Fixes bug found by Nicolas Iooss as described below in the way suggested by Steve Lawrence.
Nicolass reported:
When compiling a CIL policy with more than 32 items in a class (e.g. in
(class capability (chown ...)) with many items),
cil_classorder_to_policydb() overflows perm_value_to_cil[class_index]
array. As this array is allocated on the heap through
calloc(PERMS_PER_CLASS+1, sizeof(...)), this makes secilc crash with the
following message:
*** Error in `/usr/bin/secilc': double free or corruption (!prev): 0x000000000062be80 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x70c4b)[0x7ffff76a7c4b]
/usr/lib/libc.so.6(+0x76fe6)[0x7ffff76adfe6]
/usr/lib/libc.so.6(+0x777de)[0x7ffff76ae7de]
/lib/libsepol.so.1(+0x14fbda)[0x7ffff7b24bda]
/lib/libsepol.so.1(+0x152db8)[0x7ffff7b27db8]
/lib/libsepol.so.1(cil_build_policydb+0x63)[0x7ffff7af8723]
/usr/bin/secilc[0x40273b]
/usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7ffff7657291]
/usr/bin/secilc[0x402f7a]
This bug has been found by fuzzing secilc with american fuzzy lop.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Commit 915fa8f08f moves the xperm specified value directly from
avrule to avtab. The mapping between them is currently the same,
but may not always be. Instead these values should be mapped using
values defined in av_extended_perms_t and avtab_extended_perms_t.
Fixes: 915fa8f08f ("checkpolicy: switch operations to extended perms")
Change-Id: Ic9f4031c9381b2ff6cc46043fb1602758ef4c224
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
A mispelling in the Makefile in the root directory prevented "make
distclean" to go into subdirectories.
In libsemanage/src/, semanageswig_python_exception.i was not cleaned by
"make distclean" because the target did not use $(GENERATED) and this
variable was being redefined in the Makefile.
Fix these two bugs.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Commit f1352e7399 ("policycoreutils: setfiles - Utility to find
security.restorecon_last entries") introduced restorecon_xattr binary
without adding it to .gitignore.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Android label back ends are now configurable by NO_ANDROID_BACKEND,
which is set if on ANDROID_HOST != y.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
We use the same lookup function for service contexts
that we use for property contexts. However, property
contexts are namespace based and only compare the
prefix. This may lead to service associations with
a wrong label.
This patch introduces a new back end for android
services with a stricter lookup function. Now the
service name must match the key of the service label
exactly.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
Change the default build behavior to always use DISABLE_RPM.
To get the old behavior call make with DISABLE_RPM=n.
eg.)
make DISABLE_RPM=n
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Change EMFLAGS variable, used for setting additional CFLAGS
to DISABLE_FLAGS, to indicate its usage better.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building for Android, this error manifests itself:
label_file.c:570:7: error: unused variable ‘subs_file’ [-Werror=unused-variable]
char subs_file[PATH_MAX + 1];
Fix it by moving the variable into the ifdef'd usage block.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
The "-r" flag of sefcontext_compile now causes it to omit the
precompiled regular expressions from the output.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
Adds the "-i" flag, which prints the version and
architecture identifier of the regular expression back end.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
Serialized precompiled regular expressins are architecture
dependent when using PCRE2. This patch
- bumps the SELINUX_COMPILED_FCONTEXT version to 5 and
- adds a field to the output indicating the architecture
compatibility.
libselinux can cope with an architecture mismatch by
ignoring the precompiled data in the input file and recompiling
the regular expressions at runtime. It can also load older
versions of file_contexts.bin if they where built with
sefcontext_compile using the exact same version of the
pcre1/2 as selinux.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
7a728e46 commit supposed to add a warning when a module name is
different than a filename, but this warning is printed always. This
commit fixes it.
Fixes:
$ semodule -X 400 -i testmod.pp
Warning: SELinux userspace will refer to the module from testmod.pp as
testmod rather than testmod
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
According to dbus upstream: "dbus-launch is fairly horrible code,
complicated by the historical need for it to support X11 autolaunching,
so the D-Bus maintainers would like to move it out of the critical path
and minimize its use."
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836289
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
sefcontext_compile was failing silently on various error paths.
Generate a suitable error message to stderr for each error.
Before:
$ sefcontext_compile /path/to/unwritabledirectory/file_contexts
<no output, although non-zero exit status>
After:
$ sefcontext_compile /path/to/unwritabledirectory/file_contexts
sefcontext_compile: mkstemp /path/to/unwritabledirectory/file_contexts.binNmQJqa failed: Permission denied
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
On Android, certain discrepancies arise for unused functionality or
for dealing with the differences in Bionic libc. This patch includes
all the "ifdef'ing" required and introduces the BUILD_HOST define.
