Commit Graph

2178 Commits

Author SHA1 Message Date
Alan Jenkins
08df753962 policycoreutils: fixfiles: clarify exclude_dirs()
The usage of exclude_dirs() is non-obvious.

It turns out it is only used by the `-C` mode of fixfiles.  The other four
modes use the narrower list generated by exclude_dirs_from_relabelling().
Let's make this distinction more obvious.

(The purpose of the extra exclusions is not clear.  E.g. there's an
exclusion for /dev.  Whereas the `fixfiles check` mode explicitly tells you
that it's going to relabel /dev, without causing any problem.  Maybe that
part is out of date?  But without some explanation of the list, I don't
want to change anything!)
2017-05-05 13:27:05 -04:00
Alan Jenkins
aa62e3665c policycoreutils: fixfiles: remove (broken) redundant code
setfiles is now run with $exclude_dirs.
We shouldn't need to patch the file contexts as well.

This is fortunate, since the file context patching code was broken
(by the same commit which introduced the redundancy).  It takes the
list of directories to exclude from $tempdirs, but $tempdirs is
never set.

Also messages about skipping directories were printed twice.  Firstly when
exclude_dirs is generated, and secondly in the file context patching code.

Also TEMPFCFILE was only removed in one path out of several.
2017-05-05 13:27:02 -04:00
Alan Jenkins
b5610b0c6e Revert "policycoreutils: let output of fixfiles be redirected (as normal)"
This reverts commit ac7899fc3a,
which is not yet part of an officially tagged release
(or release candidate).

`LOGFILE=/proc/self/fd/1` was wrong.

`LOGFILE=$(tty)` was being relied on in one case (exclude_dirs),
to log messages from a function run specifically with stdout redirected
(captured into a variable).

Having `logit "message"` break inside redirected functions
is a nasty leaky abstraction.

This caused e.g. `fixfiles restore` to terminate early with the error

    skipping: No such file or directory

if the user had configured any excluded paths in
/etc/selinux/fixfiles_exclude_dirs
2017-05-05 13:26:57 -04:00
Nicolas Iooss
1dc95dd558 libsepol: silence false-positive -Wwrite-strings warning
When compiling with -Wwrite-strings, the compiler complains about
calling strs_add with a const char* value for a char* parameter
(DEFAULT_OBJECT is defined to "object_r"). Silence this warning by
casting the literal string to char*.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-05-05 13:09:36 -04:00
Nicolas Iooss
232ff757d4 libselinux/utils: add noreturn attribute to selinux_check_access's usage
When building libselinux, clang reports the following warning:

    selinux_check_access.c:8:1: error: function 'usage' could be
    declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]

While at it, make progname const.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-05-05 13:07:04 -04:00
Petr Lautrbach
a9b6ef426d sepolicy/gui: Update text strings to use better gettext templates
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
11e9676ce1 sepolicy: info() should provide attributes for a TYPE
"attributes" used to be there when sepolicy.info() used setools3

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
89399a9c8e sepolicy: Fix several issues in 'sepolicy manpage -a'
Fixes:
$ sepolicy manpage -a
Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 699, in <module>
    args.func(args)
  File "/usr/bin/sepolicy", line 359, in manpage
    m = ManPage(domain, path, args.root, args.source_files, args.web)
  File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 408, in __init__
    self.__gen_man_page()
  File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 495, in __gen_man_page
    self._entrypoints()
  File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 903, in _entrypoints
    if len(entrypoints) > 1:
TypeError: object of type 'map' has no len()

$ sepolicy manpage -a
Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 699, in <module>
    args.func(args)
  File "/usr/bin/sepolicy", line 359, in manpage
    m = ManPage(domain, path, args.root, args.source_files, args.web)
  File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 408, in __init__
    self.__gen_man_page()
  File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 497, in __gen_man_page
    self._mcs_types()
  File "/usr/lib/python3.6/site-packages/sepolicy/manpage.py", line 927, in _mcs_types
    attributes = sepolicy.info(sepolicy.TYPE, (self.type))[0]["attributes"]
TypeError: 'generator' object is not subscriptable

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
471e6b0fc9 sepolicy: setools.*Query wants a list in ruletype
This fixes a problem introduced in 18410c86 where ruletype is specified
as a string not a list.

