__cil_fill_expr() initializes 'cil_list *sub_expr' but does not destroy
it when __cil_fill_expr_helper() fails. This list is therefore leaked
when __cil_fill_expr() returns.
This occurs when secilc compiles the following policy:
(class CLASS (PERM))
(classorder (CLASS))
(sid SID)
(sidorder (SID))
(user USER)
(role ROLE)
(type TYPE)
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))
(allow TYPE self (CLASS (PERM)))
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
(categoryset cats (not (range unknown)))
This bug has been found using gcc address sanitizer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When cil_fill_cats() fails to parse an expression and destroys a
category set, it fails to reset *cats to NULL. This makes this object be
destroyed again in cil_destroy_catset().
This bug can be triggered by the following policy:
(class CLASS (PERM))
(classorder (CLASS))
(sid SID)
(sidorder (SID))
(user USER)
(role ROLE)
(type TYPE)
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))
(allow TYPE self (CLASS (PERM)))
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
(categoryset cats (range unknown))
This bug has been found by fuzzing secilc with american fuzzy lop.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This CIL policy makes secilc crash with a NULL pointer dereference:
(class CLASS (PERM))
(classorder (CLASS))
(sid SID)
(sidorder (SID))
(user USER)
(role ROLE)
(type TYPE)
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))
(allow TYPE self (CLASS (PERM)))
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
(allow . self (CLASS (PERM)))
Using "." in the allow statement makes strtok_r() return NULL in
cil_resolve_name() and this result is then used in a call to
cil_symtab_get_datum(), which is thus invalid.
Instead of crashing, make secilc fail with an error message.
This bug has been found by fuzzing secilc with american fuzzy lop.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Checkpolicy has an option to produce CIL output and is dependent on
the policydb-to-CIL conversion in libsepol for that option. Add
support for converting extended permissions to CIL so that checlpolicy
can generate CIL.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Pre-expands the role and user caches used in context validation when
conerting a cildb to a binary policydb. This is currently only done
when loading a binary policy and prevents context validation from
working correctly with a newly built policy (i.e., when semanage builds
a new policy and then runs genhomedircon).
Also adds declarations for the hashtable mapping functions used:
policydb_role_cache and policydb_user_cache().
Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
Commit 7a728e46 changed module installation so that a module pp would
be installed using its module name instead of its filename and a warning
would be printed if they were different. With this change, base modules
could no longer be installed because of the way error handling was done.
This change fixes the error handling, so that when a base module is
installed it will be installed using its filename (since it does not
have a module name).
Based on bug report by Jason Zaman
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Gentoo and Arch have pkg-config entries for "ruby-$(RUBYLIBVER)" but not
for "ruby". Check if that exists first then fall back to plain ruby if
it does not.
The ruby install paths were incorrect. Fedora 20 installed to
/usr/lib64/ruby/vendor_ruby/, Arch needs it to be vendor_ruby as well,
site_ruby does not work. Thanks to Nicolas Iooss for the correct way to
query for the path.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Reverse the sense of the -D option, from disabling setting/use of
security.restorecon_last to enabling it, making disabled the default state.
Rationale:
1) Users often use restorecon to fix labels on files whose labels are
wrong even through nothing has changed in file_contexts, e.g. after
copying/moving files to a different location. They won't expect
restorecon to suddenly stop relabeling by default because the hash of
file_contexts hasn't changed.
2) Only processes running with CAP_SYS_ADMIN can set
security.restorecon_last, so this will fail for non-root users anyway.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Provide stubs to the public boolean API that always returns -1.
On Android, boolean symbols are needed for:
external/ltrace/sysdeps/linux-gnu/trace.c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Fixes bug found by Nicolas Iooss as described below in the way suggested by Steve Lawrence.
Nicolass reported:
When compiling a CIL policy with more than 32 items in a class (e.g. in
(class capability (chown ...)) with many items),
cil_classorder_to_policydb() overflows perm_value_to_cil[class_index]
array. As this array is allocated on the heap through
calloc(PERMS_PER_CLASS+1, sizeof(...)), this makes secilc crash with the
following message:
*** Error in `/usr/bin/secilc': double free or corruption (!prev): 0x000000000062be80 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x70c4b)[0x7ffff76a7c4b]
/usr/lib/libc.so.6(+0x76fe6)[0x7ffff76adfe6]
/usr/lib/libc.so.6(+0x777de)[0x7ffff76ae7de]
/lib/libsepol.so.1(+0x14fbda)[0x7ffff7b24bda]
/lib/libsepol.so.1(+0x152db8)[0x7ffff7b27db8]
/lib/libsepol.so.1(cil_build_policydb+0x63)[0x7ffff7af8723]
/usr/bin/secilc[0x40273b]
/usr/lib/libc.so.6(__libc_start_main+0xf1)[0x7ffff7657291]
/usr/bin/secilc[0x402f7a]
This bug has been found by fuzzing secilc with american fuzzy lop.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Commit 915fa8f08f moves the xperm specified value directly from
avrule to avtab. The mapping between them is currently the same,
but may not always be. Instead these values should be mapped using
values defined in av_extended_perms_t and avtab_extended_perms_t.
Fixes: 915fa8f08f ("checkpolicy: switch operations to extended perms")
Change-Id: Ic9f4031c9381b2ff6cc46043fb1602758ef4c224
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
A mispelling in the Makefile in the root directory prevented "make
distclean" to go into subdirectories.
In libsemanage/src/, semanageswig_python_exception.i was not cleaned by
"make distclean" because the target did not use $(GENERATED) and this
variable was being redefined in the Makefile.
Fix these two bugs.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Commit f1352e7399 ("policycoreutils: setfiles - Utility to find
security.restorecon_last entries") introduced restorecon_xattr binary
without adding it to .gitignore.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Android label back ends are now configurable by NO_ANDROID_BACKEND,
which is set if on ANDROID_HOST != y.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
We use the same lookup function for service contexts
that we use for property contexts. However, property
contexts are namespace based and only compare the
prefix. This may lead to service associations with
a wrong label.
This patch introduces a new back end for android
services with a stricter lookup function. Now the
service name must match the key of the service label
exactly.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
Change the default build behavior to always use DISABLE_RPM.
To get the old behavior call make with DISABLE_RPM=n.
eg.)
make DISABLE_RPM=n
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Change EMFLAGS variable, used for setting additional CFLAGS
to DISABLE_FLAGS, to indicate its usage better.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building for Android, this error manifests itself:
label_file.c:570:7: error: unused variable ‘subs_file’ [-Werror=unused-variable]
char subs_file[PATH_MAX + 1];
Fix it by moving the variable into the ifdef'd usage block.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
The "-r" flag of sefcontext_compile now causes it to omit the
precompiled regular expressions from the output.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
Adds the "-i" flag, which prints the version and
architecture identifier of the regular expression back end.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
Serialized precompiled regular expressins are architecture
dependent when using PCRE2. This patch
- bumps the SELINUX_COMPILED_FCONTEXT version to 5 and
- adds a field to the output indicating the architecture
compatibility.
libselinux can cope with an architecture mismatch by
ignoring the precompiled data in the input file and recompiling
the regular expressions at runtime. It can also load older
versions of file_contexts.bin if they where built with
sefcontext_compile using the exact same version of the
pcre1/2 as selinux.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
