Commit Graph

2124 Commits

Author SHA1 Message Date
Nicolas Iooss
7fe9a7be31 libsepol/cil: use __cil_ordered_lists_destroy() to free unordered_classorder_lists
In cil_resolve_ast, unordered_classorder_lists is a list of
cil_ordered_list. It needs to be destroyed with
__cil_ordered_lists_destroy() to free all associated memory.

This has been tested with the following policy:

    (class CLASS1 ())
    (class CLASS2 ())
    (classorder (unordered CLASS1))
    (classorder (CLASS2))

This memory leak has been found by running clang's Address Sanitizer on
a set of policies generated by American Fuzzy Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-21 13:09:22 -05:00
James Carter
9edcf28a04 libsepol/cil: Destroy cil_tree_node stacks when finished resolving AST
CIL uses separate cil_tree_node stacks for optionals and blocks to
check for statements not allowed in optionals or blocks and to know
which optional to disable when necessary. But these stacks were not
being destroyed when exiting cil_resolve_ast(). This is not a problem
normally because the stacks will be empty, but this is not the case
when exiting with an error.

Destroy both tree node stacks when exiting to ensure that they are
empty.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-17 10:53:52 -05:00
Nicolas Iooss
c9adfe2d26 Introduce Travis-CI tests
Add a configuration file for https://travis-ci.org/. This continuous
integration platform can build the project for several configurations on
Linux, using different compilers, linkers, Python versions and Ruby
versions. An example of build results is available on
https://travis-ci.org/fishilico/selinux/builds/185912863

Even if the SELinux userland libraries and tools project does not enable
Travis-CI integration, the .travis.yml file may be helpful for
contributors who wish to run tests in several configurations.

Current limitations:

- It does not run an OS X build. Travis-CI provides free OS X
  environments but it is quite difficult to configure a single
  .travis.yml file which defines many Linux environments and some OS X
  ones.
- It only runs Ubuntu 14.04 with an x86-64 CPU. This does not test
  Android, ARM nor 32-bit x86 configurations.
- It only builds with glibc, not musl or other light C library.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-08 10:48:53 -05:00
Nicolas Iooss
eeafde1351 libsepol/cil: fix type confusion in cil_copy_ast
When running secilc on the following CIL file, the program tries to free
the data associated with type X using cil_destroy_typeattribute():

    (macro sys_obj_type ((user ARG1)) (typeattribute X))

    (block B
        (type X)
        (call sys_obj_type (Y))
    )

By adding some printf statements to cil_typeattribute_init(),
cil_type_init() and cil_destroy_typeattribute(), the error message I get
when using gcc's address sanitizer is:

$ secilc -o /dev/null -f /dev/null test.cil -vvvvvv
creating TYPE 0x60400000dfd0
Parsing 2017-02-02_crashing_nulptrderef_cil.cil
Building AST from Parse Tree
creating TYPEATTR 0x60600000e420
creating TYPE 0x60400000df50
Destroying Parse Tree
Resolving AST
Failed to resolve call statement at 2017-02-02_crashing_nulptrderef_cil.cil:5
Problem at 2017-02-02_crashing_nulptrderef_cil.cil:5
Pass 8 of resolution failed
Failed to resolve ast
Failed to compile cildb: -2
Destroying TYPEATTR 0x60600000e420, types (nil) name X
Destroying TYPEATTR 0x60400000df50, types 0xbebebebe00000000 name X
ASAN:DEADLYSIGNAL
=================================================================
==30684==ERROR: AddressSanitizer: SEGV on unknown address
0x000000000000 (pc 0x7fc0539d114a bp 0x7ffc1fbcb300 sp
0x7ffc1fbcb2f0 T0)
    #0 0x7fc0539d1149 in ebitmap_destroy /usr/src/selinux/libsepol/src/ebitmap.c:356
    #1 0x7fc053b96201 in cil_destroy_typeattribute ../cil/src/cil_build_ast.c:2370
    #2 0x7fc053b42ea4 in cil_destroy_data ../cil/src/cil.c:616
    #3 0x7fc053c595bf in cil_tree_node_destroy ../cil/src/cil_tree.c:235
    #4 0x7fc053c59819 in cil_tree_children_destroy ../cil/src/cil_tree.c:201
    #5 0x7fc053c59958 in cil_tree_subtree_destroy ../cil/src/cil_tree.c:172
    #6 0x7fc053c59a27 in cil_tree_destroy ../cil/src/cil_tree.c:165
    #7 0x7fc053b44fd7 in cil_db_destroy ../cil/src/cil.c:299
    #8 0x4026a1 in main /usr/src/selinux/secilc/secilc.c:335
    #9 0x7fc0535e5290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
    #10 0x403af9 in _start (/usr/src/selinux/DESTDIR/usr/bin/secilc+0x403af9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/src/selinux/libsepol/src/ebitmap.c:356 in ebitmap_destroy
==30684==ABORTING

