Kernel policies with unsupported policy capabilities enabled can
currently be parsed, since they result just in a bit set inside an
ebitmap. Writing such a loaded policy into the traditional language or
CIL will fail however, since the unsupported policy capabilities can not
be converted into a name.
Reject kernel policies with invalid policy capabilities.
Reported-by: oss-fuzz (issue 60573)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Ensure the ibendport port is not 0 (similar to the kernel).
More general depth test for boolean expressions.
Ensure the boolean id is not set for logic operators.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Ensure constraint expressions are complete and do not exceed the
supported depth limit.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The default type of a type transition must be a regular type, not an
attribute.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Introduce reallocarray(3), a realloc(3) wrapper incorporating a
multiplication overflow check.
Add private implementation in case the function is not provided by the
standard C library.
Use in appropriate locations.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
* mention -r <role> and -v command line options in usage string
* use distinct error messages on getseuser(3) and
get_default_context_with_[role]level(3) failure
* always print program name on error
* drop unnecessary double parenthesis
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add round-trip tests for checkpolicy(8).
Test standard and MLS minimal policies as well as SELinux and Xen
policies with each available statement.
The output is checked against an expected result and then then checked
for idempotence.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Ensure counts are not set to the maximum value of their type.
Also limit their size during fuzzing to prevent OOM reports.
Reported-by: oss-fuzz (issue 60572), caused at the time by the filetrans
prefix proposal
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Neverallow avtab entries are not supported (normal and extended). Reject
them to avoid lookup confusions via avtab_search(), e.g. when searching
for a invalid key of AVTAB_TRANSITION|AVTAB_NEVERALLOW and the result of
only AVTAB_NEVERALLOW has no transition value.
Simplify the check for the number of specifiers by using the compiler
popcount builtin (already used in libsepol).
Reported-by: oss-fuzz (issue 60568), caused at the time by the filetrans
prefix proposal
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The list entries in the alphabetically grouped dict are
not sorted, which results in non-deterministic output for
index.html.
Sort entries of those lists to make the output deterministic
to be able to have reproducible builds.
See https://reproducible-builds.org/ for reasoning.
This patch was done while working on reproducible builds for openSUSE.
Signed-off-by: Cathy Hu <cahu@suse.de>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
The `EUID` does not exist in some shell environments. To ensure compatibility,
use `id -u` instead of `EUID` when `EUID` does not exist.
Signed-off-by: Huizhao Wang <wanghuizhao1@huawei.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
selabel_lookup(3) is expected to set errno on lookup failure, i.e. when
it returns NULL. Set errno if a regular expression failed to compile in
compile_regex().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Some entries might have been already parsed and allocated.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
selabel_get_digest_all_partial_matches is dynamically linked against
libselinux, so it should not depend on any internals and thus do not
make use of an internal header file
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Move the check whether to validate or not to the caller, to avoid all
having to carry the complete selabel_handle around.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use fseek(3) instead of rewind(3) to detect failures.
Drop the final rewind in digest_add_specfile(), since all callers are
going to close the stream without any further action.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Define selabel_subs_init() only if its call-sites are enabled.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Fix the typo and adjust the logic accordingly so the android backend is
not build by default, but if either ANDROID_HOST or
LABEL_BACKEND_ANDROID is set to y.
Fixes: c2a58cc525 ("libselinux: LABEL_BACKEND_ANDROID add option to enable")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Drop parameter NULL check since the only caller does a NULL check on the
argument.
Avoid strlen(3) call by comparing by hand.
Drop unreachable return statement.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
selabel_open(3) expects the backend to be of type unsigned int.
Also initialize with a macro flag instead raw 0.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Check (for the probably impossible) case the serialized data is longer
than the compiled fcontext format supports.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
selinux_check_access.c:43:10: warning: cast to union type is a GNU extension [-Wgnu-union-cast]
43 | (union selinux_callback)cb_auditinfo);
| ^ ~~~~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Merge malloc(3) plus memset(3) call into calloc(3).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Comparing two selabel handles should (and currently does) not modify
them.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Do not issue an audit event of type AUDIT_FS_RELABEL in case of a
passive check.
