Disable generating filespec hash table stats on non-debug builds,
as they are not useful information for users and cause fixfiles
check to produce noisy output.
Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Define a logging callback for libselinux so that any informational
or error messages generated by libselinux functions are properly
prefixed with the program name and routed to the proper output stream.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
fixfiles was redirecting log output to `tty`. This overrides user intent
e.g. when shell redirection is used.
Redirect it to stdout, using /proc. `tty` equally depended on /proc.
We do not depend on /dev/stdout: it might not be present, if a rescue
system is booted with devtmpfs (no udev daemon).
By default, log messages were redirected into the void when not run from a
tty. We consider this a bug, which is now fixed.
1. If calling scripts happen to require the old behaviour, they can easily
write the same code themselves.
2. When fixfiles is run from Fedora's selinux-autorelabel.service,
the calling script is specifically run from a tty.
Also Fedora's calling script chooses to redirect stdout and stderr to
/dev/null. This redirection will now suceed, improving the transparency
of the code. The previous behaviour may be obtained by choosing not
to redirect the progress messages of this long-running process to
/dev/null. A patch has been submitted to Fedora to suggest this novel
approach: https://bugzilla.redhat.com/show_bug.cgi?id=1415674
Complete disclosure:
* Remove unused variable LOGGER.
* Fix logfiles containing spaces.
Disclaimer:
1. "Log" output may contain escape sequences (backspace?) e.g. in
`fixfiles -l log.txt restore`. This is not the usual understanding
of a log file.
2. For some reason, not all informative messages are sent to `-l` e.g.
the list of filesystems, and "cleaning up labels on /tmp".
3. `function logit` is retained, but the logfile is also written to
outside this function. Implementing support for the system log
would require another function which accepts piped input.
Also see point 1.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
While checkmodule tries to compile the following policy file and fails
because class "process" is not found, it does not free some allocated
memory:
module ckpol_leaktest 1.0.0;
require {type TYPE1;}
allow TYPE1 self:process fork;
clang memory sanitier output is:
=================================================================
==16050==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 136 byte(s) in 1 object(s) allocated from:
#0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
#1 0x41a620 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2450:24
#2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
#3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
#4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
#5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
#1 0x411c87 in insert_id /usr/src/selinux/checkpolicy/policy_define.c:120:18
Indirect leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
#1 0x43133c in ebitmap_set_bit /usr/src/selinux/libsepol/src/ebitmap.c:321:27
Indirect leak of 18 byte(s) in 1 object(s) allocated from:
#0 0x7f8bd80b5eb0 in __interceptor___strdup (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0x84eb0)
#1 0x41a6e5 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2460:28
#2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
#3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
#4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
#5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)
SUMMARY: AddressSanitizer: 186 byte(s) leaked in 4 allocation(s).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When parsing type_transition statements with names, the memory allocated
by the type set bitmaps of variable stypes and ttypes was never freed.
Call type_set_destroy() to free this memory and, while at it, make the
function exits without leaking memory when exiting with an error.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In function define_type(), some error conditions between "id =
queue_remove(id_queue)" and "get_local_type(id, attr->s.value, 1)"
returned without freeing id. Fix theses memory leaks.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
ln on macOS doesn't support --relative, so use the gnu version by default.
Also document how to build on macOS.
Signed-off-by: Karl MacMillan <karlwmacmillan@gmail.com>
Policy module structure created by libsepol out of base module
contains NULL in module name, which results in segfault in "pp"
compiler. Add NULL check.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1350806
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
libselinux/src/get_context_list.c defines
get_default_context_with_rolelevel(user, role, level...
libselinux/utils/getdefaultcon.c uses
get_default_context_with_rolelevel(seuser, role, level...
but libselinux/include/selinux/get_context_list.h declares
get_default_context_with_rolelevel(user, level, role...
and libselinux/man/man3/get_ordered_context_list.3 follows this
declaration.
Fix the header and the man page.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
There is no point in initializing a variable which gets
almost-immediately assigned an other value.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Even though "hashtab_key_t" is an alias for "char *", "const
hashtab_key_t" is not an alias for "(const char) *" but means "(char *)
const".
Introduce const_hashtab_key_t to map "(const char) *" and use it in
hashtab_search() and hashtab key comparison functions.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
After libsepol is modified (for example while developing new features or
fixing bugs), running "make install" in the top-level directory does not
update the programs which use libsepol.a. Add this static library to the
target dependencies in order to force their updates. This makes "make"
use libsepol.a in the linking command without using LDLIBS.
