Commit Graph

310 Commits

Author SHA1 Message Date
Vit Mojzis 1d33c911f5 checkpolicy: Improve error message for type bounds
Make the error message consistent with other occurrences of the
same issue:
https://github.com/SELinuxProject/selinux/blob/master/checkpolicy/module_compiler.c#L243
https://github.com/SELinuxProject/selinux/blob/master/checkpolicy/module_compiler.c#L488

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-12-16 16:29:55 -05:00
Christian Göttsche aaaed69911 checkpolicy: simplify string copying
Use strdup(3) instead of allocating memory and then manually copying the
content.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-11-21 14:30:06 -05:00
Paul Moore a0a216ff7d docs: provide a top level LICENSE file
Provide a top level LICENSE file explaining how multiple the SELinux
userspace is released under multiple different licenses.  Also ensure
that all the different license files share a consistent file name,
LICENSE, to make it easier for people to identify the license files.

This is to help meet the OpenSSF Best Practices requirements.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2022-10-05 08:20:38 -04:00
Juraj Marcin c916f0884b checkpolicy: avoid passing NULL pointer to memset()
Function `class_perm_node_init()` is called with `dest_perms` before it
is checked that its allocation succeeded. If the allocation fails, then
a NULL pointer is passed to `memset()` inside the
`class_perm_node_init()` function.

Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
2022-09-01 09:27:01 -04:00
Christian Göttsche 2a9c619b5f checkpolicy: use strict function prototype for definitions
Clang 15 starts to complain about non strict function definitions:

    policy_define.c:4907:30: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
    int define_devicetree_context()
                                 ^
                                  void
    policy_define.c:5298:29: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
    int define_ipv4_node_context()
                                ^
                                 void

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-15 08:46:41 -04:00
Christian Göttsche 25e9c91a8b checkpolicy: error out if required permission would exceed limit
A require statement for a class permission adds that permission to the
class representation for the current module.  In case the resulting
class would have more than the supported amount of 32 permissions
assigned the resulting binary module will fail to load at link-time
without an informative error message (since [1]).

Bail out if adding a permission would result in a class having more than
the supported amount of 32 permissions assigned.

[1]: 97af65f696

Closes: https://github.com/SELinuxProject/selinux/issues/356
Reported-by: Julie Pichon
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-21 15:20:58 +02:00
Petr Lautrbach 0a8c177dac
Update VERSIONs to 3.4 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-05-18 16:51:03 +02:00
Ondrej Mosnacek 9e096e6ef0 libsepol,checkpolicy: add support for self keyword in type transitions
With the addition of the anon_inode class in the kernel, 'self'
transition rules became useful, but haven't been implemented.

The typetransition, typemember, and typechange statements share the
relevant code, so this patch implements the self keyword in all of them
at the TE language level and adds the support to the module policydb
format. Note that changing the kernel policydb format is not necessary
at all, as type transitions are always expanded in the kernel policydb.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:37:17 -04:00
Petr Lautrbach 9df28c241a
Update VERSIONs to 3.4-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-05-04 19:20:37 +02:00
Christian Göttsche 5645f803e1 checkpolicy: mention class name on invalid permission
When a permission for a constraint statement cannot be found also
mention the related class name.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-05-04 15:12:04 +02:00
Petr Lautrbach 2a167d1156
Update VERSIONs to 3.4-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-04-20 21:48:57 +02:00
Petr Lautrbach 73562de8fc
Update VERSIONs to 3.4-rc1 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-04-06 19:53:39 +02:00
Thiébaud Weksteen c900816e93 libsepol: Populate and use policy name
When an assertion fails, the error message refers to a generic
"policy.conf" file. When parsing a policy in checkpolicy, populate its
name using the original filename (source_filename is still build using
the #line directives within the policy).