Fixes:
>>> sepolicy.get_all_role_allows()
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/setools/policyrep/util.py", line 60, in lookup
    return cls(value)
  File "/usr/lib64/python3.6/enum.py", line 291, in __call__
    return cls.__new__(cls, value)
  File "/usr/lib64/python3.6/enum.py", line 533, in __new__
    return cls._missing_(value)
  File "/usr/lib64/python3.6/enum.py", line 546, in _missing_
    raise ValueError("%r is not a valid %s" % (value, cls.__name__))
ValueError: 'a' is not a valid RBACRuletype

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
be0acfb491 dbus: Use text streams in selinux_server.py
subprocess.Popen called without universal_newlines=True opens stdin,
stdout and stderr as binary streams, which causes problems with Python 3.

Fixes:
Traceback (most recent call last):
  File "/usr/lib64/python3.4/site-packages/sepolicy/gui.py", line 2773, in unconfined_toggle
    self.dbus.semanage("module -e unconfined")
  File "<string>", line 2, in semanage
  File "/usr/lib/python3.4/site-packages/slip/dbus/polkit.py", line 121, in _enable_proxy
    return func(*p, **k)
  File "/usr/lib64/python3.4/site-packages/sepolicy/sedbus.py", line 14, in semanage
    ret = self.dbus_object.semanage(buf, dbus_interface = "org.selinux")
  File "/usr/lib64/python3.4/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python3.4/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Python.TypeError: TypeError: 'dbus.String' does not support the buffer interface

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
4a7de9ffdc policycoreutils/sepolicy: Define our own cmp()
Fixes:
Traceback (most recent call last):
  File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 1447, in stripsort
    return cmp(val1, val2)
NameError: name 'cmp' is not defined

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
d9c2a15831 sepolicy/generate.py: Fix string formatting
Fixes python3 problem:

>>> print("Failed to retrieve rpm info for %s") % package
Failed to retrieve rpm info for %s
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: unsupported operand type(s) for %: 'NoneType' and 'str'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
6dabab268c sepolicy: Simplify policy types detection
map() and filter() changed their return values from list to iterators in
Python 3. This change drops filter() and map() from gui.py to make it
work on Python 2 and 3

Fixes:
Traceback (most recent call last):
  File "/bin/sepolicy", line 700, in <module>
    args.func(args)
  File "/bin/sepolicy", line 326, in gui_run
    sepolicy.gui.SELinuxGui(args.domain, args.test)
  File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 238, in __init__
    if self.populate_system_policy() < 2:
  File "/usr/lib/python3.5/site-packages/sepolicy/gui.py", line 835, in populate_system_policy
    types = map(lambda x: x[1], filter(lambda x: x[0] == selinux_path, os.walk(selinux_path)))[0]
TypeError: 'map' object is not subscriptable

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
54eb348c0c sepolicy: Don't return filter(), use [ ] notation instead
filter() changed its behavior between python 2 and python 3

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
2a0102a270 sepolicy: Adapt to new the semodule list output
semodule in policycoreutils-2.4 changed the list format. With this
patch, org.selinux.semodule_list uses 'semodule --list=full' and the
code using this was adapted to the new format.

Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1281309

Fixes:
File "/usr/lib64/python3.4/site-packages/sepolicy/gui.py", line 670, in lockdown_init
  self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"])
KeyError: 'unconfined'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Miroslav Grepl
f82771c105 Fix typo in executable.py template.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Dan Walsh
1353988d58 sepolicy: We should be creating _exec interfaces when we create the domtrans interface
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Miroslav Grepl
8dfdb38db9 sepolicy: ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-05-05 11:52:19 -04:00
Dan Walsh
c0ec882bfa Fix up generation of application policy
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
1db83be583 policycoreutils/sepolicy: boolean.png is in help/
Fixes:
(sepolicy:2183): Gtk-WARNING **: Could not load image 'images/booleans.png': Failed to open file '/usr/lib64/python3.4/site-packages/sepolicy/images/booleans.png': No such file or directory