When copying the AST tree in cil_resolve_call1(),
__cil_copy_node_helper() calls cil_copy_typeattribute() to grab type X
in the symbol table of block B, and creates a node with the data of X
but with CIL_TYPEATTRIBUTE flavor.

This example is a "type confusion" bug between cil_type and
cil_typeattribute structures. It can be generalized to any couple of
structures sharing the same symbol table (an easy way of finding other
couples is by reading the code of cil_flavor_to_symtab_index()).

Fix this issue in a "generic" way in __cil_copy_node_helper(), by
verifying that the flavor of the found data is the same as expected and
triggering an error when it is not.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-08 10:48:40 -05:00
James Carter
1f312a9247 policycoreutils/semodule: fix -Wwrite-strings warnings
Nicolass Iooss reports that when building with "clang -Wwrite-strings",
the compiler complains about initializing the char* array
genhomedirconargv with literal strings.

Make genhomedirconargv an array of pointers to const char and cast it
as non-const when assigning it to argv.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-06 11:06:42 -05:00
Nicolas Iooss
68a4203f87 libsemanage/tests: fix -Wwrite-strings warnings
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:06:10 -05:00
Nicolas Iooss
c33fd02db5 libsepol/tests: fix -Wwrite-strings warnings
Since fd9e5ef7b7 ("libsepol: use constant keys in hashtab functions")
it is possible to call hashtab_search() with a const char* key value.
Doing so fixes compiler warnings about non-const char* string literals
(-Wwrite-strings flag).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:06:04 -05:00
Nicolas Iooss
9c770fe87e semodule_deps: hide -Wwrite-strings warnings
generate_requires() may use a non-freable strings, BASE_NAME, as key in
a hashtable. The compiler complains about this small abuse of
hashtab_insert() interface (because its argument key is char* without
"const"). Nevertheless this is all right because the hashtab keys are
never freed directly (this behavior is documented in a comment in
free_requires()).

Therefore, hide the compiler warning by casting BASE_NAME to char*.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:05:59 -05:00
Nicolas Iooss
0df0b25d95 mcstrans: fix -Wwrite-strings warnings
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:05:52 -05:00
Nicolas Iooss
2f94ac47d5 policycoreutils/hll/pp: fix -Wwrite-strings warnings
In main(), variable ifile can be made const char*. While at it, make
ofile const char* too.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:05:42 -05:00
Nicolas Iooss
a51b30ae23 libsemanage: make lang_ext parameter const in semanage_direct_write_langext()
When building with "clang -Wwrite-strings", the compiler reports the
following warnings:

    direct_api.c:1030:46: error: passing 'const char [4]' to parameter
    of type 'char *' discards qualifiers
    [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                    status = semanage_direct_write_langext(sh, "cil", modinfo);
                                                               ^~~~~
    direct_api.c:898:11: note: passing argument to parameter 'lang_ext'
    here
                                    char *lang_ext,
                                          ^
    direct_api.c:1030:46: error: passing 'const char [4]' to parameter
    of type 'char *' discards qualifiers
    [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                    status = semanage_direct_write_langext(sh, "cil", modinfo);
                                                               ^~~~~
    direct_api.c:898:11: note: passing argument to parameter 'lang_ext'
    here
                                    char *lang_ext,
                                          ^

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:05:38 -05:00
Nicolas Iooss
d6b5b037f9 libsepol: fix -Wwrite-strings warnings
When compiling with -Wwrite-strings, clang reports some warnings like:

    module_to_cil.c:784:13: error: assigning to 'char *' from 'const
    char [5]' discards qualifiers
    [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                    statement = "type";
                              ^ ~~~~~~
    module_to_cil.c:787:13: error: assigning to 'char *' from 'const
    char [5]' discards qualifiers
    [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
                    statement = "role";
                              ^ ~~~~~~