Print the reason for an audit_open(3) failure.
Do not prematurely exit in case audit_open(3) fails, since all important
work is already done, but proceed with cleanup tasks.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Drop overrides of warning flags which are not triggered by any code.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The flag -fipa-pure-const is enabled by default in GCC at -O0 and above.
The flag is not supported by Clang, which might result in issues if a
compilation database was created via GCC.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Drop unused parameter from selabel_is_digest_set(). It is only written
to but writes to the function local copy of the pointer are void.
Constify read-only handle parameter of selabel_validate() and
compat_validate().
Constify read-only from-address parameter of digest_add_specfile().
Constify read-only function pointer array initfuncs.
Merge malloc(3) and memset(3) calls into calloc(3).
Simplify boolean assignment.
Drop duplicate include file.
Drop return at end of void function.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Print usage information and exit if required path option is not given
or superfluous arguments are given.
Constify read-only variables assigned command line arguments.
Simplify bool evaluation.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Fix xml validation issues that often crop up since the XML catalogs
for DocBook often only contain versioned public identifiers.
Signed-off-by: Bruno Victal <mirai@makinata.eu>
Acked-by: James Carter <jwcart2@gmail.com>
cil_write_post_ast() should be in libsepol version 3.6, since version
3.5 has already been released.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Role dominance has been deprecated for a very, very long time (since
at least August 2008) and has never been used in any widely deployed
policy.
Remove support for compiling role dominance rules.
Support will remain, for now, in libsepol for backwards compatibility.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
This will show the resulting CIL AST after deny rules have been
processed.
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
The function cil_write_post_ast() will write the CIL AST after
post processing is done. Most post processing does not change the
CIL AST, this is where deny rules are processed (because to process
them, type attributes have to have been evaluated.)
When processed, deny rules may add new rules and attributes and the
deny rule itself will be removed from the AST, so using this new
function will show the results of the deny rule processing.
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
A deny rule is like a neverallow rule, except that permissions are
removed rather than an error reported.
(allow S1 T1 P1)
(deny S2 T2 P2)
First, write the allow rule with all of the permissions not in the deny rule
P3 = P1 and not P2
(allow S1 T1 P3)
Obviously, the rule is only written if P3 is not an empty list. This goes
for the rest of the rules as well--they are only written if the source and
target exist.
The remaining rules will only involve the common permissions
P4 = P1 and P2
Next, write the allow rule for any types in S1 that are not in S2
S3 = S1 and not S2
(allow S3 T1 P4)
Finally, write the allow rules needed to cover the types in T1 that are
not in T2. Since, T1 and T2 might be "self", "notself", or "other", this
requires more complicated handling. Any rule with "self" will not match
a rule with either "notself" or "other".
if (T1 is self and T2 is self) or (T1 is notself and T2 is notself) then
Nothing more needs to be done.
The rest of the rules will depend on the intersection of S1 and S2
which cannot be the empty set since the allow and deny rules match.
S4 = S1 and S2
if T1 is notself or T1 is other or T2 is notself or T2 is other then
if T1 is notself then
if T2 is other then
T = ALL and not S2
(allow S4 T P4)
else [T2 is not self, notself, or other]
S5 = S4 and not T2
S6 = S4 and T2
TA = ALL and not T2
TB = TA and not S4
(allow S6 TA P4)
(allow S5 TB P4)
if cardinality(S5) > 1 then
(allow S5 other P4)
else if T1 is other then
(allow S3 S4 P4)
if T2 is notself then
[Nothing else is needed]
else if T2 is other then
(allow S4 S3 P4)
else [T2 is not self, notself, or other]
S5 = S4 and not T2
S6 = S4 and T2
TC = S1 and not T2
TD = S3 and not T2
(allow S6 TC P4)
(allow S5 TD P4)
if cardinality(S5) > 1 then
(allow S5 other P4)
else [T1 is not self, notself, or other]
S8 = S4 and T1
(allow S8 self P4)
if T2 is notself then
[Nothing else is needed]
else [T2 is other]
T = T1 and not S2
(allow S4 T P4)
else [Neither T1 nor T2 are notself or other]
if T1 is self and T2 is not self then
S5 = S4 and not T2
(allow S5 self P4)
else if T1 is not self and T2 is self then
S7 = S4 and not T1
S8 = S4 and T1
T8 = T1 and not S4
(allow S7 T1 P4)
(allow S8 T8 P4)
if cardinality(S8) > 1 then
(allow S8 other P4)
else [Neither T1 nor T2 is self]
T3 = T1 and not T2
(allow S4 T3 P4)
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Add the function cil_tree_node_remove() which takes a node pointer
as an input, finds the parent, walks the list of nodes to the node
prior to the given node, updates that node's next pointer to remove
the given node from the tree, and then destroys the node.