While at it, copy what commit 14d7064348 ("libselinux: Allow
overriding libsepol.a location during build") introduced in libselinux
Makefile by using a new LIBSEPOLA variable in all Makefiles.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
selinux.security_getenforce() triggers an exception when running tests
on systems without SELinux. In order to skip tests which need SELinux in
enforcing mode, test selinux.is_selinux_enabled() too, like commit
945bc8853b ("sandbox: make test not fail on systems without SELinux").
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When generating file_contexts.homedirs, libsemanage enumerates the users
on the system and tries to find misconfiguration issues by comparing
their home directories with file contexts defined in the policy. The
comparison is done by fcontext_matches().
Currently this function only operates on file contexts with type ALL,
but it makes sense to also operate on the DIR ones, as a comment states
in the function.
For example on a system with the following entry in /etc/passwd:
mytestservice❌2000💯:/var/lib/mytestservice/dir:/bin/bash
and with the following file context definition:
/var/lib/mytestservice/.* -d gen_context(system_u:object_r:var_lib_t,s0)
"semodule -B" now shows the following warning:
libsemanage.get_home_dirs: mytestservice homedir
/var/lib/mytestservice/dir or its parent directory conflicts with a
file context already specified in the policy. This usually
indicates an incorrectly defined system account. If it is a system
account please make sure its uid is less than 1000 or greater than
60000 or its login shell is /sbin/nologin.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Unlike queue_remove(), queue_head() does not modify the queue, but
rather, returns a pointer to an element within the queue. Freeing the
memory associated with a value returned from that function corrupts
subsequent users of the queue, who may try to reference this
now-deallocated memory.
This causes the following policy generation errors on Android:
FAILED:
out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
/bin/bash -c "out/host/linux-x86/bin/checkpolicy -M -C -c 30 -o
out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy.conf"
system/sepolicy/public/app.te:241:ERROR 'only ioctl extended permissions
are supported' at token ';' on line 6784:
#line 241
} };
checkpolicy: error(s) encountered while parsing configuration
because the value of "id" in:
id = queue_remove(id_queue);
if (strcmp(id,"ioctl") == 0) {
...
} else {
yyerror("only ioctl extended permissions are supported");
...
}
is now garbage.
This is a partial revert of the following commit:
c1ba8311 checkpolicy: free id where it was leaked
Signed-off-by: Nick Kralevich <nnk@google.com>
In commit 36f1ccbb57 ("policycoreutils: setfiles: print error if
no default label found"), a warning message was added to setfiles/restorecon
if the user explicitly does a restorecon /path/to/foo and
/path/to/foo does not have any matching label in file_contexts; in the
case of a restorecon -R or setfiles, the warning isn't supposed to be
logged. The check on the recursive flag got dropped when this logic was
taken into selinux_restorecon(3) in libselinux. Restore this check so
that we do not generate noisy log messages on restorecon -R or setfiles.
Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
fixfiles links to restorecon. However if you start with restorecon
"restore file(s) default SELinux security contexts", you can easily
miss the fixfiles script. fixfiles is more generally useful than
`restorecon -R`. For example `restorecon -R /` is not as good as
`fixfiles restore`, because the restorecon command will try to relabel
`/sys` and fail noisily.
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Fix missing and surplus commas. Fix the following formatting errors:
.BR selinux(8)
renders the the "(8)" in bold as well as the "selinux". This is wrong.
.B selinux
(8)
renders with a space between "selinux" and "(8)", this is wrong.
.B selinux (8)
commits both of the above mistakes.
.BR selinux (8), apparmor (8)
omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.
Correct all the above using the following markup:
.BR selinux (8),
.BR apparmor (8)
Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
- Sort included header files by their number of path components then
alphabetically.
- Include unistd.h and sys/types.h only once.
- Include sys/uio.h to get readv() and writev() declarations when
compiling with musl libc.
- Include poll.h instead of sys/poll.h as building with musl results in
the following message:
/usr/lib/musl/include/sys/poll.h:1:2: error: #warning redirecting
incorrect #include <sys/poll.h> to <poll.h> [-Werror=cpp]
#warning redirecting incorrect #include <sys/poll.h> to <poll.h>
^~~~~~~
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The prototype of isdigit() is provided by ctypes.h header. Without
including this file, gcc fails to build checkpolicy using musl libc:
checkpolicy.c: In function ‘main’:
checkpolicy.c:705:8: error: implicit declaration of function
‘isdigit’ [-Werror=implicit-function-declaration]
if (isdigit(ans[0])) {
^~~~~~~
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Building with musl libc leads to some build errors:
setrans_client.c: In function ‘receive_response’:
setrans_client.c:147:19: error: implicit declaration of function
‘readv’ [-Werror=implicit-function-declaration]
while (((count = readv(fd, resp_hdr, 3)) < 0) && (errno == EINTR)) ;
^~~~~
and:
In file included from matchpathcon.c:10:0:
/usr/include/sys/errno.h:1:2: error: #warning redirecting incorrect
#include <sys/errno.h> to <errno.h> [-Werror=cpp]
#warning redirecting incorrect #include <sys/errno.h> to <errno.h>
^
Fix the first one by including <sys/uio.h> and the second one by using
<errno.h> instead of <sys/errno.h>.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When sepol_polcap_getname() is called with a negative capnum, it
dereferences polcap_names[capnum] which produces a segmentation fault
most of the time.
