Commit Graph

2358 Commits

Author SHA1 Message Date
Nicolas Iooss
29636c5ddc
libsepol: remove unused variable
sepol_ppfile_to_module_package() does not use its variable "FILE *f =
NULL;" but to fclose() it. This variable has been unneeded since the
introduction of function ppfile_to_module_package() in commit
893851c0a146 ("policycoreutils: add a HLL compiler to convert policy
packages (.pp) to CIL").

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-05-30 22:00:10 +02:00
Nicolas Iooss
db921c0601
libsepol: do not call malloc with 0 byte
clang's static analyzer reports that ebitmap_to_names() can call
malloc(0) when the bitmap is empty. If malloc() returns NULL, this
triggers a misleading "Out of memory" error.

Work around this by treating empty bitmaps as appropriate.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-05-30 22:00:06 +02:00
Nicolas Iooss
1f8e748187
libsepol: remove some dead assignments
clang's static analyzer warns about dead assignments to local variables.
In module_to_cil.c, there are some which are quite straightforward to
review. Remove them.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-05-30 22:00:03 +02:00
Nicolas Iooss
2dc6406a30
libsepol: do not leak memory if list_prepend fails
When list_prepend() returns an error, it always means it failed to
allocate some memory and does not hold any reference to its argument
data. This argument needs to be freed by the caller in order to prevent
a memory leak.

While reviewing list_prepend() callers, I spend quite some time
understanding why typealiases_gather_map() does not need to strdup(key)
or free(key) when calling list_prepend(..., key) even though "key" comes
from pdb->p_types.table: because typealias_list_destroy() does not free
the inserted items. Add a comment to make this clearer in the code.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-05-30 21:59:59 +02:00
Nicolas Iooss
57e1ab328c
libsepol: cil: silence clang analyzer false positive
In cil_tree_print_expr(), "rc < 0" is equivalent to "rc != 0" but
clang's static analyzer does not know about this. Help it.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-05-30 21:59:52 +02:00
Stephen Smalley
a9f8a101fd Update VERSIONs to 2.8 for release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-24 14:21:09 -04:00
Jason Zaman
b2d710d959 travis.yml: add ruby 2.5 to the test matrix
Ruby 2.5 is not installed by default, force reinstall with rvm

Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-05-22 23:47:20 +08:00
Jason Zaman
f1735ebbec genhomedircon: sysconf can return -1 without failure
from getpwnam_r(3): "The call sysconf(_SC_GETPW_R_SIZE_MAX) returns
either -1, without changing errno, or an initial suggested size for buf.
(If this size is too small, the call fails with ERANGE, in which case
the caller can retry with a larger buffer.)"

The same can happen for _SC_GETGR_R_SIZE_MAX. 1024 appears to be a good
fallback but may need revisiting in the future.

This triggered an error on musl libc but could happen other places too.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2018-05-17 13:08:34 +08:00
Jason Zaman
178c552e46 restorecond: Musl compatibility for GLOB_BRACE and GLOB_TILDE
musl doesn't implement GLOB_BRACE and GLOB_TILDE, so simply don't use
them there. This affects restorecond -u but braces are not used in the
example configs. GLOB_TILDE is on the roadmap[1] for musl 1.1.21 so
restorecond -u should be fine soon.

[1]: https://wiki.musl-libc.org/roadmap.html

Signed-off-by: Jason Zaman <jason@perfinion.com>
2018-05-17 13:08:34 +08:00
Luis Ressel
310470235a setfiles: Musl compatibility for GLOB_BRACE and GLOB_TILDE
musl doesn't implement GLOB_BRACE and GLOB_TILDE, so simply don't use
them there. This only affects "setfiles -f", which I don't expect many
people use, and it's undocumented anyway that it expands globs.

Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2018-05-17 13:07:33 +08:00
Jason Zaman
ab0e27003e libselinux: enable linking to musl-fts
Musl libc does not include the fts(3) functions so need to link to the
musl-fts library
https://github.com/pullmoll/musl-fts

Signed-off-by: Jason Zaman <jason@perfinion.com>
2018-05-17 13:07:33 +08:00
Jason Zaman
42f0376228 sestatus: include limits.h for PATH_MAX
compile fails on musl libc because it cant find PATH_MAX.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2018-05-16 16:27:17 +08:00
Alan Jenkins
5ddfc0371a policycoreutils: fixfiles: failure to create /.autorelabel is fatal
Fix the following ambiguous output (from booting with init=/bin/sh):

    # /usr/sbin/fixfiles onboot
    /usr/sbin/fixfiles: line 313: /.autorelabel: Read-only file system
    /usr/sbin/fixfiles: line 317: /.autorelabel: Read-only file system
    System will relabel on next boot

System will not relabel on next boot if we couldn't create ./autorelabel

(In case anyone reading this description is still confused: To run
`fixfiles onboot` after booting with init=/bin/sh, you must first run
`mount / -oremount,rw`).
2018-05-15 13:51:04 -04:00
Stephen Smalley
20c9b4971e Update VERSION files to 2.8-rc3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-10 11:08:22 -04:00
Stephen Smalley
3ca8762efd libsepol: cil: prevent stack buffer overflow in cil_expr_to_string
Fix the test to prevent overflowing the stack buffer for
boolean expressions.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-09 11:22:46 -04:00
Stephen Smalley
84b19ae72e libsemanage: prevent string overflow on final paths
Verify that the final path does not exceed the size of the
buffer before copying.  This can only occur if an alternate
path for the policy root and/or the policy store root has been
specified and if the resulting path would exceed PATH_MAX. A
similar check is already applied by semanage_make_final().

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-08 10:24:00 -04:00
Vit Mojzis
9a9b0e9d61 python/semanage/seobject.py: Fix undefined store check
self.store is always a string (actual store name or "") because of
semanageRecords.__init__. Fix check for not defined store.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1559174#c3

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-05-08 08:13:24 -04:00
Stephen Smalley
c41633b90e libselinux: audit2why: fix build warnings
Fix the following build warnings.

audit2why.c: In function ‘__policy_init’:
audit2why.c:207:22: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4081 [-Wformat-truncation=]
      "unable to open %s:  %s\n",
                      ^~
      path, strerror(errno));
      ~~~~
audit2why.c:206:4: note: ‘snprintf’ output 20 or more bytes (assuming 4115) into a destination of size 4096
    snprintf(errormsg, sizeof(errormsg),
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      "unable to open %s:  %s\n",
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~
      path, strerror(errno));
      ~~~~~~~~~~~~~~~~~~~~~~
audit2why.c:253:28: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 4074 [-Wformat-truncation=]
     "invalid binary policy %s\n", path);
                            ^~     ~~~~
audit2why.c:252:3: note: ‘snprintf’ output between 24 and 4119 bytes into a destination of size 4096
   snprintf(errormsg, sizeof(errormsg),
   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     "invalid binary policy %s\n", path);
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-08 08:11:58 -04:00
Stephen Smalley
e76569f863 libselinux: avcstat: fix build warning
Fix the following build warning.

avcstat.c: In function ‘main’:
avcstat.c:113:4: error: ‘strncpy’ specified bound 4096 equals destination size [-Werror=stringop-truncation]
    strncpy(avcstatfile, optarg, sizeof avcstatfile);
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-08 08:11:58 -04:00
Stephen Smalley
8467979d41 libselinux: fix build warning in save_booleans()
Fix the following warning in save_booleans().  We could likely drop
the function altogether, either ignoring or returning EINVAL if
a non-zero permanent argument is passed to security_set_boolean_list(),
since setting persistent booleans is now handled via libsemanage.  This
code and the corresponding security_load_booleans() code is legacy from
RHEL4 days and could be removed although we would need to keep the ABI
for compatibility.

