getline()
returns 0 and we fall through to the out path without having set rc.
In label_file.c, rc will always be non-zero at this point because
we will have failed the load_mmap() call. In sefcontext_compile,
rc may contain random garbage at this point. Explicitly set rc
before the loop.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Update file contexts generation and loading to use common code.
Remove "status = 0; after "status = sort_specs(data);" otherwise
the function will never indicate a failure.
The file labeling code also has minor formatting, white space
removal etc. changes.
label_file.c - Move process_line function to label_file.h
sefcontext_compile.c - Update to use common process_line code. Now frees
all malloc'ed memory, checked by valgrind. Also added optional -o output
file parameter - updated man page to reflect this change.
V2 - Revert to using compat_validate instead of selabel_validate.
V3 - Revert to using callback for validation now the problem has been
fixed by commit e889148494
("libselinux: build sefcontext_compile with static libselinux")
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
sefcontext_compile depends on libselinux internals, so it might
as well use static libselinux. Hide read_spec_entries as this is not
intended as a public interface for shared library users.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Fix memory issues flagged by valgrind.
These changes bring the property service in line with Android [1]
V2 reverts to original upstream %u when logging errors. Android needs
these corrections also.
[1] https://android-review.googlesource.com/#/c/153580/
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
The ioctl operations code is being renamed to the more generic
"extended permissions." This commit brings the policy compiler
up to date with the kernel patch.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Fixes compiler warnings all similar to the following:
host C: checkpolicy <= external/selinux/checkpolicy/policy_define.c
external/selinux/checkpolicy/policy_define.c:1572:2: warning: comparison of integers of different signs: 'int' and 'uint32_t' (aka 'unsigned int') [-Wsign-compare]
ebitmap_for_each_bit(&tclasses, node, i) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
external/selinux/checkpolicy/../libsepol/include/sepol/policydb/ebitmap.h:76:39: note: expanded from macro 'ebitmap_for_each_bit'
for (bit = ebitmap_start(e, &n); bit < ebitmap_length(e); bit = ebitmap_next(&n, bit)) \
^ ~~~~~~~~~~~~~~~~~
Signed-off-by: Nick Kralevich <nnk@google.com>
