Commit Graph

1119 Commits

Author SHA1 Message Date
John Brooks
798950e055 Use a better hash function for libsepol's avtab
This function, based on murmurhash3, has much better distribution than
the original. Using the current default of 4096 buckets, there are many
fewer collisions:

Before:
2893000 entries and 4096/4096 buckets used, longest chain length 1649
After:
2732000 entries and 4096/4096 buckets used, longest chain length 764

The difference becomes much more significant when buckets are increased.
A naive attempt to expand the current function to larger outputs doesn't
yield any significant improvement; so this function is a prerequisite
for increasing the bucket size.

Signed-off-by: John Brooks <john.brooks@jolla.com>
2015-01-15 10:44:01 -05:00
John Brooks
76ea9f8987 Build libsepol with -O2
libsepol contains performance sensitive code; in particular, compiler
optimizations save a few minutes off of the optimized policydb hash
tables.

Signed-off-by: John Brooks <john.brooks@jolla.com>
2015-01-15 10:44:01 -05:00
Dan Albert
b1bbd3030b Clear errno before call to strtol(3).
Since strtol(3) doesn't clear errno on success, anything that sets
errno prior to this call will make it look like the call failed. This
happens when built with ASAN.

Signed-off-by: Dan Albert <danalbert@google.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-12-11 08:29:34 -05:00
Steve Lawrence
823ebc8c6b Bump to release candidate 7 2014-12-03 10:06:26 -05:00
Steve Lawrence
5b9a172bf9 scripts: update release script to not output file name twice
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-12-03 10:06:26 -05:00
Steve Lawrence
72dc45bf54 Merge commit '80afe7b2ce0b06f93b6b3a07e58cab1aee8afc91' 2014-12-03 10:05:59 -05:00
Steve Lawrence
80afe7b2ce Squashed 'libsepol/cil/' changes from 15b955e..08520e9
08520e9 Do not associate the object_r role with users
5c771ff Move symtab from cil_db to root ast node
c27cace Refactored cil_get_symtab()
a25af5a Fixed bug in copying an AST.
ca5e3f8 Fixed the source of two potential memory leaks when copying an AST.
2aef1b8 Fix bug when blockabstract statements failed to resolve

git-subtree-dir: libsepol/cil
git-subtree-split: 08520e91db86bdbb8ce393afa35c1465bdc7f63b
2014-12-03 10:05:59 -05:00
Steve Lawrence
f21b2e138c libsemanage: ensure migrated files have the correct types
All files in /var/lib/selinux/ are now labeled the same as those in
/etc/selinux/<store>/modules/active, which in refpolicy is semanage_store_t.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2014-12-03 10:05:25 -05:00
Laurent Bigonville
b9abc5c6e7 Add "RuntimeDirectory=setrans" to the mcstrans.service
Add "RuntimeDirectory=setrans" to the mcstrans.service, this will make
systemd automatically create the /run/setrans directory before starting
the service.

This directory contains the ".setrans-unix" socket created by the
daemon.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-12-03 10:05:25 -05:00
Steve Lawrence
b817a523c4 libsemanage: close hll file descriptors
Stops leaking of file descriptors to things like load_policy and
setfiles.

Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2014-12-03 10:05:24 -05:00
Stephen Smalley
678ec5df79 Fix expand logic for policy versions older than 24.
This was broken for older policy versions when we updated to
version 24.

Broken by commit 787f2f00f5d8ed6f5f.

Change-Id: I4063334c5c0462ef5c3706611c7dff5c60c612aa
Reported-by: William Roberts <bill.c.roberts@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-12-03 09:49:22 -05:00
Stephen Smalley
9da070f700 libsepol: Report all neverallow violations.
Switch libsepol check_assertions() from only reporting the first violation
to reporting them all.

Change-Id: I45b3502ff96b1d093574e1fecff93a582f8d00bd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-12-03 09:49:13 -05:00
Jason Zaman
877acdb31f semanage_migrate_store: Python3 support
Mainly used the 2to3 conversion tool. Also added in a __future__
import so that the script continues to work on Python 2.

Tested on 2.7, 3.3, 3.4. Should work on 2.6 too but untested.

Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-11-20 09:59:11 -05:00
Steve Lawrence
7a09af2123 policycoreutils: pp: add roletype statements for both declared and required type/typeattributes
Currently, roletype statements are only added for types when they are
declared (not required). This means that in policy like:

  require {
    type foo_t;
  }
  type bar_t;
  role staff_r types foo_t, bar_t;

only bar_t is associated with staff_r. This patch moves the code that
generates roletype statements for types to outside the SCOPE_DECL check
so that roletype statements are generated for all types, regardless of
the required/declared scope. It further moves the code outside of the
type/typeattribute flavor check so that roletype statements are also
generated for typeattributes.

Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Tested-by: Jason Zaman <jason@perfinion.com>
2014-11-19 14:25:33 -05:00
Steve Lawrence
07e75a9cc7 Bump to release candidate 6 2014-11-12 08:30:15 -05:00
Steve Lawrence
81d8cea807 policycoreutils: pp: define type aliases in the correct scope
Previously, type aliases were converted to CIL in the global namespace,
regardless of which scope they were actually defined in. So essentially
type aliases could never be in optionals. For the most part this worked,
however, in some small number of cases, a type alias could reference a
type defined inside an optional. If that optional was disabled, the type
would be disabled and so the type alias would fail to resolve, causing
policy to fail to build.

Unfortunately, type alises are stored in pp modules different than other
symbols (e.g. types/roles/etc) so they must be added to scopes
differently. So this patch gathers up all type aliases in a list and
keeps track of which scope each type alias is defined in. When we enter
a new scope, use that list to determine which type alias are defined
there and print the appropriate CIL statements.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
2014-11-12 08:06:41 -05:00
Steve Lawrence
3904db5ac9 policycoreutils: pp: mimic require block support in CIL
CIL does not have any concept of require blocks. Instead, CIL relies on
whether or not all statements inside an optional block resolve to
determine if an optional block should be enabled/disabled. However, a
small number of optional statements require a type that is not actually
used in the optional block. In old style policy, this would cause the
optional block to be disabled. However, in CIL, because the type is never
used, the optional block will remain enabled.

To maintain compatibility, we modify pp2cil to create a new attribute,
cil_gen_require, and all types/roles/attributes that are required in a
pp module/optional block are associated with this attribute. Thus, if a
type is required but not used, it will still fail to resolve in the
typeattributeset statement, causing the optional to correctly be
disabled.

Note that when compiling the CIL this generated from compiling refpolicy
pp modules with pp2cil, the extra CIL statements cause ~12.6MB increase
in maximum memory usage (129.7 MB to 142.3 MB). Though, compilation time
decreases by ~35% (26 seconds to 17 seconds).

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-11-12 08:06:41 -05:00
Steve Lawrence
d1db56c52b Bump to release candidate 5 2014-10-29 11:01:03 -04:00
Steve Lawrence
71393a181d libselinux: libsepol: use ln --relative to create .so symlinks
The current build system assumes SHLIBDIR is ../../ relative to LIBDIR.
However, this isn't always the case. For example, Arch Linux sets both
LIBDIR and SHLIBDIR to /usr/lib, which results in broken symlinks.

Instead of making that assumption, create .so symlinks using ln
--relative so that the correct relative paths are used. Note that this
adds a dependency for the build system to use coretuils-8.16 or later.

Fixes #2

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-22 08:25:44 -04:00
Steve Lawrence
dee40ec1f8 libsemanage: install to LIBDIR instead of SHLIBDIR
The libsemanage Makefile currently installs libsemanage.so.1 into
SHLIBDIR, but links libsemanage.so to libsemanage.so.1 in LIBDIR. This
means things will only work if SHLIBDIR and LIBDIR are the same.
Fortunately, by default, they are the same because the default of
SHLIBDIR is set to PREFIX/lib (same as LIBDIR default) instead of the
standard DESTDIR/lib.  Unfortunately, if a user overrides SHLIBDIR, by
doing something like the following:

    make DESTDIR=~/tmp/ LIBDIR=~/tmp/usr/lib SHLIBDIR=~/tmp/lib install

then a broken symlink is created. Note that in some cases this may still
work even when SHLIBDIR and LIBDIR are not the same, e.g.:

    make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install

But this only works because, in systems like Fedora, /lib is a symlink
to /usr/lib, so SHLIBDIR and LIBDIR are the same even though it doesn't
immediately look like it.

This patch changes the libsemanage Makefile to set the default value of
SHLIBDIR to the standard DESTDIR/lib to prevent confusion, and installs
libsemanage to LIBDIR and completely ignores SHLIBDIR.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-22 08:22:56 -04:00
Steve Lawrence
6280387034 Bump to release candidate 4 2014-10-06 15:03:24 -04:00
Steve Lawrence
847aa150e3 Squashed 'libsepol/cil/' changes from 73f1e3f..15b955e
15b955e Fix typos in error strings
fe5a24e Disable declarations inside an optional even if in the first call pass

git-subtree-dir: libsepol/cil
git-subtree-split: 15b955ea49c86549661b6520a85291735ce5496c
2014-10-06 14:55:04 -04:00
Steve Lawrence
450a3ea216 Merge commit '847aa150e30e6147c28ed9807fae4dc232b5a8fe' 2014-10-06 14:55:04 -04:00
Steve Lawrence
84d9486eb2 policycoreutils/hll/pp: fix typo in error messages
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-06 14:51:23 -04:00
Steve Lawrence
7f16505a31 policycoreutils/hll/pp: only print certain roles when declared in base modules
Some roles (i.e. user_r, staff_r, sysadm_r, system_r, unconfined_r) are
declared in the base module, and sometimes in non-base modules. This
could result in duplicate declarations of roles, which isn't allowed in
CIL. So for these roles, only generate their declarations if they appear
in a base module, otherwise ignore their declarations. All other roles
are printed regardlss of their declaration location.

