Fixes:
Error: RESOURCE_LEAK (CWE-772):
libselinux-3.6/src/matchpathcon.c:519: alloc_arg: "lgetfilecon_raw" allocates memory that is stored into "con". [Note: The source code implementation of the function has been overridden by a user model.]
libselinux-3.6/src/matchpathcon.c:528: leaked_storage: Variable "con" going out of scope leaks the storage it points to.
\# 526|
\# 527| if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
\# 528|-> return -1;
\# 529|
\# 530| if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Fixes:
Error: IDENTICAL_BRANCHES (CWE-398):
libselinux-3.6/src/setexecfilecon.c:45: implicit_else: The code from the above if-then branch is identical to the code after the if statement.
libselinux-3.6/src/setexecfilecon.c:43: identical_branches: The same code is executed when the condition "rc < 0" is true or false, because the code in the if-then branch and after the if statement is identical. Should the if statement be removed?
\# 41|
\# 42| rc = setexeccon(newcon);
\# 43|-> if (rc < 0)
\# 44| goto out;
\# 45| out:
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Set errno in open_file() if rolling_append(), which does not set errno,
failed, since transitive callers might rely on it.
Reported-by: clang-analyzer
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Free the allocated line if it fails to parse via process_line() for the
X or media database.
Also declare the line_buf parameter of process_line() const, so it is
more obvious it is not modified or free'd.
Reported-by: clang-analyzer
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In case fclose(3) might modify the global variable errno, use a wrapper
retaining the errno value. In the affected cases the success of
fclose(3) itself is not important, since the underlying descriptor is
only read from.
Reported-by: clang-analyzer
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
https://github.com/swig/swig/blob/master/CHANGES.current
"[Python] #2907 Fix returning null from functions with output
parameters. Ensures OUTPUT and INOUT typemaps are handled
consistently wrt return type.
New declaration of SWIG_Python_AppendOutput is now:
SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void);
The 3rd parameter is new and the new $isvoid special variable
should be passed to it, indicating whether or not the wrapped
function returns void.
Also consider replacing with:
SWIG_AppendOutput(PyObject* result, PyObject* obj);
which calls SWIG_Python_AppendOutput with same parameters but adding $isvoid
for final parameter."
Fixes: https://github.com/SELinuxProject/selinux/issues/447
selinuxswig_python_wrap.c: In function ‘_wrap_security_compute_user’:
selinuxswig_python_wrap.c:11499:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
11499 | resultobj = SWIG_Python_AppendOutput(resultobj, plist);
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c:1248:1: note: declared here
1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c: In function ‘_wrap_security_compute_user_raw’:
selinuxswig_python_wrap.c:11570:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
11570 | resultobj = SWIG_Python_AppendOutput(resultobj, plist);
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c:1248:1: note: declared here
1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c: In function ‘_wrap_security_get_boolean_names’:
selinuxswig_python_wrap.c:12470:17: error: too few arguments to function ‘SWIG_Python_AppendOutput’
12470 | resultobj = SWIG_Python_AppendOutput(resultobj, list);
| ^~~~~~~~~~~~~~~~~~~~~~~~
selinuxswig_python_wrap.c:1248:1: note: declared here
1248 | SWIG_Python_AppendOutput(PyObject* result, PyObject* obj, int is_void) {
| ^~~~~~~~~~~~~~~~~~~~~~~~
error: command '/usr/bin/gcc' failed with exit code 1
Suggested-by: Jitka Plesnikova <jplesnik@redhat.com>
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
It was originally marked for deprecation back in Feb 2020,
commit a41dfeb55d ("libselinux: deprecate security_compute_user(),
update man pages"), but the attribute was not added at the time.
Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
In commit d95bc8b755 ("libselinux: migrating hashtab from
policycoreutils") and commit 4a420508a9 ("libselinux: adapting hashtab
to libselinux"), the hashtab implementation was copied to libselinux.
Since the same functions exist in libsepol (e.g., hashtab_create,
hashtab_destroy, etc), a compilation error is raised when both libraries
are included statically.
Prefix the libselinux internal implementation with "selinux_".
