Commit Graph

245 Commits

Author SHA1 Message Date
Christian Göttsche
fc1f62ce80 checkpolicy: add missing forward declaration
policy_scan.l:294:3: warning: implicit declaration of function 'yyerror' is

      invalid in C99 [-Wimplicit-function-declaration]

{ yyerror("unrecognized character");}

  ^

policy_scan.l:294:3: warning: this function declaration is not a prototype

      [-Wstrict-prototypes]

Acked-by: William Roberts <william.c.roberts@intel.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-03-25 09:54:21 -05:00
Stephen Smalley
f8c110c8a6 libsepol,checkpolicy: remove use of hardcoded security class values
libsepol carried its own (outdated) copy of flask.h with the generated
security class and initial SID values for use by the policy
compiler and the forked copy of the security server code
leveraged by tools such as audit2why.  Convert libsepol and
checkpolicy entirely to looking up class values from the policy,
remove the SECCLASS_* definitions from its flask.h header, and move
the header with its remaining initial SID definitions private to
libsepol.  While we are here, fix the sepol_compute_sid() logic to
properly support features long since added to the policy and kernel,
although there are no users of it other than checkpolicy -d (debug)
and it is not exported to users of the shared library.  There
are still some residual differences between the kernel logic and
libsepol.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2020-03-12 07:50:55 +01:00
Daniel Burgener
62a91d7d71 checkpolicy: Add --werror flag to checkmodule and checkpolicy to treat warnings as errors.
When the lexer encounters an unexpected character in a policy source file, it prints a warning, discards the character and moves on.  In some build environments, these characters could be a symptom of an earlier problem, such as unintended results of expansion of preprocessor macros, and the ability to have the compiler halt on such issues would be helpful for diagnosis.

Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-03-11 14:39:39 -04:00
Daniel Burgener
42b13ba15a checkpolicy: Treat invalid characters as an error
Previously the behavior was to warn, discard the character and proceed.
Now the build will halt upon encountering an unexpected character.

Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: James Carter <jwcart2@gmail.com>
2020-03-11 14:14:03 -04:00
Stephen Smalley
8677ce5e8f libsepol,checkpolicy: support omitting unused initial sid contexts
Remove restrictions in libsepol and checkpolicy that required all
declared initial SIDs to be assigned a context.  With this patch,
it is possible to build and load a policy that drops the sid <sidname>
<context> declarations for the unused initial SIDs.  It is still
required to retain the sid <sidname> declarations (in the flask
definitions) in order to preserve the initial SID ordering/values.
The unused initial SIDs can be renamed, e.g. to add an unused_
prefix or similar, if desired, since the names used in the policy
are not stored in the kernel binary policy.

In CIL policies, the (sid ...) and (sidorder (...)) statements
must be left intact for compatibility but the (sidcontext ...)
statements for the unused initial SIDs can be omitted after this change.

With current kernels, if one removes an unused initial SID context
from policy, builds policy with this change applied and loads the
policy into the kernel, cat /sys/fs/selinux/initial_contexts/<sidname>
will show the unlabeled context.  With the kernel patch to remove unused
initial SIDs, the /sys/fs/selinux/initial_contexts/<sidname>
file will not be created for unused initial SIDs in the first place.

NB If an unused initial SID was assigned a context different from
the unlabeled context in existing policy, then it is not safe to
remove that initial SID context from policy and reload policy on
the running kernel that was booted with the original policy.  This
is because that kernel may have assigned that SID to various kernel
objects already and those objects will then be treated as having
the unlabeled context after the removal.  In refpolicy, examples
of such initial SIDs are the "fs" SID and the "sysctl" SID.  Even
though these initial SIDs are not directly used (in code) by the current
kernel, their contexts are being applied to filesystems and sysctl files by
policy and therefore the SIDs are being assigned to objects.