Note that this means that if a policy author does not include one of the
roles in the base module then they will not be included in the resulting
policy, likely causing a compliation error in CIL.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 12:10:22 -04:00
Steve Lawrence
ff5bbe6dcf Bump VERSION/ChangeLog for release candidate 3
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 10:16:34 -04:00
Steve Lawrence
a3abb2c053 Squashed 'libsepol/cil/' changes from c13ce01..73f1e3f
73f1e3f fix gcc -Wwrite-strings warnings
8132615 libsepol:cil: Fix bugs in cil_reset_ast
95cca78 libsepol/cil: fix compilation with -Wformat-security

git-subtree-dir: libsepol/cil
git-subtree-split: 73f1e3f04f789a4e7541a7cbc618943dc458a34a
2014-10-02 10:07:00 -04:00
Steve Lawrence
bbbd58e125 Merge commit 'a3abb2c05301b24ad2f8307d07734d89ddf808d8' into merge 2014-10-02 10:07:00 -04:00
Yuli Khodorkovskiy
0a71540723 policycoreutils/hll/pp: change printing behavior of typeattribute/sets
Avrules that have the negation, star, or complement flag set for types
need typeattributes and typeattributesets that are generated. This caused
issues when these generated statements were inserted into conditionals, since
typeattributes/sets are not allowed in conditionals.

This change always prints typeattributes and typeattributesets
immediately unless the types appear inside of an avrule in conditionals or blocks.
For this special case, we print the typeattributes after the end
of each conditional/block.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:57:08 -04:00
Yuli Khodorkovskiy
836ffd988e policycoreutils/hll/pp: fix '\n' parsing in filecon statements
Some module fc files do not contain a trailing new line. This
caused contexts to have their last character to be deleted. When
parsing each line from a fc file, we only strip off the last character
if it is a new line.

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:57:03 -04:00
Yuli Khodorkovskiy
f42d013eec policycoreutils/hll/pp: Fix role/roletype scoping
- Create role declarations no matter if the declaration is in base or
  a module. Since CIL does not permit role re-declarations, this change
  will break existing policies that have the same role declared in multiple
  modules. To fix this, the policies will need to change the role to be
  defined in a single place.
- Pass around the avrule_decl stack rather than just the most recent
  decl. The full stack is needed to determine if identifiers are in
  scope
- Only create roletype statements for a role and a type in two cases:
   1) The role is declared/required and the type is declared/required in
      the same scope or an ancestor scope of the role
   2) The type is declared/required and the role is declared/required in
      an ancestor scope of the type

Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:58 -04:00
Scapelli
387dc6342e Add missing semicolon to parser rule "cond_else"
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:54 -04:00
Nicolas Iooss
e4d693ae87 Use $(PYTHON) instead of "python" in every Makefile
This fixes the build with "make PYTHON=python2" on systems where python
is python3.

For PYLIBVER and PYTHONLIBDIR definitions, I tested Python 2.5, 2.6, 2.7,
3.3 and 3.4.  For each of them, these commands print the expected result:

    python -c 'import sys;print("python%d.%d" % sys.version_info[0:2])'"
    python -c "from distutils.sysconfig import *;print(get_python_lib(1))"

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:49 -04:00
Nicolas Iooss
44035fcab4 libsepol/tests: fix gcc -Warray-bounds warning
test-linker-roles.c: In function 'module_role_tests':
  test-linker-roles.c:147:7: error: array subscript is above array bounds
  [-Werror=array-bounds]
    decls[2] = (test_find_decl_by_sym(base, SYM_TYPES,"tag_g_m2"))->decl_id;
         ^