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Add a macro, called cil_list_is_empty, that returns true if the
list pointer or list head is NULL.
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Adds the ability to parse a deny rule, add it to the AST, and
write it out when writing the AST, but the deny rule is otherwise
ignored and does nothing.
When it is fully supported, the deny rule will work like a neverallow
except that it will remove permissions rather than give an error.
Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Also reorganize the access vector rules section to minimize duplication
explanation of the parts of access vector rules.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Since log_err() has been removed, use ERR() instead of log_err() in
module_to_cil.c.
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Convert trivial not-self neverallow rules to CIL, e.g.
neverallow TYPE1 ~self:CLASS1 PERM1;
into
(neverallow TYPE1 notself (CLASS1 (PERM1)))
More complex targets are not yet supported in CIL and will fail to
convert, e.g.:
neverallow TYPE1 ~{ self ATTR1 } : CLASS1 PERM1;
neverallow TYPE2 { ATTR2 -self } : CLASS2 PERM2;
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Like "self", both of these reserved words can be used as a target
in an access vector rule. "notself" means all types other than
the source type. "other" is meant to be used with an attribute and
its use results in the rule being expanded with each type of the
attribute being used as the source type with each of the other types
being used as the target type. Using "other" with just a type will
result in no rule.
Example 1
(allow TYPE1 notself (CLASS (PERM)))
This rule is expanded to a number of rules with TYPE1 as the source
and every type except for TYPE1 as the target.
Example 2
(allow ATTR1 notself (CLASS (PERM)))
Like Example 1, this rule will be expanded to each type in ATTR1
being the source with every type except for the type used as the
source being the target.
Example 3
(allow TYPE1 other (CLASS (PERM)))
This expands to no rule.
Example 4
(allow ATTR1 other (CLASS (PERM)))
Like Example 2, but the target types will be limited to the types
in the attribute ATTR1 instead of all types. So if ATTR1 has the
type t1, t2, and t3, then this rule expands to the following rules.
(allow t1 t2 (CLASS (PERM)))
(allow t1 t3 (CLASS (PERM)))
(allow t2 t1 (CLASS (PERM)))
(allow t2 t3 (CLASS (PERM)))
(allow t3 t1 (CLASS (PERM)))
(allow t3 t2 (CLASS (PERM)))
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
While it does no harm to call ebitmap_init() twice for an ebitmap,
since it is just memsetting the ebitmap to 0, it is poor practice.
In the function cil_type_matches() in cil_find.c, either ebitmap_and()
or ebitmap_set_bit() will be called. The function ebitmap_and() will
call ebitmap_init() on the destination ebitmap, but ebitmap_set_bit()
does not.
Instead of calling ebitmap_init() before the call to cil_type_matches(),
let cil_type_matches() make the call if it is going to call
ebitmap_set_bit(). It can also call ebitmap_destroy() on an error.
Since we are removing the call to ebitmap_init() in cil_self_match_any(),
cleanup some other things in the function (like using the FLAVOR()
macro and using ebitmap_is_empty()).
Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Christian Göttsche
Cathy Hu
Dominick Grift
Huizhao Wang
Bruno Victal
James Carter