Commit Graph

210 Commits

Author SHA1 Message Date
Tri Vo
ea8d689b53 Resolve conflicts in expandattribute.
This commit resolves conflicts in values of expandattribute statements
in policy language and expandtypeattribute in CIL.

For example, these statements resolve to false in policy language:
 expandattribute hal_audio true;
 expandattribute hal_audio false;

Similarly, in CIL these also resolve to false.
 (expandtypeattribute (hal_audio) true)
 (expandtypeattribute (hal_audio) false)

A warning will be issued on this conflict.

Motivation
When Android combines multiple .cil files from system.img and vendor.img
it's possible to have conflicting expandattribute statements.

This change deals with this scenario by resolving the value of the
corresponding expandtypeattribute to false. The rationale behind this
override is that true is used for reduce run-time lookups, while
false is used for tests which must pass.

Signed-off-by: Tri Vo <trong@android.com>
Acked-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: William Roberts <william.c.roberts@intel.com>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
2018-03-26 12:29:37 -07:00
Richard Haines via Selinux
cf0ab12414 selinux: Add support for the SCTP portcon keyword
Update libsepol, checkpolicy and the CIL compiler to support the SCTP
portcon keyword.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2018-03-19 12:34:29 -04:00
Marcus Folkesson
23bbd2e448 checkpolicy: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues:
- DESTDIR is needed during compile time to compute library
  and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 15:59:37 +01:00
Stephen Smalley
53bb2a11c2 checkpolicy,libselinux,libsepol,policycoreutils: Update my email address
Update my email address since epoch.ncsc.mil no longer exists.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-17 14:17:12 -04:00
Stephen Smalley
1bac758bf6 Update VERSION files for 2.7 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-04 09:31:00 -04:00
Stephen Smalley
dfda6a5b2c Update VERSION files for 2.7-rc6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-28 15:43:47 -04:00
Stephen Smalley
9f1730fa39 Update VERSION files for 2.7-rc5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-07-18 12:01:26 -04:00
Stephen Smalley
83fbc0979d Update VERSION files for 2.7-rc4 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-30 13:41:33 -04:00
Stephen Smalley
6fab7923ce Update VERSION files for 2.7-rc3 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-23 13:01:45 -04:00
Stephen Smalley
7b5699bfd7 Fix BINDIR/SBINDIR/... variables in Makefiles
As reported by Nicolas Iooss, there are still some inconsistencies
in the definitions and usage of Makefile variables related to bin
and sbin directories. Since we need to still support non-usrmerge
systems, we cannot completely synchronize them, but we can eliminate
unnecessary differences, remove unused variables, and drop the
USRSBINDIR variables.

Before:
$ find . -name Makefile -exec cat {} + |grep '^[A-Z_]*BINDIR' |sort -u
BINDIR=$(PREFIX)/bin
BINDIR ?= $(PREFIX)/bin
BINDIR ?= $(PREFIX)/sbin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin
USRSBINDIR ?= $(PREFIX)/sbin

After:
$ find . -name Makefile -exec cat {} + | grep '^[A-Z_]*BINDIR' | sort -u
BINDIR ?= $(PREFIX)/bin
SBINDIR ?= $(DESTDIR)/sbin
SBINDIR ?= $(PREFIX)/sbin

This does not change the actual install location of any file.
It does drop the legacy symlink from /usr/sbin/load_policy to
/sbin/load_policy; packagers can create that separately if
desired.

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-20 12:18:26 -04:00
Stephen Smalley
08d4b030ea Update VERSION files for 2.7-rc2 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-16 12:50:03 -04:00
Stephen Smalley
2f602f6cb9 Update VERSION files for 2.7-rc1 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-06-09 10:36:06 -04:00
Daniel Jurgens
118c0cd103 libsepol: Add ibendport ocontext handling
Add support for reading, writing, and copying IB end port ocontext data.
Also add support for querying a IB end port sid to checkpolicy.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens
5bc05dd2a5 checkpolicy: Add support for ibendportcon labels
Add checkpolicy support for scanning and parsing ibendportcon labels.
Also create a new ocontext for IB end ports.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:55 -04:00
Daniel Jurgens
9fbb311276 libsepol: Add ibpkey ocontext handling
Add support for reading, writing, and copying Infiniband Pkey ocontext
data. Also add support for querying a Pkey sid to checkpolicy.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:54 -04:00
Daniel Jurgens
5b203145fd checkpolicy: Add support for ibpkeycon labels
Add checkpolicy support for scanning and parsing ibpkeycon labels. Also
create a new ocontext for Infiniband Pkeys and define a new policydb
version for infiniband support.

Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
2017-05-23 16:20:54 -04:00
Stephen Smalley
58962eb3d8 libsepol,checkpolicy: add binary module support for xperms
Presently we support xperms rules in source policy and in CIL modules.
The binary policy module format however was never extended for xperms.
This limitation inhibits use of xperms in refpolicy-based policy modules
(including the selinux-testsuite policy).  Update libsepol to support
linking, reading, and writing a new binary policy module version that
supports xperms rules.  Update dismod to display xperms rules in binary
policy modules.

Also, to support use of a non-base binary policy module with a newer
version on a system using a base policy module with an older version,
automatically upgrade the version during module linking.  This facilitates
usage of newer features in non-base modules without requiring rebuilding
the base module.

Tests:
1. Add an allowxperms rule to the selinux-testsuite policy and
confirm that it is properly written to the binary policy module
(displayed by dismod), converted to CIL (the latter was already supported),
and included in the kernel policy (via dispol and kernel test).

2. Use semodule_link and semodule_expand to manually link and expand
all of the .pp files via libsepol, and confirm that the allowxperms rule
is correctly propagated to the kernel policy.  This test is required to
exercise the legacy link/expand code path for binary modules that predated
CIL.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-17 09:35:52 -04:00
Stephen Smalley
c3118041df checkpolicy,libsepol: drop unnecessary usage of s6_addr32
s6_addr32 is not portable; use s6_addr instead.
This obviates the need for #ifdef __APPLE__ conditionals in these cases.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-10 10:25:56 -04:00
Jeff Vander Stoep
1089665e31 Add attribute expansion options
This commit adds attribute expansion statements to the policy
language allowing compiler defaults to be overridden.

Always expands an attribute example:
expandattribute { foo } true;
CIL example:
(expandtypeattribute (foo) true)

Never expand an attribute example:
expandattribute { bar } false;
CIL example:
(expandtypeattribute (bar) false)

Adding the annotations directly to policy was chosen over other
methods as it is consistent with how targeted runtime optimizations
are specified in other languages. For example, in C the "inline"
command.

Motivation

expandattribute true:
Android has been moving away from a monolithic policy binary to
a two part split policy representing the Android platform and the
underlying vendor-provided hardware interface. The goal is a stable
API allowing these two parts to be updated independently of each
other. Attributes provide an important mechanism for compatibility.
For example, when the vendor provides a HAL for the platform,
permissions needed by clients of the HAL can be granted to an
attribute. Clients need only be assigned the attribute and do not
need to be aware of the underlying types and permissions being
granted.

Inheriting permissions via attribute creates a convenient mechanism
for independence between vendor and platform policy, but results
in the creation of many attributes, and the potential for performance
issues when processes are clients of many HALs. [1] Annotating these
attributes for expansion at compile time allows us to retain the
compatibility benefits of using attributes without the performance
costs. [2]

expandattribute false:
Commit 0be23c3f15fd added the capability to aggresively remove unused
attributes. This is generally useful as too many attributes assigned
to a type results in lengthy policy look up times when there is a
cache miss. However, removing attributes can also result in loss of
information used in external tests. On Android, we're considering
stripping neverallow rules from on-device policy. This is consistent
with the kernel policy binary which also did not contain neverallows.
Removing neverallow rules results in a 5-10% decrease in on-device
policy build and load and a policy size decrease of ~250k. Neverallow
rules are still asserted at build time and during device
certification (CTS). If neverallow rules are absent when secilc is
run, some attributes are being stripped from policy and neverallow
tests in CTS may be violated. [3] This change retains the aggressive
attribute stripping behavior but adds an override mechanism to
preserve attributes marked as necessary.

[1] https://github.com/SELinuxProject/cil/issues/9
[2] Annotating all HAL client attributes for expansion resulted in
    system_server's dropping from 19 attributes to 8. Because these
    attributes were not widely applied to other types, the final
    policy size change was negligible.
[3] data_file_type and service_manager_type are stripped from AOSP
    policy when using secilc's -G option. This impacts 11 neverallow
    tests in CTS.