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Dan Walsh
590e765dce sepolicy: Move svirt man page out of libvirt into its own
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Dan Walsh
63283b81bb sepolicy: Add manpages for typealiased types
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Petr Lautrbach
cfbb79736d sepolicy: Fix spelling mistakes in commands in generated manpages
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Dan Walsh
443b84e4df policycoreutils/sepolicy: Add documentation for MCS separated domains
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2017-05-05 11:52:19 -04:00
Richard Haines
ef95c6ddf9 libselinux: Remove util/selinux_restorecon.c
Remove util/selinux_restorecon.c and tidy up. This is removed as
the functionality is now in policycoreutils/setfiles.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-05-02 11:03:06 -04:00
Richard Haines
a63858b52f libselinux: Add selinux_check_access utility
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-05-02 10:58:22 -04:00
Richard Haines
9cba8f6151 libselinux: Add permissive= entry to avc audit log
Add audit log entry to specify whether the decision was made in
permissive mode/permissive domain or enforcing mode.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-04-28 09:42:37 -04:00
Colin Walters
f3a264c2e1 config: Don't finalize mount state in selinux_set_policy_root()
This breaks every further call to e.g. `is_selinux_enabled()` after a policy
root has been set.  This tripped up some code landed in libostree:
https://github.com/ostreedev/ostree/pull/797
Since in some cases we initialize a policy twice in process, and we'd
call `is_selinux_enabled()` each time.

More info in: http://marc.info/?l=selinux&m=149323809332417&w=2

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-04-27 08:38:58 -04:00
Jason Zaman
89ce96cac6 policycoreutils: make audit and pam support configurable
Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:32:11 -04:00
Jason Zaman
9a7763e186 Add includes for DESTDIR only in root Makefile
Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:31:10 -04:00
Jason Zaman
74093beab0 restorecond: get pcre cflags/libs from pkg-config
Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:27:44 -04:00
Jason Zaman
fcb5d5cc72 Makefiles: drop -L/-I to system paths
The toolchain automatically handles them and they break cross compiling.

LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place.

Gentoo-Bug: https://bugs.gentoo.org/500674

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:27:05 -04:00
Jason Zaman
b5fe48da20 libselinux: PCRE_LDFLAGS is actually LDLIBS
From Make's manual:

LDFLAGS
Extra flags to give to compilers when they are supposed to invoke the
linker, ‘ld’, such as -L. Libraries (-lfoo) should be added to the
LDLIBS variable instead.

LDLIBS
Library flags or names given to compilers when they are supposed to
invoke the linker, ‘ld’. Non-library linker flags, such as -L, should go
in the LDFLAGS variable.

https://www.gnu.org/software/make/manual/html_node/Implicit-Variables.html

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:23:45 -04:00
Jason Zaman
3eebfc2873 libselinux: get pcre CFLAGS/LDFLAGS from pkg-config
Gentoo-Bug: https://bugs.gentoo.org/500674

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:21:50 -04:00
Jason Zaman
584e32a23b policycoreutils: honour LINGUAS variable
If the user has the $LINGUAS environment variable set, only translations
for those languages should be installed to the system.

The gettext manual [1] says:

"Internationalized packages have usually many ll.po files. Unless
translations are disabled, all those available are installed together
with the package. However, the environment variable LINGUAS may be set,
prior to configuration, to limit the installed set. LINGUAS should then
contain a space separated list of two-letter codes, stating which
languages are allowed."

[1]: https://www.gnu.org/software/gettext/manual/html_node/Installers.html#Installers

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:12:18 -04:00
Stephen Smalley
8702a865e0 libsemanage: Save linked policy, skip re-link when possible
In commit b61922f727 ("libsemanage: revert
"Skip policy module re-link when only setting booleans"), we reverted
an optimization for setting booleans since it produced incorrect behavior.
This incorrect behavior was due to operating on the policy with local
changes already merged. However, reverting this change leaves us with
undesirable overhead for setsebool -P.  We also have long wanted
to support the same optimization for making other changes that do
not truly require module re-compilation/re-linking.

