Commit Graph

1745 Commits

Author SHA1 Message Date
James Carter
68885c80ea Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-09-29 14:49:34 -04:00
James Carter
c303ca910a libsepol/cil: Check for too many permissions in classes and commons
Fixes bug found by Nicolas Iooss as described below in the way suggested by Steve Lawrence.

Nicolass reported:

When compiling a CIL policy with more than 32 items in a class (e.g. in
(class capability (chown ...)) with many items),
cil_classorder_to_policydb() overflows perm_value_to_cil[class_index]
array. As this array is allocated on the heap through
calloc(PERMS_PER_CLASS+1, sizeof(...)), this makes secilc crash with the
following message:

    *** Error in `/usr/bin/secilc': double free or corruption (!prev): 0x000000000062be80 ***
    ======= Backtrace: =========
    /usr/lib/libc.so.6(+0x70c4b)[0x7ffff76a7c4b]
    /usr/lib/libc.so.6(+0x76fe6)[0x7ffff76adfe6]
    /usr/lib/libc.so.6(+0x777de)[0x7ffff76ae7de]
    /lib/libsepol.so.1(+0x14fbda)[0x7ffff7b24bda]
    /lib/libsepol.so.1(+0x152db8)[0x7ffff7b27db8]
    /lib/libsepol.so.1(cil_build_policydb+0x63)[0x7ffff7af8723]
    /usr/bin/secilc[0x40273b]
    /usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7ffff7657291]
    /usr/bin/secilc[0x402f7a]

This bug has been found by fuzzing secilc with american fuzzy lop.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-09-29 13:59:45 -04:00
Stephen Smalley
3a48f6ff90 Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-29 13:02:23 -04:00
Jeff Vander Stoep
6ccfa46ad4 libsepol: fix xperm mapping between avrule and avtab
Commit 915fa8f08f moves the xperm specified value directly from
avrule to avtab. The mapping between them is currently the same,
but may not always be. Instead these values should be mapped using
values defined in av_extended_perms_t and avtab_extended_perms_t.

Fixes: 915fa8f08f ("checkpolicy: switch operations to extended perms")

Change-Id: Ic9f4031c9381b2ff6cc46043fb1602758ef4c224
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2016-09-29 13:01:12 -04:00
Stephen Smalley
202fd6ed5d Updated libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-29 10:49:35 -04:00
Nicolas Iooss
b08d7c159e Makefile: make distclean target work
A mispelling in the Makefile in the root directory prevented "make
distclean" to go into subdirectories.

In libsemanage/src/, semanageswig_python_exception.i was not cleaned by
"make distclean" because the target did not use $(GENERATED) and this
variable was being redefined in the Makefile.

Fix these two bugs.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-29 10:48:14 -04:00
Stephen Smalley
d8bc2b7657 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-29 10:42:57 -04:00
Nicolas Iooss
ca3cc145d8 policycoreutils: setfiles: ignore restorecon_xattr in git
Commit f1352e7399 ("policycoreutils: setfiles - Utility to find
security.restorecon_last entries") introduced restorecon_xattr binary
without adding it to .gitignore.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-29 10:42:23 -04:00
Stephen Smalley
7be921921b Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-29 10:08:52 -04:00
Janis Danisevskis
e029ace4d9 libselinux: makes android label back ends configurable
Android label back ends are now configurable by NO_ANDROID_BACKEND,
which is set if on ANDROID_HOST != y.

Signed-off-by: Janis Danisevskis <jdanis@android.com>
2016-09-29 10:08:15 -04:00
Janis Danisevskis
6dd85b9e0e libselinux: android: fix lax service context lookup
We use the same lookup function for service contexts
that we use for property contexts. However, property
contexts are namespace based and only compare the
prefix. This may lead to service associations with
a wrong label.

This patch introduces a new back end for android
services with a stricter lookup function. Now the
service name must match the key of the service label
exactly.