NB The "sysctl" SID was in use by the kernel up until
commit 8e6c96935fcc1ed3dbebc96fddfef3f2f2395afc ("security/selinux:
fix /proc/sys/ labeling) circa v2.6.39.  Removing its context from
policy will cause sysctl(2) or /proc/sys accesses to end up
performing permission checks against the unlabeled context and
likely encounter denials for kernels < 2.6.39.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-01-29 10:17:02 -05:00
Ondrej Mosnacek
4d330d0d31 checkpolicy: remove unused te_assertions
This variable is declared in a header file, but never defined or used.
The te_assert structure definition is only used in this declaration, so
remove both.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2020-01-27 10:51:21 -05:00
Petr Lautrbach
dca7ce8195
Update VERSIONs to 3.0 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-11-28 13:46:48 +01:00
Petr Lautrbach
6e187f8a2a Update VERSIONs to 3.0-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-11-22 13:54:17 +01:00
Petr Lautrbach
6d5f7f20bc Replace www.nsa.gov references by github.com/SELinuxProject
The original page doesn't exist anymore.

Fixes: https://github.com/SELinuxProject/selinux/issues/170

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-11-08 09:20:29 -05:00
Petr Lautrbach
b3ed0a7a60 Update VERSIONs to 3.0-rc1 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-10-28 13:06:11 +01:00
Masatake YAMATO
9be4e7454d checkpolicy: allow to write policy to stdout
If - is given as filename for -o option, checkpolicy
writes the policy to standard output. This helps users
to read policy.conf and/or CIL policy file with pager
like less command:

 $ checkpolicy -M -F -b /sys/fs/selinux/policy  -o - | less

The users don't have to make a temporary file.
/dev/stdout can be used instead. However, - reduces the number of
typing for the purpose. Using - for standard output (and/or standard
input) is popular convention.

Change(s) in v2:
* Check the availability of output stream only when opening
  a regualar file. Suggested by Stephen Smalley <sds@tycho.nsa.gov>.

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
2019-10-22 08:26:26 -04:00
Masatake YAMATO
b8455f774a checkpolicy: update the description for -o option in the man page
Write about policy.conf and CIL files.

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
2019-10-22 08:26:26 -04:00
Masatake YAMATO
a581560eb0 checkpolicy: remove a redundant if-condition
Inner if-condition in following code is redundant:

	if (outfile) {
		/* ... just referring outfile ... */
		if (outfile) {
			do_something();
		}
	}

We can simplify this to:

	if (outfile) {
		/* ... just referring outfile ... */
		do_something();
	}

Signed-off-by: Masatake YAMATO <yamato@redhat.com>
2019-10-22 08:26:26 -04:00
Nicolas Iooss
b550c0e202
Fix many misspellings
Use codespell (https://github.com/codespell-project/codespell) in order
to find many common misspellings that are present in English texts.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-18 22:47:35 +02:00
Joshua Brindle
9ba35fe8c2 Add default_range glblub support
Policy developers can set a default_range default to glblub and
computed contexts will be the intersection of the ranges of the
source and target contexts. This can be used by MLS userspace
object managers to find the range of clearances that two contexts
have in common. An example usage is computing a transition between
the network context and the context of a user logging into an MLS
application.

For example, one can add a default with
this cil:

(defaultrange db_table glblub)

or in te (base module only):

default_range db_table glblub;

and then test using the compute_create utility:

$ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20

Some example range transitions are:

User Permitted Range | Network Device Label | Computed Label
---------------------|----------------------|----------------
s0-s1:c0.c12         | s0                   | s0
s0-s1:c0.c12         | s0-s1:c0.c1023       | s0-s1:c0.c12
s0-s4:c0.c512        | s1-s1:c0.c1023       | s1-s1:c0.c512
s0-s15:c0,c2         | s4-s6:c0.c128        | s4-s6:c0,c2
s0-s4                | s2-s6                | s2-s4
s0-s4                | s5-s8                | INVALID
s5-s8                | s0-s4                | INVALID

Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
2019-09-10 12:30:29 -04:00
James Carter
071247e8f4 checkpolicy: add flag to enable policy optimization
Add the command-line option 'O' to checkpolicy to cause kernel policies
to be optimized by calling policydb_optimize() before being written out.