If we save the linked policy prior to merging local changes, we
can skip re-linking the policy modules in most cases, thereby
significantly improving the performance and memory overhead of
semanage and setsebool -P commands.  Save the linked policy in the
policy sandbox and use it when we are not making a change that requires
recompilation of the CIL modules.  With this change, a re-link
is not performed when setting booleans or when adding, deleting, or
modifying port, node, interface, user, login (seusers) or fcontext
mappings.  We save linked versions of the kernel policy, seusers,
and users_extra produced from the CIL modules before any local
changes are merged.  This has an associated storage cost, primarily
storing an extra copy of the kernel policy file.

Before:
$ time setsebool -P zebra_write_config=1
real	0m8.714s
user	0m7.937s
sys	0m0.748s

After:
$ time setsebool -P zebra_write_config=1
real	0m1.070s
user	0m0.343s
sys	0m0.703s

Resolves: https://github.com/SELinuxProject/selinux/issues/50
Reported-by: Carlos Rodrigues <cefrodrigues@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-04-12 14:56:29 -04:00
Nick Kralevich
64afa1aff1 libselinux: add O_CLOEXEC
Makes libselinux safer and less likely to leak file descriptors when
used as part of a multithreaded program.

Signed-off-by: Nick Kralevich <nnk@google.com>
2017-04-12 14:51:41 -04:00
Nicolas Iooss
35af459220 policycoreutils: newrole: always initialize pw fields
In extract_pw_data(), if "getpwuid(uid)" fails, the function returns an
error value without initializing main's pw.pw_name. This leads main() to
call "free(pw.pw_name)" on an uninitialized value.

Use memset() to initialize structure pw in main().

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-12 14:48:36 -04:00
Nicolas Iooss
bfe40222e2 policycoreutils: newrole: do not free pw strings twice
In main(), if "extract_pw_data(&pw)" returns a failed value, it has
already freed pw.pw_name, pw.pw_dir and pw.pw_shell. These fields are
freed a second time in main's err_free label, which is incorrect. Work
around this by setting them to NULL after they are freed.

This issue has been found using clang's static analyzer.

While at it, make extract_pw_data() static.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-12 14:47:45 -04:00
Nicolas Iooss
bb3f428c08 libselinux: getsebool: always free names
When getsebool's main() fails to allocate memory for the boolean names,
it returns without freeing variables first, even though other errors do
this (with label "out").

This silences a warning reported by clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-12 14:46:02 -04:00
Nicolas Iooss
a9094fae2c libselinux: avoid calling strcmp() on a NULL pointer
When curcon is NULL, calling strcmp(curcon, newcon) produces an undefined
behavior. Avoid this by checking whether curcon is NULL beforehand.

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-12 14:44:55 -04:00
Nicolas Iooss
b63eb892f9 libsepol: cil: check cil_fill_list return value
cil_gen_default() and cil_gen_defaultrange() call cil_fill_list()
without checking its return value. If it failed, propagate the return
value to the caller.

This issue has been found using clang's static analyzer. It reported
"warning: Value stored to 'rc' is never read" four times.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-12 14:40:16 -04:00
James Carter
ea175157dd secilc: Add options to control the expansion of attributes
Added "-G, --expand_generated" option to specify that all automatically
generated attributes should be expanded and removed.

Added "-X, --expand_size <SIZE>" option to specify which attributes
are expanded when building a kernel policy. All attributes that have
less types assigned to it than SIZE will be expanded when writing AV
rules.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-04-12 14:33:55 -04:00
James Carter
0be23c3f15 libsepol/cil: Add ability to expand some attributes in binary policy
Originally, all type attributes were expanded when building a binary
policy. As the policy grew, binary policy sizes became too large, so
changes were made to keep attributes in the binary policy to minimize
policy size.

