Commit Graph

488 Commits

Author SHA1 Message Date
Stephen Smalley 20c9b4971e Update VERSION files to 2.8-rc3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-10 11:08:22 -04:00
Stephen Smalley 3ca8762efd libsepol: cil: prevent stack buffer overflow in cil_expr_to_string
Fix the test to prevent overflowing the stack buffer for
boolean expressions.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-09 11:22:46 -04:00
Stephen Smalley 38e49c7187 libsepol: remove unused function and type
Fix the following build warning:
policydb.c: In function ‘get_symtab_destroy_func’:
policydb.c:1581:9: error: cast between incompatible function types from ‘int (*)(char *, void *, void *)’ to ‘void (*)(char *, void *, void *)’ [-Werror=cast-function-type]
  return (hashtab_destroy_func_t) destroy_f[sym_num];
         ^

It turns out that this function and type are long unused in libsepol
and are not exported APIs for the shared library, so just remove them.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-08 08:11:58 -04:00
Stephen Smalley dc03bae194 Update VERSION files to 2.8-rc2.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-04-26 13:20:40 -04:00
Stephen Smalley f04d64012a Update VERSION files to 2.8-rc1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-04-19 10:40:16 -04:00
Nicolas Iooss 3dd5dd8a07 libsepol: ensure the level context is not empty
When load_users() parses an invalid line with an empty level context
(ie. nothing between "level" and "range" keywords), it allocates memory
with malloc(0) and uses it. The behavior of malloc() in this case is
an unspecified behavior: it might return NULL, which would lead to a
segmentation fault.

Fix this issue by reporting the invalid entry instead. While at it,
ensure that the character before "range" is a space, and change the
logic slightly in order to avoid using "--p; ... p++;".

This issue is reported by clang's static analyzer with the following
message:

    genusers.c:222:11: warning: Use of zero-allocated memory
                                            *r++ = *s;
                                                 ^
    genusers.c:225:7: warning: Use of zero-allocated memory
                            *r = 0;
                               ^

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-04-17 13:55:57 -07:00
Nicolas Iooss 9fc2301047 libsepol: do not dereference NULL if stack_init fails
In cond_expr_to_cil(), when stack_init() fails to allocate a stack, the
function calls stack_pop() with stack = NULL. Then stack_pop()
dereferences the pointer ("if (stack->pos == -1) {"), which is NULL.

Fix this by moving the stack cleaning loop in a "if (stack != NULL)"
block.

This issue is reported by clang's static analyzer with the following
message:

    module_to_cil.c:463:6: warning: Access to field 'pos' results in a
    dereference of a null pointer (loaded from variable 'stack')
        if (stack->pos == -1) {
            ^~~~~~~~~~

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-04-17 13:55:57 -07:00
James Carter 4ba19b541d libsepol/cil: Improve processing of context rules
Improve the processing of netifcon, genfscon, ibpkeycon, ibendportcon,
portcon, nodecon, fsuse, filecon, iomemcon, ioportcon, pcidevicecon,
and devicetreecon rules.

If the multiple-decls option is not used then report errors if duplicate
context rules are found. If it is used then remove duplicate context rules
and report errors when two rules are identical except for the context.

This also changes the ordering of portcon and filecon rules. The protocol
of portcon rules will be compared if the port numbers are the same and the
path strings of filecon rules will be compared if the number of meta
characters, the stem length, string length and file types are the same.

Based on an initial patch by Pierre-Hugues Husson (phh@phh.me)

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-03-29 15:53:18 -04:00
Tri Vo ea8d689b53 Resolve conflicts in expandattribute.
This commit resolves conflicts in values of expandattribute statements
in policy language and expandtypeattribute in CIL.

For example, these statements resolve to false in policy language:
 expandattribute hal_audio true;
 expandattribute hal_audio false;

Similarly, in CIL these also resolve to false.
 (expandtypeattribute (hal_audio) true)
 (expandtypeattribute (hal_audio) false)

A warning will be issued on this conflict.

Motivation
When Android combines multiple .cil files from system.img and vendor.img
it's possible to have conflicting expandattribute statements.