Signed-off-by: Janis Danisevskis <jdanis@android.com>
2016-09-29 09:59:44 -04:00
Janis Danisevskis
b3d9550bcd libselinux: renamed andriod label backend source file
Signed-off-by: Janis Danisevskis <jdanis@android.com>
2016-09-29 09:50:08 -04:00
Stephen Smalley
35d7021a12 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-28 12:25:20 -04:00
William Roberts
b5dd7959d8 libselinux: add ANDROID_HOST=y build option
To build the selinux host configuration, specify
ANDROID_HOST=y on the Make command line.

eg)
make ANDROID_HOST=y
2016-09-28 12:22:15 -04:00
Stephen Smalley
c9fb010a41 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-28 12:08:49 -04:00
William Roberts
b67fefd991 libselinux: set DISABLE_RPM default to y.
Change the default build behavior to always use DISABLE_RPM.
To get the old behavior call make with DISABLE_RPM=n.

eg.)
make DISABLE_RPM=n

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-28 12:07:17 -04:00
William Roberts
9b3e18ed4d libselinux: rename EMFLAGS to DISABLE_FLAGS
Change EMFLAGS variable, used for setting additional CFLAGS
to DISABLE_FLAGS, to indicate its usage better.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-28 12:07:13 -04:00
Stephen Smalley
906a9839e8 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-28 12:04:37 -04:00
William Roberts
2ec56b3da9 libselinux: fix unused variable error
When building for Android, this error manifests itself:

label_file.c:570:7: error: unused variable ‘subs_file’ [-Werror=unused-variable]
  char subs_file[PATH_MAX + 1];

Fix it by moving the variable into the ifdef'd usage block.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-28 12:02:25 -04:00
Stephen Smalley
c44895c82c Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-28 11:47:52 -04:00
William Roberts
fba72330dd libselinux: drop DISABLE_BOOL=y option
Build option DISABLE_BOOL=y is not being used, and is broken, drop it.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-28 11:45:58 -04:00
William Roberts
42ab513703 libselinux: drop DISABLE_AVC=y
Remove build config DISABLE_AVC, it is unused and broken.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-28 11:43:36 -04:00
William Roberts
b8bb9a104b libselinux: drop build config EMBEDDED=y
It was reported that this is no longer used, so drop it.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-28 11:41:52 -04:00
Stephen Smalley
f9a62a1554 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-28 07:54:10 -04:00
Janis Danisevskis
36df37555b libselinux: sefcontext_compile invert semantics of "-r" flag
The "-r" flag of sefcontext_compile now causes it to omit the
precompiled regular expressions from the output.

Signed-off-by: Janis Danisevskis <jdanis@android.com>
2016-09-28 07:54:01 -04:00
Janis Danisevskis
487d652e71 libselinux: sefcontext_compile: Add "-i" flag
Adds the "-i" flag, which prints the version and
architecture identifier of the regular expression back end.

Signed-off-by: Janis Danisevskis <jdanis@android.com>
2016-09-28 07:52:49 -04:00
Janis Danisevskis
3b68c6f9e9 libselinux: Add architecture string to file_context.bin
Serialized precompiled regular expressins are architecture
dependent when using PCRE2. This patch
- bumps the SELINUX_COMPILED_FCONTEXT version to 5 and
- adds a field to the output indicating the architecture
  compatibility.

libselinux can cope with an architecture mismatch by
ignoring the precompiled data in the input file and recompiling
the regular expressions at runtime. It can also load older
versions of file_contexts.bin if they where built with
sefcontext_compile using the exact same version of the
pcre1/2 as selinux.

Signed-off-by: Janis Danisevskis <jdanis@android.com>
2016-09-28 07:51:58 -04:00
Stephen Smalley
eb5bcc6752 Updated libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-27 12:12:29 -04:00
Miroslav Grep
e3655a7378 libsemanage: Do not always print a module name warning
7a728e46 commit supposed to add a warning when a module name is
different than a filename, but this warning is printed always. This
commit fixes it.