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: James Carter <jwcart2@gmail.com>
The runtime disable functionality has been removed in Linux 6.4. Thus
security_disable(3) will no longer work on these kernels.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Trying to compile libselinux for 32-bit produces the following error:
selinux_restorecon.c:1194:31: error: comparison of integer expressions of different signedness: ‘__fsword_t’ {aka ‘int’} and ‘unsigned int’ [-Werror=sign-compare]
1194 | if (state.sfsb.f_type == RAMFS_MAGIC || state.sfsb.f_type == TMPFS_MAGIC ||
| ^~
Since RAMFS_MAGIC = 0x858458f6 == 2240043254, which > 2^31, but < 2^32,
cast both as uint32_t for the comparison.
Reported-by: Daniel Schepler
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
restorecon.h uses types defined in label.h, so it needs to include
label.h (or code using restorecon.h also needs to include label.h,
which is not practical).
Fixes:
$ make DESTDIR=~/obj install > make.out
In file included from semanage_store.c:39:
/home/sdsmall/obj/usr/include/selinux/restorecon.h:137:52: error:
‘struct selabel_handle’ declared inside parameter list will not be
visible outside of this definition or declaration [-Werror]
137 | extern void selinux_restorecon_set_sehandle(struct
selabel_handle *hndl);
| ^~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[2]: *** [Makefile:111: semanage_store.o] Error 1
make[1]: *** [Makefile:15: install] Error 2
make: *** [Makefile:40: install] Error 1
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Fixes segfault in selabel_open() on systems with SELinux disabled and without any
SELinux policy installed introduced by commit 5876aca048 ("libselinux: free
data on selabel open failure"):
$ sestatus
SELinux status: disabled
$ cat /etc/selinux/config
cat: /etc/selinux/config: No such file or directory
$ matchpathcon /abc
[1] 907999 segmentation fault (core dumped) matchpathcon /abc
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
The option array passed to avc_open(3) is only read from.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Since commit 5876aca0 ("libselinux: free data on selabel open failure")
the close handler of label backends must support partial initialized
state, e.g. ->data being NULL. Thus checks for NULL were added, but in
two cases the pointers in question were already dereferenced before.
Reorder the dereference after the NULL-checks.
Fixes: 5876aca0 ("libselinux: free data on selabel open failure")
Reported-by: Cppcheck
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In case scandir(3) finds no entries still free the returned result to
avoid leaking it.
Also do not override errno in case of a failure.
Reported.by: Cppcheck
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The map parameter of selinux_set_mapping(3) is only read from and not
modified, thus declare it const.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The parameter for set_matchpathcon_printf(3) is a function pointer that
takes a format string with variable arguments. Add a GNU printf
function attribute, if supported, to enable compilers checking for
format string inconsistencies.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
For functions that do not take any argument use consistently void
instead of empty parenthesis.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Sync the const qualifiers of parameters with the actual implementation.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Set the correct file extension .3 (instead of .c) for the
security_validatetrans(3) and security_validatetrans_raw(3) man pages.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
If no policy has been loaded yet and thus the current context is still
"kernel" avoid logging failures in get_ordered_context_list(), like:
get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/users/root
get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/default_contexts
Move the context parsing from get_context_user() to its caller
get_ordered_context_list(), so an invalid context is not treated as an
get_context_user() failure and not logged.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In libselinux there is an availability check for strlcpy() and
in both libselinux and libsepol there are availability checks for
reallocarray() in the src Makfiles. CFLAGS and LDFLAGS are needed
for cross-compiling, but, unfortunately, the default CFLAGS cause
all of these availability checks to fail to compile because of
compilationerrors (rather than just the function not being available).
Add CFLAGS and LDFLAGS to the availibility checks, update the checks
so that a compilation error will only happen if the function being
checked for is not available, and make checks for the same function
the same in both libselinux and libsepol.
Suggested-by: Jordan Williams <jordan@jwillikers.com>
Suggested-by: Winfried Dobbe <winfried_mb2@xmsnet.nl>
Signed-off-by: James Carter <jwcart2@gmail.com>
Since commit 65c8fd45 ("libselinux: fail selabel_open(3) on invalid
option") selabel_open(3) rejects options not supported for the
respective backend. Pass SELABEL_OPT_BASEONLY only if the file backend
is selected.
