Commit Graph

3655 Commits

Author SHA1 Message Date
Christian Göttsche
44375cb4a2 libsepol: adjust type for saturation check
Change the type for the number of primary names in a symtab to uint32_t,
which conforms to the bytes read and the type used in the symtab.
The type is important for the saturation check via is_saturated(), since
it checks against -1 casted to the specific type.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-15 08:36:20 -05:00
Christian Göttsche
84a5457f88 libsepol: use str_read() where appropriate
Use the internal helper str_read() in more places while reading strings
from a binary policy.  This improves readability and helps adjusting
future sanity checks on inputs in fewer places.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-15 08:36:13 -05:00
Petr Lautrbach
1aaf594346
Update VERSIONs to 3.6-rc1 for release.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2023-11-08 12:51:35 +01:00
Petr Lautrbach
489197c419 Update translations
Source: https://translate.fedoraproject.org/projects/selinux/

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-07 16:27:38 -05:00
Christian Göttsche
7cf2bfb593 libsepol: reject unsupported policy capabilities
Kernel policies with unsupported policy capabilities enabled can
currently be parsed, since they result just in a bit set inside an
ebitmap.  Writing such a loaded policy into the traditional language or
CIL will fail however, since the unsupported policy capabilities can not
be converted into a name.

Reject kernel policies with invalid policy capabilities.

Reported-by: oss-fuzz (issue 60573)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-07 16:27:36 -05:00
Christian Göttsche
7b754f703d libsepol: more strict validation
Ensure the ibendport port is not 0 (similar to the kernel).

More general depth test for boolean expressions.

Ensure the boolean id is not set for logic operators.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-07 16:27:35 -05:00
Christian Göttsche
80eb21924b libsepol: validate constraint depth
Ensure constraint expressions are complete and do not exceed the
supported depth limit.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-07 16:27:33 -05:00
Christian Göttsche
4670a63081 libsepol: validate default type of transition is not an attribute
The default type of a type transition must be a regular type, not an
attribute.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-07 16:27:32 -05:00
Christian Göttsche
cb8289c2b2 libselinux: introduce reallocarray(3)
Introduce reallocarray(3), a realloc(3) wrapper incorporating a
multiplication overflow check.

Add private implementation in case the function is not provided by the
standard C library.

Use in appropriate locations.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-07 16:27:30 -05:00
Christian Göttsche
3dad44a1a9 libselinux: cast to unsigned char for character handling function
Character handling functions, like isspace(3), expect a value
representable as unsigned char or equal to EOF.  Otherwise the behavior
is undefined.

See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-07 16:27:29 -05:00
Christian Göttsche
674470fd89 libselinux/utils: update getdefaultcon
* mention -r <role> and -v command line options in usage string
* use distinct error messages on getseuser(3) and
  get_default_context_with_[role]level(3) failure
* always print program name on error
* drop unnecessary double parenthesis

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-07 16:27:27 -05:00
Christian Göttsche
2b9f21ef81 checkpolicy: add round-trip tests
Add round-trip tests for checkpolicy(8).
Test standard and MLS minimal policies as well as SELinux and Xen
policies with each available statement.
The output is checked against an expected result and then then checked
for idempotence.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-07 16:27:26 -05:00
Christian Göttsche
f9fd25005f libsepol: avtab: check read counts for saturation
Ensure counts are not set to the maximum value of their type.
Also limit their size during fuzzing to prevent OOM reports.

Reported-by: oss-fuzz (issue 60572), caused at the time by the filetrans
             prefix proposal
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-07 16:27:24 -05:00
Christian Göttsche
b1b3467a47 libsepol: reject avtab entries with invalid specifier
Neverallow avtab entries are not supported (normal and extended). Reject
them to avoid lookup confusions via avtab_search(), e.g. when searching
for a invalid key of AVTAB_TRANSITION|AVTAB_NEVERALLOW and the result of
only AVTAB_NEVERALLOW has no transition value.