Add a const type attribute to local variables which only handle constant
strings.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-02-06 11:05:33 -05:00
James Carter
192153db43 checkpolicy: Make print_error_msg() static
The function print_error_msg() in module_compiler.c is not called
externally, so make it static.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-06 11:01:32 -05:00
James Carter
5d56c2679d checkpolicy: Remove uneeded return check in require_symbol()
Since symtab_insert() no longer returns -2 in the case of a
declaration of an identifier followed by a require of the same
symbol, remove the uneeded check.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:02:32 -05:00
James Carter
8adbd615c1 libsepol: Return +1 when declaration is followed by a require
A check is made in symtab_insert() for the case when an identifier
had already been declared and was now being required. This meant
that a declaration followed by a require was treated differently
from a require followed by a declaration.

Remove that check and treat both cases the same (which means
returning +1).

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:02:32 -05:00
James Carter
b6f3e0086f checkpolicy: Improve check for identifier flavor mismatch
An identifier flavor mismatch occurs when an identifier is
declared or required as a regular role or type in one place but as
an attribute in another place.

Currently there is only a check for an identifier flavor mismatch
when a type has already been declared and there is a require of
the same type in the same scope. There are no checks if the require
comes first and there are no checks for roles.

Check for an identifier flavor mismatch for both roles and types
whenever a declaration or requirement tries to add an identifier
that is already in the symtab.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:02:32 -05:00
James Carter
d676e7ce3c checkpolicy: Move common require and declare code into new function
Move common code from declare_symbol() and require_symbol() to a new
function named create_symbol().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:02:24 -05:00
James Carter
a7a0678999 checkpolicy: Cleanup error messages
Add the new function print_error_msg() to print an error message
based on the local error number and symbol_type. Remove the
duplicate switch statements used throughout module_complier.c
to display error messages.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:01:28 -05:00
James Carter
a141c0d19f checkpolicy: Create common function for user declares and requires
Move common code out of declare_user() and require_user() into the
new function create_user().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:01:21 -05:00
James Carter
bd05768057 checkpolicy: Create common function for role declares and requires
Move common code out of declare_role() and require_role_or_attribute()
    into the new function create_role().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 13:54:05 -05:00
James Carter
daaaf28bfb checkpolicy: Create common function for type declares and requires
Move common code out of declare_type() and require_type_or_attribute()
into the new function create_type().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 13:53:23 -05:00
Stephen Smalley
cfea39714c policycoreutils: remove deprecated -o option from fixfiles verify
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-27 09:53:30 -05:00
Richard Haines
454768f56d setfiles: Fix setfiles progress indicator
This fixes the following bug:
UX regression: setfiles progress indicator is now misleading and
confusing in fixfiles.

The outputting of * is replaced by the number of files in 1k increments
as the previous versions. If "/" is specified on the pathname, then this
will indicate a mass relabel, an example output will be:
restorecon -nRp /etc /tmp /boot /
/etc 100.0%
/tmp 100.0%
/boot 100.0%
3.2%

Also setfiles(8) and restorecon(8) versions that are implemented using
the selinux_restorecon(3) function do not support the [-o filename]
option as this was deprecated. This has now been made clear by displaying
a message to stderr.

The documentation has also been updated to reflect these changes.

Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2017-01-27 09:39:22 -05:00
Lokesh Mandvekar
b9213c7f1a libselinux: selinux_restorecon.3 man page typo fix
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2017-01-25 15:51:45 -05:00
Steve Lawrence
1ef665cb92 libsepol: fix pp module to cil nodecon statement
Policy modules do not have the concept of named IP addresses like CIL
does. So when converting nodecode statements from pp policy modules to
CIL, we need to wrap the IP address and mask parameters in parentheses
so that the CIL compiler does not try to resolve them as named
addresses, but instead treats them as anonymous.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2017-01-25 14:47:16 -05:00
Thomas Petazzoni
05abcb1d13 libselinux/src/regex.c: support old compilers for the endian check
libselinux 2.6 has added some code in regex.c that uses __BYTE_ORDER__
to determine the system endianness. Unfortunately, this definition
provided directly by the compiler doesn't exist in older gcc versions
such as gcc 4.4.