Fixes:
$ semodule -X 400 -i testmod.pp
Warning: SELinux userspace will refer to the module from testmod.pp as
testmod rather than testmod

Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
2016-09-27 12:11:01 -04:00
Stephen Smalley
f0dc773856 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-27 09:48:54 -04:00
Laurent Bigonville
a992b9993d sandbox: Use dbus-run-session instead of dbus-launch when available
According to dbus upstream: "dbus-launch is fairly horrible code,
complicated by the historical need for it to support X11 autolaunching,
so the D-Bus maintainers would like to move it out of the critical path
and minimize its use."

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836289

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-09-27 09:48:03 -04:00
Stephen Smalley
ff0d3dde2e Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-26 15:41:13 -04:00
Stephen Smalley
2c0b12699d sefcontext_compile: do not fail silently
sefcontext_compile was failing silently on various error paths.
Generate a suitable error message to stderr for each error.

Before:
$ sefcontext_compile /path/to/unwritabledirectory/file_contexts
<no output, although non-zero exit status>

After:
$ sefcontext_compile /path/to/unwritabledirectory/file_contexts
sefcontext_compile: mkstemp /path/to/unwritabledirectory/file_contexts.binNmQJqa failed: Permission denied

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-26 15:25:12 -04:00
Stephen Smalley
6830e0d311 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-26 15:19:34 -04:00
William Roberts
0fdfdcc8a3 libselinux: add ifdef'ing for ANDROID and BUILD_HOST
On Android, certain discrepancies arise for unused functionality or
for dealing with the differences in Bionic libc. This patch includes
all the "ifdef'ing" required and introduces the BUILD_HOST define.

The BUILD_HOST define removes functionality not needed when building
libselinux for the Android build host machine.

Note that not all the libselinux src files are used to build
the host and target libraries on Android.

Change-Id: I7984e7b769c4dfa627d6cf311411fa2c93bb7ef7
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-26 15:15:31 -04:00
William Roberts
84d07ebd48 libselinux: introduce configurable backends
On Android for both the host build, and the target, certain
backends are not needed:
 - X Backend
 - DB Backend
 - Media Backend

Introduce the following defines for removing them from the
built library:

 - NO_X_BACKEND
 - NO_DB_BACKEND
 - NO_MEDIA_BACKEND

When configured with these options and an attempt
is made to use them, selabel_open() will return
ENOTSUP.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-26 15:06:43 -04:00
James Carter
a982bc61b5 Updated libselinux and policycoreutils ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-09-26 14:11:22 -04:00
Richard Haines
f1352e7399 policycoreutils: setfiles - Utility to find security.restorecon_last entries
This patch adds restorecon_xattr(8) to find and/or remove
security.restorecon_last entries added by setfiles(8) or
restorecon(8). Uses the services of selinux_restorecon_xattr(3).

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-09-26 14:05:58 -04:00
Richard Haines
2d814ff4c7 libselinux: Add function to find security.restorecon_last entries
This patch adds a new selinux_restorecon_xattr(3) function to find
and/or remove security.restorecon_last entries added by setfiles(8)
or restorecon(8).

Also review and update the man pages.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-09-26 14:05:54 -04:00
Richard Haines
2496c85734 policycoreutils: setfiles - Add option to stop setting the digest
Add -D option to setfiles and restorecon - Do not set or update
directory SHA1 digests when relabeling files. This will allow
users the option of not using the "security.restorecon_last"
extended attribute feature.

Also review and update the man pages.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-09-26 14:05:49 -04:00
James Carter
b0f76c3a4c Updated libsemanage and policycoreutils ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-09-26 11:47:03 -04:00
Petr Lautrbach
7a728e46a5 libsemanage: Use pp module name instead of filename
When a user installs a module, the filename is used as the module name.
This change was introduced with CIL language where a module name is not
stored in the module itself. It means that when a pp module has
different filename and stored module name, the filename is used instead
of the stored module name. It brings problems with compatibility for
scripts and modules which were built and used on older system and were
migrated to the new userspace.

This patch changes the behavior of semanage_direct_install_file() which
is used by 'semodule -i' so that when a module with pp language
extension is installed, it tries to get and use a stored module name
instead of a filename. A warning message is provided.

