The __INO_T_MATCHES_INO64_T is defined
if ino_t would be the same size as ino64_t
if -D_FILE_OFFSET_BITS=64 were not defined.
This is /exactly/ what
    /* ABI backwards-compatible shim for non-LFS 32-bit systems */
    #if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS == 64 && __BITS_PER_LONG < 64
is trying to get at, but currently fails because x32/RV32 are "LFS"
with 32-bit longs and 64-bit time_ts natively.
Thus, the
    static_assert(sizeof(unsigned long) == sizeof(__ino_t), "inode size mismatch");
assertion fails (__ino_t is the "kernel ino_t" type,
which generally corresponds to the kernel's ulong, which is u64 on x32).
glibc headers allow us to check the condition we care about directly.
Fixes: commit 9395cc0322 ("Always build for LFS mode on 32-bit archs.")
Closes: #463
Closes: Debian#1098481
Signed-off-by: наб <nabijaczleweli@nabijaczleweli.xyz>
Cc: Alba Mendez <me@alba.sh>
In semanage_setfiles(), need to reset the restorecon handle to make
sure restorecon is not operating on old selabel data.
This fixes commit d96f27bf7c ("libsemanage: Preserve file context
and ownership in policy store") which could cause restorecon to use
old data.
Reported-by: Petr Lautrbach <lautrbach@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
In selinux_restorecon_set_sehandle(), close the old selabel handle
(if it exists) before setting the new one.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
The workflow name has changed for the testsuite run, so update README.md
accordingly.
Fixes: ee667ed976 ("ci: use Testing Farm for running the testsuite")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Due to issues with the MacOS + Vagrant setup, selinux-testsuite has
migrated its CI to Testing Farm [1][2], so let's use it for running the
testsuite here, too.
We can import the test definitions from the testsuite repo and just add
a setup "test" at the beginning that builds and installs the userspace
from git.
[1] https://testing-farm.io/
[2] d75675eb0d
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Clear the identifier queue after pass 1 to avoid unhandled identifiers
from pass 1 leaking into pass 2 and leading to confusing error messages.
For example for the following policy the error changes from
'no user name' to 'unknown role j':
    class C
    sid S
    class C { P }
    ;
    user U roles j;
    sid S s:l:q:q:q
While on it call set_source_file() from init_parser().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Avoid consuming identifiers during pass 1 in functions that do not parse
them during pass 2. This currently works due to the subsequent
parse_security_context(NULL) call.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Avoid calling strdup(3) with a NULL pointer, which can happen with an
invalid policy context, e.g.:
    class C
    sid S
    class C { P }
    ;
    user U roles j;
    sid S s:l:q:q:q
Fixes: 6f2b689f ("checkpolicy: Fix MLS users in optional blocks")
Reported-by: oss-fuzz (issue 390004173)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
In case an entry read from a textual fcontext definition is too long set
errno and the error string accordingly.
Fixes: 92306daf ("libselinux: rework selabel_file(5) database")
Reported-by: oss-fuzz (issue 389974971)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
They are redundant with README.md, and haven't been kept up to date.
For example, the CONTRIBUTING.md dependencies are missing the xmlto
dependency. Rather than try to maintain this information in two places,
just refer contributors to the README and keep the CONTRIBUTING doc
focused on high level process.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: James Carter <jwcart2@gmail.com>
Handle the case where either separated trailing input is empty or non-
existent by initializing the size to 0 and only call related code on
non-zero size.
Fixes: 8997f543 ("libselinux: add selabel_file(5) fuzzer")
Reported-by: oss-fuzz (issue 388319478)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Free the hashtable for nlmsg xperm rules similar to the ioctl hashtable.
Fixes: 1fd41f48 ("libsepol/cil: add support for xperms in conditional policies")
Reported-by: oss-fuzz (issue 388376332)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Update the fuzzers for the input number parameter addition.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Prior to the recent selabel_file(5) rework regular expressions for a
certain stem were matched in the order given by the input.
The Reference and Fedora Policy as well as CIL and libsemanage pre-sort
the file context definitions based on the prefix stem length, so this
ordering was adopted.
Do not alter the order by the input of regex specifications, and search
on matches on regex specifications in parent nodes, which might
contain specifications with definitions defined later in the source
file.
This restores backward compatibility, especially for Android.
Reported-by: Takaya Saeki <takayas@chromium.org>
Closes: https://lore.kernel.org/selinux/CAH9xa6eFO6BNeGko90bsq8CuDba9eO+qdDoF+7zfyAUHEDpH9g@mail.gmail.com/
Fixes: 92306da ("libselinux: rework selabel_file(5) database")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Mute error messages produced by selinux_restorecon when rebuilding the
policy store to avoid error messages in containers, image mode, etc.
Fixes:
#podman build --security-opt=label=disable --cap-add=all --device /dev/fuse -t quay.io/jlebon/fedora-bootc:tier-x . --build-arg MANIFEST=fedora-tier-x.yaml --from quay.io/fedora/fedora:rawhide
...
Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas/lang_ext: Operation not supported
Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas: Operation not supported
Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/cil: Operation not supported
Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/hll: Operation not supported
...
https://bugzilla.redhat.com/show_bug.cgi?id=2326348
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Commit 89dd0b23 ("libselinux: avoid memory allocation in common file
label lookup") added an additional parameter to lookup_all() for an
optional buffer the return value might be placed into. Update the
fuzzing related code accordingly.
Fixes: 89dd0b23 ("libselinux: avoid memory allocation in common file label lookup")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The concatenation of the multi line error messages misses a separating
space between the boundary words.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Maintains the type signature of the existing matchpathcon_filespec_add()
entry point on 32-bit archs but maps the API to a new
matchpathcon_filespec_add64() entry point that takes a 64-bit ino_t argument
instead.
Software on 32-bit Linux ports which historically use a 32-bit time_t (thus
affected by the y2038 problem) have, as a precondition of migrating to
64-bit time_t, that they also migrate to large filesystem support because
glibc does not provide entry points for the cross-product of
(LFS: yes, LFS: no) x (time_t: 32, time_t: 64).
In order to support smooth migration of such operating systems from 32-bit
time_t to 64-bit time_t, it is useful for libselinux to:
- provide entry points on 32-bit systems for both LFS and non-LFS variants
of the API (as glibc itself does)
- use LFS internally for all filesystem calls (just in case)
- map the API call to the correct implementation based on the build
environment of the caller.
Signed-off-by: Steve Langasek <steve.langasek@canonical.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When a file name in a type transition rule used in an interface is the same as
a keyword, it needs to be M4 escaped so that the keyword is not expanded
by M4, e.g.
- filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interface")
+ filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
But sepolgen-ifgen could not parse such string:
# sepolgen-ifgen
Illegal character '`'
This change allows M4 escaping inside quoted strings and fixes the described
problem.
https://bugzilla.redhat.com/show_bug.cgi?id=2254206
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
The two asserts following qsort(3) were useful during development to
ensure the comparison function and the corresponding pointer handling
were correct. They however do not take into account an empty file
context definition file containing no definitions and thus `stab->nel`
being NULL. Drop the two asserts.
Also return early to not depend on whether calloc(3) called with a size
of zero returns NULL or a special value.
Reported-by: Petr Lautrbach <lautrbach@redhat.com>
Closes: https://lore.kernel.org/selinux/87jzchqck5.fsf@redhat.com/
Fixes: 92306daf ("libselinux: rework selabel_file(5) database")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Tested-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Drop the host bits in the IPV6 address defined via a CIDR notation in
define_ipv6_cidr_node_context(), similar to
define_ipv4_cidr_node_context(). Otherwise the kernel will never match
this entry since the host bits from the actual address will be zeroed
before comparison, see
security/selinux/ss/services.c:match_ipv6_addrmask().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
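The effect of the host bits described in the commit message above, as an added example (not code from checkpolicy, libsepol or the kernel). The helper names and the constructed 2001:db8::/32 documentation addresses are assumptions; entry_matches() only models the mask-then-compare behaviour the message attributes to match_ipv6_addrmask().

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Build a 128-bit netmask from a prefix length (caller ensures 0..128). */
static void prefix_to_mask(unsigned prefix, struct in6_addr *mask)
{
    memset(mask, 0, sizeof(*mask));
    for (unsigned i = 0; i < 16 && prefix > 0; i++) {
        unsigned bits = prefix >= 8 ? 8 : prefix;
        mask->s6_addr[i] = (unsigned char)(0xffu << (8 - bits));
        prefix -= bits;
    }
}

/* Model of the comparison the commit message describes: the actual
 * address is masked first, then compared with the stored entry address. */
static int entry_matches(const struct in6_addr *actual,
                         const struct in6_addr *entry, const struct in6_addr *mask)
{
    for (int i = 0; i < 16; i++)
        if ((actual->s6_addr[i] & mask->s6_addr[i]) != entry->s6_addr[i])
            return 0;
    return 1;
}

/* Hypothetical helper: 1 if `actual` matches entry `cidr_addr/prefix`, 0 if not,
 * -1 on bad input. `drop_host_bits` masks the entry address before storing it. */
int node_entry_matches(const char *cidr_addr, unsigned prefix,
                       const char *actual, int drop_host_bits)
{
    struct in6_addr entry, mask, a;
    if (prefix > 128 || inet_pton(AF_INET6, cidr_addr, &entry) != 1 ||
        inet_pton(AF_INET6, actual, &a) != 1)
        return -1;
    prefix_to_mask(prefix, &mask);
    if (drop_host_bits)
        for (int i = 0; i < 16; i++)
            entry.s6_addr[i] &= mask.s6_addr[i];
    return entry_matches(&a, &entry, &mask);
}

int main(void)
{
    /* Constructed sample: an entry written as 2001:db8::1/64 with host bits set. */
    printf("raw: %d\n", node_entry_matches("2001:db8::1", 64, "2001:db8::42", 0));
    printf("masked: %d\n", node_entry_matches("2001:db8::1", 64, "2001:db8::42", 1));
    return 0;
}
```

With the host bits left in place the entry never matches an address inside its own /64; once they are dropped it does, including for prefixes that do not end on a byte boundary.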
Use struct initialization with designators to skip unnecessary memset(3)
calls. Since libsepol is not a security boundary uninitialized padding
is not a concern.
Also drop the dead assignment of a region to be free'd in the next line.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Instead of returning directly goto the err label, which prints a message
and closes the opened file stream.
Found by clang-analyzer.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Instead of using asprintf(3) and heavy string formatting just manually
concatenate the substitution string.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Utilize cache locality for the substitutions by storing them in
contiguous memory instead of a linked list.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Remove a memory allocation during a common file label lookup,
e.g. requested by restorecon(8)/setfiles(8), by using a local stack
buffer for a potential lookup result.
Additional minor optimization tweaks.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
If CFLAGS set by the user contains the warnings override
`-Wno-error=implicit-function-declaration` the availability check does
not work properly. Explicitly enable and treat this warning as failure
by appending the appropriate flag.
Also include CPPFLAGS in the check.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
If CFLAGS set by the user contains the warnings override
`-Wno-error=implicit-function-declaration` the availability check does
not work properly. Explicitly enable and treat this warning as failure
by appending the appropriate flag.
Also include CPPFLAGS in the check.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When building libselinux from its own directory GCC complains about the
two functions free_spec_node() and sort_spec_node(), which are not tiny
and also recursive.
In file included from label_file.c:27:
In function ‘load_mmap’,
inlined from ‘process_file’ at label_file.c:1106:9:
label_file.h:816:20: error: inlining failed in call to ‘free_spec_node’: --param max-inline-insns-single limit reached [-Werror=inline]
816 | static inline void free_spec_node(struct spec_node *node)
| ^~~~~~~~~~~~~~
label_file.c:899:17: note: called from here
899 | free_spec_node(data->root);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
label_file.h:816:20: error: inlining failed in call to ‘free_spec_node’: --param max-inline-insns-single limit reached [-Werror=inline]
816 | static inline void free_spec_node(struct spec_node *node)
| ^~~~~~~~~~~~~~
label_file.c:908:17: note: called from here
908 | free_spec_node(root);
| ^~~~~~~~~~~~~~~~~~~~
In function ‘sort_specs’,
inlined from ‘init’ at label_file.c:1350:3:
label_file.h:404:20: error: inlining failed in call to ‘sort_spec_node’: --param max-inline-insns-single limit reached [-Werror=inline]
404 | static inline void sort_spec_node(struct spec_node *node, struct spec_node *parent)
| ^~~~~~~~~~~~~~
label_file.h:433:9: note: called from here
433 | sort_spec_node(data->root, NULL);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘sort_specs’,
inlined from ‘init’ at label_file.c:1370:3:
label_file.h:404:20: error: inlining failed in call to ‘sort_spec_node’: --param max-inline-insns-single limit reached [-Werror=inline]
404 | static inline void sort_spec_node(struct spec_node *node, struct spec_node *parent)
| ^~~~~~~~~~~~~~
label_file.h:433:9: note: called from here
433 | sort_spec_node(data->root, NULL);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 92306daf ("libselinux: rework selabel_file(5) database")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
openattr() supplies the implementation for the getcon(3) interface
family. Use a short local buffer instead of descending into memory
allocation.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use calloc(3) instead of calling malloc(3) plus a call to memset(3) or
manual zero'ing.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Consider paths with the prefix /usr for shells by including them in the
list of fallback default shells and by extending the check for a nologin
shell.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
For example Fedora contains the following default configuration:
    [sefcontext_compile]
    path = /usr/sbin/sefcontext_compile
    args = -r $@
    [end]
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Fedora is setting optimize-policy to 1 by default, and there seem to be
no bugs related to policy optimizations so far.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Instead of checking if a file to be deleted exists, just try to delete
it and ignore any error for it not existing in the first place.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Check that closing a file that has been written to is successful, to
avoid potential unsuccessful writes/syncs.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>