Commit Graph

297 Commits

Author SHA1 Message Date
Stephen Smalley
1a17785446 Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-26 10:35:41 -04:00
William Roberts
d97cd6a203 libsepol: fix unitialized variable 'nread' on mac build
Fix this:
genusers.c:63:14: warning: variable 'nread' is uninitialized when used here [-Wuninitialized]
                if (buffer[nread - 1] == '\n')
                           ^~~~~
genusers.c:40:15: note: initialize the variable 'nread' to silence this warning
        ssize_t nread;
                     ^
                      = 0

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-26 10:32:19 -04:00
William Roberts
87c5afdad2 libsepol: fix unused variable 'len' on mac build
Fix this:
genusers.c:39:9: warning: unused variable 'len' [-Wunused-variable]
        size_t len = 0;

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-26 10:32:19 -04:00
William Roberts
e729fbe9b4 libsepol: fix unused variable 'size' on mac build
Fix this on Mac build:
genbools.c:71:9: warning: unused variable 'size' [-Wunused-variable]
        size_t size = 0;
               ^
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-26 10:32:19 -04:00
James Carter
c1d873e971 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-09-06 13:48:20 -04:00
Guido Trentalancia
e7fbb8b401 Produce more meaningful error messages when conflicting type rules are found by libsepol.
Fixes Debian bug #832331 (https://bugs.debian.org/832331).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-09-06 13:46:32 -04:00
Stephen Smalley
542b528703 Updated checkpolicy and libsepol ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-06 11:14:09 -04:00
Nicolas Iooss
2489b50a91 libsepol: make "make test" fails when a CUnit test fails
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
Nicolas Iooss
3666bd9a99 libsepol: tests: fix g_b_role_2 test
Even though g_b_role_2 is used both in
tests/policies/test-linker/small-base.conf and
tests/policies/test-linker/module1.conf, it seems to only exists in the
scope of the base policy.

This fixes the following failure of "make -C libsepol test":

    ./libsepol-tests
         CUnit - A unit testing framework for C - Version 2.1-3
         http://cunit.sourceforge.net/
    Suite: cond
      Test: cond_expr_equal ...passed
    Suite: linker
      Test: linker_indexes ...passed
      Test: linker_types ...passed
      Test: linker_roles ...sym g_b_role_2 has 1 decls, 2 expected
    FAILED
        1. test-common.c:43  - scope->decl_ids_len == len
        2. test-common.c:52  - found == 1
      Test: linker_cond ...passed
    Suite: expander
      Test: expander_indexes ...passed
      Test: expander_attr_mapping ...passed
      Test: expander_role_mapping ...passed
      Test: expander_user_mapping ...passed
      Test: expander_alias ...passed
    Suite: deps
      Test: deps_modreq_global ...passed
      Test: deps_modreq_opt ...passed
    Suite: downgrade
      Test: downgrade ...passed

    Run Summary:    Type  Total    Ran Passed Failed Inactive
                  suites      5      5    n/a      0        0
                   tests     13     13     12      1        0
                 asserts   1274   1274   1272      2      n/a

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
James Carter
0dce00d72e Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 15:14:41 -04:00
James Carter
f9927d9370 libsepol: Change which attributes CIL keeps in the binary policy
The removal of attributes that are only used in neverallow rules is
hindering AOSP adoption of the CIL compiler. This is because AOSP
extracts neverallow rules from its policy.conf for use in the Android
compatibility test suite. These neverallow rules are applied against
the binary policy being tested to check for a violation. Any neverallow
rules with an attribute that has been removed cannot be checked.

Now attributes are kept unless they are not used in any allow rule and
they are auto-generated or named "cil_gen_require" or do not have any
types associated with them.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 15:13:32 -04:00
James Carter
a0f05b307b Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 14:09:50 -04:00
William Roberts
fbf77104c3 libsepol: port str_read from kernel
Rather than duplicating the following sequence:
1. Read len from file
2. alloc up space based on 1
3. read the contents into the buffer from 2
4. null terminate the buffer from 2

Use the str_read() function that is in the kernel, which
collapses steps 2 and 4. This not only reduces redundant
code, but also has the side-affect of providing a central
check on zero_or_saturated lengths from step 1 when
generating string values.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-19 13:18:02 -04:00
William Roberts
fb0cc0cc64 libsepol: calloc all the *_to_val_structs
The usage patterns between these structures seem similair
to role_val_to_struct usages. Calloc these up to prevent
any unitialized usages.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-19 13:17:57 -04:00
James Carter
dbc6d6d596 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-17 10:10:40 -04:00
William Roberts
8673854fb8 libsepol: fix overflow and 0 length allocations
Throughout libsepol, values taken from sepolicy are used in
places where length == 0 or length == <saturated> matter,
find and fix these.