In order to address this, this commit extends the logic to use
<endian.h> definitions if __BYTE_ORDER__ is not provided by the
compiler. This allows libselinux to build properly with gcc 4.4.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-01-25 09:18:16 -05:00
Stephen Smalley
b88c4a4707 libselinux: disable filespec hash table stats on non-debug builds
Disable generating filespec hash table stats on non-debug builds,
as they are not useful information for users and cause fixfiles
check to produce noisy output.

Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-24 14:45:24 -05:00
Stephen Smalley
bd4ffeb435 policycoreutils/setfiles: set up a logging callback for libselinux
Define a logging callback for libselinux so that any informational
or error messages generated by libselinux functions are properly
prefixed with the program name and routed to the proper output stream.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-24 14:38:40 -05:00
Alan Jenkins
ac7899fc3a policycoreutils: let output of fixfiles be redirected (as normal)
fixfiles was redirecting log output to `tty`.  This overrides user intent
e.g. when shell redirection is used.

Redirect it to stdout, using /proc.  `tty` equally depended on /proc.
We do not depend on /dev/stdout: it might not be present, if a rescue
system is booted with devtmpfs (no udev daemon).

By default, log messages were redirected into the void when not run from a
tty.  We consider this a bug, which is now fixed.

1. If calling scripts happen to require the old behaviour, they can easily
   write the same code themselves.

2. When fixfiles is run from Fedora's selinux-autorelabel.service,
   the calling script is specifically run from a tty.

   Also Fedora's calling script chooses to redirect stdout and stderr to
   /dev/null.  This redirection will now suceed, improving the transparency
   of the code.  The previous behaviour may be obtained by choosing not
   to redirect the progress messages of this long-running process to
   /dev/null.  A patch has been submitted to Fedora to suggest this novel
   approach:  https://bugzilla.redhat.com/show_bug.cgi?id=1415674

Complete disclosure:

* Remove unused variable LOGGER.
* Fix logfiles containing spaces.

Disclaimer:

1. "Log" output may contain escape sequences (backspace?) e.g. in
   `fixfiles -l log.txt restore`.  This is not the usual understanding
   of a log file.

2.  For some reason, not all informative messages are sent to `-l` e.g.
   the list of filesystems, and "cleaning up labels on /tmp".

3. `function logit` is retained, but the logfile is also written to
   outside this function.  Implementing support for the system log
   would require another function which accepts piped input.
   Also see point 1.

Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
2017-01-24 13:34:57 -05:00
Nicolas Iooss
7da9bc00f2 checkpolicy: do not leak memory when a class is not found in an avrule
While checkmodule tries to compile the following policy file and fails
because class "process" is not found, it does not free some allocated
memory:

    module ckpol_leaktest 1.0.0;
    require {type TYPE1;}
    allow TYPE1 self:process fork;

clang memory sanitier output is:

=================================================================
==16050==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 136 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
    #1 0x41a620 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2450:24
    #2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
    #3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
    #4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
    #5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
    #1 0x411c87 in insert_id /usr/src/selinux/checkpolicy/policy_define.c:120:18

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
    #1 0x43133c in ebitmap_set_bit /usr/src/selinux/libsepol/src/ebitmap.c:321:27

Indirect leak of 18 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd80b5eb0 in __interceptor___strdup (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0x84eb0)
    #1 0x41a6e5 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2460:28
    #2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
    #3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
    #4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
    #5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

SUMMARY: AddressSanitizer: 186 byte(s) leaked in 4 allocation(s).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-23 11:26:44 -05:00
Nicolas Iooss
42658e729f checkpolicy: add a missing free(id) in define_roleattribute()
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-23 11:26:40 -05:00
Nicolas Iooss
0a0d055283 checkpolicy: fix memory leaks in define_filename_trans()
When parsing type_transition statements with names, the memory allocated
by the type set bitmaps of variable stypes and ttypes was never freed.

Call type_set_destroy() to free this memory and, while at it, make the
function exits without leaking memory when exiting with an error.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-23 11:26:34 -05:00
Nicolas Iooss
aa1a8a3c84 checkpolicy: always free id in define_type()
In function define_type(), some error conditions between "id =
queue_remove(id_queue)" and "get_local_type(id, attr->s.value, 1)"
returned without freeing id. Fix theses memory leaks.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-23 11:26:30 -05:00
Karl MacMillan
4a05e95f19 libsepol compilation fixes for macOS.
ln on macOS doesn't support --relative, so use the gnu version by default.