For information, here is a gdb session when hll/pp loads a policy module
which has been mutated by American Fuzzy Lop:
Program received signal SIGSEGV, Segmentation fault.
sepol_polcap_getname (capnum=capnum@entry=-4259840) at polcaps.c:34
34 return polcap_names[capnum];
=> 0x00007ffff7a8da07 <sepol_polcap_getname+135>: 48 8b 04 f8 mov
(%rax,%rdi,8),%rax
(gdb) bt
#0 sepol_polcap_getname (capnum=capnum@entry=-4259840) at
polcaps.c:34
#1 0x00007ffff7a7c440 in polcaps_to_cil (pdb=0x6042e0) at
module_to_cil.c:2492
#2 sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79c75e0
<_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
module_to_cil.c:4039
#3 0x00007ffff7a7e695 in sepol_module_package_to_cil
(fp=fp@entry=0x7ffff79c75e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
module_to_cil.c:4087
#4 0x0000000000401acc in main (argc=<optimized out>,
argv=<optimized out>) at pp.c:150
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In an error path of define_bool_tunable(), variable id is freed after
being used by a successful call to declare_symbol(). This may cause
trouble as this pointer may have been used as-is in the policy symtab
hash table.
Moreover bool_value is never freed after being used. Fix this memory
leak too. This leak has been detected with gcc Address Sanitizer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When the restorecon method was added to the libselinux swig python
bindings, there was no libselinux restorecon implementation and it
he had to call matchpathcon() which is deprecated in favor of
selabel_lookup().
The new restorecon method uses selinux_restorecon method from libselinux
and which is exported by the previous commit.
https://github.com/SELinuxProject/selinux/issues/29
Fixes:
>>> selinux.restorecon('/var/lib', recursive=True)
Traceback (most recent call last):
File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 114, in restorecon
status, context = matchpathcon(path, mode)
FileNotFoundError: [Errno 2] No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Decrease loglevel of termination message
(eg. "restorecond[709]: terminated") to LOG_INFO because it is printed
upon normal shutdown of the daemon.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1264505
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Several functions in policy_define.c do not free id after handling it.
Add the missing free(id) statements.
The places where free(id) was missing were found both with gcc Address
Sanitizer and manual code inspection.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Elements which are inserted into a queue_t object are either NULL (from
insert_separator()) or strings allocated with malloc() in insert_id().
They would be freed if there are still present in the queue when it is
destroyed. Otherwise the memory allocated for these elements would be
leaked.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When parsing several genfscon statements for the same filesystem, the
content of local variable "fstype" is never freed. Moreover variable
"type" is never freed when define_genfs_context_helper() succeeds.
Fix these leaks by calling free() appropriately.
These leaks have been detected with gcc Address Sanitizer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Variable id is almost never freed in define_port_context().
This leak has been detected with gcc Address Sanitizer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
When running "make test" with the Address Sanitizer (by adding
-fsanitize=address to compiler flags), a lot of memory leaks are
reported from checkpolicy. Anyway some leaks come from the tests and it
seems cleaner to start fixing these ones.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When compiling libsepol tests, clang complains about some uninitialized
variables:
test-common.c:171:14: error: variable 'my_primary' is used
uninitialized whenever 'if' condition is false
[-Werror,-Wsometimes-uninitialized]
} else if (my_flavor == TYPE_ALIAS) {
^~~~~~~~~~~~~~~~~~~~~~~
test-common.c:179:30: note: uninitialized use occurs here
CU_ASSERT(type->primary == my_primary);
^~~~~~~~~~
/usr/include/CUnit/CUnit.h:123:30: note: expanded from macro
'CU_ASSERT'
{ CU_assertImplementation((value), __LINE__, #value, __FILE__, "", CU_...