Test: Build and boot Marlin with all hal_*_client attributes marked
    for expansion. Verify (using seinfo and sesearch) that permissions
    are correctly expanded from attributes to types.
Test: Mark types being stripped by secilc with "preserve" and verify
    that they are retained in policy and applied to the same types.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2017-05-09 12:09:46 -04:00
Jason Zaman
fcb5d5cc72 Makefiles: drop -L/-I to system paths
The toolchain automatically handles them and they break cross compiling.

LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place)

Gentoo-Bug: https://bugs.gentoo.org/500674

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:27:05 -04:00
James Carter
13c27d6cc9 checkpolicy: Add options to convert binary policy to CIL or a policy.conf
Use the same option "-C" used to ouput CIL from a policy.conf, but now
generate CIL from a binary policy instead of giving an error.i

Use the option "-F" to generate a policy.conf file from a binary policy.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-04-05 12:23:30 -04:00
James Carter
dd11ab6f7f checkpolicy: Fix minor memory leak in checkpolicy
sepol_set_sidtab() is called without calling sepol_sidtab_destroy().
This is not a big deal, since checkpolicy does not run for long, but
it does add noise when checking for other, more important, leaks.

Call sepol_sidtab_destroy() before exiting if not in debug mode.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-03-21 14:20:43 -04:00
Nicolas Iooss
9087bb9c5a checkpolicy: dereference rangehead after checking it was not NULL
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-21 14:20:28 -04:00
Nicolas Iooss
ef61dd7d4b checkpolicy: add noreturn attribute to usage()
While at it, make usage() static and mark its argument as const.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-03-07 14:00:25 -05:00
James Carter
192153db43 checkpolicy: Make print_error_msg() static
The function print_error_msg() in module_compiler.c is not called
externally, so make it static.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-06 11:01:32 -05:00
James Carter
5d56c2679d checkpolicy: Remove uneeded return check in require_symbol()
Since symtab_insert() no longer returns -2 in the case of a
declaration of an identifier followed by a require of the same
symbol, remove the uneeded check.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:02:32 -05:00
James Carter
b6f3e0086f checkpolicy: Improve check for identifier flavor mismatch
An identifier flavor mismatch occurs when an identifier is
declared or required as a regular role or type in one place but as
an attribute in another place.

Currently there is only a check for an identifier flavor mismatch
when a type has already been declared and there is a require of
the same type in the same scope. There are no checks if the require
comes first and there are no checks for roles.

Check for an identifier flavor mismatch for both roles and types
whenever a declaration or requirement tries to add an identifier
that is already in the symtab.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:02:32 -05:00
James Carter
d676e7ce3c checkpolicy: Move common require and declare code into new function
Move common code from declare_symbol() and require_symbol() to a new
function named create_symbol().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:02:24 -05:00
James Carter
a7a0678999 checkpolicy: Cleanup error messages
Add the new function print_error_msg() to print an error message
based on the local error number and symbol_type. Remove the
duplicate switch statements used throughout module_complier.c
to display error messages.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:01:28 -05:00
James Carter
a141c0d19f checkpolicy: Create common function for user declares and requires
Move common code out of declare_user() and require_user() into the
new function create_user().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 14:01:21 -05:00
James Carter
bd05768057 checkpolicy: Create common function for role declares and requires
Move common code out of declare_role() and require_role_or_attribute()
    into the new function create_role().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 13:54:05 -05:00
James Carter
daaaf28bfb checkpolicy: Create common function for type declares and requires
Move common code out of declare_type() and require_type_or_attribute()
into the new function create_type().

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-02-03 13:53:23 -05:00
Nicolas Iooss
7da9bc00f2 checkpolicy: do not leak memory when a class is not found in an avrule
While checkmodule tries to compile the following policy file and fails
because class "process" is not found, it does not free some allocated
memory:

    module ckpol_leaktest 1.0.0;
    require {type TYPE1;}
    allow TYPE1 self:process fork;

clang memory sanitier output is:

=================================================================
==16050==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 136 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
    #1 0x41a620 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2450:24
    #2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
    #3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
    #4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
    #5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
    #1 0x411c87 in insert_id /usr/src/selinux/checkpolicy/policy_define.c:120:18

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd8127608 in malloc (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0xf6608)
    #1 0x43133c in ebitmap_set_bit /usr/src/selinux/libsepol/src/ebitmap.c:321:27