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:45 -04:00
Nicolas Iooss
5af8c5adb2 checkpolicy: fix gcc -Wunused-variable warnings
Add __attribute__ ((unused)) to unused function parameters.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:41 -04:00
Nicolas Iooss
c4a4a1a7ed Fix gcc -Wstrict-prototypes warnings
In C, defining a function with () means "any number of parameters", not
"no parameter".  Use (void) instead where applicable and add unused
parameters when needed.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:38 -04:00
Nicolas Iooss
188a028f74 policycoreutils: fix most gcc -Wwrite-strings warnings
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:34 -04:00
Nicolas Iooss
aad0962be2 policycoreutils/hll/pp: fix gcc -Wwrite-strings warnings
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:31 -04:00
Nicolas Iooss
7dcb7a5946 checkpolicy: fix most gcc -Wwrite-strings warnings
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:28 -04:00
Nicolas Iooss
b8b0d7fa8a libsemanage: fix gcc -Wwrite-strings warnings
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:25 -04:00
Nicolas Iooss
81f17737e7 libsemanage: constify name and ext_lang parameters of semanage_module_install_hll
This fixes a warning from "gcc -Wwrite-strings", when
semanage_module_install_hll is called with "pp" as last parameter.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:22 -04:00
Nicolas Iooss
14c0564641 libsepol: fix most gcc -Wwrite-strings warnings
gcc puts literal strings lie in read-only memory.  On x86_64, trying to
write to them triggers a segmentation fault.

To detect such issues at build time, variables holding a pointer to such
strings should be "const char*".  "gcc -Wwrite-strings" warns when using
non-const pointers to literal strings.

Remove gcc warnings by adding const to local variables and argumens of
internal functions.

This does *not* fix this warning:

  policydb_public.c:208:10: warning: passing argument 2 of 'hashtab_search' discards 'const' qualifier from pointer target type
    return (hashtab_search(p->p.p_classes.table, PACKET_CLASS_NAME) ==
            ^
  In file included from ../include/sepol/policydb/symtab.h:16:0,
                   from ../include/sepol/policydb/policydb.h:60,
                   from policydb_public.c:4:
  ../include/sepol/policydb/hashtab.h:98:24: note: expected 'hashtab_key_t' but argument is of type 'const char *'
  extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k);
                         ^

Moreover the "const" word in hashtab_search prototype does not make the
second parameter "const char*" but "char* const".

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:15 -04:00
Nicolas Iooss
581d3eb128 checkpolicy: fix gcc -Wsign-compare warnings
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:13 -04:00
Nicolas Iooss
ae5de8ae69 libselinux: fix gcc -Wsign-compare warnings
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:11 -04:00
Nicolas Iooss
832e7017f8 checkpolicy: constify the message written by yyerror and yywarn
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:06 -04:00
Nicolas Iooss
8db96d0cb4 checkpolicy: add printf format attribute to relevant functions
Once __attribute__ ((format(printf, 1, 2))) is added to yyerror2,
"gcc -Wformat -Wformat-security" shows some issues.  Fix them.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:03 -04:00
Nicolas Iooss
3642a57cd0 policycoreutils/hll/pp: add printf format attribute to relevant functions
log_err, cil_printf and cil_println use printf formats to process their
arguments.  Use __attribute__((format(printf,...))) to make "gcc
-Wformat -Wformat-security" detect issues.

This detected this issue several times on a x86_64 system:

  format '%lx' expects argument of type 'long unsigned int', but
  argument has type 'uint32_t'

Fix this by introducing an explicit cast to unsigned long.

While at it, constify the format string argument of each function.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:00 -04:00
Nicolas Iooss
e198427fe5 policycoreutils/semodule_package: fix debug build
Building from the root directory with "make DEBUG=1" enables -Wshadow
option.  This makes the compilation fail with the following error:

  semodule_unpackage.c: In function 'usage':
  semodule_unpackage.c:17:25: error: declaration of 'progname' shadows a global declaration [-Werror=shadow]
   static void usage(char *progname)
                         ^
  semodule_unpackage.c:14:7: error: shadowed declaration is here [-Werror=shadow]
   char *progname = NULL;
         ^

Fix this error by no longer passing a global variable as a parameter to
usage function.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:55:57 -04:00
Nicolas Iooss
f978b1b071 policycoreutils/sandbox: fix debug build
Building from the root directory with "make DEBUG=1" enables -Wshadow
option.  This makes the compilation fails with the following error:

  cc -g3 -O0 -gdwarf-2 -fno-strict-aliasing -Wall -Wshadow -Werror -g
  -I/usr/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
  -W   -c -o seunshare.o seunshare.c

  seunshare.c: In function 'spawn_command':
  seunshare.c:141:6: error: declaration of 'child' shadows a global declaration [-Werror=shadow]
    int child;
        ^
  seunshare.c:58:12: error: shadowed declaration is here [-Werror=shadow]
   static int child = 0;
              ^

Fix this error by renaming the "child" variable in spawn_command.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:55:53 -04:00
Nicolas Iooss
855bfdf0ce policycoreutils/hll/pp: fix potential use of uninitialized variable
"gcc -O2 -Wall -Werror" failed with two errors when building pp due to
the use of unitialized variables.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:55:49 -04:00