If file_contexts.bin was opened with SELABEL_OPT_VALIDATE set, then
we should validate contexts in the same manner as with file_contexts.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Check to see if the file whose path is passed to selabel_open() starts
with the file_contexts.bin magic number, and if so, automatically
treat it as a file_contexts.bin file. This allows one to open
file_contexts.bin formatted files without necessarily having a .bin
file suffix. This removes the need for the previously added
.bin file suffix test.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add a selabel_cmp() interface for comparing two label configurations,
and implement it for the file backend (i.e. for file_contexts). This
allows comparing two file_contexts configurations to see if the first
is a subset of, equal/identical to, a superset of, or incomparable to
the second. The motivating use case is to allow comparing two
file_contexts.bin files in Android CTS to confirm that a device
file_contexts.bin file contains all of the entries in the AOSP
general file_contexts.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
At present, the label_file backend expects to be provided the path
to the text file_contexts file and always appends the .bin suffix
when checking for the binary file_contexts.bin file. If one
attempts to directly specify the path to a file_contexts.bin file
to selabel_open(), it will fail as the code will append a second
.bin suffix to it. Check to see if the file path already has a .bin
suffix and do not append it in that case.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change the label_file backend in libselinux to support systems
that only have file_contexts.bin files installed and do not ship
a file_contexts file at all. Only fail if neither file can be
loaded.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
https://github.com/systemd/systemd/issues/475 identified a problem
in libselinux with using getpid(3) rather than getpid(2) due to direct
use of the clone() system call by systemd. We could change libselinux
to use getpid(2) instead, but this would impose a getpid(2) system call
overhead on each get*con() or set*con() call. Rather than do this,
we can instead simplify the procattr cache and get rid of the
caching of the pid and tid entirely, along with the atfork handler.
With commit 3430519109c0423a49b9350aa8444beec798d5a7 ("use
/proc/thread-self when available"), we only need the tid when
on Linux < 3.17, so we can just always call gettid() in that case (as
done prior to the procattr cache) and drop the cached tid. The cached
pid and atfork handlers were only needed to reset the cached tid, so
those can also be dropped. The rest of the cached attributes are not
reset by the kernel on fork, only on exec, so we do not need to
flush them upon fork/clone.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Linux 3.17 introduced a /proc/thread-self symlink that can be used
to reference the proc files of the current thread without needing to
use gettid(2). Use this symlink when it exists, falling back to
using gettid(2) when it does not. This is generally beneficial, but
was specifically motivated by https://github.com/systemd/systemd/issues/475.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change selabel_open and label backends to take a
'const struct selinux_opt' argument. This work has already
been done for the Android version components.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
File labels assigned using the lookup_best_match() function do not
assign the best match if its regex contains metacharacters in the
binary file_contexts file version.
This change adds a new entry in the binary file with the calculated
prefix length that is then read when processing the file. This fix
also bumps SELINUX_COMPILED_FCONTEXT_MAX_VERS.
This patch relies on patch [1] that fixes the same problem
for text based file_contexts files.
[1] http://marc.info/?l=selinux&m=143576498713964&w=2
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
File labels assigned using the lookup_best_match() function do not
assign the best match if its regex contains metacharacters.
For non-exact regex matches, lookup_best_match() finds the closest match
by tracking the length of the matching prefix. Prefix match is tracked via
the prefix_len variable. This was previously calculated and set in
the spec_hasMetaChars() function. Commit 3cb6078 removed the
prefix_len calculation, this commit restores it.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
If the last line of a file_contexts file is not '\n' terminated
or if any line has additional isspace(3) characters at end, it
gave an invalid file type error.
read_spec_entries now handles these situations.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
If you add some local file contexts via semanage fcontext -a and
later delete them all via semanage fcontext -D, you get an empty
file_contexts.local file. Then when you try to load it, getline()
returns 0 and we fall through to the out path without having set rc.
In label_file.c, rc will always be non-zero at this point because
we will have failed the load_mmap() call. In sefcontext_compile,
rc may contain random garbage at this point. Explicitly set rc
before the loop.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Update file contexts generation and loading to use common code.
Remove "status = 0; after "status = sort_specs(data);" otherwise
the function will never indicate a failure.
The file labeling code also has minor formatting, white space
removal etc. changes.
label_file.c - Move process_line function to label_file.h
sefcontext_compile.c - Update to use common process_line code. Now frees
all malloc'ed memory, checked by valgrind. Also added optional -o output
file parameter - updated man page to reflect this change.
V2 - Revert to using compat_validate instead of selabel_validate.