Reported-by: zgzxx (https://github.com/SELinuxProject/selinux/issues/427)
Fixes: 65c8fd45 ("libselinux: fail selabel_open(3) on invalid option")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In case the init function for a selabel backend fails, free the possible
already allocated data:
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x5e7e2bf001e3 in malloc (/tmp/destdir/usr/sbin/selabel_digest+0xc71e3)
#1 0x7233764baa65 in selabel_media_init /home/christian/Coding/workspaces/selinux/libselinux/src/label_media.c:226:30
#2 0x7233764ac1fe in selabel_open /home/christian/Coding/workspaces/selinux/libselinux/src/label.c:227:6
#3 0x5e7e2bf3ebfc in main /home/christian/Coding/workspaces/selinux/libselinux/utils/selabel_digest.c:125:8
#4 0x7233761856c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In case the specfiles have very long paths or there are too many abort
instead of writing past the stack buffer.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Avoid global variable.
Constify read-only parameters.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The command line option -d is not supported, drop from usage message.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use the reentrant version strtok_r(3) instead of strtok(3) to avoid
potential data races with concurrent threads.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The canonical order of calloc(3) parameters is the number of elements
first and the size of each element second.
Reported by GCC 14:
is_customizable_type.c:43:45: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Clang's undefined behavior sanitizer supports checking for unsigned
integer overflow and underflow, and implicit conversions. While those
operations are well-defined by the C language they can signal logic
mistakes or processing of unchecked user input.
Annotate functions deliberately making use of integer overflow and adopt
the remaining code sites.
Example reports:
stringrep.c:348:7: runtime error: left shift of 2147483648 by 1 places cannot be represented in type 'access_vector_t' (aka 'unsigned int')
seusers.c:98:14: runtime error: implicit conversion from type 'int' of value -1 (32-bit, signed) to type 'gid_t' (aka 'unsigned int') changed the value to 4294967295 (32-bit, unsigned)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
getpwnam_r(3) and getgrnam_r(3) might return ERANGE in case the supplied
buffer was too short for the passwd/group entry. Retry with a bigger
buffer.
Also use a fallback buffer size in case the libc returns -1 for
sysconf(3) of _SC_GETPW_R_SIZE_MAX or _SC_GETGR_R_SIZE_MAX, like musl.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Instead of writing error messages directly to stderr use the wrapper
selinux_log(), which by default writes to stderr. This allows
applications to redirect or silence messages via
selinux_set_callback(3).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Return an error on invalid selabel_open(3) options, e.g. an option for
a different backend was used.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
According to selabel_opn(3) a non-null value for this option enables the
generation of an SHA1 digest of the spec files loaded as described in
selabel_digest(3).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Show the more interesting inverse of the auditdeny vector as dontaudit.
Show the inverse of the decided vector, although since Linux v2.6.30
f1c6381a6e33 ("SELinux: remove unused av.decided field") all permissions
are always decided.
$ compute_av staff_u:staff_r:staff_t:s0 sysadm_u:sysadm_r:sysadm_t:s0 process
allowed= null
auditdeny= { fork transition sigchld sigkill sigstop signull ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit 0x80000000 }
dontaudit= { signal }
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Remove noise while running with sanitizers or under valgrind.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Selabel lookups might fail with errno set to EINVAL in the unlikely case
a regular expression from the file context definition failed to compile.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The other functions (getexeccon(3) and setexeccon(3)) from the man page
also set errno on failure similar to the getcon(3) function family.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Allow callers to expect errno is set on failure, e.g. other exported
libselinux functions like setexecfilecon(3).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add missing const qualifier to parameters in the man pages to align them
with <selinux/selinux.h>.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This patch adds CPPFLAGS to all of the Makefiles as suggested.
Signed-off-by: Cameron Williams <ckwilliams.work@gmail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Vit Mojzis
Christian Göttsche
Petr Lautrbach
Stephen Smalley
Thiébaud Weksteen
James Carter
Cameron Williams