Also document how to build on macOS.

Signed-off-by: Karl MacMillan <karlwmacmillan@gmail.com>
2017-01-20 13:19:57 -05:00
Vit Mojzis
cdc653a447 policycoreutils/hll/pp: Fix pp crash when processing base module
Policy module structure created by libsepol out of base module
contains NULL in module name, which results in segfault in "pp"
compiler. Add NULL check.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1350806

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2017-01-19 12:30:21 -05:00
Nicolas Iooss
6c853f3fb9 libselinux: fix argument order in get_default_context_with_rolelevel() doc
libselinux/src/get_context_list.c defines

    get_default_context_with_rolelevel(user, role, level...

libselinux/utils/getdefaultcon.c uses

    get_default_context_with_rolelevel(seuser, role, level...

but libselinux/include/selinux/get_context_list.h declares

    get_default_context_with_rolelevel(user, level, role...

and libselinux/man/man3/get_ordered_context_list.3 follows this
declaration.

Fix the header and the man page.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-19 11:52:41 -05:00
Nicolas Iooss
6351fed560 libselinux: always free catalog in db_init()
This variable may be leaked in some error paths.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-19 08:48:49 -05:00
Nicolas Iooss
69ec21ce6a libsepol: remove useless assignments
There is no point in initializing a variable which gets
almost-immediately assigned an other value.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-19 08:48:36 -05:00
Nicolas Iooss
ebe24ad20b libsepol: verify the right variable after calling calloc()
After "otype = calloc(1, sizeof(*otype))", it is reasonable to check the
value of otype, not ft.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-19 08:47:52 -05:00
Nicolas Iooss
fd9e5ef7b7 libsepol: use constant keys in hashtab functions
Even though "hashtab_key_t" is an alias for "char *", "const
hashtab_key_t" is not an alias for "(const char) *" but means "(char *)
const".

Introduce const_hashtab_key_t to map "(const char) *" and use it in
hashtab_search() and hashtab key comparison functions.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-19 08:46:19 -05:00
Nicolas Iooss
dcd135cc06 Re-link programs after libsepol.a is updated
After libsepol is modified (for example while developing new features or
fixing bugs), running "make install" in the top-level directory does not
update the programs which use libsepol.a. Add this static library to the
target dependencies in order to force their updates. This makes "make"
use libsepol.a in the linking command without using LDLIBS.

While at it, copy what commit 14d7064348 ("libselinux: Allow
overriding libsepol.a location during build") introduced in libselinux
Makefile by using a new LIBSEPOLA variable in all Makefiles.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-18 16:41:34 -05:00
Nicolas Iooss
baee7238b8 semanage, sepolicy: make tests not fail on systems without SELinux
selinux.security_getenforce() triggers an exception when running tests
on systems without SELinux. In order to skip tests which need SELinux in
enforcing mode, test selinux.is_selinux_enabled() too, like commit
945bc8853b ("sandbox: make test not fail on systems without SELinux").

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-17 16:48:46 -05:00
Nicolas Iooss
5b0ad2f00e libsemanage: genhomedircon: consider SEMANAGE_FCONTEXT_DIR in fcontext_matches()
When generating file_contexts.homedirs, libsemanage enumerates the users
on the system and tries to find misconfiguration issues by comparing
their home directories with file contexts defined in the policy. The
comparison is done by fcontext_matches().

Currently this function only operates on file contexts with type ALL,
but it makes sense to also operate on the DIR ones, as a comment states
in the function.

