Commit Graph

330 Commits

Author SHA1 Message Date
James Carter
58f892399b Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:46:42 -04:00
dcashman
d7cb38ff87 libsepol: cil: cil_strpool: Allow multiple strpool users.
cil_strpool currently provides an interface to a statically stored
global data structure.  This interface does not accommodate multiple
consumers, however, as two calls to cil_strpool_init() will lead to a
memory leak and a call to cil_strpool_destroy() by one consumer will
remove data from use by others, and subsequently lead to a segfault on
the next cil_strpool_destroy() invocation.

Add a reference counter so that the strpool is only initialized once and
protect the exported interface with a mutex.

Tested by calling cil_db_init() on two cil_dbs and then calling
cil_db_destroy() on each.

Signed-off-by: Daniel Cashman <dcashman@android.com>
2016-10-19 10:17:03 -04:00
James Carter
ff47e2d921 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:10:07 -04:00
James Carter
410634d650 libsepol/cil: Verify neither child nor parent in a bounds is an attribute
Nicolas Iooss found while fuzzing secilc with AFL that using an attribute
as a child in a typebounds statement will cause a segfault.

This happens because the child datum is assumed to be part of a cil_type
struct when it is really part of a cil_typeattribute struct. The check to
verify that it is a type and not an attribute comes after it is used.

This bug affects user and role bounds as well because they do not check
whether a datum refers to an attribute or not.

Add checks to verify that neither the child nor the parent datum refer
to an attribute before using them in user, role, and type bounds.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:08:15 -04:00
James Carter
0fcc430add libsepol/cil: Verify alias in aliasactual statement is really an alias
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(sensitivityaliasactual SENS SENS)" will cause a segfault.

The segfault occurs because when the aliasactual is resolved the first
identifier is assumed to refer to an alias structure, but it is not.

Add a check to verify that the datum retrieved is actually an alias
and exit with an error if it is not.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:08:09 -04:00
James Carter
166b260d75 libsepol/cil: Check that permission is not an empty list
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(class C (()))" will cause a segfault.

CIL expects a list of permissions in the class declaration and "(())"
is a valid list. Each item of the list is expected to be an identifier
and as the list is processed each item is checked to see if it is a
list. An error is given if it is a list, otherwise the item is assumed
to be an identifier. Unfortunately, the check only works if the list
is not empty. In this case, the item passes the check and is assumed
to be an identifier and a NULL is passed as the string for name
verification. If name verification assumes that a non-NULL value will
be passed in, a segfault will occur.

Add a check for an empty list when processing a permission list and
improve the error handling for permissions when building the AST.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:08:02 -04:00
James Carter
3aa292620c libsepol/cil: Check if identifier is NULL when verifying name
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(class C (()))" will cause a segfault.

When CIL checks the syntax of the class statement it sees "(())" as a
valid permission list, but since "()" is not an identifier a NULL is
passed as the string for name verification. A segfault occurs because
name verification assumes that the string being checked is non-NULL.

Check if identifier is NULL when verifying name.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:07:51 -04:00
James Carter
da51020d6f libsepol/cil: Use an empty list to represent an unknown permission
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(classpermissionset CPERM (CLASS (and unknow PERM)))" will cause a
segfault.

In order to support a policy module package using a permission that
does not exist on the system it is loaded on, CIL will only give a
warning when it fails to resolve an unknown permission. CIL itself will
just ignore the unknown permission. This means that an expression like
"(and UNKNOWN p1)" will look like "(and p1)" to CIL, but, since syntax
checking has already been done, CIL won't know that the expression is not
well-formed. When the expression is evaluated a segfault will occur
because all expressions are assumed to be well-formed at evaluation time.

Use an empty list to represent an unknown permission so that expressions
will continue to be well-formed and expression evaluation will work but
the unknown permission will still be ignored.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:07:43 -04:00
James Carter
1b3b36aeec libsepol/cil: Use empty list for category expression evaluated as empty
Nicolas Iooss found while fuzzing secilc with AFL that the following
policy will cause a segfault.

(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivity s0)
(sensitivitycategory s0 (not (all)))

The expression "(not (all))" is evaluated as containing no categories.
There is a check for the resulting empty list and the category datum
expression is set to NULL. The segfault occurs because the datum
expression is assumed to be non-NULL after evaluation.

Assign the list to the datum expression even if it is empty.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:07:36 -04:00
James Carter
1fc2f2f5ca libsepol/cil: Check for improper category range
Nicolas Iooss found while fuzzing secilc with AFL that the following
policy will cause a segfault.

(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivity s0)
(sensitivitycategory s0 (range c1 c0))

The category range "(range c1 c0)" is invalid because c1 comes after c0
in order.

The invalid range is evaluated as containing no categories. There is a
check for the resulting empty list and the category datum expression is
set to NULL. The segfault occurs because the datum expression is assumed
to be non-NULL after evaluation.

Add a check for an invalid range when evaluating category ranges.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:07:22 -04:00
Stephen Smalley
5edd70ff9b Updated libselinux and libsepol ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-18 14:03:21 -04:00
William Roberts
3340d851df libsepol: build on mac
Correct the build issues on mac, mostly flags for tools.
libsepol and cil now build completely on Mac with a
simple make command.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-10-18 13:49:36 -04:00
William Roberts
e71e9891e4 libsepol/cil: disable symver on Mac builds
symver does not work on Mac, so like Android, just
disable it.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-10-18 13:48:53 -04:00
Stephen Smalley
b4cca24240 Update VERSION and ChangeLog files for 2.6 final release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-14 11:31:26 -04:00
Stephen Smalley
4257778f18 Update VERSION and ChangeLog files for 2.6-rc2 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-06 10:23:40 -04:00
Stephen Smalley
82f994550f Updated ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-05 13:04:36 -04:00
Stephen Smalley
b514885063 libsepol, libsemanage: fix linker scripts / map files
The local: * entry should only be in the base entry, not in each of them.
This is part of resolving gold linker build failures reported by
Jason Zaman.

Reported-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-05 12:54:46 -04:00
James Carter
90dd84b133 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-04 10:32:31 -04:00
Nicolas Iooss
ac12826c11 libsepol/cil: fix memory leak in __cil_fill_expr()
__cil_fill_expr() initializes 'cil_list *sub_expr' but does not destroy
it when __cil_fill_expr_helper() fails. This list is therefore leaked
when __cil_fill_expr() returns.

This occurs when secilc compiles the following policy:

    (class CLASS (PERM))
    (classorder (CLASS))
    (sid SID)
    (sidorder (SID))
    (user USER)
    (role ROLE)
    (type TYPE)
    (category CAT)
    (categoryorder (CAT))
    (sensitivity SENS)
    (sensitivityorder (SENS))
    (sensitivitycategory SENS (CAT))
    (allow TYPE self (CLASS (PERM)))
    (roletype ROLE TYPE)
    (userrole USER ROLE)
    (userlevel USER (SENS))
    (userrange USER ((SENS)(SENS (CAT))))
    (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))

    (categoryset cats (not (range unknown)))

This bug has been found using gcc address sanitizer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-10-04 10:28:27 -04:00
Nicolas Iooss
81c9ca5f96 libsepol/cil: fix double-free in cil categories parser
When cil_fill_cats() fails to parse an expression and destroys a
category set, it fails to reset *cats to NULL. This makes this object be
destroyed again in cil_destroy_catset().

This bug can be triggered by the following policy:

    (class CLASS (PERM))
    (classorder (CLASS))
    (sid SID)
    (sidorder (SID))
    (user USER)
    (role ROLE)
    (type TYPE)
    (category CAT)
    (categoryorder (CAT))
    (sensitivity SENS)
    (sensitivityorder (SENS))
    (sensitivitycategory SENS (CAT))
    (allow TYPE self (CLASS (PERM)))
    (roletype ROLE TYPE)
    (userrole USER ROLE)
    (userlevel USER (SENS))
    (userrange USER ((SENS)(SENS (CAT))))
    (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))

    (categoryset cats (range unknown))

This bug has been found by fuzzing secilc with american fuzzy lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-10-04 10:28:27 -04:00
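The ownership bug described in the double-free commit above, as an added C example that is not libsepol's code: `catset`, `stmt`, `fill_cats()` and `stmt_destroy()` are hypothetical stand-ins, the parse failure is simulated, and a small pool replaces malloc/free so the second release is counted rather than executed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for a category set and the statement that owns it. */
struct catset { int live; };
struct stmt   { struct catset *cats; };

/* Tiny pool used instead of malloc/free so that a second release is
 * counted instead of corrupting the heap. */
static struct catset pool[4];
static int double_releases;

static struct catset *catset_new(void)
{
    for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++)
        if (!pool[i].live) { pool[i].live = 1; return &pool[i]; }
    return NULL;
}

static void catset_destroy(struct catset *cs)
{
    if (cs == NULL) return;
    if (!cs->live) { double_releases++; return; }   /* free() would be UB here */
    cs->live = 0;
}

/* Parser in the role of cil_fill_cats(): allocates *cats, destroys it on error.
 * Failure is simulated for any expression naming "unknown" (constructed rule). */
static int fill_cats(const char *expr, struct catset **cats, int reset_on_error)
{
    *cats = catset_new();
    if (*cats == NULL) return -1;
    if (strstr(expr, "unknown") != NULL) {
        catset_destroy(*cats);
        if (reset_on_error)
            *cats = NULL;   /* the fix: the caller no longer holds a stale pointer */
        return -1;
    }
    return 0;
}

/* Cleanup in the role of cil_destroy_catset(): runs on every path. */
static void stmt_destroy(struct stmt *s)
{
    catset_destroy(s->cats);
    s->cats = NULL;
}

/* Build and tear down one statement; return how many double releases happened. */
static int count_double_releases(const char *expr, int reset_on_error)
{
    struct stmt s = { NULL };
    double_releases = 0;
    (void)fill_cats(expr, &s.cats, reset_on_error);
    stmt_destroy(&s);
    return double_releases;
}

int main(void)
{
    const char *bad = "(categoryset cats (range unknown))";  /* last line of the policy above */
    printf("without reset: %d, with reset: %d\n",
           count_double_releases(bad, 0), count_double_releases(bad, 1));
    return 0;
}
```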
Nicolas Iooss
f1ba58a199 libsepol/cil: make cil_resolve_name() fail for '.'
This CIL policy makes secilc crash with a NULL pointer dereference:

    (class CLASS (PERM))
    (classorder (CLASS))
    (sid SID)
    (sidorder (SID))
    (user USER)
    (role ROLE)
    (type TYPE)
    (category CAT)
    (categoryorder (CAT))
    (sensitivity SENS)
    (sensitivityorder (SENS))
    (sensitivitycategory SENS (CAT))
    (allow TYPE self (CLASS (PERM)))
    (roletype ROLE TYPE)
    (userrole USER ROLE)
    (userlevel USER (SENS))
    (userrange USER ((SENS)(SENS (CAT))))
    (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))

    (allow . self (CLASS (PERM)))

Using "." in the allow statement makes strtok_r() return NULL in
cil_resolve_name() and this result is then used in a call to
cil_symtab_get_datum(), which is thus invalid.

Instead of crashing, make secilc fail with an error message.

This bug has been found by fuzzing secilc with american fuzzy lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-10-04 10:28:18 -04:00
James Carter
5694d26839 libsepol: Add support for converting extended permissions to CIL
Checkpolicy has an option to produce CIL output and is dependent on
the policydb-to-CIL conversion in libsepol for that option. Add
support for converting extended permissions to CIL so that checkpolicy
can generate CIL.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-04 10:05:20 -04:00
James Carter
b461051bc4 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-03 14:59:54 -04:00
Gary Tierney
48965c602c libsepol/cil: create user and role caches when building binary policy
Pre-expands the role and user caches used in context validation when
converting a cildb to a binary policydb.  This is currently only done
when loading a binary policy and prevents context validation from
working correctly with a newly built policy (i.e., when semanage builds
a new policy and then runs genhomedircon).

Also adds declarations for the hashtable mapping functions used:
policydb_role_cache and policydb_user_cache().

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
2016-10-03 14:59:23 -04:00
Stephen Smalley
0cea223d33 Update VERSION and ChangeLog files for 2.6-rc1 release.
Intentionally jumping versions in sepolgen to make it consistent
with the rest.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-30 12:15:08 -04:00
Stephen Smalley
091de57ec2 Updated ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-30 08:35:22 -04:00
bowgotsai
9bd073afc6 Remove Android.mk files and only keep them in Android tree
The corresponding repository in Android tree:
  https://android.googlesource.com/platform/external/selinux/
2016-09-30 08:32:55 -04:00
James Carter
68885c80ea Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-09-29 14:49:34 -04:00
James Carter
c303ca910a libsepol/cil: Check for too many permissions in classes and commons
Fixes bug found by Nicolas Iooss as described below in the way suggested by Steve Lawrence.

Nicolas reported:

When compiling a CIL policy with more than 32 items in a class (e.g. in
(class capability (chown ...)) with many items),
cil_classorder_to_policydb() overflows perm_value_to_cil[class_index]
array. As this array is allocated on the heap through
calloc(PERMS_PER_CLASS+1, sizeof(...)), this makes secilc crash with the
following message:

    *** Error in `/usr/bin/secilc': double free or corruption (!prev): 0x000000000062be80 ***
    ======= Backtrace: =========
    /usr/lib/libc.so.6(+0x70c4b)[0x7ffff76a7c4b]
    /usr/lib/libc.so.6(+0x76fe6)[0x7ffff76adfe6]
    /usr/lib/libc.so.6(+0x777de)[0x7ffff76ae7de]
    /lib/libsepol.so.1(+0x14fbda)[0x7ffff7b24bda]
    /lib/libsepol.so.1(+0x152db8)[0x7ffff7b27db8]
    /lib/libsepol.so.1(cil_build_policydb+0x63)[0x7ffff7af8723]
    /usr/bin/secilc[0x40273b]
    /usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7ffff7657291]
    /usr/bin/secilc[0x402f7a]

This bug has been found by fuzzing secilc with american fuzzy lop.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-09-29 13:59:45 -04:00
Stephen Smalley
3a48f6ff90 Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-29 13:02:23 -04:00
Jeff Vander Stoep
6ccfa46ad4 libsepol: fix xperm mapping between avrule and avtab
Commit 915fa8f08f moves the xperm specified value directly from
avrule to avtab. The mapping between them is currently the same,
but may not always be. Instead these values should be mapped using
values defined in av_extended_perms_t and avtab_extended_perms_t.

Fixes: 915fa8f08f ("checkpolicy: switch operations to extended perms")

Change-Id: Ic9f4031c9381b2ff6cc46043fb1602758ef4c224
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2016-09-29 13:01:12 -04:00
Stephen Smalley
3638935b46 Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-26 11:09:51 -04:00
Nicolas Iooss
ea941ee14d libsepol/tests: fix misspelling of optimization option
In CFLAGS, -o0 means "output in file 0", not "compile at optimization
level 0".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-26 11:08:53 -04:00
Stephen Smalley
1a17785446 Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-26 10:35:41 -04:00
William Roberts
d97cd6a203 libsepol: fix uninitialized variable 'nread' on mac build
Fix this:
genusers.c:63:14: warning: variable 'nread' is uninitialized when used here [-Wuninitialized]
                if (buffer[nread - 1] == '\n')
                           ^~~~~
genusers.c:40:15: note: initialize the variable 'nread' to silence this warning
        ssize_t nread;
                     ^
                      = 0

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-26 10:32:19 -04:00
William Roberts
87c5afdad2 libsepol: fix unused variable 'len' on mac build
Fix this:
genusers.c:39:9: warning: unused variable 'len' [-Wunused-variable]
        size_t len = 0;

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-26 10:32:19 -04:00
William Roberts
e729fbe9b4 libsepol: fix unused variable 'size' on mac build
Fix this on Mac build:
genbools.c:71:9: warning: unused variable 'size' [-Wunused-variable]
        size_t size = 0;
               ^
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-26 10:32:19 -04:00
James Carter
c1d873e971 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-09-06 13:48:20 -04:00
Guido Trentalancia
e7fbb8b401 Produce more meaningful error messages when conflicting type rules are found by libsepol.
Fixes Debian bug #832331 (https://bugs.debian.org/832331).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-09-06 13:46:32 -04:00
Stephen Smalley
542b528703 Updated checkpolicy and libsepol ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-06 11:14:09 -04:00
Nicolas Iooss
2489b50a91 libsepol: make "make test" fail when a CUnit test fails
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
Nicolas Iooss
3666bd9a99 libsepol: tests: fix g_b_role_2 test
Even though g_b_role_2 is used both in
tests/policies/test-linker/small-base.conf and
tests/policies/test-linker/module1.conf, it seems to only exist in the
scope of the base policy.

This fixes the following failure of "make -C libsepol test":

    ./libsepol-tests
         CUnit - A unit testing framework for C - Version 2.1-3
         http://cunit.sourceforge.net/
    Suite: cond
      Test: cond_expr_equal ...passed
    Suite: linker
      Test: linker_indexes ...passed
      Test: linker_types ...passed
      Test: linker_roles ...sym g_b_role_2 has 1 decls, 2 expected
    FAILED
        1. test-common.c:43  - scope->decl_ids_len == len
        2. test-common.c:52  - found == 1
      Test: linker_cond ...passed
    Suite: expander
      Test: expander_indexes ...passed
      Test: expander_attr_mapping ...passed
      Test: expander_role_mapping ...passed
      Test: expander_user_mapping ...passed
      Test: expander_alias ...passed
    Suite: deps
      Test: deps_modreq_global ...passed
      Test: deps_modreq_opt ...passed
    Suite: downgrade
      Test: downgrade ...passed

    Run Summary:    Type  Total    Ran Passed Failed Inactive
                  suites      5      5    n/a      0        0
                   tests     13     13     12      1        0
                 asserts   1274   1274   1272      2      n/a

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
James Carter
0dce00d72e Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 15:14:41 -04:00
James Carter
f9927d9370 libsepol: Change which attributes CIL keeps in the binary policy
The removal of attributes that are only used in neverallow rules is
hindering AOSP adoption of the CIL compiler. This is because AOSP
extracts neverallow rules from its policy.conf for use in the Android
compatibility test suite. These neverallow rules are applied against
the binary policy being tested to check for a violation. Any neverallow
rules with an attribute that has been removed cannot be checked.

Now attributes are kept unless they are not used in any allow rule and
they are auto-generated or named "cil_gen_require" or do not have any
types associated with them.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 15:13:32 -04:00
James Carter
a0f05b307b Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 14:09:50 -04:00
William Roberts
fbf77104c3 libsepol: port str_read from kernel
Rather than duplicating the following sequence:
1. Read len from file
2. alloc up space based on 1
3. read the contents into the buffer from 2
4. null terminate the buffer from 2

Use the str_read() function that is in the kernel, which
collapses steps 2 and 4. This not only reduces redundant
code, but also has the side effect of providing a central
check on zero_or_saturated lengths from step 1 when
generating string values.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-19 13:18:02 -04:00
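The sequence described in the str_read commit above, as an added C example that is neither libsepol's nor the kernel's code: `buf_reader`, `next_bytes()`, `str_read_sketch()` and `read_prefixed_string()` are hypothetical names, and the 32-bit little-endian length prefix and the remaining-bytes check before allocation are assumptions of this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory stand-in for the policy file being parsed. */
struct buf_reader { const unsigned char *data; size_t len, pos; };

/* Copy n bytes out of the reader; fail rather than read past the end. */
static int next_bytes(struct buf_reader *r, void *dst, size_t n)
{
    if (n > r->len - r->pos)
        return -1;
    memcpy(dst, r->data + r->pos, n);
    r->pos += n;
    return 0;
}

/* Steps 2-4 in one place, behind a single check on the length from step 1. */
static int str_read_sketch(char **strp, struct buf_reader *r, uint32_t len)
{
    char *str;
    *strp = NULL;
    /* 0 would yield an empty name; UINT32_MAX makes a 32-bit len + 1 wrap to 0. */
    if (len == 0 || len == UINT32_MAX || len > r->len - r->pos) {
        errno = EINVAL;
        return -1;
    }
    str = malloc((size_t)len + 1);          /* step 2: room for the terminator */
    if (str == NULL)
        return -1;
    if (next_bytes(r, str, len) < 0) {      /* step 3: read the contents */
        free(str);
        return -1;
    }
    str[len] = '\0';                        /* step 4: always terminated */
    *strp = str;
    return 0;
}

/* Step 1 plus the helper: parse one length-prefixed string, NULL on any error. */
static char *read_prefixed_string(const unsigned char *data, size_t n)
{
    struct buf_reader r = { data, n, 0 };
    unsigned char b[4];
    uint32_t len;
    char *s;
    if (next_bytes(&r, b, sizeof(b)) < 0)
        return NULL;
    len = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return str_read_sketch(&s, &r, len) < 0 ? NULL : s;
}

int main(void)
{
    /* Constructed inputs: a valid record, then a saturated length field. */
    static const unsigned char ok[]  = { 3, 0, 0, 0, 'b', 'i', 'n' };
    static const unsigned char sat[] = { 0xff, 0xff, 0xff, 0xff, 'x' };
    char *a = read_prefixed_string(ok, sizeof(ok)), *b = read_prefixed_string(sat, sizeof(sat));
    printf("%s / %s\n", a ? a : "(rejected)", b ? b : "(rejected)");
    free(a); free(b);
    return 0;
}
```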
William Roberts
fb0cc0cc64 libsepol: calloc all the *_to_val_structs
The usage patterns between these structures seem similar
to role_val_to_struct usages. Calloc these up to prevent
any uninitialized usages.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-19 13:17:57 -04:00
James Carter
dbc6d6d596 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-17 10:10:40 -04:00
William Roberts
8673854fb8 libsepol: fix overflow and 0 length allocations
Throughout libsepol, values taken from sepolicy are used in
places where length == 0 or length == <saturated> matter;
find and fix these.

Also, correct any type mismatches noticed along the way.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:58:19 -04:00
William Roberts
02081779f3 libsepol: fix uninitialized jmp and invalid dereference
When initializing role_datum_t array, initialize the array.
This corrects this issue:

==25766== Conditional jump or move depends on uninitialised value(s)
==25766==    at 0x40ABFE: context_is_valid (context.c:59)
==25766==    by 0x40AAED: policydb_context_isvalid (context.c:19)
==25766==    by 0x43CBF4: context_read_and_validate (policydb.c:1881)
==25766==    by 0x43E7B3: ocontext_read_selinux (policydb.c:2631)
==25766==    by 0x43EC4D: ocontext_read (policydb.c:2729)
==25766==    by 0x442019: policydb_read (policydb.c:3937)
==25766==    by 0x442F15: sepol_policydb_read (policydb_public.c:174)
==25766==    by 0x407ED4: init (check_seapp.c:885)
==25766==    by 0x408D83: main (check_seapp.c:1230)

Also, check for NULL when determining if a role can be associated
with a type.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:45 -04:00