Commit Graph

558 Commits

Author SHA1 Message Date
James Carter
d1d81b6c1f libsepol: Create the macro ebitmap_is_empty() and use it where needed
Create the macro ebitmap_is_empty() to check if an ebitmap is empty.
Use ebitmap_is_empty(), instead of ebitmap_cardinality() or
ebitmap_length(), to check whether or not an ebitmap is empty.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-03-02 13:23:59 +01:00
Nicolas Iooss
6968ea9775
libsepol: make ebitmap_cardinality() of linear complexity
As ebitmap_get_bit() complexity is linear in the size of the bitmap, the
complexity of ebitmap_cardinality() is quadratic. This can be optimized
by browsing the nodes of the bitmap directly in ebitmap_cardinality().

While at it, use built-in function __builtin_popcountll() to count the
ones in the 64-bit value n->map for each bitmap node. This seems better
suited than "count++". This seems to work on gcc and clang on x86,
x86_64, ARM and ARM64 but if it causes compatibility issues with some
compilers or architectures (or with older versions of gcc or clang),
the use of __builtin_popcountll() can be replaced by a C implementation
of a popcount algorithm.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2020-03-01 21:51:23 +01:00
Ondrej Mosnacek
ee4b20ca10 libsepol: grow hashtab dynamically
Detect when the hashtab's load factor gets too high and try to grow it
and rehash it in such case. If the reallocation fails, just keep the
hashtab at its current size, since this is not a fatal error (it will
just be slower).

This speeds up semodule -BN on Fedora from ~8.9s to ~7.2s (1.7 seconds
saved).

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-02-21 15:15:41 -05:00
Ondrej Mosnacek
00bdfefcce libsepol, newrole: remove unused hashtab functions
hashtab_replace() and hashtab_map_remove_on_error() aren't used
anywhere, no need to keep them around...

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-02-21 15:15:41 -05:00
Ondrej Mosnacek
542e878690 libsepol: cache ebitmap cardinality value
According to profiling of semodule -BN, ebitmap_cardinality() is called
quite often and contributes a lot to the total runtime. Cache its result
in the ebitmap struct to reduce this overhead. The cached value is
invalidated on most modifying operations, but ebitmap_cardinality() is
usually called once the ebitmap doesn't change any more.

After this patch, the time to do 'semodule -BN' on Fedora Rawhide has
decreased from ~10.9s to ~8.9s (2s saved).

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
[sds@tycho.nsa.gov: correct times per follow-up on list]
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-02-18 10:36:21 -05:00
Ondrej Mosnacek
a60343cabf libsepol/cil: remove unnecessary hash tables
The filename_- and range_trans_table ancillary hash tables in
cil_binary.c just duplicate the final policydb content and can be simply
removed.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-02-11 10:02:27 -05:00
James Carter
26a994539d libsepol/cil: Rewrite verification of map classes and classpermissionsets
The classperms associated with each map class permission and with each
classpermissionset are verified in __cil_verify_classperms() which had
multiple problems with how it did the verification.

1) Verification was short-circuited when the first normal class is found.
  The second classpermissionset statement below would not have been
  verified.
    (classpermission cp1)
    (classpermissionset cp1 (CLASS (PERM)))
    (classpermissionset cp1 cp2)

2) The classperms of a map class permission and classpermissionset were
not checked for being NULL before the function recursively called itself.
This would result in a segfault if the missing map or set was referred to
before the classmap or classpermission occured. This error was reported by
Dominick Grift (dominick.grift@defensec.nl).
  These rules would cause a segfault.
    (classmap cm1 (mp1))
    (classmapping cm1 mp1 (cm2 (mp2)))
    (classmap cm2 (mp2))
  But an error would be produced for these rules.
    (classmap cm1 (mp1))
    (classmap cm2 (mp2))
    (classmapping cm2 mp2 (cm1 (mp1)))