Keeping attributes works well as long as each type does not have too
many attributes. If an access check fails for types t1 and t2, then
additional checks must be made for every attribute that t1 is a member
of against t2 and all the attributes that t2 is a member of. This is
O(n*m) behavior and there are cases now where this is becoming a
performance issue.

Attributes are more aggressively removed than before. An attribute
will now be removed if it only appears in rules where attributes are
always expanded (typetransition, typechange, typemember, roletransition,
rangetransition, roletype, and AV Rules with self).

Attributes that are used in constraints are always kept because the
attribute name is stored for debugging purposes in the binary policy.

Attributes that are used in neverallow rules, but not in other AV rules,
will be kept unless the attribute is auto-generated.

Attributes that are only used in AV rules other than neverallow rules
are kept unless the number of types assigned to them is less than the
value of attrs_expand_size in the CIL db. The default is 1, which means
that any attribute that has no types assigned to it will be expanded (and
the rule removed from the policy), which is CIL's current behavior. The
value can be set using the function cil_set_attrs_expand_size().

Auto-generated attributes that are used only in neverallow rules are
always expanded. The rest are kept by default, but if the value of
attrs_expand_generated in the CIL db is set to true, they will be
expanded. The function cil_set_attrs_expand_generated() can be used
to set the value.

When creating the binary policy, CIL will expand all attributes that
are being removed and it will expand all attributes with less members
than the value specified by attrs_expand_size. So even if an attribute
is used in a constraint or neverallow and the attribute itself will be
included in the binary policy, it will be expanded when writing AV
rules if it has less members than attrs_expand_size.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-04-12 14:33:49 -04:00
Nicolas Iooss
473753f21a libsepol: correct spelling errors in module_to_cil.c comments
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-12 14:21:32 -04:00
Nicolas Iooss
d88657bc4d libsepol: do not leak memory when an error occurs
name_list_to_string() and constraint_expr_to_string() both define an
exit label to clean-up dynamically-allocated memory when an error
occurs, but they miss some variables. Free the missing ones too.

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-12 14:20:30 -04:00
Nicolas Iooss
8ccd0db860 libsepol: do not free attr_name twice
When set_to_names() fails to allocate *names, it frees variable
attr_name even though it either came from attr_list or was newly created
and added to attr_list. By doing so, the name is freed a second time
when attr_list is destroyed (with "attr_list_destroy(&attr_list)").

Avoid this double free by not freeing attr_name when it belongs to
attr_list.

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-12 14:18:35 -04:00
Nicolas Iooss
3e7fd1daba libsepol: do not wrap integers when checking bound
Some invalid policies might have p->p_types.nprim = 0. When parsing
such a policy, "i > p->p_types.nprim - 1" is always false even though
reading p->type_val_to_struct[i] triggers a segmentation fault.

Make type_set_expand() return an error when parsing such a policy by
handling correctly when p->p_types.nprim is zero.

This issue has been found while fuzzing semodule_package with the
American Fuzzy Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-11 14:33:48 -04:00
Nicolas Iooss
42e32227da libsepol: refuse to load policies with no block
Some functions assume that p->global is not NULL. For example
range_read() contains:

    p->global->enabled->range_tr_rules = rtr;

However p->global may currently be NULL when loading a policy module
with no avrule block. Avoid a NULL pointer dereference by making such a
policy invalid.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-11 14:33:04 -04:00
Nicolas Iooss
9d3091a6d3 libselinux: ensure that 4 columns are read from /proc/mounts
If exclude_non_seclabel_mounts() ever gets run on a kernel where
/proc/mounts only contains three columns, mount_info[3] will be used
without being initialized in "strtok(mount_info[3], ",")" because
variable index would be 3 at the end of this loop:

    index = 0;
    item = strtok(buf, " ");
    while (item != NULL) {
        mount_info[index] = item;
        if (index == 3)
            break;
        index++;
        item = strtok(NULL, " ");
    }

Swap the condition on index and its increment so that it gets to 4 only
when there are at least four columns.

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-11 14:32:16 -04:00