This option can be used on conf files and binary kernel policies, but
not when converting a conf file to CIL.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
[omosnace: make commit desc more consistent with the other patches]
[omosnace: fix a typo in the commit message]
[omosnace: directly use policydb_optimize() as also the rest of code already uses
 other policydb_*() functions...]
[omosnace: update man page]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-06-25 10:11:00 -04:00
Unto Sten
6062c45b1d Remove redundant if-clause
Signed-off-by: Unto Sten <sten.unto@gmail.com>
2019-06-19 09:03:12 -07:00
Aleksei Nikiforov
26462e101f Update man pages translation by Olesya Gerasimenko
Signed-off-by: Olesya Gerasimenko <gammaray@basealt.ru>
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
2019-05-28 07:50:34 -04:00
Ondrej Mosnacek
3e506bda3b libsepol: add ebitmap_for_each_set_bit macro
Most of the users of ebitmap_for_each_bit() macro only care for the set
bits, so introduce a new ebitmap_for_each_positive_bit() macro that
skips the unset bits. Replace uses of ebitmap_for_each_bit() with the
new macro where appropriate.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2019-05-20 14:00:32 -04:00
Gary Tierney
ac2a3fb4fe dismod: print policy version of loaded modules
Signed-off-by: Gary Tierney <gary.tierney@fastmail.com>
2019-04-19 13:10:53 -04:00
Gary Tierney
4984a75f38 checkmodule: add support for specifying module policy version
Currently checkpolicy can produce binary policies for earlier policy versions
to provide support for building policies on one machine and loading/analyzing
them on another machine with an earlier version of the kernel or libsepol,
respectively. However, checkmodule was lacking this capability.

This commit adds an identical `-c` flag that can be passed to checkmodule that
will build a modular policy file of the specified version.

Signed-off-by: Gary Tierney <gary.tierney@fastmail.com>
2019-04-19 13:10:44 -04:00
Petr Lautrbach
891cfee44f Update VERSIONs to 2.9 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-15 11:32:30 +01:00
Petr Lautrbach
ee1809f453 Update VERSIONs to 2.9-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-03-01 13:58:20 +01:00
Vit Mojzis
3cad474303
checkpolicy: Update manpage
- Add description of -S option
- Sort the option descriptions based on the synopsis
- Add missing options to synopsis

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2019-02-10 17:03:58 +01:00
Aleksei Nikiforov
0445e65d83 Allow installing translated man pages
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
2019-01-28 12:03:57 +01:00
Aleksei Nikiforov
e3e3873de7 Add man pages translation by Olesya Gerasimenko
Signed-off-by: Olesya Gerasimenko <gammaray@basealt.ru>
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
2019-01-28 12:03:57 +01:00
Petr Lautrbach
53312c7d61 Update VERSIONs to 2.9-rc1 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2019-01-25 11:48:54 +01:00
James Carter
9077c5c056 checkpolicy: Add option to sort ocontexts when creating a binary policy
Add an option, specified by "-S" or "--sort", to sort the ocontexts
before writing out the binary policy.

Binary policies created by semanage and secilc are always sorted, so
this option allows checkpolicy to be consistent with those. It has
not been made the default to maintain backwards compatibility for
anyone who might be depending on the unsorted behavior of checkpolicy.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-10-12 13:38:00 -04:00
Nick Kralevich via Selinux
854fdc1ac4 checkpolicy: remove extraneous policy build noise
Reduce noise when calling the checkpolicy command line. In Android, this
creates unnecessary build noise which we'd like to avoid.

https://en.wikipedia.org/wiki/Unix_philosophy

  Rule of Silence
  Developers should design programs so that they do not print
  unnecessary output. This rule aims to allow other programs
  and developers to pick out the information they need from a
  program's output without having to parse verbosity.

An alternative approach would be to add a -s (silent) option to these
tools, or to have the Android build system redirect stdout to /dev/null.

Signed-off-by: Nick Kralevich <nnk@google.com>
2018-09-21 12:51:36 -07:00
liwugang
98a951fa76
checkpolicy: check the result value of hashtable_search
Signed-off-by: liwugang <liwugang@xiaomi.com>
2018-09-19 20:43:39 +02:00
Nicolas Iooss
daa00b2899
checkpolicy: destroy the class datum if it fails to initialize
require_class() allocate memory for its variable "class_datum_t *datum"
and calls symtab_init(&datum->permissions, PERM_SYMTAB_SIZE). If this
second call fails, datum is not freed.