3) The loop detection logic was incomplete and could only detect a loop
with a certain statement ordering.
  These rules would cause a stack overflow.
    (classmap cm1 (mp1))
    (classmapping cm1 mp1 (cm2 (mp2)))
    (classmap cm2 (mp2))
    (classmapping cm2 mp2 (cm3 (mp3)))
    (classmap cm3 (mp3))
    (classmapping cm3 mp3 (cm2 (mp2)))

Rewrote __cil_verify_classperms() to fix these errors.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2020-02-06 11:01:07 -05:00
Christian Göttsche
3854698833 libsepol: add support for new polcap genfs_seclabel_symlinks
Add support for new SELinux policy capability genfs_seclabel_symlinks.
With this capability enabled symlinks on kernel filesystems will receive
contexts based on genfscon statements, like directories and files,
and not be restricted to the respective filesystem root sid.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-02-06 10:50:54 -05:00
Stephen Smalley
8677ce5e8f libsepol,checkpolicy: support omitting unused initial sid contexts
Remove restrictions in libsepol and checkpolicy that required all
declared initial SIDs to be assigned a context.  With this patch,
it is possible to build and load a policy that drops the sid <sidname>
<context> declarations for the unused initial SIDs.  It is still
required to retain the sid <sidname> declarations (in the flask
definitions) in order to preserve the initial SID ordering/values.
The unused initial SIDs can be renamed, e.g. to add an unused_
prefix or similar, if desired, since the names used in the policy
are not stored in the kernel binary policy.

In CIL policies, the (sid ...) and (sidorder (...)) statements
must be left intact for compatibility but the (sidcontext ...)
statements for the unused initial SIDs can be omitted after this change.

With current kernels, if one removes an unused initial SID context
from policy, builds policy with this change applied and loads the
policy into the kernel, cat /sys/fs/selinux/initial_contexts/<sidname>
will show the unlabeled context.  With the kernel patch to remove unused
initial SIDs, the /sys/fs/selinux/initial_contexts/<sidname>
file will not be created for unused initial SIDs in the first place.

NB If an unused initial SID was assigned a context different from
the unlabeled context in existing policy, then it is not safe to
remove that initial SID context from policy and reload policy on
the running kernel that was booted with the original policy.  This
is because that kernel may have assigned that SID to various kernel
objects already and those objects will then be treated as having
the unlabeled context after the removal.  In refpolicy, examples
of such initial SIDs are the "fs" SID and the "sysctl" SID.  Even
though these initial SIDs are not directly used (in code) by the current
kernel, their contexts are being applied to filesystems and sysctl files by
policy and therefore the SIDs are being assigned to objects.

NB The "sysctl" SID was in use by the kernel up until
commit 8e6c96935fcc1ed3dbebc96fddfef3f2f2395afc ("security/selinux:
fix /proc/sys/ labeling) circa v2.6.39.  Removing its context from
policy will cause sysctl(2) or /proc/sys accesses to end up
performing permission checks against the unlabeled context and
likely encounter denials for kernels < 2.6.39.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-29 10:17:02 -05:00
Ondrej Mosnacek
3d32fc24d6 libsepol: remove leftovers of cil_mem_error_handler
Commit 4459d635b8 ("libsepol: Remove cil_mem_error_handler() function
pointer") replaced cil_mem_error_handler usage with inline contents of
the default handler. However, it left over the header declaration and
two callers. Convert these as well and remove the header declaration.

This also fixes a build failure with -fno-common.