Simplify the check for the number of specifiers by using the compiler
popcount builtin (already used in libsepol).

Reported-by: oss-fuzz (issue 60568), caused at the time by the filetrans
             prefix proposal
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-07 16:27:22 -05:00
Cathy Hu
84e0884260 sepolicy/manpage.py: make output deterministic
The list entries in the alphabetically grouped dict are
not sorted, which results in non-deterministic output for
index.html.

Sort entries of those lists to make the output deterministic
to be able to have reproducible builds.

See https://reproducible-builds.org/ for reasoning.
This patch was done while working on reproducible builds for openSUSE.

Signed-off-by: Cathy Hu <cahu@suse.de>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-11-07 16:27:21 -05:00
Dominick Grift
e533a45612 secilc/docs: fixes filecon example
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-11-07 16:27:18 -05:00
Huizhao Wang
ca76a8813e restorecond: compatible with the use of EUID
The `EUID` does not exist in some shell environments. To ensure compatibility,
use `id -u` instead of `EUID` when `EUID` does not exist.

Signed-off-by: Huizhao Wang <wanghuizhao1@huawei.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-11-07 16:27:11 -05:00
Christian Göttsche
6df403d597 libselinux: set errno on label lookup failure
selabel_lookup(3) is expected to set errno on lookup failure, i.e. when
it returns NULL.  Set errno if a regular expression failed to compile in
compile_regex().

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 15:08:26 -04:00
Christian Göttsche
168edd1ca2 libselinux: free elements on read_spec_entries() failure
Some entries might have been already parsed and allocated.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 15:08:03 -04:00
Christian Göttsche
dcb8e1bfbb libselinux/utils: drop include of internal header file
selabel_get_digest_all_partial_matches is dynamically linked against
libselinux, so it should not depend on any internals and thus do not
make use of an internal header file

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 15:07:37 -04:00
Christian Göttsche
c81c76cb6b libselinux: simplify internal selabel_validate prototype
Move the check whether to validate or not to the caller, to avoid all
having to carry the complete selabel_handle around.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 15:07:00 -04:00
Christian Göttsche
9911f2ac6f libselinux: check for stream rewind failures
Use fseek(3) instead of rewind(3) to detect failures.

Drop the final rewind in digest_add_specfile(), since all callers are
going to close the stream without any further action.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 15:06:37 -04:00
Christian Göttsche
275daa4e0b libselinux: avoid unused function
Define selabel_subs_init() only if its call-sites are enabled.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 15:02:17 -04:00
Christian Göttsche
25a1811087 libselinux: fix logic for building android backend
Fix the typo and adjust the logic accordingly so the android backend is
not build by default, but if either ANDROID_HOST or
LABEL_BACKEND_ANDROID is set to y.

Fixes: c2a58cc525 ("libselinux: LABEL_BACKEND_ANDROID add option to enable")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 15:02:02 -04:00
Christian Göttsche
0b93e30c93 libselinux: update string_to_mode()
Drop parameter NULL check since the only caller does a NULL check on the
argument.

Avoid strlen(3) call by comparing by hand.

Drop unreachable return statement.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 15:01:36 -04:00
Christian Göttsche
e28f6a8a15 libselinux/utils: use correct type for backend argument
selabel_open(3) expects the backend to be of type unsigned int.

Also initialize with a macro flag instead raw 0.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 15:01:15 -04:00
Christian Göttsche
0eb989f699 libselinux: parameter simplifications
Use bool where applicable.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 15:00:51 -04:00
Christian Göttsche
4eea9948d3 libselinux: avoid regex serialization truncations
Check (for the probably impossible) case the serialized data is longer
than the compiled fcontext format supports.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 15:00:36 -04:00
Christian Göttsche
f1a8afc272 libselinux/utils: use type safe union assignment
selinux_check_access.c:43:10: warning: cast to union type is a GNU extension [-Wgnu-union-cast]
       43 |                                      (union selinux_callback)cb_auditinfo);
          |                                      ^                       ~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 15:00:16 -04:00
Christian Göttsche
92b1e5b660 libselinux: simplify zeroing allocation
Merge malloc(3) plus memset(3) call into calloc(3).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 14:59:58 -04:00
Christian Göttsche
b4007663c5 libselinux: constify selabel_cmp(3) parameters
Comparing two selabel handles should (and currently does) not modify
them.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 14:59:19 -04:00
Christian Göttsche
df7d19ce60 setfiles: do not issue AUDIT_FS_RELABEL on dry run
Do not issue an audit event of type AUDIT_FS_RELABEL in case of a
passive check.