This change deals with this scenario by resolving the value of the
corresponding expandtypeattribute to false. The rationale behind this
override is that true is used for reduce run-time lookups, while
false is used for tests which must pass.

Signed-off-by: Tri Vo <trong@android.com>
Acked-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
2018-03-26 12:29:37 -07:00
James Carter c99739a6aa libsepol: Prevent freeing unitialized value in ibendport handling
Nicolas Iooss reports:
In sepol_ibendport_key_create(), if sepol_ibendport_alloc_ibdev_name()
fails to allocate tmp_key->ibdev_name, sepol_ibendport_key_free() is
called to free the memory associated with tmp_key, which results in
free() being called on uninitialized tmp_key->ibdev_name.

This issue is reported by clang's static analyzer with the following
message:

    ibendport_record.c:115:2: warning: 1st function call argument is an
    uninitialized value
            free(key->ibdev_name);
            ^~~~~~~~~~~~~~~~~~~~~

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-03-19 12:39:20 -04:00
Richard Haines via Selinux cf0ab12414 selinux: Add support for the SCTP portcon keyword
Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-19 12:34:29 -04:00
Stephen Smalley 5576912170 libsepol: Export sepol_polcap_getnum/name functions
Export the sepol_polcap_getnum/name() functions to users of
the shared library.  This will enable SETools to stop depending
on the static library.

Note that we may want to move polcaps.h up one level since
the convention is that headers directly under include/sepol are
shared library APIs while headers under include/sepol/policydb
are limited to static users.  However, this will unnecessarily
break the build for existing static users so it is deferred.

Suggested-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-03-15 13:52:55 -07:00
Nicolas Iooss 2bd82070ef libsepol: cil: show an error when cil_expr_to_string() fails
cil_tree_print_expr() calls cil_expr_to_string() in order to compute a
string expression into expr_str. If this function fails, expr_str is
left unitialized but its value is dereferenced with:

    cil_log(CIL_INFO, "%s)", expr_str);

Prevent such an issue by checking cil_expr_to_string()'s return value
before using expr_str.

This issue has been found with clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-03-08 14:36:32 -05:00
Marcus Folkesson f8532f1773 libsepol: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- The pkg-config files generates odd paths when using DESTDIR without PREFIX
- DESTDIR is needed during compile time to compute library and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:36 +01:00
James Carter 2d49a4b41c libsepol/cil: Create new keep field for type attribute sets
Daniel Cashman <dcashman@android.com> discovered the following:
When using cil_db multiple_decls, the different cil_attribute nodes
all point to the same underlying cil_attribute struct.  This leads
to problems, though, when modifying the used value in the struct.
__cil_post_db_attr() changes the value of the field to based on
the output of cil_typeattribute_used(), for use later in
cil_typeattribute_to_policydb and cil_typeattribute_to_bitmap, but
due to the multiple declarations, cil_typeattribute_used() could be
called again by a second node.  In this second call, the value used
is the modifed value of CIL_TRUE or CIL_FALSE, not the flags actually
needed. This could result in the field being reset again, to an
incorrect CIL_FALSE value.

Add the field "keep" to struct cil_typeattributeset, set its value
using cil_typeattribute_used(), and use it when determining whether
the attribute is to be kept or if it should be expanded.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-11-22 11:49:19 -05:00
Jan Zarsky 4da8fcc21a libsepol: free ibendport device names
When reading policy, ibendport device names are allocated in
ocontext_read_selinux() but they are not freed when calling
sepol_policydb_free();

Fix this by freeing them in ocontext_selinux_free().

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2017-10-25 16:07:37 -04:00
Jan Zarsky 77059c39e8 libsepol: fix memory leak in sepol_bool_query()
When sepol_bool_query() returns NULL response, variable name is not
freed. Fix this by calling free() before returning.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2017-09-20 16:29:31 -04:00
Nicolas Iooss 13e5fa3b6b libsepol/cil: drop wrong unused attribute
cil_gen_node() has been using its argument "db" since commit
fafe4c212b ("libsepol: cil: Add ability to redeclare
types[attributes]"). Drop attribute "unused" on this argument.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-09-05 12:37:23 -04:00
Nicolas Iooss 12f3ef8280 libsepol/cil: fix -Wwrite-strings warning
cil_defaults_to_policy() defines its third argument as non-const "char
*kind" even though it is called with literal strings. This makes gcc
report the following warning when compiling with -Wwrite-strings:

    ../cil/src/cil_policy.c: In function ‘cil_gen_policy’:
    ../cil/src/cil_policy.c:1931:60: error: passing argument 3 of
    ‘cil_defaults_to_policy’ discards ‘const’ qualifier from pointer
    target type [-Werror=discarded-qualifiers]

      cil_defaults_to_policy(out, lists[CIL_LIST_DEFAULT_USER],
                             "default_user");
                             ^~~~~~~~~~~~~~

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-09-05 12:37:20 -04:00
Nicolas Iooss 3ab3a218f2 libsepol/cil: __cil_post_db_neverallow_attr_helper() does not use extra_args
Since commit 67b410e80f ("libsepol/cil: Keep attributes used by
generated attributes in neverallow rules") gcc reports the following
warning when building libsepol:

    ../cil/src/cil_post.c: In function
    ‘__cil_post_db_neverallow_attr_helper’:
    ../cil/src/cil_post.c:1322:17: error: unused variable ‘db’
    [-Werror=unused-variable]
      struct cil_db *db = extra_args;
                     ^~

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-09-05 12:37:16 -04:00
Nicolas Iooss 51bc21036c libsepol: use IN6ADDR_ANY_INIT to initialize IPv6 addresses
When compiling libsepol with clang and some warning flags, the compiler
complains about the way IPv6 addresses are initialized:

    kernel_to_cil.c:2795:35: error: suggest braces around initialization
    of subobject [-Werror,-Wmissing-braces]
            struct in6_addr subnet_prefix = {0};
                                             ^
                                             {}

When replacing the initializer as suggested, gcc 4.8.4 complains:

    kernel_to_cil.c: In function ‘write_selinux_ibpkey_rules_to_cil’:
    kernel_to_cil.c:2795:9: error: missing initializer for field
    ‘__in6_u’ of ‘struct in6_addr’ [-Werror=missing-field-initializers]
      struct in6_addr subnet_prefix = {};
             ^

Thankfully netinet/in.h provides a macro to initialize struct in6_addr
variables:

    #define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }

Both clang and gcc no longer report warnings when using this macro.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-09-05 12:37:13 -04:00
James Carter 67b410e80f libsepol/cil: Keep attributes used by generated attributes in neverallow rules
In order to reduce policy size, CIL removes attributes that are not used
by a policy rule in the generated binary policy. However, CIL keeps
attributes used by neverallow rules (which are checked at compile time
and not in the binary policy) even if the attribute is not used anywhere
else in the policy. This behavior is useful to Google who pulls neverallow
rules out of the original policy.conf for compatibility testing, but
converts the policy.conf to CIL and uses the CIL compiler to generate
policy. Without this behavior, the generated binary policy might not have
an attribute referred to by one of the neverallow rules used for testing.

The one exception to this behavior is for attributes generated in
module_to_cil (these have an "_typeattr_" in the middle of their name).
Since these attributes are only created because CIL does not allow a
type expression in an AV rule, they are removed if they only appear in
a neverallow rule (which is the case for most of them) or if the
option to expand generated attributes (-G or --expand-generated) is
specified for secilc when compiling the policy.

Removing generated attributes causes a problem, however, if the type
expression that the generated attribute is replacing uses an attribute
that is removed. In this case, the original neverallow rule will refer
to an attribute that does not exist in the generated binary policy.

Now any non-generated attribute used in a typeattributeset rule for a
generated attribute which is used in a neverallow rule will be treated
like it was used in a neverallow rule.

This does not change the behavior of an expandtypeattribute rule for
the attribute. That rule, if it exists, will take precedence.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-08-31 14:44:59 -04:00
Dan Cashman fafe4c212b libsepol: cil: Add ability to redeclare types[attributes]
Modify cil_gen_node() to check to see if the cil_db supports multiple
declarations, and if so, to check whether or not the
repeated symbol is eligible to share the existing, already-stored datum. The
only types considered so far are CIL_TYPE and CIL_TYPEATTRIBUTE, both of
which intall empty datums during AST building, so they automatically return
true.