Fixes: 4459d635b8 ("libsepol: Remove cil_mem_error_handler() function pointer")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-01-27 10:51:18 -05:00
Ondrej Mosnacek
a96e8c59ec libsepol: fix CIL_KEY_* build errors with -fno-common
GCC 10 comes with -fno-common enabled by default - fix the CIL_KEY_*
global variables to be defined only once in cil.c and declared in the
header file correctly with the 'extern' keyword, so that other units
including the file don't generate duplicate definitions.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-01-27 10:51:14 -05:00
James Carter
11264556d8 libsepol/cil: Fix bug in cil_copy_avrule() in extended permission handling
When copying an avrule with extended permissions (permx) in
cil_copy_avrule(), the check for a named permx checks the new permx
instead of the old one, so the check will always fail. This leads to a
segfault when trying to copy a named permx because there will be an
attempt to copy the nonexistent permx struct instead of the name of
the named permx.

Check whether the original is a named permx instead of the new one.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2020-01-27 09:15:01 +01:00
Petr Lautrbach
dca7ce8195
Update VERSIONs to 3.0 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-11-28 13:46:48 +01:00
Petr Lautrbach
6e187f8a2a Update VERSIONs to 3.0-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-11-22 13:54:17 +01:00
James Carter
c7527bdb60 libsepol/cil: Report disabling an optional block only at high verbose levels
Since failing to resolve a statement in an optional block is normal,
only display messages about the statement failing to resolve and the
optional block being disabled at the highest verbosity level.

These messages are now only at log level CIL_INFO instead of CIL_WARN.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2019-11-06 12:32:06 -05:00
Petr Lautrbach
b3ed0a7a60 Update VERSIONs to 3.0-rc1 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-10-28 13:06:11 +01:00
Petr Lautrbach
e0e66c25e2 libsepol: Use LIBSEPOL_3.0 and fix sepol_policydb_optimize symbol mapping
There's a typo in commit b8213acff8 ("libsepol: add a function to optimize
kernel policy") which added new function sepol_policydb_optimize(), but there's
sepol_optimize_policy in libsepol.map.

LIBSEPOL_3.0 is used to follow the next release version libsepol-3.0

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2019-10-17 08:40:19 -04:00
James Carter
9d8fd6e9b9 libsepol: Further improve binary policy optimization
This improves commit b8213acf (libsepol: add a function to optimize
kernel policy) by Ondrej Mosnacek <omosnace@redhat.com> by always
removing redundant conditional rules which have an identical rule
in the unconditional policy.

Add a flag called not_cond to is_avrule_redundant(). When checking
unconditional rules against the avtab (which stores the unconditional
rules) we need to skip the actual rule that we are checking (otherwise
a rule would be determined to be redundant with itself and bad things
would happen), but when checking a conditional rule against the avtab
we do not want to skip an identical rule (which is what currently
happens), we want to remove the redundant permissions in the conditional
rule.

A couple of examples to illustrate when redundant condtional rules
are not removed.

Example 1
  allow t1 t2:class1 perm1;
  if (bool1) {
    allow t1 t2:class1 perm1;
  }
The conditional rule is clearly redundant, but without this change it
will not be removed, because of the check for an identical rule.

Example 2
  typeattribute t1 a1;
  allow t1 t2:class1 perm1;
  allow a1 t2:class1 perm1;
  if (bool1) {
    allow t1 t2:class1 perm1;
  }
The conditional rule is again clearly redundant, but now the order of
processing during the optimization will determine whether or not the
rule is removed. Because a1 contains only t1, a1 and t1 are considered
to be supersets of each other. If the rule with the attribute is
processed first, then it will be determined to be redundant and
removed, so the conditional rule will not be removed. But if the rule
with the type is processed first, then it will be removed and the
conditional rule will be determined to be redundant with the rule with
the attribute and removed as well.

The change reduces the size of policy a bit more than the original
optimization. Looking at the change in number of allow rules, there is
about a 10% improvement over the old optimization.
           orig    old    new
Refpolicy 113284  82467  78053
Fedora    106410  64015  60008

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2019-09-30 15:13:17 -04:00
Nicolas Iooss
120681c1a3 libsepol, libsemanage: add a macro to silence static analyzer warnings in tests
Several static analyzers (clang's one, Facebook Infer, etc.) warn about
NULL pointer dereferences after a call to CU_ASSERT_PTR_NOT_NULL_FATAL()
in the test code written using CUnit framework. This is because this
CUnit macro is too complex for them to understand that the pointer
cannot be NULL: it is translated to a call to CU_assertImplementation()
with an argument as TRUE in order to mean that the call is fatal if the
asserted condition failed (cf.
http://cunit.sourceforge.net/doxdocs/group__Framework.html).