Print the reason for an audit_open(3) failure.

Do not prematurely exit in case audit_open(3) fails, since all important
work is already done, but proceed with cleanup tasks.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 14:58:54 -04:00
Christian Göttsche
9c668bfda6 libselinux: drop unnecessary warning overrides
Drop overrides of warning flags which are not triggered by any code.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 14:58:41 -04:00
Christian Göttsche
bfff3417b1 libselinux: drop obsolete optimization flag
The flag -fipa-pure-const is enabled by default in GCC at -O0 and above.

The flag is not supported by Clang, which might result in issues if a
compilation database was created via GCC.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 14:58:21 -04:00
Christian Göttsche
6ec7a49c3b libselinux: misc label cleanup
Drop unused parameter from selabel_is_digest_set().  It is only written
to but writes to the function local copy of the pointer are void.

Constify read-only handle parameter of selabel_validate() and
compat_validate().

Constify read-only from-address parameter of digest_add_specfile().

Constify read-only function pointer array initfuncs.

Merge malloc(3) and memset(3) calls into calloc(3).

Simplify boolean assignment.

Drop duplicate include file.

Drop return at end of void function.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 14:57:56 -04:00
Christian Göttsche
3459dfd92e libselinux/utils: update selabel_partial_match
Print usage information and exit if required path option is not given
or superfluous arguments are given.

Constify read-only variables assigned command line arguments.

Simplify bool evaluation.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 14:57:17 -04:00
Bruno Victal
bb5a8541fb secilc: Use versioned DocBook public identifier.
Fix xml validation issues that often crop up since the XML catalogs
for DocBook often only contain versioned public identifiers.

Signed-off-by: Bruno Victal <mirai@makinata.eu>
Acked-by: James Carter <jwcart2@gmail.com>
2023-10-11 14:54:47 -04:00
James Carter
01da3a9ca3 libsepol: Fix the version number for the latest exported function
cil_write_post_ast() should be in libsepol version 3.6, since version
3.5 has already been released.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-10-11 14:54:35 -04:00
James Carter
e609391105 checkpolicy: Remove support for role dominance rules
Role dominance has been deprecated for a very, very long time (since
at least August 2008) and has never been used in any widely deployed
policy.

Remove support for compiling role dominance rules.

Support will remain, for now, in libsepol for backwards compatibility.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:34:20 -04:00
James Carter
17c2247f20 secilc/docs: Add deny rule to CIL documentation
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:34:18 -04:00
James Carter
cc02a5f53f secilc/test: Add deny rule tests
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:34:16 -04:00
James Carter
409b4d3bd4 secilc/secil2tree: Add option to write CIL AST after post processing
This will show the resulting CIL AST after deny rules have been
processed.

Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:34:14 -04:00
James Carter
5d5a871cb1 libsepol: Export the cil_write_post_ast function
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:34:11 -04:00
James Carter
2fe8a49566 libsepol/cil: Add cil_write_post_ast function
The function cil_write_post_ast() will write the CIL AST after
post processing is done. Most post processing does not change the
CIL AST, this is where deny rules are processed (because to process
them, type attributes have to have been evaluated.)

When processed, deny rules may add new rules and attributes and the
deny rule itself will be removed from the AST, so using this new
function will show the results of the deny rule processing.

Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:34:09 -04:00
James Carter
b0ed365ed7 libsepol/cil: Process deny rules
A deny rule is like a neverallow rule, except that permissions are
removed rather than an error reported.