booleans.c: In function ‘save_booleans’:
booleans.c:441:13: error: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size between 0 and 8191 [-Werror=format-truncation=]
         "%s=%d\n", boolname,
             ^~
booleans.c:440:7: note: ‘snprintf’ output between 4 and 8205 bytes into a destination of size 8192
       snprintf(outbuf, sizeof(outbuf),
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         "%s=%d\n", boolname,
         ~~~~~~~~~~~~~~~~~~~~
         boollist[i].value);
         ~~~~~~~~~~~~~~~~~~
booleans.c:454:12: error: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size between 0 and 8191 [-Werror=format-truncation=]
        "%s=%d\n", boolname, val);
            ^~
booleans.c:453:6: note: ‘snprintf’ output between 4 and 8205 bytes into a destination of size 8192
      snprintf(outbuf, sizeof(outbuf),
      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        "%s=%d\n", boolname, val);
        ~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-08 08:11:58 -04:00
Stephen Smalley
38e49c7187 libsepol: remove unused function and type
Fix the following build warning:
policydb.c: In function ‘get_symtab_destroy_func’:
policydb.c:1581:9: error: cast between incompatible function types from ‘int (*)(char *, void *, void *)’ to ‘void (*)(char *, void *, void *)’ [-Werror=cast-function-type]
  return (hashtab_destroy_func_t) destroy_f[sym_num];
         ^

It turns out that this function and type are long unused in libsepol
and are not exported APIs for the shared library, so just remove them.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-08 08:11:58 -04:00
Stephen Smalley
dc03bae194 Update VERSION files to 2.8-rc2.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-04-26 13:20:40 -04:00
Nicolas Iooss
531fc3d8a7 libsemanage: always check append_arg return value
When split_args() calls append_arg(), the returned value needs to be
checked in order to detect memory allocation failure. Checks were
missing in two places, which are spotted by clang's static analyzer:

    semanage_store.c:1352:7: warning: Value stored to 'rc' is never
    read
            rc = append_arg(&argv, &num_args, arg);
            ^    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    semanage_store.c:1368:3: warning: Value stored to 'rc' is never read
            rc = append_arg(&argv, &num_args, arg);
            ^    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-04-25 10:09:13 -07:00
Nicolas Iooss
20a324b591 sestatus: free process and file contexts which are checked
clang's static analyzer reports a potential memory leak because the
buffers allocated in pc and fc are not freed in main(), in sestatus.c.
Free these buffers properly.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-04-25 10:09:13 -07:00
Nicolas Iooss
0f99a3126c sestatus: resolve symlinks in path when looking for a process
"sestatus -v" uses /proc/$PID/exe symbolic link in order to find the
context of processes present in /etc/sestatus.conf. For example, this
file includes "/usr/sbin/sshd".

On Arch Linux, /bin, /sbin and /usr/sbin are symbolic links to /usr/bin,
so sshd process is seen as "/usr/bin/sshd" instead of "/usr/sbin/sshd".
This causes "sestatus -v" to show nothing in "Process contexts:" for
sshd, agetty, etc.

Use realpath() to resolve any symlink components in program paths
defined in /etc/sestatus.conf. This makes "sestatus -v" show the
expected result:

    Process contexts:
    Current context:                sysadm_u:sysadm_r:sysadm_t
    Init context:                   system_u:system_r:init_t
    /sbin/agetty                    system_u:system_r:getty_t
    /usr/sbin/sshd                  system_u:system_r:sshd_t

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-04-25 10:09:13 -07:00
Stephen Smalley
87a58b6b4e Revert "libselinux: verify file_contexts when using restorecon"
This reverts commit 814631d3ae.
As reported by Petr Lautrbach, this commit changed the behavior
of selabel_open() when SELABEL_OPT_VALIDATE is 0, and this would
be an API change.

Reported-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-04-20 10:12:57 -04:00
Stephen Smalley
f04d64012a Update VERSION files to 2.8-rc1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-04-19 10:40:16 -04:00
Nicolas Iooss
efc77aa209 libselinux: remove unused variable usercon
In getconlist.c, main() does not use usercon. Remove this variable.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-04-17 13:55:57 -07:00
Nicolas Iooss
5f76f6b8fb libselinux: fix memory leak in getconlist
In getconlist.c's main(), "level" is duplicated from an optional
argument without being ever freed. clang's static analyzer warns about
this memory leak.