Indirect leak of 18 byte(s) in 1 object(s) allocated from:
    #0 0x7f8bd80b5eb0 in __interceptor___strdup (/usr/lib/clang/3.9.1/lib/linux/libclang_rt.asan-x86_64.so+0x84eb0)
    #1 0x41a6e5 in define_te_avtab_helper /usr/src/selinux/checkpolicy/policy_define.c:2460:28
    #2 0x41b6c8 in define_te_avtab /usr/src/selinux/checkpolicy/policy_define.c:2621:6
    #3 0x40522b in yyparse /usr/src/selinux/checkpolicy/policy_parse.y:470:10
    #4 0x411816 in read_source_policy /usr/src/selinux/checkpolicy/parse_util.c:64:6
    #5 0x7f8bd7cb3290 in __libc_start_main (/usr/lib/libc.so.6+0x20290)

SUMMARY: AddressSanitizer: 186 byte(s) leaked in 4 allocation(s).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-23 11:26:44 -05:00
Nicolas Iooss
42658e729f checkpolicy: add a missing free(id) in define_roleattribute()
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-23 11:26:40 -05:00
Nicolas Iooss
0a0d055283 checkpolicy: fix memory leaks in define_filename_trans()
When parsing type_transition statements with names, the memory allocated
by the type set bitmaps of variable stypes and ttypes was never freed.

Call type_set_destroy() to free this memory and, while at it, make the
function exits without leaking memory when exiting with an error.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-23 11:26:34 -05:00
Nicolas Iooss
aa1a8a3c84 checkpolicy: always free id in define_type()
In function define_type(), some error conditions between "id =
queue_remove(id_queue)" and "get_local_type(id, attr->s.value, 1)"
returned without freeing id. Fix theses memory leaks.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-23 11:26:30 -05:00
Nicolas Iooss
dcd135cc06 Re-link programs after libsepol.a is updated
After libsepol is modified (for example while developing new features or
fixing bugs), running "make install" in the top-level directory does not
update the programs which use libsepol.a. Add this static library to the
target dependencies in order to force their updates. This makes "make"
use libsepol.a in the linking command without using LDLIBS.

While at it, copy what commit 14d706434846 ("libselinux: Allow
overriding libsepol.a location during build") introduced in libselinux
Makefile by using a new LIBSEPOLA variable in all Makefiles.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-18 16:41:34 -05:00
Nick Kralevich
908898846a policy_define.c: don't free memory returned from queue_head()
Unlike queue_remove(), queue_head() does not modify the queue, but
rather, returns a pointer to an element within the queue. Freeing the
memory associated with a value returned from that function corrupts
subsequent users of the queue, who may try to reference this
now-deallocated memory.

This causes the following policy generation errors on Android:

  FAILED:
  out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
  /bin/bash -c "out/host/linux-x86/bin/checkpolicy -M -C -c 30 -o
  out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy_nvr.cil
  out/target/product/bullhead/obj/ETC/plat_sepolicy.cil_intermediates/plat_policy.conf"
  system/sepolicy/public/app.te:241:ERROR 'only ioctl extended permissions
  are supported' at token ';' on line 6784:
  #line 241
  } };
  checkpolicy:  error(s) encountered while parsing configuration

because the value of "id" in:

  id = queue_remove(id_queue);
  if (strcmp(id,"ioctl") == 0) {
    ...
  } else {
    yyerror("only ioctl extended permissions are supported");
    ...
  }

is now garbage.

This is a partial revert of the following commit:

  c1ba8311 checkpolicy: free id where it was leaked

Signed-off-by: Nick Kralevich <nnk@google.com>
2017-01-13 14:43:38 -05:00
Nicolas Iooss
61f760b78d checkpolicy: always include ctypes.h
The prototype of isdigit() is provided by ctypes.h header. Without
including this file, gcc fails to build checkpolicy using musl libc:

    checkpolicy.c: In function ‘main’:
    checkpolicy.c:705:8: error: implicit declaration of function
    ‘isdigit’ [-Werror=implicit-function-declaration]
        if (isdigit(ans[0])) {
            ^~~~~~~

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-09 16:00:25 -05:00
Nicolas Iooss
d7b0941eed checkpolicy: fix memory usage in define_bool_tunable()
In an error path of define_bool_tunable(), variable id is freed after
being used by a successful call to declare_symbol(). This may cause
trouble as this pointer may have been used as-is in the policy symtab
hash table.

Moreover bool_value is never freed after being used. Fix this memory
leak too. This leak has been detected with gcc Address Sanitizer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-09 15:01:33 -05:00
Nicolas Iooss
c1ba831122 checkpolicy: free id where it was leaked
Several functions in policy_define.c do not free id after handling it.
Add the missing free(id) statements.