Test: Build policy with multilpe type and attribute declarations, and
without. Policies are binary-identical.

Signed-off-by: Dan Cashman <dcashman@android.com>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-08-31 14:42:25 -04:00
Jan Zarsky 1346746d82 libsepol: reset pointer after free
In cil_strpool_destroy(), cil_strpool_tab is freed but it is not reset to NULL.
When cil_strpool_init() is called again it assumes that cil_strpool_tab was
already initialized. Other functions then work with invalid data.

Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
2017-08-28 15:50:13 -04:00
Stephen Smalley 53bb2a11c2 checkpolicy,libselinux,libsepol,policycoreutils: Update my email address
Update my email address since epoch.ncsc.mil no longer exists.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-17 14:17:12 -04:00
Stephen Smalley 1bac758bf6 Update VERSION files for 2.7 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-04 09:31:00 -04:00
Stephen Smalley dfda6a5b2c Update VERSION files for 2.7-rc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-28 15:43:47 -04:00
Stephen Smalley ae1cd12076 libsepol: Define nnp_nosuid_transition policy capability
Define the nnp_nosuid_transition policy capability used to enable
SELinux domain transitions under NNP or nosuid if the
nnp_transition permission or nosuid_transition permission is
allowed between the old and new contexts. When this capability is not
enabled, such transitions remain limited to bounded transitions as they
were prior to the introduction of this capability.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-28 15:42:36 -04:00
Dan Cashman 7803c8ca99 libsepol: cil: enable cpp compilation of cil.h.
Signed-off-by: Daniel Cashman <dcashman@google.com>
2017-07-26 13:24:22 -04:00
Stephen Smalley 9f1730fa39 Update VERSION files for 2.7-rc5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-18 12:01:26 -04:00
Stephen Smalley 83fbc0979d Update VERSION files for 2.7-rc4 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-30 13:41:33 -04:00
Nicolas Iooss 6b9035ddc6 libsepol/tests: override CPPFLAGS too
A build toolchain may override CPPFLAGS on the command line of "make".
Doing so currently breaks libsepol/tests compilation, as it requires
"-I../include/ -I$(CHECKPOLICY)" to be provided in gcc's arguments.

This completes commit 15f2740733 ("Makefiles: override *FLAGS and
*LIBS").

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-06-30 08:56:43 -04:00
Stephen Smalley 6fab7923ce Update VERSION files for 2.7-rc3 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-23 13:01:45 -04:00
Jason Zaman 15f2740733 Makefiles: override *FLAGS and *LIBS
There were several places in the makefiles where LDLIBS or CFLAGS were
supposed to include options to build. They were missing the override
keyword so would be skipped if these vars were set on the make cmdline.
Add the override directive to fix this.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-06-20 12:15:04 -04:00
Patrick Steinhardt 34dc7bcc31 libsepol: replace non-standard use of __BEGIN_DECLS
While most header files already use the common pattern of `extern "C"`
declarations to enable compiling in a C++ project, some header files in
libsepol instead use the macros `__BEGIN_DECLS` and `__END_DECLS`. These
macros are defined in the "sys/cdefs.h" header file, which provides
some non-standard extensions for glibc.

Convert usage of these declarations with the standard `extern "C"`
pattern. This improves compatibility with other libc implementations,
e.g. musl libc.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
2017-06-20 11:03:12 -04:00
Stephen Smalley 08d4b030ea Update VERSION files for 2.7-rc2 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-16 12:50:03 -04:00
James Carter 5a553e8287 libsepol/cil: Fix bugs when writing policy.conf rules
The typebounds rules should end with a ";".

The netifcon and nodecon rules should not end with a ";".

The default rules are missing a "_". They should be "default_user",
"default_role" and "default_type".

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-06-15 13:21:53 -04:00
James Carter f2b5aae4aa libsepol: Fix neverallow bug when checking conditional policy
Commit 9e6840e refactored neverallow checking. In the process a bug
was introduced that causes enabled conditional rules to be skipped.
The bug is that the avtab key is checked by comparing the specified
field of the key to the value AVTAB_ALLOWED. Since enabled conditional
rules have an additional bit set as well, these rules are not
considered to match.