Free the allocated memory properly in order to remove a warning reported
by clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-04-17 13:55:57 -07:00
Nicolas Iooss
c56bb631c4 libselinux: label_file: fix memory management in store_stem()
If store_stem() fails to expand the memory allocated on data->stem_arr,
some things go wrong:
* the memory referenced by "buf" is leaked,
* data->alloc_stems has been increased without data->stem_arr having
  been expanded. So the next time store_stem() is called, the function
  will behave as if the buffer holds enough space, and will write data
  after the end of data->stem_arr.

The first issue is being spotted by clang's static analyzer, which warns
about leaking variable "stem" in find_stem_from_spec() (this function
calls store_stem()).

This both issues by freeing buf when realloc(data->stem_arr) fails, and
by not increasing data->alloc_stems when this happens.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-04-17 13:55:57 -07:00
Nicolas Iooss
3dd5dd8a07 libsepol: ensure the level context is not empty
When load_users() parses an invalid line with an empty level context
(ie. nothing between "level" and "range" keywords), it allocates memory
with malloc(0) and uses it. The behavior of malloc() in this case is
an unspecified behavior: it might return NULL, which would lead to a
segmentation fault.

Fix this issue by reporting the invalid entry instead. While at it,
ensure that the character before "range" is a space, and change the
logic slightly in order to avoid using "--p; ... p++;".

This issue is reported by clang's static analyzer with the following
message:

    genusers.c:222:11: warning: Use of zero-allocated memory
                                            *r++ = *s;
                                                 ^
    genusers.c:225:7: warning: Use of zero-allocated memory
                            *r = 0;
                               ^

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-04-17 13:55:57 -07:00
Nicolas Iooss
9fc2301047 libsepol: do not dereference NULL if stack_init fails
In cond_expr_to_cil(), when stack_init() fails to allocate a stack, the
function calls stack_pop() with stack = NULL. Then stack_pop()
dereferences the pointer ("if (stack->pos == -1) {"), which is NULL.

Fix this by moving the stack cleaning loop in a "if (stack != NULL)"
block.

This issue is reported by clang's static analyzer with the following
message:

    module_to_cil.c:463:6: warning: Access to field 'pos' results in a
    dereference of a null pointer (loaded from variable 'stack')
        if (stack->pos == -1) {
            ^~~~~~~~~~

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-04-17 13:55:57 -07:00
Vit Mojzis
10bb459add libsemanage: do not change file mode of seusers and users_extra
Commit 8702a865e0 causes file mode of
seusers and users_extra to change based on the value defined in config
file whenever direct_commit is called and policy is not rebuilt.
(e.g. when setting a boolean).

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1512639

$ ll /var/lib/selinux/targeted/active/users_extra
-rw-------. 1 root root 101 11. dub 17.31 /var/lib/selinux/targeted/active/users_extra
$ ll /var/lib/selinux/targeted/active/seusers
-rw-------. 1 root root 73 11. dub 17.31 /var/lib/selinux/targeted/active/seusers
$ semanage boolean -m --on httpd_can_network_connect
$ ll /var/lib/selinux/targeted/active/seusers
-rw-r--r--. 1 root root 73 23. bře 16.59 /var/lib/selinux/targeted/active/seusers
$ ll /var/lib/selinux/targeted/active/users_extra
-rw-r--r--. 1 root root 101 23. bře 16.59 /var/lib/selinux/targeted/active/users_extra
$ rpm -Vq selinux-policy-targeted
.M.....T.    /var/lib/selinux/targeted/active/seusers
.M.....T.    /var/lib/selinux/targeted/active/users_extra

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-04-13 16:21:26 -04:00
Vit Mojzis
1ac7716df4 python/sepolgen: Try to translate SELinux contexts to raw
This allows sepolgen to generate policy from AVC messages that contain
contexts translated by mcstrans.