Also, correct any type mismatches noticed along the way.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:58:19 -04:00
William Roberts
02081779f3 libsepol: fix unitialized jmp and invalid dereference
When initializing role_datum_t array, initialize the array.
This corrects this issue:

==25766== Conditional jump or move depends on uninitialised value(s)
==25766==    at 0x40ABFE: context_is_valid (context.c:59)
==25766==    by 0x40AAED: policydb_context_isvalid (context.c:19)
==25766==    by 0x43CBF4: context_read_and_validate (policydb.c:1881)
==25766==    by 0x43E7B3: ocontext_read_selinux (policydb.c:2631)
==25766==    by 0x43EC4D: ocontext_read (policydb.c:2729)
==25766==    by 0x442019: policydb_read (policydb.c:3937)
==25766==    by 0x442F15: sepol_policydb_read (policydb_public.c:174)
==25766==    by 0x407ED4: init (check_seapp.c:885)
==25766==    by 0x408D83: main (check_seapp.c:1230)

Also, check for NULL when determining if a role can be associated
with a type.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:45 -04:00
William Roberts
d13bff623b libsepol: bound attr_type_map access by nprim
Correct an invalid memory access when attr_type_map array
indexing is outside of bounds.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:25 -04:00
William Roberts
305986f58c genfs_read: fix use heap-use-after-free
The newc variable is calloc'd and assigned to a new
owner during a loop. After the first assignment of newc
to newgenfs->head, the subsequent iteration could fail
before the newc is reseated with a new heap allocation
pointer. When the subsequent iteration fails, the
newc variable is freed. Later, an attempt it made to
free the same pointer assigned to newgenfs->head.

To correct this, clear newc after every loop iteration.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:12 -04:00
William Roberts
33de30a284 ebitmap: detect invalid bitmap
When count is 0 and the highbit is not zero, the ebitmap is not
valid and the internal node is not allocated. This causes issues
when routines, like mls_context_isvalid() attempt to use the
ebitmap_for_each_bit() and ebitmap_node_get_bit() as they assume
a highbit > 0 will have a node allocated.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:55:57 -04:00
William Roberts
b612314bf3 libsepol: ensure key is valid before doing search
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:55:44 -04:00
William Roberts
8b4ad4fde5 libsepol: fix invalid access of NULL on type_val_to_struct
In type_set_expand:
When nprim, the table index counter, is greater than the value of initizalized
entries in the type_val_to_struct[] array, detect this as invalid
and return an error.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:55:31 -04:00
James Carter
50d8a181e8 Updated libsepol and policycoreutils ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-09 16:16:58 -04:00
William Roberts
8e8a648e92 libsepol: fix memory leak in expand.c
ebitmap_set_bit() can possible allocate nodes, however, the bail early
style of type_set_expand() could leave internal ebitmaps allocated
but not free'd.

Modify type_set_expand() so that it free's all allocated ebitmaps
before returning the error code to the calling routine.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-09 15:55:22 -04:00
William Roberts
6e7d04ac0b libsepol: fix invalid read when policy file is corrupt
AFL Found this bug:
==6523== Invalid read of size 8
==6523==    at 0x4166B4: type_set_expand (expand.c:2508)
==6523==    by 0x43A0B8: policydb_role_cache (policydb.c:790)
==6523==    by 0x41CD70: hashtab_map (hashtab.c:235)
==6523==    by 0x43AC9E: policydb_index_others (policydb.c:1103)
==6523==    by 0x441B14: policydb_read (policydb.c:3888)
==6523==    by 0x442A1F: sepol_policydb_read (policydb_public.c:174)
==6523==    by 0x407ED4: init (check_seapp.c:885)
==6523==    by 0x408D97: main (check_seapp.c:1231)

This occurs when the type_val_to_struct[] mapping array
doesn't contain the type indicated in the ebitmap.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-09 15:55:15 -04:00
Steve Lawrence
4209c00afe Update libsepol ChangeLog
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-08-05 07:37:08 -04:00
William Roberts
ca3ec93ad0 module_to_cil: fix possible use of uninitialized value
Correct errors like these reported by gcc:

module_to_cil.c: In function ‘block_to_cil’:
module_to_cil.c:229:20: error: ‘attr_list’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  struct list_node *curr = (*attr_list)->head;

Usages of attr_list_destroy() were called when list_init()
fails.

stack_init() and stack_destroy() also suffered from the
aforementioned issue.

To correct the issue, initialize stack and list variables to
NULL.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-05 07:36:24 -04:00
Stephen Smalley
a736d9d070 Updated libsepol ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-07-28 10:52:34 -04:00
James Carter
46e157b470 libsepol/cil: Warn instead of fail if permission is not resolve
If a policy module package has been created with a policy that contains
a permission and then is used on a system without that permission CIL
will fail with an error when it cannot resolve the permission.