Fix this memory leak.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-05-30 22:00:13 +02:00
Stephen Smalley
a9f8a101fd Update VERSIONs to 2.8 for release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-24 14:21:09 -04:00
Stephen Smalley
20c9b4971e Update VERSION files to 2.8-rc3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-05-10 11:08:22 -04:00
Stephen Smalley
dc03bae194 Update VERSION files to 2.8-rc2.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-04-26 13:20:40 -04:00
Stephen Smalley
f04d64012a Update VERSION files to 2.8-rc1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-04-19 10:40:16 -04:00
Tri Vo
ea8d689b53 Resolve conflicts in expandattribute.
This commit resolves conflicts in values of expandattribute statements
in policy language and expandtypeattribute in CIL.

For example, these statements resolve to false in policy language:
 expandattribute hal_audio true;
 expandattribute hal_audio false;

Similarly, in CIL these also resolve to false.
 (expandtypeattribute (hal_audio) true)
 (expandtypeattribute (hal_audio) false)

A warning will be issued on this conflict.

Motivation
When Android combines multiple .cil files from system.img and vendor.img
it's possible to have conflicting expandattribute statements.

This change deals with this scenario by resolving the value of the
corresponding expandtypeattribute to false. The rationale behind this
override is that true is used for reduce run-time lookups, while
false is used for tests which must pass.

Signed-off-by: Tri Vo <trong@android.com>
Acked-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
2018-03-26 12:29:37 -07:00
Richard Haines via Selinux
cf0ab12414 selinux: Add support for the SCTP portcon keyword
Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-19 12:34:29 -04:00
Marcus Folkesson
23bbd2e448 checkpolicy: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- DESTDIR is needed during compile time to compute library
  and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:37 +01:00
Stephen Smalley
53bb2a11c2 checkpolicy,libselinux,libsepol,policycoreutils: Update my email address
Update my email address since epoch.ncsc.mil no longer exists.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-17 14:17:12 -04:00
Stephen Smalley
1bac758bf6 Update VERSION files for 2.7 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-04 09:31:00 -04:00
Stephen Smalley
dfda6a5b2c Update VERSION files for 2.7-rc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-28 15:43:47 -04:00
Stephen Smalley
9f1730fa39 Update VERSION files for 2.7-rc5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-18 12:01:26 -04:00
Stephen Smalley
83fbc0979d Update VERSION files for 2.7-rc4 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-30 13:41:33 -04:00
Stephen Smalley
6fab7923ce Update VERSION files for 2.7-rc3 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-23 13:01:45 -04:00
Stephen Smalley
7b5699bfd7 Fix BINDIR/SBINDIR/... variables in Makefiles
As reported by Nicolas Iooss, there are still some inconsistencies
in the definitions and usage of Makefile variables related to bin
and sbin directories. Since we need to still support non-usrmerge
systems, we cannot completely synchronize them, but we can eliminate
unnecessary differences, remove unused variables, and drop the
USRSBINDIR variables.

Before:
$ find . -name Makefile -exec cat {} + |grep '^[A-Z_]*BINDIR' |sort -u
BINDIR=$(PREFIX)/bin
BINDIR ?= $(PREFIX)/bin
BINDIR ?= $(PREFIX)/sbin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin
USRSBINDIR ?= $(PREFIX)/sbin

After:
$ find . -name Makefile -exec cat {} + | grep '^[A-Z_]*BINDIR' | sort -u
BINDIR ?= $(PREFIX)/bin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin

This does not change the actual install location of any file.
It does drop the legacy symlink from /usr/sbin/load_policy to
/sbin/load_policy; packagers can create that separately if
desired.

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-20 12:18:26 -04:00
Stephen Smalley
08d4b030ea Update VERSION files for 2.7-rc2 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-16 12:50:03 -04:00
Stephen Smalley
2f602f6cb9 Update VERSION files for 2.7-rc1 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-09 10:36:06 -04:00
Daniel Jurgens
118c0cd103 libsepol: Add ibendport ocontext handling
Add support for reading, writing, and copying IB end port ocontext data.
Also add support for querying a IB end port sid to checkpolicy.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens
5bc05dd2a5 checkpolicy: Add support for ibendportcon labels
Add checkpolicy support for scanning and parsing ibendportcon labels.
Also create a new ocontext for IB end ports.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens
9fbb311276 libsepol: Add ibpkey ocontext handling
Add support for reading, writing, and copying Infiniband Pkey ocontext
data. Also add support for querying a Pkey sid to checkpolicy.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:54 -04:00