^
test-common.c:171:10: note: remove the 'if' if its condition is
always true
} else if (my_flavor == TYPE_ALIAS) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test-common.c:153:25: note: initialize the variable 'my_primary' to
silence this warning
unsigned int my_primary, my_flavor, my_value;
^
= 0
test-common.c:171:14: error: variable 'my_value' is used
uninitialized whenever 'if' condition is false
[-Werror,-Wsometimes-uninitialized]
} else if (my_flavor == TYPE_ALIAS) {
^~~~~~~~~~~~~~~~~~~~~~~
test-common.c:181:30: note: uninitialized use occurs here
CU_ASSERT(type->s.value == my_value);
^~~~~~~~
/usr/include/CUnit/CUnit.h:123:30: note: expanded from macro
'CU_ASSERT'
{ CU_assertImplementation((value), __LINE__, #value, __FILE__, "", CU_...
^
test-common.c:171:10: note: remove the 'if' if its condition is
always true
} else if (my_flavor == TYPE_ALIAS) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test-common.c:153:46: note: initialize the variable 'my_value' to
silence this warning
unsigned int my_primary, my_flavor, my_value;
^
= 0
This is because the call to CU_FAIL("not an alias") is not fatal in
test_alias_datum(), and variables my_primary and my_value are indeed
used uninitialized in a CU_ASSERT statement later.
Silent the warning by moving the elseif condition to a CU_ASSERT
statement which replaces the CU_FAIL.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Fix unitialized variable compiler warnings when using the
"-O -Werror" flags on gcc6 by initializing the variables in
question. It was possible for err_data_len to be used without
initialization, but not cil_data_len.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Fix unitialized variable compiler warnings when using the
"-O3 -Werror" flags on gcc6 by initializing the variables in
question. The variables were never used before being initialized.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
When building libselinux package, "make install" creates /sbin directory
without putting anything in it. Remove this from the Makefile.
While at it, rename USRBINDIR variable USRSBINDIR (with an S) as it
refers to /usr/sbin.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
ustr library uses old (pre-C99) "extern inline" semantic. This makes it
incompatible with recent versions of gcc and clang, which default to
C99 standard. Distributions have shipped patched versions of this
library to fix issues (e.g. Gentoo package uses this patch:
https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-libs/ustr/files/ustr-1.0.4-gcc_5-check.patch?id=7dea6f8820f36bf389e6315044bea7507553bed0
) but there is no upstream solution to make ustr compatible with C99
standard.
The git tree of ustr (http://www.and.org/ustr/ustr.git) has not been
updated since 2008 and the developer of this project did not reply to
emails.
Therefore update genhomedircon implementation in order to no longer
rely on ustr library.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Use string functions from C standard library instead of ustr. This makes
the code simpler and make utilities.c no longer depend on ustr library.
This changes how semanage_split() behaves when delim is not empty (NULL
or "") and the input string contains several successive delimiters:
semanage_split("foo::::bar", ":") returned "bar" and now returns ":bar".
This would not have any impact in the current code as semanage_split()
is only called with delim="=" (through semanage_findval(), in
libsemanage/src/genhomedircon.c), in order to split a "key=value"
statement.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Before modifying semanage_split_on_space() and semanage_split(), test in
test_utilities.c how these functions behave for example when several
delimiter tokens are concatenated in the input string.
While at it, fix the memory leaks which were present in libsemanage
tests.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In order to run libsemanage tests, libsepol and libselinux source
directories need to exist next to libsemanage source directory. This
prevents tests to be run when using the released package.
As libsemanage tests only use public API of libselinux and libsepol,
link with the shared objects which are likely to be installed on the
system (or at least present in $DESTDIR).
While at it, drop TESTSRC variable as it was used to find libsemanage
internal headers but not the tested library (libsemanage.a). Moreover
add ../src/libsemanage.a to the target dependencies of the test
executable in order to rebuild it after libsemanage.a has been updated.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When modifications to libsemanage functions break the test cases tested
with the CUnit framework, "make test" currently succeeds, even though it
prints an output similar to:
Suite: semanage_store
Test: semanage_store_access_check ...passed
Test: semanage_get_lock ...passed
Test: semanage_nc_sort ...passed
Suite: semanage_utilities
Test: semanage_is_prefix ...passed
Test: semanage_split_on_space ...FAILED
1. test_utilities.c:150 - CU_ASSERT_STRING_EQUAL(temp,"baz")
Test: semanage_split ...passed
Test: semanage_list ...passed
Test: semanage_str_count ...passed
Test: semanage_rtrim ...passed
Test: semanage_str_replace ...passed
Test: semanage_findval ...passed
Test: slurp_file_filter ...passed
Like commit 2489b50a91 ("libsepol: make "make test" fails when a CUnit
test fails") did for libsepol tests, modify the logic of function
do_tests() to return an error value when there has been at least one
failure. This makes "make test" fail as expected.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>