The fix is to use a bitwise AND (&) to only check the desired bit.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-06-14 11:05:11 -04:00
Richard Haines c8e135ba22 libsepol/cil: ibendportcon fails to resolve in CIL policy
Fix named ibendportcon context not resolving correctly.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-06-12 11:13:25 -04:00
Nicolas Iooss f6f4876dfc libsepol: destroy the expanded level when mls_semantic_level_expand() fails
In mls_semantic_range_expand(), when a call to
mls_semantic_level_expand() fails, the function destroys the semantic
level instead of the expanded one. This leads to a use-after-free which
is reported by gcc's Address Sanitizer:

libsepol.mls_semantic_level_expand: mls_semantic_level_expand: invalid sensitivity level found 128/0.
libsepol.sepol_module_package_read: invalid module in module package (at section 0)
Failed to read policy package
=================================================================
==24456==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000ee58 at pc 0x7fe6c4fb96b4 bp 0x7fffa5ea6b70 sp 0x7fffa5ea6b60
READ of size 8 at 0x60200000ee58 thread T0
    #0 0x7fe6c4fb96b3 in mls_semantic_level_destroy /usr/src/selinux/libsepol/src/mls.c:755
    #1 0x7fe6c4fb9b88 in mls_semantic_range_destroy /usr/src/selinux/libsepol/src/mls.c:802
    #2 0x7fe6c500e8ab in user_datum_destroy /usr/src/selinux/libsepol/src/policydb.c:535
    #3 0x7fe6c500e980 in user_destroy /usr/src/selinux/libsepol/src/policydb.c:1390
    #4 0x7fe6c4f36c48 in hashtab_map /usr/src/selinux/libsepol/src/hashtab.c:235
    #5 0x7fe6c50152da in symtabs_destroy /usr/src/selinux/libsepol/src/policydb.c:1595
    #6 0x7fe6c5015433 in policydb_destroy /usr/src/selinux/libsepol/src/policydb.c:1503
    #7 0x7fe6c5040e0d in sepol_policydb_free /usr/src/selinux/libsepol/src/policydb_public.c:82
    #8 0x7fe6c4fbc503 in sepol_module_package_free /usr/src/selinux/libsepol/src/module.c:143
    #9 0x7fe6c4fefefb in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4293
    #10 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124
    #11 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #12 0x402589 in _start (/usr/src/selinux/DESTDIR/usr/libexec/selinux/hll/pp+0x402589)

0x60200000ee58 is located 8 bytes inside of 16-byte region [0x60200000ee50,0x60200000ee60)
freed by thread T0 here:
    #0 0x7fe6c5537ae0 in __interceptor_free /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:45
    #1 0x7fe6c4fb969b in mls_semantic_level_destroy /usr/src/selinux/libsepol/src/mls.c:757
    #2 0x7fe6c4f02a57 in mls_semantic_range_expand /usr/src/selinux/libsepol/src/expand.c:948
    #3 0x7fe6c5007a98 in policydb_user_cache /usr/src/selinux/libsepol/src/policydb.c:939
    #4 0x7fe6c4f36c48 in hashtab_map /usr/src/selinux/libsepol/src/hashtab.c:235
    #5 0x7fe6c5013859 in policydb_index_others /usr/src/selinux/libsepol/src/policydb.c:1286
    #6 0x7fe6c5020b65 in policydb_read /usr/src/selinux/libsepol/src/policydb.c:4342
    #7 0x7fe6c4fc0cdb in sepol_module_package_read /usr/src/selinux/libsepol/src/module.c:618
    #8 0x7fe6c4ff008d in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4276
    #9 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124
    #10 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)