The BUILD_HOST define removes functionality not needed when building
libselinux for the Android build host machine.
Note that not all the libselinux src files are used to build
the host and target libraries on Android.
Change-Id: I7984e7b769c4dfa627d6cf311411fa2c93bb7ef7
Signed-off-by: William Roberts <william.c.roberts@intel.com>
On Android for both the host build, and the target, certain
backends are not needed:
- X Backend
- DB Backend
- Media Backend
Introduce the following defines for removing them from the
built library:
- NO_X_BACKEND
- NO_DB_BACKEND
- NO_MEDIA_BACKEND
When configured with these options and an attempt
is made to use them, selabel_open() will return
ENOTSUP.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
This patch adds restorecon_xattr(8) to find and/or remove
security.restorecon_last entries added by setfiles(8) or
restorecon(8). Uses the services of selinux_restorecon_xattr(3).
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
This patch adds a new selinux_restorecon_xattr(3) function to find
and/or remove security.restorecon_last entries added by setfiles(8)
or restorecon(8).
Also review and update the man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Add -D option to setfiles and restorecon - Do not set or update
directory SHA1 digests when relabeling files. This will allow
users the option of not using the "security.restorecon_last"
extended attribute feature.
Also review and update the man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
When a user installs a module, the filename is used as the module name.
This change was introduced with CIL language where a module name is not
stored in the module itself. It means that when a pp module has
different filename and stored module name, the filename is used instead
of the stored module name. It brings problems with compatibility for
scripts and modules which were built and used on older system and were
migrated to the new userspace.
This patch changes the behavior of semanage_direct_install_file() which
is used by 'semodule -i' so that when a module with pp language
extension is installed, it tries to get and use a stored module name
instead of a filename. A warning message is provided.
The warning message in policycoreutils/hll/pp is updated to reflect this
change:
$ semodule -X 400 -i /root/testfile.pp
Warning: SELinux userspace will refer to the module from /root/testfile.pp as testmod rather than testfile
$ /usr/libexec/selinux/hll/pp /root/testfile.pp testfile.cil
Warning: SELinux userspace will refer to the module from /root/testfile.pp as testmod rather than testfile
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Mixing LDFLAGS in CFLAGS can lead to compiler errors. For example in
policycoreutils/sandbox:
$ make CC=clang LDFLAGS='-Wl,-as-needed,-no-undefined'
clang -Wl,-as-needed,-no-undefined -I/usr/include
-DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W -c -o
seunshare.o seunshare.c
clang-3.8: error: -Wl,-as-needed,-no-undefined: 'linker' input
unused
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Allow using other compilers such as clang. Without this, the build fails
when $(CFLAGS) contains clang-specific flags:
gcc: error: unrecognized command line option '-Weverything'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When building libselinux with gcc and many warning flags, the build
fails with the following errors:
selinux_restorecon.c: In function ‘selinux_restorecon’:
selinux_restorecon.c:784:36: error: comparison between signed and
unsigned integer expressions [-Werror=sign-compare]
if (!flags.ignore_digest && size == fc_digest_len &&
^~
selabel_digest.c: In function ‘main’:
selabel_digest.c:162:16: error: comparison between signed and
unsigned integer expressions [-Werror=sign-compare]
for (i = 0; i < digest_len; i++)
^
selabel_digest.c:173:17: error: comparison between signed and
unsigned integer expressions [-Werror=sign-compare]
for (i = 0; i < num_specfiles; i++) {
^
clang reports the precise type information of the variables:
selinux_restorecon.c:784:36: error: comparison of integers of
different signs: 'ssize_t' (aka 'long') and 'size_t' (aka 'unsigned
long') [-Werror,-Wsign-compare]
if (!flags.ignore_digest && size == fc_digest_len &&
~~~~ ^ ~~~~~~~~~~~~~
selabel_digest.c:162:16: error: comparison of integers of different
signs: 'int' and 'size_t' (aka 'unsigned long')
[-Werror,-Wsign-compare]
for (i = 0; i < digest_len; i++)
~ ^ ~~~~~~~~~~
selabel_digest.c:173:17: error: comparison of integers of different
signs: 'int' and 'size_t' (aka 'unsigned long')
[-Werror,-Wsign-compare]
for (i = 0; i < num_specfiles; i++) {
~ ^ ~~~~~~~~~~~~~
Silent the warnings by using size_t where appropriate.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Nothing was being used from the stdio_ext.h header file, so
remove it. Additionally, Mac builds, required for the
Android build, do not have this header.
Change-Id: Ic61c87fcda79ffebeef93a20a2b3802f048bb0b0
Signed-off-by: William Roberts <william.c.roberts@intel.com>