Fixes:

\# echo "type=USER_AVC msg=audit(1468415802.940:2199604): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0-s15:c0.c1023 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-logind" scontext=system_u:system_r:systemd_logind_t:SystemLow-SystemHigh tcontext=system_u:system_r:init_t:s0-s15:c0.c1023 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'" | audit2allow

libsepol.mls_from_string: invalid MLS context SystemLow-SystemHigh
libsepol.mls_from_string: could not construct mls context structure
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:system_r:systemd_logind_t:SystemLow-SystemHigh to sid

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-04-13 13:41:46 -04:00
Yuli Khodorkovskiy
3e47c239ec libselinux: echo line number of bad label in selabel_fini()
Keep track of line numbers for each file context in
selabel_handle. If an error occurs in selabel_fini(), the
line number of an invalid file context is echoed to the user.

Signed-off-by: Yuli Khodorkovskiy <ykhodo@gmail.com>
2018-04-04 11:09:11 -05:00
Yuli Khodorkovskiy
814631d3ae libselinux: verify file_contexts when using restorecon
In permissive mode, calling restorecon with a bad label in file_contexts
does not verify the label's existence in the loaded policy. This
results in any label successfully applying to a file, as long as the
file exists.

This issue has two assumptions:

1) file_contexts must be manually updated with the invalid label.
Running `semanage fcontext` will error when attempting to add
an invalid label to file_contexts.
2) the system must be in permissive. Although applying an invalid label
in enforcing gives an error and fails, successfully labeling a file with a
bad label could cause issues during policy development in permissive.

Instead, as each context is used, verify it is valid before blindly
applying the label. If an error with validation occurs in restorecon,
application of remaining valid labels will be uninterrupted as before.

Signed-off-by: Yuli Khodorkovskiy <ykhodo@gmail.com>
2018-04-04 11:09:11 -05:00
James Carter
4ba19b541d libsepol/cil: Improve processing of context rules
Improve the processing of netifcon, genfscon, ibpkeycon, ibendportcon,
portcon, nodecon, fsuse, filecon, iomemcon, ioportcon, pcidevicecon,
and devicetreecon rules.

If the multiple-decls option is not used then report errors if duplicate
context rules are found. If it is used then remove duplicate context rules
and report errors when two rules are identical except for the context.

This also changes the ordering of portcon and filecon rules. The protocol
of portcon rules will be compared if the port numbers are the same and the
path strings of filecon rules will be compared if the number of meta
characters, the stem length, string length and file types are the same.

Based on an initial patch by Pierre-Hugues Husson (phh@phh.me)

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-03-29 15:53:18 -04:00
Tri Vo
ea8d689b53 Resolve conflicts in expandattribute.
This commit resolves conflicts in values of expandattribute statements
in policy language and expandtypeattribute in CIL.

For example, these statements resolve to false in policy language:
 expandattribute hal_audio true;
 expandattribute hal_audio false;

Similarly, in CIL these also resolve to false.
 (expandtypeattribute (hal_audio) true)
 (expandtypeattribute (hal_audio) false)

A warning will be issued on this conflict.

Motivation
When Android combines multiple .cil files from system.img and vendor.img
it's possible to have conflicting expandattribute statements.

This change deals with this scenario by resolving the value of the
corresponding expandtypeattribute to false. The rationale behind this
override is that true is used for reduce run-time lookups, while
false is used for tests which must pass.

Signed-off-by: Tri Vo <trong@android.com>
Acked-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
2018-03-26 12:29:37 -07:00
Vit Mojzis
0d1fad884a policycoreutils/semodule: Allow enabling/disabling multiple modules at once
Unify behaviour for all module actions.
The same behaviour is already present for -i/-u/-r/-e switches.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1545218

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-03-26 10:19:51 -04:00
Vit Mojzis
a0c4e64238 policycoreutils/semodule: Improve man page and unify it with --help
Unify the way parameters are described in man pages and --help message.
Explain special syntax allowing the user to specify multiple modules when using
-i/u/r/E mods.
Point out that priority has to be specified in order to remove module at
different priority than 400 and that "-d" disables all instances of
given module across priorities.

