Handle the case where either separated trailing input is empty or
non-existent by initializing the size to 0 and only calling related code
on non-zero size.
Fixes: 8997f543 ("libselinux: add selabel_file(5) fuzzer")
Reported-by: oss-fuzz (issue 388319478)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Free the hashtable for nlmsg xperm rules similar to the ioctl hashtable.
Fixes: 1fd41f48 ("libsepol/cil: add support for xperms in conditional policies")
Reported-by: oss-fuzz (issue 388376332)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Update the fuzzers for the input number parameter addition.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Prior to the recent selabel_file(5) rework, regular expressions for a
certain stem were matched in the order given by the input.
The Reference and Fedora Policy as well as CIL and libsemanage pre-sort
the file context definitions based on the prefix stem length, so this
ordering was adopted.
Do not alter the order of the regex specifications given by the input,
and search for matches on regex specifications in parent nodes, which
might contain specifications defined later in the source file.
This restores backward compatibility, especially for Android.
Reported-by: Takaya Saeki <takayas@chromium.org>
Closes: https://lore.kernel.org/selinux/CAH9xa6eFO6BNeGko90bsq8CuDba9eO+qdDoF+7zfyAUHEDpH9g@mail.gmail.com/
Fixes: 92306da ("libselinux: rework selabel_file(5) database")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Mute error messages produced by selinux_restorecon when rebuilding the
policy store to avoid error messages in containers, image mode, etc.
Fixes:
#podman build --security-opt=label=disable --cap-add=all --device /dev/fuse -t quay.io/jlebon/fedora-bootc:tier-x . --build-arg MANIFEST=fedora-tier-x.yaml --from quay.io/fedora/fedora:rawhide
...
Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas/lang_ext: Operation not supported
Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas: Operation not supported
Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/cil: Operation not supported
Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/hll: Operation not supported
...
https://bugzilla.redhat.com/show_bug.cgi?id=2326348
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Commit 89dd0b23 ("libselinux: avoid memory allocation in common file
label lookup") added an additional parameter to lookup_all() for an
optional buffer the return value might be placed into. Update the
fuzzing related code accordingly.
Fixes: 89dd0b23 ("libselinux: avoid memory allocation in common file label lookup")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The concatenation of the multi-line error messages misses a separating
space between the boundary words.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Maintains the type signature of the existing matchpathcon_filespec_add()
entry point on 32-bit archs but maps the API to a new
matchpathcon_filespec_add64() entry point that takes a 64-bit ino_t argument
instead.
Software on 32-bit Linux ports which historically use a 32-bit time_t (thus
affected by the y2038 problem) have, as a precondition of migrating to
64-bit time_t, that they also migrate to large filesystem support because
glibc does not provide entry points for the cross-product of
(LFS: yes, LFS: no) x (time_t: 32, time_t: 64).
In order to support smooth migration of such operating systems from 32-bit
time_t to 64-bit time_t, it is useful for libselinux to:
- provide entry points on 32-bit systems for both LFS and non-LFS variants
of the API (as glibc itself does)
- use LFS internally for all filesystem calls (just in case)
- map the API call to the correct implementation based on the build
environment of the caller.
Signed-off-by: Steve Langasek <steve.langasek@canonical.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When a file name in a type transition rule used in an interface is the
same as a keyword, it needs to be M4-escaped so that the keyword is not
expanded by M4, e.g.
- filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, "interface")
+ filetrans_pattern($1, virt_var_run_t, virtinterfaced_var_run_t, dir, ``"interface"'')
But sepolgen-ifgen could not parse such a string:
# sepolgen-ifgen
Illegal character '`'
This change allows M4 escaping inside quoted strings and fixes the
described problem.
https://bugzilla.redhat.com/show_bug.cgi?id=2254206
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
The two asserts following qsort(3) were useful during development to
ensure the comparison function and the corresponding pointer handling
were correct. They however do not take into account an empty file
context definition file containing no definitions and thus `stab->nel`
being NULL. Drop the two asserts.
Also return early to not depend on whether calloc(3) called with a size
of zero returns NULL or a special value.
Reported-by: Petr Lautrbach <lautrbach@redhat.com>
Closes: https://lore.kernel.org/selinux/87jzchqck5.fsf@redhat.com/
Fixes: 92306daf ("libselinux: rework selabel_file(5) database")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Tested-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Drop the host bits in the IPV6 address defined via a CIDR notation in
define_ipv6_cidr_node_context(), similar to
define_ipv4_cidr_node_context(). Otherwise the kernel will never match
this entry since the host bits from the actual address will be zeroed
before comparison, see
security/selinux/ss/services.c:match_ipv6_addrmask().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use struct initialization with designators to skip unnecessary memset(3)
calls. Since libsepol is not a security boundary uninitialized padding
is not a concern.
Also drop the dead assignment of a region to be free'd in the next line.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Instead of returning directly goto the err label, which prints a message
and closes the opened file stream.
Found by clang-analyzer.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Instead of using asprintf(3) and heavy string formatting just manually
concatenate the substitution string.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Utilize cache locality for the substitutions by storing them in
contiguous memory instead of a linked list.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Remove a memory allocation during a common file label lookup,
e.g. requested by restorecon(8)/setfiles(8), by using a local stack
buffer for a potential lookup result.
Additional minor optimization tweaks.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
If CFLAGS set by the user contains the warnings override
`-Wno-error=implicit-function-declaration` the availability check does
not work properly. Explicitly enable and treat this warning as a failure
by appending the appropriate flag.
Also include CPPFLAGS in the check.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
If CFLAGS set by the user contains the warnings override
`-Wno-error=implicit-function-declaration` the availability check does
not work properly. Explicitly enable and treat this warning as a failure
by appending the appropriate flag.
Also include CPPFLAGS in the check.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When building libselinux from its own directory GCC complains about the
two functions free_spec_node() and sort_spec_node(), which are not tiny
and also recursive.
In file included from label_file.c:27:
In function ‘load_mmap’,
inlined from ‘process_file’ at label_file.c:1106:9:
label_file.h:816:20: error: inlining failed in call to ‘free_spec_node’: --param max-inline-insns-single limit reached [-Werror=inline]
816 | static inline void free_spec_node(struct spec_node *node)
| ^~~~~~~~~~~~~~
label_file.c:899:17: note: called from here
899 | free_spec_node(data->root);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
label_file.h:816:20: error: inlining failed in call to ‘free_spec_node’: --param max-inline-insns-single limit reached [-Werror=inline]
816 | static inline void free_spec_node(struct spec_node *node)
| ^~~~~~~~~~~~~~
label_file.c:908:17: note: called from here
908 | free_spec_node(root);
| ^~~~~~~~~~~~~~~~~~~~
In function ‘sort_specs’,
inlined from ‘init’ at label_file.c:1350:3:
label_file.h:404:20: error: inlining failed in call to ‘sort_spec_node’: --param max-inline-insns-single limit reached [-Werror=inline]
404 | static inline void sort_spec_node(struct spec_node *node, struct spec_node *parent)
| ^~~~~~~~~~~~~~
label_file.h:433:9: note: called from here
433 | sort_spec_node(data->root, NULL);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘sort_specs’,
inlined from ‘init’ at label_file.c:1370:3:
label_file.h:404:20: error: inlining failed in call to ‘sort_spec_node’: --param max-inline-insns-single limit reached [-Werror=inline]
404 | static inline void sort_spec_node(struct spec_node *node, struct spec_node *parent)
| ^~~~~~~~~~~~~~
label_file.h:433:9: note: called from here
433 | sort_spec_node(data->root, NULL);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 92306daf ("libselinux: rework selabel_file(5) database")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
openattr() supplies the implementation for the getcon(3) interface
family. Use a short local buffer instead of descending into memory
allocation.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use calloc(3) instead of calling malloc(3) plus a call to memset(3) or
manual zero'ing.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Consider paths with the prefix /usr for shells by including them in the
list of fallback default shells and by extending the check for a nologin
shell.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
For example, Fedora contains the following default configuration:
[sefcontext_compile]
path = /usr/sbin/sefcontext_compile
args = -r $@
[end]
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Fedora is setting optimize-policy to 1 by default, and there seem to be
no bugs related to policy optimizations so far.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Instead of checking if a file to be deleted exists, just try to delete
it and ignore any error for it not existing in the first place.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Check that closing a file that has been written to is successful, to
avoid potential unsuccessful writes/syncs.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Close internal managed file descriptors in case of a concurrent execve.
Also avoid leaking file descriptors in get_shell_list().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
* Explicitly mark unused function parameters and drop compiler warning
override
* Move declaration of `semanage_handle_t *sh` from individual source
files to utilities.h, since it is defined in utilities.c
* Declare file local variables static
* Drop unused macros
* Avoid casts dropping const qualifier
* Avoid usage of reserved identifier names (leading underscores)
* Silence UBSAN underflow warning by adding explicit cast
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
UBSAN triggers if the first argument of qsort(3) is NULL, even if the
associated passed size is 0 and thus no actual dereference will happen.
Sort only arrays with at least two elements.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The client application might have redirected the error output via
semanage_msg_set_callback(3), so use the logging macros.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use the %m printf modifier to format errno in a thread safe way.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The variable num_modules has already been dereferenced before the NULL
check, and also the code is identical for each condition outcome.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
It's unlikely any input will ever be bigger than 4G, but avoid any
potential truncation regardless.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use size_t for sizes and align miscellaneous type mismatches.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Function pointer casts are strictly speaking undefined behavior.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Simplify the loop condition and make the loop exit more explicit to
avoid static analyzers reporting a potential uninitialized variable.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Declare the read-only function pointer structures.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Be more strict when parsing values from semanage.conf, especially
numeric ones.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
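The commit above asks for stricter parsing of semanage.conf values, numeric ones in particular. The following added example is not libsemanage code; the helpers parse_uint_strict(), conf_value(), conf_flag() and strict_value() are assumptions written for illustration, and the sample lines are constructed. It shows the checks a strict parser needs that a bare atoi(3) or strtol(3) call silently skips: a sign or leading whitespace, trailing characters, overflow (ERANGE) and values outside the permitted range. The `optimize-policy` key is used because it appears in this page; the `expand-check` line is only a constructed mismatching key.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strictly parse s as an unsigned decimal integer in [0, max]: no sign,
 * no surrounding whitespace, no trailing characters, no overflow. */
static bool parse_uint_strict(const char *s, unsigned long max, unsigned long *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || !isdigit((unsigned char)s[0]))
        return false;               /* rejects "", "+1", "-1", " 1" */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > max)
        return false;               /* rejects overflow, "1x", "1 ", out of range */
    *out = v;
    return true;
}

/* Convenience wrapper returning -1 for rejected input (for tests/printing). */
static long long strict_value(const char *s, unsigned long max)
{
    unsigned long v;

    return parse_uint_strict(s, max, &v) ? (long long)v : -1;
}

/* Extract the value of a "key = value" configuration line, trimming
 * whitespace around key and value. Returns false if the key differs or the
 * value does not fit into val. */
static bool conf_value(const char *line, const char *key, char *val, size_t val_size)
{
    const char *eq, *k_end, *v, *v_end;
    size_t klen, vlen;

    while (isspace((unsigned char)*line))
        line++;
    eq = strchr(line, '=');
    if (eq == NULL)
        return false;
    k_end = eq;
    while (k_end > line && isspace((unsigned char)k_end[-1]))
        k_end--;
    klen = (size_t)(k_end - line);
    if (klen != strlen(key) || strncmp(line, key, klen) != 0)
        return false;
    v = eq + 1;
    while (isspace((unsigned char)*v))
        v++;
    v_end = v + strlen(v);
    while (v_end > v && isspace((unsigned char)v_end[-1]))
        v_end--;                    /* also strips a trailing newline */
    vlen = (size_t)(v_end - v);
    if (vlen >= val_size)
        return false;
    memcpy(val, v, vlen);
    val[vlen] = '\0';
    return true;
}

/* Parse a 0/1 option; returns -1 on a missing key or malformed value
 * instead of silently falling back to 0. */
static int conf_flag(const char *line, const char *key)
{
    char val[32];
    unsigned long v;

    if (!conf_value(line, key, val, sizeof val))
        return -1;
    if (!parse_uint_strict(val, 1, &v))
        return -1;
    return (int)v;
}

int main(void)
{
    /* Constructed semanage.conf lines, valid and invalid. */
    const char *lines[] = {
        "optimize-policy = 1", "optimize-policy=0\n", "optimize-policy = 1x",
        "optimize-policy = -1", "optimize-policy = 2", "optimize-policy = ",
        "optimize-policy = 99999999999999999999999999", "expand-check = 1",
    };

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-45s -> %d\n", lines[i], conf_flag(lines[i], "optimize-policy"));
    return 0;
}
```

Rejecting rather than coercing is the point: a value such as `1x` or `-1` indicates a typo or a hostile file, and the caller is better served by an error than by whatever atoi(3) would have returned.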
write(2) can return early with the input buffer only partially written.
Add a wrapper to call write(2) until the full buffer has been written or
an error has occurred.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
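The last commit above adds a wrapper that retries write(2) until the whole buffer is out, and an earlier one on this page (checking that closing a written file succeeds) covers the other half of the same failure mode. The following added example is not libsemanage code; full_write_with(), full_write(), short_writer() and the demo functions are assumptions written for illustration. The loop is parameterised over the write function so that a constructed test double, which never accepts more than three bytes per call, can prove that short writes are actually reassembled; the real write(2) path then round-trips a message through a temporary file and checks the fclose(3) result as well.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

typedef ssize_t (*write_fn)(int fd, const void *buf, size_t count);

/* Call w() until len bytes have been written. Returns 0 on success and -1
 * with errno set on failure. EINTR is retried; a zero-byte return is
 * reported as EIO so the loop cannot spin forever. */
static int full_write_with(write_fn w, int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;

    while (len > 0) {
        ssize_t n = w(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0) {
            errno = EIO;
            return -1;
        }
        p += (size_t)n;
        len -= (size_t)n;
    }
    return 0;
}

/* Production variant bound to write(2). */
static int full_write(int fd, const void *buf, size_t len)
{
    return full_write_with(write, fd, buf, len);
}

/* Test double standing in for a write(2) that only accepts three bytes
 * per call, writing into a constructed in-memory sink. */
static unsigned char sink[64];
static size_t sink_len;
static unsigned int short_calls;

static ssize_t short_writer(int fd, const void *buf, size_t count)
{
    size_t n = count > 3 ? 3 : count;

    (void)fd;
    if (sink_len + n > sizeof sink) {
        errno = ENOSPC;
        return -1;
    }
    memcpy(sink + sink_len, buf, n);
    sink_len += n;
    short_calls++;
    return (ssize_t)n;
}

/* Number of short writes needed to store msg completely, or -1 on error
 * (errno is left as set by the failing writer). */
static int demo_short_writes(const char *msg)
{
    sink_len = 0;
    short_calls = 0;
    if (full_write_with(short_writer, -1, msg, strlen(msg)) != 0)
        return -1;
    if (sink_len != strlen(msg) || memcmp(sink, msg, sink_len) != 0)
        return -1;
    return (int)short_calls;
}

/* A message larger than the sink must fail with ENOSPC, not be truncated. */
static bool demo_sink_overflow(void)
{
    char big[sizeof sink + 6];

    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return demo_short_writes(big) == -1 && errno == ENOSPC;
}

/* Real write(2) into a temporary file, read back and compared; fclose(3)
 * is checked too, since a failing close can still lose the data. */
static bool demo_tmpfile_roundtrip(const char *msg)
{
    FILE *fp = tmpfile();
    char back[128];
    size_t len = strlen(msg);
    bool ok;

    if (fp == NULL || len >= sizeof back)
        return false;
    if (full_write(fileno(fp), msg, len) != 0) {
        fclose(fp);
        return false;
    }
    ok = lseek(fileno(fp), 0, SEEK_SET) == 0
         && read(fileno(fp), back, len) == (ssize_t)len
         && memcmp(back, msg, len) == 0;
    if (fclose(fp) != 0)
        ok = false;
    return ok;
}

int main(void)
{
    printf("short writes for 11 bytes: %d\n", demo_short_writes("hello world"));
    printf("oversized message rejected: %s\n", demo_sink_overflow() ? "yes" : "no");
    printf("tmpfile round trip: %s\n", demo_tmpfile_roundtrip("setfiles wrote this") ? "ok" : "FAILED");
    return 0;
}
```

Injecting the writer is what makes the retry loop testable at all: with the real write(2) a short write on a regular file is rare, so a wrapper that mishandles the partial case would pass every ordinary run and only fail on a full disk, a signal, or a pipe.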