This will prevent the installation on policy and the user will not
know that the policy has not been installed.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-07-28 10:51:38 -04:00
James Carter
d5396d8312 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-07-26 13:43:18 -04:00
Steve Lawrence
7a137eb75f libsepol/cil: Ignore object_r in userrole mappings when creating policy binary
Commit 77779d2ca, which added support for userattributes in CIL,
accidentally removed code that ignored object_r when adding userrole
mappings to the policydb. This meant that running commands like
`semanage user -l` would incorrectly show object_r. This patch adds that
code back in. Note that CIL requires that these mappings exist to
properly validate file contexts, so pp2cil's behavior of creating these
mappings is not modified.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-07-26 13:41:43 -04:00
James Carter
77e86c0b8c Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-07-12 14:27:57 -04:00
Petr Lautrbach
747a440fdd libsepol: Add missing return to sepol_node_query()
Due to the missing return in sepol_node_query(), the function always
set *response to NULL whenever a protocol was SEPOL_PROTO_IP6

Fixes:
sudo semanage node -a -M ::1 -p ipv6 -t node_t ::1
sudo semanage node -m -M ::1 -p ipv6 -t node_t ::1
[1]    12968 segmentation fault (core dumped)  semanage node -m -M ::1 -p ipv6 -t node_t ::1

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-07-12 13:48:05 -04:00
Stephen Smalley
144b74905c Updated libsepol ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-07-01 13:04:15 -04:00
Thomas Petazzoni
0635cd495b Add missing <stdarg.h> include
Add missing <stdarg.h> include

This is needed to fix the build on uClibc, due to the usage of
va_list.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-07-01 13:02:15 -04:00
Stephen Smalley
28e92c5325 libsepol: rewrite sepol_string_to_security_class to use hashtab_search
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-20 16:28:45 -04:00
Stephen Smalley
69da2076e5 Updated libselinux and libsepol ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-20 16:24:35 -04:00
Joshua Brindle
94df3f7d24 Correctly detect unknown classes in sepol_string_to_security_class
Bail before running off the end of the class index

Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
2016-06-20 16:10:32 -04:00
James Carter
999747aa57 Updated libselinux, libsemanage, libsepol, and policycoreutils ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-06-06 13:08:17 -04:00
Laurent Bigonville
fb85e5cc95 Sort object files for deterministic linking order
This patch is part of the Debian effort to make the build reproducible

Thank to Reiner Herrmann <reiner@reiner-h.de> for the patches

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-06-06 12:52:55 -04:00
Stephen Smalley
3749315847 Updated ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-19 14:22:55 -04:00
Jeff Vander Stoep
44c359aa05 Fix neverallowxperm checking on attributes
The following test incorrectly asserts a neverallowxperm failure.

	attribute test1_attr1;
	attribute test1_attr2;
	type test1_type1, test1_attr1, test1_attr2;

	allow test1_type1 test1_attr1:socket ioctl;
	allowxperm test1_type1 test1_attr2:socket ioctl { 1 };
	neverallowxperm test1_attr1 test1_attr1:socket ioctl { 0 }

To handle attributes correctly, the neverallowxperm checking has been
modified. Now when the ioctl permission is granted on an avtab entry
that matches an avrule neverallowxperm entry, the assertion checking
first determines the matching source/target/class sets between the
avtab entry and the neverallowxperm entry. Only the matching sets are
enumerated over to determine if the neverallowed extended permissions
exist and if they are granted. This is similar to how
report_assertion_avtab_matches() reports neverallow failures.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2016-05-19 14:22:07 -04:00
Stephen Smalley
77475b2228 Updated libsepol and sepolgen ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-09 08:19:30 -04:00
Nicolas Iooss
2c2c81dcdc libsepol: remove libsepol.map when cleaning
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-05-09 08:16:05 -04:00
Nicolas Iooss
8e30f76c6d Update .gitignore files
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-05-09 08:14:54 -04:00
James Carter
65bf9ae14a Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-06 09:43:42 -04:00
James Carter
175aba387b libsepol: When generating CIL use HLL line mark for neverallows
When converting pp files to CIL or generating CIL using checkpolicy
or checkmodule use CIL's HLL line mark annotations to record the
original file and line numbers for neverallow rules so that CIL can
produce more informative error messages. (Unfortunately, the original
line number information is not saved in pp files, so there is no benefit
for policy modules.)

This is only done for neverallow rules currently.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:33:29 -04:00
James Carter
67560cc7ac libsepol/cil: Remove path field from cil_tree_node struct
Remove path field from cil_tree_node struct and all references
to it in CIL. This will reduce memory usage by 5%.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:32:07 -04:00
James Carter
46b3a55598 libsepol/cil: Replace cil_log() calls with cil_tree_log()
Replace all calls to cil_log() that print path information with a
call to cil_tree_log() which will also print information about any
high-level sources.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:23:36 -04:00
James Carter
73aac8fc1e libsepol/cil: Add cil_tree_log() and supporting functions
Provide more detailed log messages containing all relevant CIL and
high-level language source file information through cil_tree_log().

cil_tree_log() uses two new functions: cil_tree_get_next_path() and
cil_tree_get_cil_path().

cil_tree_get_next_path() traverses up the parse tree or AST until
it finds the next CIL or high-level language source information nodes.
It will return the path and whether or not the path is for a CIL file.

cil_tree_get_cil_path() uses cil_tree_get_next_path() to return
the CIL path.

Example cil_tree_log() message:
    Problem at policy.cil:21 from foo.hll:11 from bar.hll:2

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:19:45 -04:00