(allow S1 T1 P1)
(deny  S2 T2 P2)

First, write the allow rule with all of the permissions not in the deny rule
P3 = P1 and not P2
(allow S1 T1 P3)

Obviously, the rule is only written if P3 is not an empty list. This goes
for the rest of the rules as well--they are only written if the source and
target exist.

The remaining rules will only involve the common permissions
P4 = P1 and P2

Next, write the allow rule for any types in S1 that are not in S2
S3 = S1 and not S2
(allow S3 T1 P4)

Finally, write the allow rules needed to cover the types in T1 that are
not in T2. Since, T1 and T2 might be "self", "notself", or "other", this
requires more complicated handling. Any rule with "self" will not match
a rule with either "notself" or "other".

if (T1 is self and T2 is self) or (T1 is notself and T2 is notself) then
  Nothing more needs to be done.

The rest of the rules will depend on the intersection of S1 and S2
which cannot be the empty set since the allow and deny rules match.
S4 = S1 and S2

if T1 is notself or T1 is other or T2 is notself or T2 is other then
  if T1 is notself then
    if T2 is other then
      T = ALL and not S2
      (allow S4 T P4)
    else [T2 is not self, notself, or other]
      S5 = S4 and not T2
      S6 = S4 and T2
      TA = ALL and not T2
      TB = TA and not S4
      (allow S6 TA P4)
      (allow S5 TB P4)
      if cardinality(S5) > 1 then
        (allow S5 other P4)
  else if T1 is other then
    (allow S3 S4 P4)
    if T2 is notself then
      [Nothing else is needed]
    else if T2 is other then
      (allow S4 S3 P4)
    else [T2 is not self, notself, or other]
      S5 = S4 and not T2
      S6 = S4 and T2
      TC = S1 and not T2
      TD = S3 and not T2
      (allow S6 TC P4)
      (allow S5 TD P4)
      if cardinality(S5) > 1 then
        (allow S5 other P4)
  else [T1 is not self, notself, or other]
    S8 = S4 and T1
    (allow S8 self P4)
    if T2 is notself then
      [Nothing else is needed]
    else [T2 is other]
      T = T1 and not S2
      (allow S4 T P4)
else [Neither T1 nor T2 are notself or other]
  if T1 is self and T2 is not self then
    S5 = S4 and not T2
    (allow S5 self P4)
  else if T1 is not self and T2 is self then
    S7 = S4 and not T1
    S8 = S4 and T1
    T8 = T1 and not S4
    (allow S7 T1 P4)
    (allow S8 T8 P4)
    if cardinality(S8) > 1 then
      (allow S8 other P4)
  else [Neither T1 nor T2 is self]
    T3 = T1 and not T2
    (allow S4 T3 P4)

Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:34:07 -04:00
James Carter
9d5ca92be1 libsepol/cil: Add cil_tree_node_remove function
Add the function cil_tree_node_remove() which takes a node pointer
as an input, finds the parent, walks the list of nodes to the node
prior to the given node, updates that node's next pointer to remove
the given node from the tree, and then destroys the node.

Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:34:05 -04:00
James Carter
085e330062 libsepol/cil: Add cil_list_is_empty macro
Add a macro, called cil_list_is_empty, that returns true if the
list pointer or list head is NULL.

Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:34:03 -04:00
James Carter
347254695f libsepol/cil: Parse and add deny rule to AST, but do not process
Adds the ability to parse a deny rule, add it to the AST, and
write it out when writing the AST, but the deny rule is otherwise
ignored and does nothing.

When it is fully supported, the deny rule will work like a neverallow
except that it will remove permissions rather than give an error.

Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:34:01 -04:00
James Carter
0e88ee26fb secilc/test: Add notself and other tests
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:34:00 -04:00
James Carter
ed8f4a9508 secilc/docs: Add notself and other keywords to CIL documentation
Also reorganize the access vector rules section to minimize duplication
explanation of the parts of access vector rules.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-08-16 13:33:58 -04:00