For example on a system with the following entry in /etc/passwd:

    mytestservice2000💯:/var/lib/mytestservice/dir:/bin/bash

and with the following file context definition:

    /var/lib/mytestservice/.* -d gen_context(system_u:object_r:var_lib_t,s0)

"semodule -B" now shows the following warning:

    libsemanage.get_home_dirs: mytestservice homedir
    /var/lib/mytestservice/dir or its parent directory conflicts with a
    file context already specified in the policy.  This usually
    indicates an incorrectly defined system account.  If it is a system
    account please make sure its uid is less than 1000 or greater than
    60000 or its login shell is /sbin/nologin.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-17 16:30:27 -05:00
Stephen Smalley
1cd972fc81 libselinux: selinux_restorecon: only log no default label warning for caller-supplied pathname
$ touch /tmp/foo
$ chcon -t etc_t /tmp/foo
$ restorecon /tmp/foo
Warning no default label for /tmp/foo
$ restorecon -R /tmp/foo
Warning no default label for /tmp/foo
$ restorecon -R /tmp

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-13 15:28:51 -05:00
Nick Kralevich
908898846a policy_define.c: don't free memory returned from queue_head()
Unlike queue_remove(), queue_head() does not modify the queue, but
rather, returns a pointer to an element within the queue. Freeing the
memory associated with a value returned from that function corrupts
subsequent users of the queue, who may try to reference this
now-deallocated memory.

This causes the following policy generation errors on Android:

  FAILED:
  out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
  /bin/bash -c "out/host/linux-x86/bin/checkpolicy -M -C -c 30 -o
  out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
  out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy.conf"
  system/sepolicy/public/app.te:241:ERROR 'only ioctl extended permissions
  are supported' at token ';' on line 6784:
  #line 241
  } };
  checkpolicy:  error(s) encountered while parsing configuration

because the value of "id" in:

  id = queue_remove(id_queue);
  if (strcmp(id,"ioctl") == 0) {
    ...
  } else {
    yyerror("only ioctl extended permissions are supported");
    ...
  }

is now garbage.

This is a partial revert of the following commit:

  c1ba8311 checkpolicy: free id where it was leaked

Signed-off-by: Nick Kralevich <nnk@google.com>
2017-01-13 14:43:38 -05:00
Sandeep Patil
6a2e352de7 libselinux: replace all malloc + memset by calloc in android label backend.
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-13 10:46:29 -05:00
Stephen Smalley
d66c54e2e2 libselinux: selinux_restorecon: only log no default label warning if recursive
In commit 36f1ccbb57 ("policycoreutils: setfiles: print error if
no default label found"), a warning message was added to setfiles/restorecon
if the user explicitly does a restorecon /path/to/foo and
/path/to/foo does not have any matching label in file_contexts; in the
case of a restorecon -R or setfiles, the warning isn't supposed to be
logged.  The check on the recursive flag got dropped when this logic was
taken into selinux_restorecon(3) in libselinux.  Restore this check so
that we do not generate noisy log messages on restorecon -R or setfiles.

Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-01-13 09:57:46 -05:00
Alan Jenkins
0e67689d52 restorecon manpage: link back to fixfiles
fixfiles links to restorecon.  However if you start with restorecon
"restore file(s) default SELinux security contexts", you can easily
miss the fixfiles script.  fixfiles is more generally useful than
`restorecon -R`.   For example `restorecon -R /` is not as good as
`fixfiles restore`, because the restorecon command will try to relabel
`/sys` and fail noisily.

Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
2017-01-12 14:59:36 -05:00
Alan Jenkins
62f058980e policycoreutils, python: Fix bad manpage formatting in "SEE ALSO"
Fix missing and surplus commas.  Fix the following formatting errors:

    .BR selinux(8)

renders the the "(8)" in bold as well as the "selinux".  This is wrong.

    .B selinux
    (8)

renders with a space between "selinux" and "(8)", this is wrong.

    .B selinux (8)

commits both of the above mistakes.

    .BR selinux (8), apparmor (8)

omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.
Correct all the above using the following markup:

    .BR selinux (8),
    .BR apparmor (8)

Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
2017-01-12 14:59:31 -05:00
Nicolas Iooss
c667b33a04 mcstransd: fix and reorder includes
- Sort included header files by their number of path components then
  alphabetically.
- Include unistd.h and sys/types.h only once.
- Include sys/uio.h to get readv() and writev() declarations when
  compiling with musl libc.
- Include poll.h instead of sys/poll.h as building with musl results in
  the following message:

    /usr/lib/musl/include/sys/poll.h:1:2: error: #warning redirecting
    incorrect #include <sys/poll.h> to <poll.h> [-Werror=cpp]
     #warning redirecting incorrect #include <sys/poll.h> to <poll.h>
     ^~~~~~~

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-09 16:00:28 -05:00