Resolves: rhbz#1320565, rhbz#1337192

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-03-26 10:19:51 -04:00
James Carter
c99739a6aa libsepol: Prevent freeing unitialized value in ibendport handling
Nicolas Iooss reports:
In sepol_ibendport_key_create(), if sepol_ibendport_alloc_ibdev_name()
fails to allocate tmp_key->ibdev_name, sepol_ibendport_key_free() is
called to free the memory associated with tmp_key, which results in
free() being called on uninitialized tmp_key->ibdev_name.

This issue is reported by clang's static analyzer with the following
message:

    ibendport_record.c:115:2: warning: 1st function call argument is an
    uninitialized value
            free(key->ibdev_name);
            ^~~~~~~~~~~~~~~~~~~~~

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-03-19 12:39:20 -04:00
Richard Haines via Selinux
cf0ab12414 selinux: Add support for the SCTP portcon keyword
Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-19 12:34:29 -04:00
Vit Mojzis
721ccb3318 libsemanage/direct_api.c: Fix iterating over array
Fix sizeof calculation in array iteration introduced by commit
6bb8282c4c
"libsemanage: replace access() checks to make setuid programs work"

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-03-19 09:18:28 -07:00
Nicolas Iooss
07629c0a9f
libselinux,libsemanage: Replace PYSITEDIR with PYTHONLIBDIR
libselinux and libsemanage Makefiles invoke site.getsitepackages() in
order to get the path to the directory /usr/lib/pythonX.Y/site-packages
that matches the Python interpreter chosen with $(PYTHON). This method
is incompatible with Python virtual environments, as described in
https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 .
This issue has been opened for more than 5 years.

On the contrary python/semanage/ and python/sepolgen/ Makefiles use
distutils.sysconfig.get_python_lib() in order to get the site-packages
path into a variable named PYTHONLIBDIR. This way of computing
PYTHONLIBDIR is compatible with virtual environments and gives the same
result as PYSITEDIR.

As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and
libsemanage Makefiles use it. And as native code is installed (as part
of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64
on systems which distinguish /usr/lib64 from /usr/lib.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2018-03-17 09:03:33 +01:00
Stephen Smalley
5576912170 libsepol: Export sepol_polcap_getnum/name functions
Export the sepol_polcap_getnum/name() functions to users of
the shared library.  This will enable SETools to stop depending
on the static library.

Note that we may want to move polcaps.h up one level since
the convention is that headers directly under include/sepol are
shared library APIs while headers under include/sepol/policydb
are limited to static users.  However, this will unnecessarily
break the build for existing static users so it is deferred.

Suggested-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-03-15 13:52:55 -07:00
Vit Mojzis
6bb8282c4c libsemanage: replace access() checks to make setuid programs work
access() uses real UID instead of effective UID which causes false
negative checks in setuid programs.
Replace access() calls (mostly tests for file existence) by stat().

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-03-13 10:57:04 +00:00
Jan Zarsky
29d84c6280 python/sepolgen: fix typo in PolicyGenerator 2018-03-08 14:56:19 -05:00
Vit Mojzis
4efa673bc0 libsemanage: remove access() check to make setuid programs work
F_OK access checks only work properly as long as all directories along
the path are accessible to real user running the program.
Replace F_OK access checks by testing return value of open, write, etc.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-03-08 14:48:11 -05:00
Vit Mojzis
88f4710617 libsemanage: remove access() check to make setuid programs work
access() uses real UID instead of effective UID which causes false
negative checks in setuid programs. Remove redundant access() checks

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-03-08 14:48:07 -05:00
Nicolas Iooss
2784addb14 libsemanage: silence clang static analyzer report
clang's static analyzer reports an out-of-bound array access in
semanage_user_roles() when num_roles is zero, with the following
statement:

    strcpy(roles,roles_arr[0]);

When num_roles is zero, roles_arr[0] is not uninitialized and roles is
the result of malloc(0) so this strcpy is dangerous. Make
semanage_user_roles() return an empty string instead.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-03-08 14:43:50 -05:00