The warning message in policycoreutils/hll/pp is updated to reflect this
change:

$ semodule -X 400 -i /root/testfile.pp
Warning: SELinux userspace will refer to the module from /root/testfile.pp as testmod rather than testfile

$ /usr/libexec/selinux/hll/pp /root/testfile.pp testfile.cil
Warning: SELinux userspace will refer to the module from /root/testfile.pp as testmod rather than testfile

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-26 11:38:45 -04:00
Stephen Smalley
3638935b46 Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-26 11:09:51 -04:00
Nicolas Iooss
ea941ee14d libsepol/tests: fix mispelling of optimization option
In CFLAGS, -o0 means "output in file 0", not "compile at optimization
level 0".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-26 11:08:53 -04:00
Stephen Smalley
badb849805 Updated ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-26 11:03:33 -04:00
Nicolas Iooss
d977330c98 policycoreutils: Remove LDFLAGS from CFLAGS
Mixing LDFLAGS in CFLAGS can lead to compiler errors. For example in
policycoreutils/sandbox:

    $ make CC=clang LDFLAGS='-Wl,-as-needed,-no-undefined'
    clang -Wl,-as-needed,-no-undefined -I/usr/include
    -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W   -c -o
    seunshare.o seunshare.c
    clang-3.8: error: -Wl,-as-needed,-no-undefined: 'linker' input
    unused

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-26 11:02:40 -04:00
Nicolas Iooss
b7ac3286f2 libsemanage/tests: do not force using gcc
Allow using other compilers such as clang. Without this, the build fails
when $(CFLAGS) contains clang-specific flags:

    gcc: error: unrecognized command line option '-Weverything'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-26 11:01:49 -04:00
Nicolas Iooss
8647a6c621 libselinux: silent -Wsign-compare warnings
When building libselinux with gcc and many warning flags, the build
fails with the following errors:

    selinux_restorecon.c: In function ‘selinux_restorecon’:
    selinux_restorecon.c:784:36: error: comparison between signed and
    unsigned integer expressions [-Werror=sign-compare]
       if (!flags.ignore_digest && size == fc_digest_len &&
                                        ^~

    selabel_digest.c: In function ‘main’:
    selabel_digest.c:162:16: error: comparison between signed and
    unsigned integer expressions [-Werror=sign-compare]
      for (i = 0; i < digest_len; i++)
                    ^
    selabel_digest.c:173:17: error: comparison between signed and
    unsigned integer expressions [-Werror=sign-compare]
       for (i = 0; i < num_specfiles; i++) {
                     ^

clang reports the precise type information of the variables:

    selinux_restorecon.c:784:36: error: comparison of integers of
    different signs: 'ssize_t' (aka 'long') and 'size_t' (aka 'unsigned
    long') [-Werror,-Wsign-compare]
                if (!flags.ignore_digest && size == fc_digest_len &&
                                            ~~~~ ^  ~~~~~~~~~~~~~

    selabel_digest.c:162:16: error: comparison of integers of different
    signs: 'int' and 'size_t' (aka 'unsigned long')
    [-Werror,-Wsign-compare]
            for (i = 0; i < digest_len; i++)
                        ~ ^ ~~~~~~~~~~
    selabel_digest.c:173:17: error: comparison of integers of different
    signs: 'int' and 'size_t' (aka 'unsigned long')
    [-Werror,-Wsign-compare]
                    for (i = 0; i < num_specfiles; i++) {
                                ~ ^ ~~~~~~~~~~~~~

Silent the warnings by using size_t where appropriate.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-26 11:00:31 -04:00
Stephen Smalley
80f71e326b Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-26 10:57:32 -04:00
William Roberts
f7ec9d9137 libselinux: drop unused stdio_ext.h header file
Nothing was being used from the stdio_ext.h header file, so
remove it. Additionally, Mac builds, required for the
Android build, do not have this header.

Change-Id: Ic61c87fcda79ffebeef93a20a2b3802f048bb0b0
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-26 10:55:57 -04:00