previously allocated by thread T0 here:
    #0 0x7fe6c5537e40 in __interceptor_malloc /build/gcc-multilib/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x7fe6c5004efc in mls_read_semantic_level_helper /usr/src/selinux/libsepol/src/policydb.c:1976
    #2 0x7fe6c500f596 in mls_read_semantic_range_helper /usr/src/selinux/libsepol/src/policydb.c:2010
    #3 0x7fe6c500f596 in user_read /usr/src/selinux/libsepol/src/policydb.c:3258
    #4 0x7fe6c502055b in policydb_read /usr/src/selinux/libsepol/src/policydb.c:4286
    #5 0x7fe6c4fc0cdb in sepol_module_package_read /usr/src/selinux/libsepol/src/module.c:618
    #6 0x7fe6c4ff008d in sepol_ppfile_to_module_package /usr/src/selinux/libsepol/src/module_to_cil.c:4276
    #7 0x401e51 in main /usr/src/selinux/policycoreutils/hll/pp/pp.c:124
    #8 0x7fe6c4add510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/selinux/libsepol/src/mls.c:755 in mls_semantic_level_destroy
Shadow bytes around the buggy address:
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa 01 fa fa fa 01 fa
  0x0c047fff9db0: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
=>0x0c047fff9dc0: fa fa 00 00 fa fa 00 00 fa fa fd[fd]fa fa fd fd
  0x0c047fff9dd0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c047fff9de0: fa fa 04 fa fa fa 00 01 fa fa fd fd fa fa fd fd
  0x0c047fff9df0: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa fd fd
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24456==ABORTING

This issue has been found while fuzzing hll/pp with the American Fuzzy
Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-06-12 09:32:37 -04:00
Stephen Smalley 2f602f6cb9 Update VERSION files for 2.7-rc1 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-09 10:36:06 -04:00
James Carter f9ae34a404 libsepol: Expand attributes with TYPE_FLAGS_EXPAND_ATTR_TRUE set
Commit 1089665e31 (Add attribute
expansion options) adds an expandattribute rule to the policy.conf
language which sets a type_datum flag. Currently the flag is used
only when writing out CIL policy from a policy.conf.

Make use of the flag when expanding policy to expand policy rules
and remove all type associations for an attribute that has
TYPE_FLAGS_EXPAND_ATTR_TRUE set. (The attribute will remain in the
policy, but have no types associated with it.)

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-06-05 13:41:21 -04:00
James Carter 738db6077b libsepol/cil: Fix bug in cil_reset_ibpkeycon()
Nicolas Iooss <nicolas.iooss@m4x.org> discovered with clang's static
analyzer that cil_reset_ibpkeycon() was checking that ibpkeycon->context
was NULL and then passing the NULL value to cil_reset_context() which
expected a non-NULL argument.

Instead, cil_reset_ibpkeycon() should check if ibpkeycon->context_str
is NULL. If it is non-NULL then the context field points to a named
context that was created elsewhere and it will be reset there, but if
the context_str field is NULL, then the context is not named and needs
to be reset.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-06-05 11:30:14 -04:00
Steve Lawrence 0be11881d1 libsepol/cil: fix error check in new cil_resolve_name
This prevented cil_resolve_name() from returning an actual thing when a
name resolved to an alias. This appears to have only affected resolution
dealing with sensitivity and category aliases. Type aliases were not
affected since places that dealt with types handled type aliases
specifically and did not rely on this behavior from cil_resolve_name().

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2017-06-02 12:18:16 -04:00
Bernhard M. Wiedemann c18ea1df62 sort input files
when building packages (e.g. for openSUSE Linux)
(random) filesystem order of input files
influences ordering of functions in the output,
thus without the patch, builds (in disposable VMs) would usually differ.

See https://reproducible-builds.org/ for why this matters.
2017-06-01 14:00:30 -04:00
Stephen Smalley 22ac4f9bd3 libsepol: Fix alloc-size-larger-than warning from gcc 7
Fixes the following warning from gcc 7:

In function ‘name_list_to_string’,
    inlined from ‘constraint_expr_to_string’ at module_to_cil.c:1790:8:
module_to_cil.c:1135:6: warning: argument 1 range [18446744071562067968, 18446744073709551615] exceeds maximum object size 9223372036854775807 [-Walloc-size-larger-than=]
  str = malloc(len);
  ~~~~^~~~~~~~~~~~~
In file included from module_to_cil.c:36:0:
module_to_cil.c: In function ‘constraint_expr_to_string’:
/usr/include/stdlib.h:443:14: note: in a call to allocation function ‘malloc’ declared here
 extern void *malloc (size_t __size) __THROW __attribute_malloc__ __wur;
              ^~~~~~

While we are here, fix a few other issues too.
The usage of snprintf was wrong and unnecessary; we just allocated
the string to be the right size, so we should just fill it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-01 13:36:01 -04:00
Stephen Smalley e41ae676c2 libsepol,libsemanage,libselinux: Fix fallthrough warnings from gcc 7
https://developers.redhat.com/blog/2017/03/10/wimplicit-fallthrough-in-gcc-7/

Fixes the following warnings by annotating with a /* FALLTHRU */ comment.
Unfortunately, the __attribute__ ((fallthrough)); approach does not appear
to work with older compilers.

../cil/src/cil_parser.c: In function ‘cil_parser’:
../cil/src/cil_parser.c:253:14: warning: this statement may fall through [-Wimplicit-fallthrough=]
    tok.value = tok.value+1;
    ~~~~~~~~~~^~~~~~~~~~~~~
../cil/src/cil_parser.c:254:3: note: here
   case SYMBOL:
   ^~~~
../cil/src/cil_parser.c:275:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
    if (tok.type != END_OF_FILE) {
       ^
../cil/src/cil_parser.c:279:3: note: here
   case END_OF_FILE:
   ^~~~

../cil/src/cil_post.c: In function ‘cil_post_fc_fill_data’:
../cil/src/cil_post.c:104:5: warning: this statement may fall through [-Wimplicit-fallthrough=]
    c++;
    ~^~
../cil/src/cil_post.c:105:3: note: here
   default:
   ^~~~~~~

regex.c: In function ‘regex_format_error’:
regex.c:541:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:542:2: note: here
  case 3:
  ^~~~
regex.c:543:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:544:2: note: here
  case 2:
  ^~~~
regex.c:545:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:546:2: note: here
  case 1:
  ^~~~
regex.c: In function ‘regex_format_error’:
regex.c:541:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:542:2: note: here
  case 3:
  ^~~~
regex.c:543:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:544:2: note: here
  case 2:
  ^~~~
regex.c:545:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
   *ptr++ = '.';
   ~~~~~~~^~~~~
regex.c:546:2: note: here
  case 1:
  ^~~~

modules.c: In function ‘semanage_module_get_path’:
modules.c:602:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
    if (file == NULL) file = "hll";
       ^
modules.c:603:3: note: here
   case SEMANAGE_MODULE_PATH_CIL:
   ^~~~
modules.c:604:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
    if (file == NULL) file = "cil";
       ^
modules.c:605:3: note: here
   case SEMANAGE_MODULE_PATH_LANG_EXT:
   ^~~~

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-01 13:35:45 -04:00
James Carter 187a44d058 libsepol: Fix module_to_cil's handling of type aliases
Type aliases present a problem for module_to_cil because they are not
in the sym_val_to_name table that it uses to write declarations. Type
aliases are gathered by going through the decl_ids list and then
the alias declaration is written out when the block with that scope
id is handled. This doesn't work if a type alias appears in a require
block, since the require cannot be distinguished from the declaration.
The result is two declarations of the alias and an error when secilc
compiles the policy.

Because of the work cleaning up scope handling, the alias declaration
will always be at the end of the decl_ids list, so now only gather
the last scope id.

Also, when an alias is used in a module it is required as a type and
it will appear in the sym_val_to_name table. When that occurs, just
skip the alias when writing out types.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-06-01 12:51:55 -04:00
James Carter c8a7edc614 libsepol: Clean up scope handling
Currently, when checking if an identifier is enabled, each scope in
the decl_ids list is checked. This means that if any block that
requires the identifier is enabled, then the identifier will be treated
as being declared.

Now, declarations will be kept at the end of the decl_ids list and
when checking if an identifier is enabled, only the last scope will
be checked (Except for roles and users which allow multiple declarations,
they will have to keep the old behavior.)

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-06-01 12:51:51 -04:00
James Carter 800f6b2a89 libsepol/cil: Remove uneeded null checks of unused parameters
Issue reported by Nicola Iooss <nicolas.iooss@m4x.org>

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-06-01 12:43:31 -04:00