Commit Graph

3270 Commits

Author SHA1 Message Date
Ondrej Mosnacek
43dc50fc5c selinux_restorecon: simplify fl_head allocation by using calloc()
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2021-11-23 10:03:15 +01:00
Ondrej Mosnacek
abe410aa86 label_file: fix a data race
The 'matches' member of 'struct spec' may be written to by different
threads, so it needs to be accessed using the proper atomic constructs.
Since the actual count of matches doesn't matter and is not used,
convert this field to a bool and just atomically set/read it using GCC
__atomic builtins (which are already being used in another place).

If the compiler lacks support for __atomic builtins (which seem to have
been introduced in GCC 4.1), just fail the compilation. I don't think
it's worth trying to invent a workaround to support a 15-year-old
compiler.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2021-11-23 10:03:14 +01:00
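The pattern this commit describes, as an added example that is not code from the SELinux project: a per-spec "was it ever matched" flag stored as a bool and accessed only through the GCC/Clang `__atomic` builtins, with a hard compile failure when those builtins are unavailable. The struct, field names and the sample patterns are constructed for the example; only the flag is assumed to be shared between threads.

```c
#include <stdbool.h>
#include <stddef.h>

/* Without __atomic builtins the flag could not be written and read from
 * several threads without a data race, so refuse to build rather than
 * silently fall back to a plain (racy) access. The __ATOMIC_* memory-order
 * macros are defined exactly when the builtins are available. */
#if !defined(__ATOMIC_RELAXED)
#error "compiler lacks __atomic builtins"
#endif

/* Constructed stand-in for a label spec: a pattern plus a flag recording
 * whether the pattern ever matched. Only the flag is shared. */
struct spec {
    const char *regex_str;   /* hypothetical field name */
    bool any_matches;        /* written by matcher threads, read afterwards */
};

/* Record a match. Only "was it matched at all" is kept, so the count is
 * irrelevant and a relaxed atomic store suffices: no other data is
 * published through this flag, only the flag itself must not be torn. */
void spec_set_matched(struct spec *s)
{
    __atomic_store_n(&s->any_matches, true, __ATOMIC_RELAXED);
}

/* Read the flag with the matching atomic load; a plain read paired with
 * an atomic store would still be a data race in the C memory model. */
bool spec_has_matched(struct spec *s)
{
    return __atomic_load_n(&s->any_matches, __ATOMIC_RELAXED);
}

/* Number of specs in the array that were matched at least once. */
size_t count_matched(struct spec *specs, size_t n)
{
    size_t matched = 0;
    for (size_t i = 0; i < n; i++)
        if (spec_has_matched(&specs[i]))
            matched++;
    return matched;
}

/* Self-contained demonstration on three constructed specs: two are
 * marked, one of them twice, and the result is still two. */
size_t demo_matched_count(void)
{
    struct spec specs[3] = {
        { "^/etc(/.*)?", false },
        { "^/usr(/.*)?", false },
        { "^/var(/.*)?", false },
    };
    spec_set_matched(&specs[0]);
    spec_set_matched(&specs[2]);
    spec_set_matched(&specs[2]);   /* repeated matches collapse into one bool */
    return count_matched(specs, 3);
}
```

Relaxed ordering is enough here because nothing else is published through the flag; if the flag were used to signal that other fields had been filled in, the store would need release and the load acquire semantics.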
Christian Göttsche
f7ec4b4a84 libsemanage: add extern prototype for legacy function
    modules.c:171:13: warning: no previous prototype for ‘semanage_module_get_version’ [-Wmissing-prototypes]
      171 | const char *semanage_module_get_version(semanage_module_info_t * modinfo
          |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche
35273aa2bf libsemanage: include paired header for prototypes
    context_record.c:11:13: warning: no previous prototype for ‘semanage_context_get_user’ [-Wmissing-prototypes]
       11 | const char *semanage_context_get_user(const semanage_context_t * con)
          |             ^~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche
1927c1dfcc libsemanage: mark local functions static
    utilities.c:295:18: warning: no previous prototype for ‘list_addafter_controlmem’ [-Wmissing-prototypes]
      295 | semanage_list_t *list_addafter_controlmem(semanage_list_t * item, char *data)
          |                  ^~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche
0fd5d05f4c mcstrans: avoid missing prototypes
Mark local functions static.
Export functions of mcscolor.c in mcscolor.h and avoid bare extern
function declarations.
Drop unused function emit_whitespace().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche
c09d63852e python: mark local functions static
    sepolgen-ifgen-attr-helper.c:59:5: warning: no previous prototype for ‘render_access_mask’ [-Wmissing-prototypes]
       59 | int render_access_mask(uint32_t av, avtab_key_t *key, policydb_t *policydbp,
          |     ^~~~~~~~~~~~~~~~~~
    sepolgen-ifgen-attr-helper.c:114:5: warning: no previous prototype for ‘output_avrule’ [-Wmissing-prototypes]
      114 | int output_avrule(avtab_key_t *key, avtab_datum_t *datum, void *args)
          |     ^~~~~~~~~~~~~
    sepolgen-ifgen-attr-helper.c:220:6: warning: no previous prototype for ‘usage’ [-Wmissing-prototypes]
      220 | void usage(char *progname)
          |      ^~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche
55c30addf6 sandbox: mark local functions static
    seunshare.c:92:6: warning: no previous prototype for ‘handler’ [-Wmissing-prototypes]
       92 | void handler(int sig) {
          |      ^~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche
081ac391ad policycoreutils: mark local functions static
    setfiles.c:50:6: warning: no previous prototype for ‘set_rootpath’ [-Wmissing-prototypes]
       50 | void set_rootpath(const char *arg)
          |      ^~~~~~~~~~~~
    setfiles.c:67:5: warning: no previous prototype for ‘canoncon’ [-Wmissing-prototypes]
       67 | int canoncon(char **contextp)
          |     ^~~~~~~~

    newrole.c:185:5: warning: no previous prototype for ‘authenticate_via_pam’ [-Wmissing-prototypes]
      185 | int authenticate_via_pam(const char *ttyn, pam_handle_t * pam_handle)
          |     ^~~~~~~~~~~~~~~~~~~~

    run_init.c:241:5: warning: no previous prototype for ‘authenticate_user’ [-Wmissing-prototypes]
      241 | int authenticate_user(void)
          |     ^~~~~~~~~~~~~~~~~
    run_init.c:306:5: warning: no previous prototype for ‘get_init_context’ [-Wmissing-prototypes]
      306 | int get_init_context(char **context)
          |     ^~~~~~~~~~~~~~~~

    sestatus.c:38:5: warning: no previous prototype for ‘cmp_cmdline’ [-Wmissing-prototypes]
       38 | int cmp_cmdline(const char *command, int pid)
          |     ^~~~~~~~~~~
    sestatus.c:62:5: warning: no previous prototype for ‘pidof’ [-Wmissing-prototypes]
       62 | int pidof(const char *command)
          |     ^~~~~
    sestatus.c:95:6: warning: no previous prototype for ‘load_checks’ [-Wmissing-prototypes]
       95 | void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
          |      ^~~~~~~~~~~
    sestatus.c:171:6: warning: no previous prototype for ‘printf_tab’ [-Wmissing-prototypes]
      171 | void printf_tab(const char *outp)
          |      ^~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche
8a8275a5ac checkpolicy: ignore possible string truncation
The source code line content, saved to improve error reporting, might
get truncated, as the current Bison source buffer is 8192 bytes long and
only 254 bytes (plus NUL-terminator) are reserved.
As the saved string is only used for improving error reports and source
lines longer than 254 characters are quite uncommon, simply silence the
GCC warning.

    In file included from /usr/include/string.h:519,
                     from lex.yy.c:20:
    In function ‘strncpy’,
        inlined from ‘yylex’ at policy_scan.l:63:7:
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:91:10: warning: ‘__builtin_strncpy’ output may be truncated copying 255 bytes from a string of length 8190 [-Wstringop-truncation]
       91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
          |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche
cee0fe36a7 Enable extra global compiler warnings
Enable some extra compiler warnings in the global Makefile. These are
supported by GCC and Clang. The global Makefile is almost solely used by
developers and the CI, so the interaction with the preexisting -Werror
flag is desirable.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche
fb68d036b8 policycoreutils: use string literal as format strings
Use string literal as format string so that compilers can validate the
count and types of the inherent arguments.

    sestatus.c: In function ‘printf_tab’:
    sestatus.c:175:16: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
      175 |         printf(buf, outp);
          |                ^~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
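The two forms side by side, as an added example that is not the sestatus.c code itself: a column-padding helper whose format string is assembled at runtime (the shape the `-Wformat-nonliteral` error points at) next to the same helper written with a literal format and a `*` width argument. The column width and the field names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define COL 28   /* constructed column width for this example */

/* Pattern the warning flags: the format string is assembled at runtime,
 * so the compiler cannot verify that "field" matches whatever conversion
 * the buffer ends up containing (-Wformat-nonliteral). A mistake in the
 * builder, or a buffer influenced by input, goes unchecked. */
int pad_with_runtime_format(char *out, size_t outlen, const char *field)
{
    char fmt[16];
    snprintf(fmt, sizeof fmt, "%%-%ds", COL);     /* builds "%-28s" */
    return snprintf(out, outlen, fmt, field);
}

/* Literal format: the width is supplied through '*' as an int argument,
 * so -Wformat can check both the count and the types of the arguments
 * at compile time. */
int pad_with_literal_format(char *out, size_t outlen, const char *field)
{
    return snprintf(out, outlen, "%-*s", COL, field);
}

/* Both variants must produce identical text; returns 1 if they agree
 * for the given field and 0 otherwise. */
int padded_outputs_agree(const char *field)
{
    char a[64], b[64];
    pad_with_runtime_format(a, sizeof a, field);
    pad_with_literal_format(b, sizeof b, field);
    return strcmp(a, b) == 0;
}

/* Width of the padded column for a field, as written by the literal
 * form: COL for short fields, the field's own length for longer ones
 * (a minimum width never truncates). */
int padded_width(const char *field)
{
    char buf[64];
    return pad_with_literal_format(buf, sizeof buf, field);
}

int main(void)
{
    char line[64];
    pad_with_literal_format(line, sizeof line, "SELinux status:");
    printf("%s%s\n", line, "enabled");
    printf("formats agree: %s\n", padded_outputs_agree("Mode from config file:") ? "yes" : "no");
    return 0;
}
```

The `%-*s` form is the standard way to keep a variable width while leaving the format string a literal, which is what lets `-Wformat` (and `-Werror=format-nonliteral`) remain enabled for the whole tree.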
Christian Göttsche
c42dcf58de libsepol: use string literals as format strings
Use string literals as format strings so that compilers can validate the
count and types of the inherent arguments.

    kernel_to_cil.c: In function ‘class_constraint_rules_to_strs’:
    kernel_to_cil.c:301:17: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
      301 |                 rc = strs_create_and_add(strs, format_str, 3, classkey, perms+1, expr);
          |                 ^~
    kernel_to_cil.c: In function ‘class_validatetrans_rules_to_strs’:
    kernel_to_cil.c:341:17: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
      341 |                 rc = strs_create_and_add(strs, format_str, 2, classkey, expr);
          |                 ^~
    kernel_to_cil.c: In function ‘cats_ebitmap_to_str’:
    kernel_to_cil.c:1068:40: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
     1068 |                                        val_to_name[start], val_to_name[i]);
          |                                        ^~~~~~~~~~~

    kernel_to_conf.c: In function ‘class_constraint_rules_to_strs’:
    kernel_to_conf.c:301:42: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
      301 |                                          flavor, classkey, perms+1, expr);
          |                                          ^~~~~~
    kernel_to_conf.c: In function ‘cats_ebitmap_to_str’:
    kernel_to_conf.c:1059:40: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
     1059 |                                        val_to_name[start], sep, val_to_name[i]);
          |                                        ^~~~~~~~~~~
    kernel_to_conf.c:1062:25: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
     1062 |                         len = snprintf(p, remaining, fmt, val_to_name[start]);
          |                         ^~~

    module_to_cil.c: In function ‘cond_expr_to_cil’:
    module_to_cil.c:1340:25: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
     1340 |                         rlen = snprintf(new_val, len, fmt_str, op, val1, val2);
          |                         ^~~~
    module_to_cil.c: In function ‘constraint_expr_to_string’:
    module_to_cil.c:1881:25: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
     1881 |                         rlen = snprintf(new_val, len, fmt_str, op, val1, val2);
          |                         ^~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche
cc671d6a5e checkpolicy: use correct unsigned format specifiers
The two variables policydb_lineno and source_lineno are both of the type
unsigned long; use the appropriate format specifier.

Found by Cppcheck

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Markus Linnala
7e30a10ba9 Use IANA-managed domain example.com in examples
See: RFC 2606

foo.com seems to be privately owned.

Signed-off-by: Markus Linnala <Markus.Linnala@knowit.fi>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2021-11-15 10:53:27 +01:00
Christian Göttsche
f95dbf2c74 libsepol: avoid passing NULL pointer to memcpy
memcpy(3) might be annotated with the function attribute nonnull and
UBSan then complains:

    module.c:296:3: runtime error: null pointer passed as argument 2, which is declared to never be null
        #0 0x7f2468efa5b3 in link_netfilter_contexts ./libsepol/src/module.c:296
        #1 0x7f2468efa5b3 in sepol_link_packages ./libsepol/src/module.c:337
        #2 0x562331e9e123 in main ./semodule-utils/semodule_link/semodule_link.c:145
        #3 0x7f2467e247ec in __libc_start_main ../csu/libc-start.c:332
        #4 0x562331e9d2a9 in _start (./destdir/usr/bin/semodule_link+0x32a9)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-11 22:40:49 +01:00
Christian Göttsche
85982d83d1 libselinux: use valid address to silence glibc 2.34 warnings
Glibc 2.34 added an access function attribute to pthread_setspecific(3).
This leads to the following GCC warnings:

    In file included from matchpathcon.c:5:
    matchpathcon.c: In function ‘matchpathcon_init_prefix’:
    selinux_internal.h:38:25: error: ‘pthread_setspecific’ expecting 1 byte in a region of size 0 [-Werror=stringop-overread]
       38 |                         pthread_setspecific(KEY, VALUE);        \
          |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    matchpathcon.c:359:9: note: in expansion of macro ‘__selinux_setspecific’
      359 |         __selinux_setspecific(destructor_key, (void *)1);
          |         ^~~~~~~~~~~~~~~~~~~~~
    In file included from selinux_internal.h:2,
                     from matchpathcon.c:5:
    /usr/include/pthread.h:1167:12: note: in a call to function ‘pthread_setspecific’ declared with attribute ‘access (none, 2)’
     1167 | extern int pthread_setspecific (pthread_key_t __key,
          |            ^~~~~~~~~~~~~~~~~~~

The actual value and the validity of the passed pointer are irrelevant,
since it does not get accessed internally by glibc and
pthread_getspecific(3) is not used.
Use a pointer to a global object to please GCC.

Closes: https://github.com/SELinuxProject/selinux/issues/311
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-11 22:40:40 +01:00
Christian Göttsche
fe01a91a79 libsemanage/tests: free memory
Free all memory in test cases, reported by LeakSanitizer.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-11 22:40:30 +01:00
Christian Göttsche
ea539017fb libsemanage: do not sort empty records
Do not sort empty records to avoid calling qsort(3) with a NULL pointer.
qsort(3) might be annotated with the function attribute nonnull and
UBSan then complains:

    database_join.c:80:2: runtime error: null pointer passed as argument 1, which is declared to never be null

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-11 22:40:26 +01:00
Christian Göttsche
b98d3c4c53 libsepol: do not pass NULL to memcpy
For the first iteration `mod->perm_map[sclassi]` is NULL, thus do not
use it as source of a memcpy(3), even with a size of 0.  memcpy(3) might
be annotated with the function attribute nonnull and UBSan then
complains:

    link.c:193:3: runtime error: null pointer passed as argument 2, which is declared to never be null

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-11 22:40:20 +01:00
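The guards behind the previous two commits (empty record sets never reach qsort(3), a NULL source never reaches memcpy(3), even with a length of 0), as an added example that is not libsemanage or libsepol code. The record type, the growing byte buffer and the sample data are constructed for the example; the point is that both functions are declared `nonnull` in glibc and the C standard requires valid pointers regardless of the length, so UBSan flags the zero-length call too.

```c
#include <stdlib.h>
#include <string.h>

/* Copies n bytes from src to dst but never calls memcpy(3) with a NULL
 * pointer, even for n == 0. */
static void copy_bytes(void *dst, const void *src, size_t n)
{
    if (n == 0 || src == NULL || dst == NULL)
        return;
    memcpy(dst, src, n);
}

/* Constructed record type standing in for a database record. */
struct record {
    int key;
};

static int cmp_record(const void *a, const void *b)
{
    const struct record *ra = a, *rb = b;
    return (ra->key > rb->key) - (ra->key < rb->key);
}

/* Sorts count records; an empty set (count == 0, possibly with a NULL
 * base pointer) is left alone instead of being handed to qsort(3). */
static void sort_records(struct record *recs, size_t count)
{
    if (count == 0 || recs == NULL)
        return;
    qsort(recs, count, sizeof *recs, cmp_record);
}

/* Appends src[0..n) to a buffer that starts out as NULL, the "first
 * iteration" case of the commit message. Returns the grown buffer, or
 * NULL (after freeing the old one) on allocation failure; *len is the
 * number of bytes stored and one extra byte is kept for a terminator. */
static unsigned char *append_bytes(unsigned char *buf, size_t *len,
                                   const unsigned char *src, size_t n)
{
    unsigned char *grown = realloc(buf, *len + n + 1);
    if (grown == NULL) {
        free(buf);
        return NULL;
    }
    copy_bytes(grown + *len, src, n);   /* src may be NULL when n == 0 */
    *len += n;
    return grown;
}

/* Demonstration: three chunks, the first of them empty with a NULL
 * source. Returns the final length (4) if the bytes are "abcd", else 0. */
size_t demo_append_from_null(void)
{
    static const unsigned char c1[] = "ab", c2[] = "cd";
    unsigned char *buf = NULL;
    size_t len = 0, result;

    if ((buf = append_bytes(buf, &len, NULL, 0)) == NULL ||
        (buf = append_bytes(buf, &len, c1, 2)) == NULL ||
        (buf = append_bytes(buf, &len, c2, 2)) == NULL)
        return 0;
    buf[len] = '\0';
    result = strcmp((const char *)buf, "abcd") == 0 ? len : 0;
    free(buf);
    return result;
}

/* Demonstration: sorting an empty set is a no-op, sorting {3,1,2}
 * puts 1 first. Returns the first key after sorting. */
int demo_sort_first_key(void)
{
    struct record recs[] = { {3}, {1}, {2} };
    sort_records(NULL, 0);      /* empty: qsort(3) is never called */
    sort_records(recs, 3);
    return recs[0].key;
}
```

Compiling with `-fsanitize=undefined` and removing either guard is the quickest way to see the "null pointer passed as argument ... declared to never be null" report the commits quote.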
Petr Lautrbach
7f600c40bc Update VERSIONs to 3.3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-10-21 16:31:23 +02:00
James Carter
c3ad59cc97 libselinux: Fix potential undefined shifts
An expression of the form "1 << x" is undefined if x == 31 because
the "1" is an int and cannot be left shifted by 31.

Instead, use "UINT32_C(1) << x" which will be an unsigned int of
at least 32 bits.

Signed-off-by: James Carter <jwcart2@gmail.com>
2021-10-12 13:44:55 -04:00
James Carter
ce815bd11b checkpolicy: Fix potential undefined shifts
An expression of the form "1 << x" is undefined if x == 31 because
the "1" is an int and cannot be left shifted by 31.

Instead, use "UINT32_C(1) << x" which will be an unsigned int of
at least 32 bits.

Signed-off-by: James Carter <jwcart2@gmail.com>
2021-10-12 13:44:55 -04:00
James Carter
974da80e08 libsepol/cil: Fix potential undefined shifts
An expression of the form "1 << x" is undefined if x == 31 because
the "1" is an int and cannot be left shifted by 31.

Instead, use "UINT32_C(1) << x" which will be an unsigned int of
at least 32 bits.

This bug was found by the secilc-fuzzer.

Signed-off-by: James Carter <jwcart2@gmail.com>
2021-10-12 13:44:22 -04:00
James Carter
14197e613c libsepol: Fix potential undefined shifts
An expression of the form "1 << x" is undefined if x == 31 because
the "1" is an int and cannot be left shifted by 31.

Instead, use "UINT32_C(1) << x" which will be an unsigned int of
at least 32 bits.

Signed-off-by: James Carter <jwcart2@gmail.com>
2021-10-08 16:36:19 -04:00
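A worked version of the shift fix described in the four commits above, as an added example that is not libsepol, checkpolicy or libselinux code: a constructed access-vector model in which permission value v (1..32) occupies bit v-1, so the last permission is exactly the `1 << 31` case. The helper names and the sample permission values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <inttypes.h>

#define AV_MAX_PERMS 32

/* Returns the bit for permission value v, or 0 for an out-of-range v.
 * "1 << (v - 1)" would be undefined for v == 32 because 1 is a signed
 * int; UINT32_C(1) makes the shifted operand unsigned and at least 32
 * bits wide. A shift by 32 or more is undefined as well, hence the
 * range check rather than trusting the caller. */
uint32_t av_perm_bit(unsigned v)
{
    if (v < 1 || v > AV_MAX_PERMS)
        return 0;
    return UINT32_C(1) << (v - 1);
}

uint32_t av_add_perm(uint32_t av, unsigned v)
{
    return av | av_perm_bit(v);
}

bool av_has_perm(uint32_t av, unsigned v)
{
    return (av & av_perm_bit(v)) != 0;
}

/* Builds an access vector from a list of permission values. */
uint32_t av_from_list(const unsigned *vals, size_t n)
{
    uint32_t av = 0;
    for (size_t i = 0; i < n; i++)
        av = av_add_perm(av, vals[i]);
    return av;
}

int main(void)
{
    const unsigned perms[] = { 1, 2, 32 };   /* constructed: first, second, last bit */
    uint32_t av = av_from_list(perms, 3);
    printf("av = 0x%08" PRIx32 "\n", av);    /* 0x80000003 */
    printf("has perm 32: %s\n", av_has_perm(av, 32) ? "yes" : "no");
    return 0;
}
```

Building with `-fsanitize=undefined` and replacing `UINT32_C(1)` by a plain `1` reproduces the "left shift of 1 by 31 places cannot be represented in type 'int'" report quoted further down the page.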
Petr Lautrbach
5319c49d8a Update VERSIONs to 3.3-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-10-06 13:28:15 +02:00
Petr Lautrbach
db3863d551 libselinux/semodule: Improve extracting message
The code doesn't check the default priority, it just looks for the
highest.

Fixes:

    # semodule -E testmodule
    Module 'testmodule' does not exist at the default priority '400'. Extracting at highest existing priority '400'.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2021-10-06 12:04:03 +02:00
James Carter
85d0a069ce libsepol/cil: Do not skip macros when resolving until later passes
Since only tunableifs need to be resolved in a macro before the macro
is copied for each call, macros were being skipped after resolving
tunableifs. Statements not allowed to be in macros would be found during
the pass that resolved tunableifs. Unfortunately, in-statements are
resolved after tunableifs and they can be used to add statements to
macros that are not allowed.

Instead, do not skip macros until after the pass that resolves
in-statements that are to be resolved after block inheritance. This
allows blocks, blockinherits, blockabstracts, and macros that were
added by an in-statement to be found and an error reported.

This bug was found by the secilc-fuzzer.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2021-10-06 12:03:48 +02:00
James Carter
4b2e2a248e libsepol/cil: Limit the amount of reporting for bounds failures
Type bounds are checked when creating the CIL binary using libsepol
functions on the binary policy db. The bad rule is reported and, to
provide better error reporting, a search is made for matching rules
in the CIL policy. These matching rules as well as their parents are
written out with their locations to make it easier to find the rules
that violate the type bounds.

It is possible to craft CIL policies where there are many rules
that violate a bounds check each with many matching rules as well.
This can make the error messages very difficult to deal with. For
example, if there are 100 rules in the binary policy db that violate
a type bounds and each of these rules has 100 matches, then 10,000
matching rules along with their parents will be written out as part
of the error message.

Limit the error reporting to two rules for each type bounds violation
along with two matches for each of those rules.

This problem was found with the secilc-fuzzer.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2021-10-06 12:03:14 +02:00
Nicolas Iooss
b2891256cb GitHub Actions: do not use macOS latest runner for now
GitHub is currently migrating its macos-latest runner to macOS 11:
https://github.com/actions/virtual-environments/issues/4060

Unfortunately, installing VirtualBox and Vagrant on this new version of
macOS is not easy, and the current macos-11 runner does not support
running virtual machines using Vagrant. This issue is being fixed on
https://github.com/actions/virtual-environments/pull/4010 .

Until this Pull Request is merged, use macos-10.15 runner instead of
macos-latest, to continue using Vagrant to run the SELinux testsuite in
a virtual machine.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
2021-10-04 09:50:46 -04:00
Nicolas Iooss
60bde947d6 README: update continuous integration badges
The CI now uses GitHub Actions to run tests and the SELinux testsuite in
a virtual machine. Replace the Travis CI badge with the ones for these
workflows.

Fixes: https://github.com/SELinuxProject/selinux/issues/299
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
2021-10-04 09:49:46 -04:00
Christian Göttsche
eac7fb001a checkpolicy: delay down-cast to avoid align warning
Delay the down-cast from hashtab_datum_t, alias void*, to the actual
type once its kind has been determined.

    module_compiler.c:174:19: warning: cast from 'symtab_datum_t *' (aka 'struct symtab_datum *') to 'level_datum_t *' (aka 'struct level_datum *') increases required alignment from 4 to 8 [-Wcast-align]
                            *dest_value = ((level_datum_t *)s)->level->sens;
                                           ^~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:18 -04:00
Christian Göttsche
44ed3074bb checkpolicy: drop incorrect cast
The function require_symbol takes the type hashtab_datum_t (alias void*)
as third argument. Do not cast to hashtab_datum_t* alias void**. Since
explicit casting to void* is unnecessary, drop the casts.

    module_compiler.c:1002:36: warning: cast from 'cond_bool_datum_t *' (aka 'struct cond_bool_datum *') to 'hashtab_datum_t *' (aka 'void **') increases required alignment from 4 to 8 [-Wcast-align]
                require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
                                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    module_compiler.c:1092:40: warning: cast from 'cat_datum_t *' (aka 'struct cat_datum *') to 'hashtab_datum_t *' (aka 'void **') increases required alignment from 4 to 8 [-Wcast-align]
            retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
                                                  ^~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:15 -04:00
Christian Göttsche
7a1c7e7a82 checkpolicy: update documentation
Add missing command-line arguments to synopsis and highlight mentions of
other tools in man pages.

Add missing space between arguments in help message.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:12 -04:00
Christian Göttsche
e32809155b checkpolicy: print reason of fopen failure
Print the reason why opening a source policy file failed, e.g.:

    checkpolicy:  unable to open policy.conf:  No such file or directory

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:10 -04:00
Christian Göttsche
3d27e5a410 checkpolicy: policy_define: cleanup declarations
The variable curfile is nowhere used.

Static functions do not need to be forward declared if not used before
their definition.

The error buffer errormsg can be a simple scoped variable. Also
vsnprintf(3) always NUL-terminates the buffer, so the whole length can
be passed.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:07 -04:00
Christian Göttsche
6c81478456 libsepol/cil: silence clang void-pointer-to-enum-cast warning
Add an intermediate cast to uintptr_t to silence the clang specific
warning about casting a void pointer to an enum.

    ../cil/src/cil_verify.c:1749:28: error: cast to smaller integer type 'enum cil_flavor' from 'void *' [-Werror,-Wvoid-pointer-to-enum-cast]
                                                    enum cil_flavor op = (enum cil_flavor)i->data;
                                                                         ^~~~~~~~~~~~~~~~~~~~~~~~

Similar to 32f8ed3d6b.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:05 -04:00
Christian Göttsche
e0968a8640 libsepol: resolve GCC warning about null-dereference
GCC reports a NULL dereference of the return value of stack_peek(). This
function explicitly returns NULL in case of 'stack->pos == -1'.

Error out on NULL returned.

    module_to_cil.c: In function ‘block_to_cil’:
    module_to_cil.c:3357:55: error: potential null pointer dereference [-Werror=null-dereference]
     3357 |         struct list *alias_list = typealias_lists[decl->decl_id];
          |                                                   ~~~~^~~~~~~~~

There are more occurrences of unconditionally dereferencing the return
value of stack_peek(), but the callers should ensure a valid stack, so
just silence this single warning.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:24:56 -04:00
Christian Göttsche
a9f4a2cb32 libsepol: use correct cast
The function hashtab_insert takes the type hashtab_datum_t (alias void*)
as third argument. Do not cast to hashtab_datum_t* alias void**. The
casts could be dropped, as explicit casting to void* is unnecessary, but
to fit the overall style of this file keep the casts.

    expand.c:246:41: error: cast from 'perm_datum_t *' (aka 'struct perm_datum *') to 'hashtab_datum_t *' (aka 'void **') increases required alignment from 4 to 8 [-Werror,-Wcast-align]
            ret = hashtab_insert(s->table, new_id, (hashtab_datum_t *) new_perm);
                                                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:24:53 -04:00
Christian Göttsche
1ba9d982a7 libsepol: ebitmap: mark nodes of const ebitmaps const
Mark pointers to nodes of const ebitmaps also const. C does not enforce
a transitive const-ness, but it clarifies the intent and improves
maintainability.

Follow-up of 390ec54d27

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:24:49 -04:00
Christian Göttsche
b1a3c2030c Correct some typos
Found by codespell

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-30 15:42:11 -04:00
Petr Lautrbach
0b833973bf Update VERSIONs to 3.3-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-22 17:14:25 +02:00
Christian Göttsche
ffa73128ea libselinux/utils: drop requirement to combine compiling and linking
The extra dependency of sefcontext_compile on its object file causes the
compile and link step to be separated.
During the link step the CFLAGS are not passed, which might contain
optimization or sanitizer flags.

Reorder the LDLIBS requirements to avoid the symbol 'pcre_fullinfo'
being unresolvable at link time.

Current behavior:

    gcc-11 **custom CFLAGS** -I../include -D_GNU_SOURCE     -c -o sefcontext_compile.o sefcontext_compile.c
    gcc-11 -L../src  sefcontext_compile.o ../src/regex.o  -lselinux  -lpcre ../src/libselinux.a -lsepol -o sefcontext_compile

Changed:

    gcc-11 **custom CFLAGS** -I../include -D_GNU_SOURCE    -L../src  sefcontext_compile.c  -lselinux  ../src/libselinux.a -lpcre -lsepol -o sefcontext_compile

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-22 12:31:53 +02:00
James Carter
18f8747b28 libsepol/cil: Handle operations in a class mapping when verifying
When checking for circular class permission declarations and a class
mapping is encountered, the class permissions for each map permission
must be checked. An assumption was made that there were no operators
in the class permissions. An operator in the class permissions would
cause a segfault.

Example causing segfault:
  (classmap cm1 (mp1))
  (classmapping cm1 mp1 (CLASS (PERM)))
  (classpermission cp1)
  (classpermissionset cp1 (cm1 (all)))

For map class permissions, check each item in the permission list to
see if it is an operator. If it is not, then verify the class
permissions associated with the map permission. If it is an operator
and the operator is "all", then create a list of all permissions for
that map class and verify the class permissions associated with each
map permission. If it is a different operator, then it can be skipped.

This bug was found by the secilc-fuzzer.

Signed-off-by: James Carter <jwcart2@gmail.com>
2021-09-22 10:01:19 +02:00
James Carter
34f7a55d7e libsepol/cil: Do not use original type and typeattribute datums
When compiling CIL policy using secilc's "-m" option (which allows
duplicate declarations for types and type attributes), a segfault
will occur if the type or type attribute being copied has already
been declared. This is because a search of the symbol table is made
during the copy and the original datum will be used if one is found.
The original datum will be considered a duplicate when an attempt is
made to add it to the symbol table. The original datum, which is still
in use, will then be destroyed and a segfault will follow soon after
that.

Instead, always create a new datum. When it is added the new datum
will be destroyed if it is a duplicate and duplicate declarations
are allowed.

Signed-off-by: James Carter <jwcart2@gmail.com>
2021-09-22 09:46:20 +02:00
Christian Göttsche
a0a342c37b checkpolicy: free extended permission memory
define_te_avtab_xperms_helper() allocates memory for the avrule, while
define_te_avtab_ioctl() does not transfer any ownership of it.
Free the affected memory.

    Direct leak of 272 byte(s) in 2 object(s) allocated from:
        #0 0x49bb8d in __interceptor_malloc (./checkpolicy/checkmodule+0x49bb8d)
        #1 0x4f379c in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2047:24
        #2 0x4f379c in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2469:6
        #3 0x4cf417 in yyparse ./checkpolicy/policy_parse.y:494:30
        #4 0x4eaf35 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #5 0x50cccd in main ./checkpolicy/checkmodule.c:278:7
        #6 0x7fbfa455ce49 in __libc_start_main csu/../csu/libc-start.c:314:16

    Direct leak of 32 byte(s) in 2 object(s) allocated from:
        #0 0x49bb8d in __interceptor_malloc (./checkpolicy/checkmodule+0x49bb8d)
        #1 0x4f4a38 in avrule_sort_ioctls ./checkpolicy/policy_define.c:1844:12
        #2 0x4f4a38 in avrule_ioctl_ranges ./checkpolicy/policy_define.c:2021:6
        #3 0x4f4a38 in define_te_avtab_ioctl ./checkpolicy/policy_define.c:2399:6
        #4 0x4f4a38 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2475:7
        #5 0x4cf417 in yyparse ./checkpolicy/policy_parse.y:494:30
        #6 0x4eaf35 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #7 0x50cccd in main ./checkpolicy/checkmodule.c:278:7
        #8 0x7fbfa455ce49 in __libc_start_main csu/../csu/libc-start.c:314:16

Reported-by: liwugang <liwugang@163.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:42 -04:00
Christian Göttsche
ba18cf0cdf checkpolicy: print warning on source line overflow
In case the source line value overflows or has a too big value in the
source policy, print a warning.

    policy_scan.l:273:19: runtime error: implicit conversion from type 'int' of value -2 (32-bit, signed) to type 'unsigned long' changed the value to 18446744073709551614 (64-bit, unsigned)
    policy_scan.l:66:20: runtime error: unsigned integer overflow: 18446744073709551615 + 1 cannot be represented in type 'unsigned long'

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:37 -04:00
Christian Göttsche
15fcc6df66 checkpolicy: error out on parsing too big integers
Error out instead of silently converting too big integer values in
policy sources.

    policy_parse.y:893:41: runtime error: implicit conversion from type 'unsigned long' of value 18446744073709551615 (64-bit, unsigned) to type 'unsigned int' changed the value to 4294967295 (32-bit, unsigned)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:33 -04:00
Christian Göttsche
c7c582a0ef checkpolicy: avoid implicit conversion
Avoid implicit conversions from signed to unsigned values, found by
UB sanitizers, by using unsigned values in the first place.

    dismod.c:92:42: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:27 -04:00
Christian Göttsche
16d7dde41c checkpolicy: resolve dismod memory leaks
Example leak:

    Indirect leak of 4 byte(s) in 1 object(s) allocated from:
        #0 0x49bacd in __interceptor_malloc (./checkpolicy/test/dismod+0x49bacd)
        #1 0x58ae54 in add_i_to_a ./libsepol/src/util.c:55:21
        #2 0x53ea8e in symtab_insert ./libsepol/src/policydb.c:1729:6
        #3 0x536252 in roles_init ./libsepol/src/policydb.c:772:7
        #4 0x536252 in policydb_init ./libsepol/src/policydb.c:892:7
        #5 0x562ff1 in sepol_policydb_create ./libsepol/src/policydb_public.c:69:6
        #6 0x521a7c in module_package_init ./libsepol/src/module.c:96:6
        #7 0x521a7c in sepol_module_package_create ./libsepol/src/module.c:126:7
        #8 0x4cfb80 in read_policy ./checkpolicy/test/dismod.c:750:7
        #9 0x4cda10 in main ./checkpolicy/test/dismod.c:878:6
        #10 0x7f8538d01e49 in __libc_start_main csu/../csu/libc-start.c:314:16

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:20 -04:00