The places where free(id) was missing were found both with gcc Address
Sanitizer and manual code inspection.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-06 13:43:21 -05:00
Nicolas Iooss
47f61b0ee9 checkpolicy: do not leak queue elements in queue_destroy()
Elements which are inserted into a queue_t object are either NULL (from
insert_separator()) or strings allocated with malloc() in insert_id().
They would be freed if there are still present in the queue when it is
destroyed. Otherwise the memory allocated for these elements would be
leaked.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-06 13:33:15 -05:00
Nicolas Iooss
6ef96094d3 checkpolicy: fix memory leaks in genfscon statements parsing
When parsing several genfscon statements for the same filesystem, the
content of local variable "fstype" is never freed. Moreover variable
"type" is never freed when define_genfs_context_helper() succeeds.

Fix these leaks by calling free() appropriately.

These leaks have been detected with gcc Address Sanitizer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-06 13:28:23 -05:00
Nicolas Iooss
da00246827 checkpolicy: free id in define_port_context()
Variable id is almost never freed in define_port_context().

This leak has been detected with gcc Address Sanitizer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2017-01-06 13:22:38 -05:00
Nicolas Iooss
1c187d797f checkpolicy: remove -lfl from LDLIBS
When building checkpolicy/test, the linker reports the following error:

    cc   dispol.o  -lfl /usr/src/selinux/DESTDIR/usr/lib/libsepol.a
    -L/usr/src/selinux/DESTDIR/usr/lib -o dispol

    /usr/lib/gcc/x86_64-pc-linux-gnu/6.2.1/../../../../lib/libfl.so:
    undefined reference to `yylex'

    collect2: error: ld returned 1 exit status

According to flex documentation
(https://github.com/westes/flex/blob/master/doc/flex.texi), -lfl is used
to provide an implementation for yywrap(). However every flex file now
uses "%option noyywrap", which makes -lfl no longer mandatory. Remove
this option from checkpolicy Makefiles.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-29 08:46:43 -05:00
Stephen Smalley
8fdb225521 libsepol,checkpolicy: convert rangetrans and filenametrans to hashtabs
range transition and name-based type transition rules were originally
simple unordered lists.  They were converted to hashtabs in the kernel
by commit 2f3e82d694d3d7a2db019db1bb63385fbc1066f3 ("selinux: convert range
transition list to a hashtab") and by commit
2463c26d50adc282d19317013ba0ff473823ca47 ("SELinux: put name based
create rules in a hashtable"), but left unchanged in libsepol and
checkpolicy. Convert libsepol and checkpolicy to use the same hashtabs
as the kernel for the range transitions and name-based type transitions.

With this change and the preceding one, it is possible to directly compare
a policy file generated by libsepol/checkpolicy and the kernel-generated
/sys/fs/selinux/policy pseudo file after normalizing them both through
checkpolicy.  To do so, you can run the following sequence of commands:

checkpolicy -M -b /etc/selinux/targeted/policy/policy.30 -o policy.1
checkpolicy -M -b /sys/fs/selinux/policy -o policy.2
cmp policy.1 policy.2

Normalizing the two files via checkpolicy is still necessary to ensure
consistent ordering of the avtab entries.  There may still be potential
for other areas of difference, e.g. xperms entries may lack a well-defined
order.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-28 13:10:59 -05:00
Stephen Smalley
49bfee8562 checkpolicy: treat -self as an error
checkpolicy wrongly handles "-self". At the least, it should handle it as
an error. At best, it should support it correctly (which would involve
libsepol support as well). At present, it looks like it will end up
negating (-) the next type/attribute in the list after self, or if
there are no entries after self, ignoring it entirely.

This originally was raised by the Android team, which wanted to support
something like the following:
neverallow domain { domain -self }:dir search;
to prohibit cross domain access to some resource but allow access within
the same domain.

This change just makes it a fatal error during compilation.
Implementing real support for -self is left as future work.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-18 11:09:38 -05:00
Stephen Smalley
7935dee8f6 Drop ChangeLog files
They can be generated as desired via git log.
No need to keep maintaining them by hand.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 12:10:58 -05:00
Stephen Smalley
b4cca24240 Update VERSION and ChangeLog files for 2.6 final release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-14 11:31:26 -04:00
Stephen Smalley
4257778f18 Update VERSION and ChangeLog files for 2.6-rc2 release.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-06 10:23:40 -04:00