A possible solution could consist in replacing the
CU_ASSERT_..._FATAL() calls by assert() ones, as most static analyzers
know about assert(). Nevertheless this seems to go against CUnit's API.

An alternative solution consists in overriding CU_ASSERT_..._FATAL()
macros in order to expand to assert() after a call to the matching
CU_ASSERT_...() non-fatal macro. This appears to work fine and to remove
many false-positive warnings from various static analyzers.

As this substitution should only occur when using static analyzer, put
it under #ifdef __CHECKER__, which is the macro used by sparse when
analyzing the Linux kernel.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-30 08:43:41 -04:00
Nicolas Iooss
b550c0e202
Fix many misspellings
Use codespell (https://github.com/codespell-project/codespell) in order
to find many common misspellings that are present in English texts.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-18 22:47:35 +02:00
Nicolas Iooss
cfc57c2e70 libsepol/tests: do not dereference a NULL pointer
In test_attr_types, the pointer decl is allowed to be NULL in the
beginning, but is dereferenced to produce a helpful message right before
a CU_ASSERT_FATAL. Make this derefence not happen if the pointer is
NULL.

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-17 10:38:59 -04:00
Nicolas Iooss
dddd28e90b libsepol/cil: do not dereference perm_value_to_cil when it has not been allocated
When one of the first allocations of cil_binary_create_allocated_pdb()
fails, the exit label dereferences the items of array perm_value_to_cil
even though it could be still NULL.

This issue has been found using clang's static analyzer:
https://327-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-08-05-203459-6149-1/report-febf85.html#EndPath

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-17 10:38:45 -04:00
Nicolas Iooss
c8ac3af7b5 libsepol: reset *p to NULL if sepol_module_package_create fails
semodule-utils/semodule_link/semodule_link.c contains:

    static sepol_module_package_t *load_module(char *filename)
    {
        /* ... */
        if (sepol_module_package_create(&p)) {
            /* ... */
            goto bad;

    /* ... */
    bad:
        sepol_module_package_free(p);

When sepol_module_package_create() fails while having successfully
allocated p, it currently frees p without setting it back to NULL. This
causes a use-after-free in load_module().

Prevent this use-after-free by setting sepol_module_package_create's
argument back to NULL when an error happens.

This issue has been found using Infer static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-17 10:38:41 -04:00
Nicolas Iooss
0b136a35e3 libsepol: do not dereference scope if it can be NULL
Doing this looks wrong:

    len = scope->decl_ids_len;
    if (scope == NULL) {
        /* ... */

Move the dereferencing of scope after the NULL check.

This issue has been found using Infer static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-17 10:38:38 -04:00
Nicolas Iooss
4a266cc3ce libsepol: do not dereference a failed allocated pointer
When strs_stack_init(&stack) fails to allocate memory and stack is still
NULL, it should not be dereferenced with strs_stack_pop(stack).

This issue has been found using Infer static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-17 10:38:29 -04:00
James Carter
4459d635b8 libsepol: Remove cil_mem_error_handler() function pointer
As reported by Nicolas Iooss (nicolas.iooss@m4x.org), static analyzers
have problems understanding that the default memory error handler does
not return since it is called through the cil_mem_error_handler()
function pointer. This results in a number of false positive warnings
about null pointer dereferencing.