V3 - Revert to using callback for validation now the problem has been
fixed by commit e889148494
("libselinux: build sefcontext_compile with static libselinux")
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
sefcontext_compile depends on libselinux internals, so it might
as well use static libselinux. Hide read_spec_entries as this is not
intended as a public interface for shared library users.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Fix memory issues flagged by valgrind.
These changes bring the property service in line with Android [1]
V2 reverts to original upstream %u when logging errors. Android needs
these corrections also.
[1] https://android-review.googlesource.com/#/c/153580/
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
When Eamon created label_file.c, he drew code from the setfiles program,
which I originally wrote. At the time, setfiles had a comment
about being derived in part from the setfiles.pl script written by SCC, so
Eamon put a comment in label_file.c that tried to preserve that lineage.
However, there was no real code lineage there. The setfiles program
was inspired by the setfiles.pl perl script, but the implementation was
a complete rewrite. And while label_file.c drew some data structures and
code from the setfiles C program, it had nothing to do with the setfiles.pl
script at all. Just drop the comment; it serves no purpose.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Currently sscanf is used with %ms parameters that are not supported
on all platforms. The new read_spec_entries function may be used
to replace these where required. This patch updates
sefcontext_compile, label_file and label_android_property services
to use the new function.
The file and property services have been tested on Android emulator
and the file service on Fedora 21.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Currently sefcontext_compile defines the mode field as mode_t whose
size will vary depending on the architecture (e.g. 32 bit / 64 bit).
This patch sets the size when writing/reading binary files to
uint32_t. The file version is set to SELINUX_COMPILED_FCONTEXT_MODE
V2 fixes those listed in http://marc.info/?l=selinux&m=143273965514292&w=2
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Missed a few references to these header files when they were
deprecated in 76913d8adb61b5afe28fd3b4ce91feab29e284dd.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The reading of bin files has been changed to follow that of loading
policy to catch over-runs. Entries that should be NUL terminated are
also checked. If any error, then process the text file. This should
fix all problems highlighted in [1] with V2 fixing those in [2].
V3 corrects int32_t/uint32_t for *_len entries and V4 fixes [3]
and adds pcre_fullinfo checks to validate regex and study data
sizes. pcre_fullinfo also validates its magic number.
Tested with bin files built using sefcontext_compile PCRE_VERS 1 and 2.
The following is a rough guide to the difference in processing a bin
file against a text file:
6K entries - x5
4K entries - x4
1K entries - x3
500 entries - x2
[1] http://marc.info/?l=selinux&m=143101983922281&w=2
[2] http://marc.info/?l=selinux&m=143161763905159&w=2
[3] http://marc.info/?l=selinux&m=143204170705586&w=2
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
openssh in Fedora uses "sshd_net_t" type for privilege separated
processes in the preauthentication phase. Similarly, openssh portable uses
"sftp_t" for internal-sftp processes. Both type are hardcoded what is not ideal.
Therefore selinux_openssh_contexts_path() was created to get a path where sshd
can get a correct types prepared by a distribution or an administrator.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
As mcstransd is not installed/running by default, we should not impose
the overhead of trying to connect to it on each operation that takes or
returns a security context string. Test for the existence of the socket
file on first use, and if the socket file does not exist, then skip the
processing on all subsequent calls.
Previously we had a similar attempt at optimization by checking
whether MLS was enabled, but since the kernel MLS support is enabled
even for -mcs and mcstransd is no longer installed/running by default,
this is not a useful optimization. Just replace it with the new test.
Compare strace ls -Z /usr/bin |& grep .setrans-unix before and after
this patch to get a sense of the impact.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Ensure that the array of strings is NULL terminated to stop core
dumps. Also cleaned up code.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
To avoid regressions such as the one reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1219045
add a test for /etc/selinux/config to is_selinux_enabled().
This ensures that systems that do not install selinux-policy
will continue to return 0 from is_selinux_enabled().
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As discussed in https://bugzilla.redhat.com/show_bug.cgi?id=1219718,
there are several inconsistencies between the matchpathcon man page
and the implementation. The same is true of the SELABEL_OPT_SUBSET
option for the selabel_file backend. Fix the man pages for both.
Also note in the man pages that the entire matchpathcon family
of functions is deprecated and recommend use of the corresponding
selabel interfaces for new code.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Check buffer address limits when processing *.bin files
to catch any over-runs. On failure process text file instead.
To test, the bin files were corrupted by adding and removing
various bits of data. Various file sizes were also checked and
all were caught by the patch.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Add support for new API functions selabel_partial_match and
selabel_lookup_best_match ported from the Android libselinux
fork.
Add supporting man(3) pages and test utilities: selabel_lookup,
selabel_lookup_best_match and selabel_partial_match.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
os.path.walk() function is deprecated and has been removed in Python 3
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