Since the ability to set the cil_mem_error_handler() is only through
the function cil_set_mem_error_handler() which is never used and whose
definition is not in any header file, remove that function, remove the
use of cil_mem_error_handler() and directly in-line the contents of
the default handler, cil_default_mem_error_handler().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2019-09-17 10:38:20 -04:00
James Carter
dc4e54126b libsepol: Make an unknown permission an error in CIL
This patch is loosely based on a patch by Yuli Khodorkovskiy
<yuli@crunchydata.com> from June 13th, 2019.

Since any permission used in the policy should be defined, CIL
should return an error if it cannot resolve a permission used
in a policy. This was the original behavior of CIL.

The behavior was changed over three commits from July to November
2016 (See commits 46e157b47, da51020d6, and 2eefb20d8). The change
was motivated by Fedora trying to remove permissions from its
policy that were never upstreamed (ex/ process ptrace_child and
capability2 compromise_kernel). Local or third party modules
compiled with those permissions would break policy updates.

After three years it seems unlikely that we need to worry about
those local and third party modules and it is time for CIL to
give an error like it should.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2019-09-17 10:38:09 -04:00
Joshua Brindle
9ba35fe8c2 Add default_range glblub support
Policy developers can set a default_range default to glblub and
computed contexts will be the intersection of the ranges of the
source and target contexts. This can be used by MLS userspace
object managers to find the range of clearances that two contexts
have in common. An example usage is computing a transition between
the network context and the context of a user logging into an MLS
application.

For example, one can add a default with
this cil:

(defaultrange db_table glblub)

or in te (base module only):

default_range db_table glblub;

and then test using the compute_create utility:

$ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20

Some example range transitions are:

User Permitted Range | Network Device Label | Computed Label
---------------------|----------------------|----------------
s0-s1:c0.c12         | s0                   | s0
s0-s1:c0.c12         | s0-s1:c0.c1023       | s0-s1:c0.c12
s0-s4:c0.c512        | s1-s1:c0.c1023       | s1-s1:c0.c512
s0-s15:c0,c2         | s4-s6:c0.c128        | s4-s6:c0,c2
s0-s4                | s2-s6                | s2-s4
s0-s4                | s5-s8                | INVALID
s5-s8                | s0-s4                | INVALID

Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
2019-09-10 12:30:29 -04:00
Nicolas Iooss
7eef9386c2
libsepol: initialize a local variable once
Function optimize_cond_av_list() initializes its local variable pcov_cur
twice. Remove the first initialization.

This issue has been found using clang's static analyzer:
https://282-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-06-24-210510-6101-1/report-c64da3.html#EndPath

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-07-30 22:59:40 +02:00
Richard Haines
2a1766f443
selinux: Update manpages after removing legacy boolean and user code
Remove and update all relevant manpages.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2019-07-29 23:46:47 +02:00
Richard Haines
c3f9492d7f
selinux: Remove legacy local boolean and user code
Remove legacy local boolean and user code, and to preserve API/ABI
compatibility the following functions int values should be set to '0'
as they are no longer used:
  selinux_mkload_policy(int preservebools)
  security_set_boolean_list(.... int permanent)
and the following are now no-op and return '-1':
  security_load_booleans()
  sepol_genusers()
  sepol_set_delusers()
  sepol_genbools()
  sepol_genbools_array()
and these still return their paths for compatibility, however they are
marked as deprecated:
  selinux_booleans_path()
  selinux_users_path()

These have been removed as they are local functions only:
  sepol_genusers_policydb()
  sepol_genbools_policydb()

Also "SETLOCALDEFS" removed from SELinux config file and code.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2019-07-29 23:46:24 +02:00
Nicolas Iooss
3abeb7c654
libsepol: include module.c internal header in module_to_cil.c
In module_to_cil.c, sepol_ppfile_to_module_package() calls functions
from module.c without including the internal header. This makes building
libsepol with "gcc -flto -fuse-ld=gold" fails when linking libsepol.so:

    /tmp/ccHYAKVZ.ltrans21.ltrans.o:<artificial>:function
    sepol_ppfile_to_module_package: error: undefined reference to
    'sepol_module_package_free'
    /tmp/ccHYAKVZ.ltrans21.ltrans.o:<artificial>:function
    sepol_ppfile_to_module_package: error: undefined reference to
    'sepol_module_package_create'
    /tmp/ccHYAKVZ.ltrans21.ltrans.o:<artificial>:function
    sepol_ppfile_to_module_package: error: undefined reference to
    'sepol_module_package_create'
    collect2: error: ld returned 1 exit status

Fixes: https://github.com/SELinuxProject/selinux/issues/165

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-06-26 08:39:14 +02:00
Ondrej Mosnacek
b8213acff8 libsepol: add a function to optimize kernel policy
Add sepol_policydb_optimize(), which checks a kernel policy for
redundant rules (i.e. those that are covered by an existing more general
rule) and removes them.

Results on Fedora 29 policy:

WITHOUT OPTIMIZATION:
    # time semodule -B
    real    0m21,280s
    user    0m18,636s
    sys     0m2,525s

    $ wc -c /sys/fs/selinux/policy
    8692158 /sys/fs/selinux/policy

    $ seinfo (edited)
      Allow:            113159
      Dontaudit:         10297
      Total:            123156

WITH OPTIMIZATION ENABLED:
    # time semodule -B
    real    0m22,825s
    user    0m20,178s
    sys     0m2,520s

    $ wc -c /sys/fs/selinux/policy
    8096158 /sys/fs/selinux/policy

    $ seinfo (edited)
      Allow:             66334
      Dontaudit:          7480
      Total:             73814

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-06-25 10:11:00 -04:00
Unto Sten
84b8f30606 More accurate error messages
Signed-off-by: Unto Sten <sten.unto@gmail.com>
2019-06-19 09:03:20 -07:00
Unto Sten
163d5b456d Remove unneeded int
Signed-off-by: Unto Sten <sten.unto@gmail.com>
2019-06-19 09:03:03 -07:00
Mike Palmiotto
544cc7957b libsepol/cil: fix mlsconstrain segfault
Installing a cil module with invalid mlsconstrain syntax currently
results in a segfault. In the following module, the right-hand side of
the second operand of the OR is a list (mlstrustedobject):

$ cat test.cil
(class test (foo) )
(classorder (unordered test))

(mlsconstrain (test (foo))
	(or
		(dom h1 h2)
		(eq t2 (mlstrustedobject))
	)
)

$ sudo semodule -i test.cil
zsh: segmentation fault  sudo semodule -i test.cil

This syntax is invalid and should error accordingly, rather than
segfaulting. This patch provides this syntax error for the same module:

$ sudo semodule -i test.cil
t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side
Bad expression tree for constraint
Bad constrain declaration at /var/lib/selinux/mls/tmp/modules/400/test/cil:4
semodule:  Failed!

Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
2019-06-19 09:01:23 -07:00
Jokke Hämäläinen
eb2a875747 libsepol: Replace constant with sizeof()
Replace constant 18 with safer use of sizeof()

Signed-off-by: Unto Sten <sten.unto@gmail.com>
2019-06-19 09:01:12 -07:00
Jokke Hämäläinen
e8d880e0a2 libsepol: Check strdup() failures
Check strdup() failures

Signed-off-by: Unto Sten <sten.unto@gmail.com>
2019-06-19 09:01:12 -07:00
Richard Haines
159d5063d3 libsepol/cil: Allow validatetrans rules to be resolved
When validatetrans rule is in CIL policy it errors with:
u3, r3, and t3 can only be used with mlsvalidatetrans rules

Will now resolve these examples:
(validatetrans binder (and (and (eq t1 t1_t) (eq t2 t2_t)) (eq t3 t3_t)))
(mlsvalidatetrans file (and (and (eq t1 t1_t) (eq t2 t2_t))
    (and (eq t3 t3_t) (domby h1 h2))))

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2019-05-21 13:49:38 -04:00
Ondrej Mosnacek
3e506bda3b libsepol: add ebitmap_for_each_set_bit macro
Most of the users of ebitmap_for_each_bit() macro only care for the set
bits, so introduce a new ebitmap_for_each_positive_bit() macro that
skips the unset bits. Replace uses of ebitmap_for_each_bit() with the
new macro where appropriate.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-05-20 14:00:32 -04:00
Petr Lautrbach
891cfee44f Update VERSIONs to 2.9 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-15 11:32:30 +01:00
Petr Lautrbach
ee1809f453 Update VERSIONs to 2.9-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-01 13:58:20 +01:00
Nicolas Iooss
913613da66
libsepol/cil: silence static analyser's use-after-free warning
clang's static analyze reports a use-after-free in
__cil_expr_to_string(), when __cil_expr_to_string_helper() does not
modify its third parameter (variable s1 here) in this loop:

    for (curr = curr->next; curr; curr = curr->next) {
        __cil_expr_to_string_helper(curr, flavor, &s1);
        cil_asprintf(&c2, "%s %s", c1, s1);
        free(c1);
        free(s1);
        c1 = c2;
    }

Silence this warning by making sure s1 is always NULL at the beginning
of every iteration of the loop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-02-10 19:32:15 +01:00
Nicolas Iooss
bac905ce86 libsepol: do not use uninitialized value for low_value
clang's static analyzer reports a warning when low_bit is used without
having been initialized in statements such as:

    low_value = low_bit << 8;

The warning is: "Result of operation is garbage or undefined".

This is caused by low_bit being only initialized when in_range is true.
This issue is not critical because low_value is only used in an
"if (in_range)" block. Silence this warning by moving low_value's
assignment inside this block.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-02-06 09:08:58 +01:00
James Carter
4ba87e3d2c libsepol: Fix RESOURCE_LEAK defects reported by coverity scan
These were reported by Petr Lautrbach (plautrba@redhat.com) and this
patch was based on his patch with only a few changes.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2019-02-05 09:56:34 +01:00
Aleksei Nikiforov
0445e65d83 Allow installing translated man pages
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
2019-01-28 12:03:57 +01:00
Aleksei Nikiforov
e3e3873de7 Add man pages translation by Olesya Gerasimenko
Signed-off-by: Olesya Gerasimenko <gammaray@basealt.ru>
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
2019-01-28 12:03:57 +01:00
Petr Lautrbach
53312c7d61 Update VERSIONs to 2.9-rc1 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-01-25 11:48:54 +01:00
Stephen Smalley
49c13dd6bc
libsepol: ibpkeys.c: fix printf format string specifiers for subnet_prefix
Use PRIx64 to print the subnet_prefix (which is a uint64_t) instead
of lx.

Fixes #108

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-11-23 21:38:44 +01:00
James Carter
46c5207482 libsepol: mark permissive types when loading a binary policy
Nicolas Iooss reports:
When using checkpolicy to read a binary policy, permissive types are not
written in the output file. In order to reproduce this issue, a test
policy can be written from minimal.cil with the following commands:

    $ cd secilc/test/
    $ cp minimum.cil my_policy.cil
    $ echo '(typepermissive TYPE)' >> my_policy.cil
    $ secilc my_policy.cil
    $ checkpolicy -bC -o /dev/stdout policy.31

    # There is no "(typepermissive TYPE)" in checkpolicy output.

This is because TYPE_FLAGS_PERMISSIVE is added to typdatum->flags only
when loading a module, which uses the permissive flag in the type
properties. A kernel policy defines permissive types in a dedicated
bitmap, which gets loaded as p->permissive_map before the types are
loaded.

The solution is to use the permissive_map bitmap instead of relying on
the flags field of the struct type_datum when writing out CIL or
policy.conf policy from a binary.

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-11-06 14:11:56 -05:00