Signed-off-by: Thiébaud Weksteen <tweek@google.com>
[Merge conflicts fixed by: James Carter <jwcart2@gmail.com>]
Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:44:46 -05:00
Christian Göttsche 4be0e2e19c checkpolicy: allow wildcard permissions in constraints
Allow all and complement permission sets in constraints, e.g.:

    constrain service ~ { status } (...);
    constrain service * (...);

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-02-18 14:48:57 -05:00
Christian Göttsche 01b88ac323 checkpolicy: warn on bogus IP address or netmask in nodecon statement
Warn if the netmask is not contiguous or the address has host bits set,
e.g.:

    127.0.0.0 255.255.245.0
    127.0.0.1 255.255.255.0

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-12-15 12:47:22 -05:00
Christian Göttsche 8a8275a5ac checkpolicy: ignore possible string truncation
The source code line content, saved to improve error reporting, might
get truncated, as the current Bison source buffer is 8192 bytes long and
only 254 bytes (plus NUL-terminator) are reserved.
As the saved string is only used for improving error reports and source
lines longer than 254 character are quite uncommon, simply silence the
GCC warning.

    In file included from /usr/include/string.h:519,
                     from lex.yy.c:20:
    In function ‘strncpy’,
        inlined from ‘yylex’ at policy_scan.l:63:7:
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:91:10: warning: ‘__builtin_strncpy’ output may be truncated copying 255 bytes from a string of length 8190 [-Wstringop-truncation]
       91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
          |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche cc671d6a5e checkpolicy: use correct unsigned format specifiers
The two variables policydb_lineno and source_lineno are both of the type
unsigned long; use the appropriate format specifier.

Found by Cppcheck

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Petr Lautrbach 7f600c40bc
Update VERSIONs to 3.3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-10-21 16:31:23 +02:00
James Carter ce815bd11b checkpolicy: Fix potential undefined shifts
An expression of the form "1 << x" is undefined if x == 31 because
the "1" is an int and cannot be left shifted by 31.

Instead, use "UINT32_C(1) << x" which will be an unsigned int of
at least 32 bits.

Signed-off-by: James Carter <jwcart2@gmail.com>
2021-10-12 13:44:55 -04:00
Petr Lautrbach 5319c49d8a
Update VERSIONs to 3.3-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-10-06 13:28:15 +02:00
Christian Göttsche eac7fb001a checkpolicy: delay down-cast to avoid align warning
Delay the down-cast from hashtab_datum_t, alias void*, to the actual
type once its kind has been determined.

    module_compiler.c:174:19: warning: cast from 'symtab_datum_t *' (aka 'struct symtab_datum *') to 'level_datum_t *' (aka 'struct level_datum *') increases required alignment from 4 to 8 [-Wcast-align]
                            *dest_value = ((level_datum_t *)s)->level->sens;
                                           ^~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:18 -04:00
Christian Göttsche 44ed3074bb checkpolicy: drop incorrect cast
The function require_symbol takes the type hashtab_datum_t (alias void*)
as third argument. Do not cast to hashtab_datum_t* alias void**. Since
explicit casting to void* is unnecessary, drop the casts.

    module_compiler.c:1002:36: warning: cast from 'cond_bool_datum_t *' (aka 'struct cond_bool_datum *') to 'hashtab_datum_t *' (aka 'void **') increases required alignment from 4 to 8 [-Wcast-align]
                require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
                                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    module_compiler.c:1092:40: warning: cast from 'cat_datum_t *' (aka 'struct cat_datum *') to 'hashtab_datum_t *' (aka 'void **') increases required alignment from 4 to 8 [-Wcast-align]
            retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
                                                  ^~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:15 -04:00
Christian Göttsche 7a1c7e7a82 checkpolicy: update documentation
Add missing command-line arguments to synopsis and highlight mentions of
other tools in man pages.

Add missing space between arguments in help message.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:12 -04:00
Christian Göttsche e32809155b checkpolicy: print reason of fopen failure
Print the reason why opening a source policy file failed, e.g:

    checkpolicy:  unable to open policy.conf:  No such file or directory

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:10 -04:00
Christian Göttsche 3d27e5a410 checkpolicy: policy_define: cleanup declarations
The variable curfile is nowhere used.

Static functions do not need to be forward declared if not used before
their definition.

The error buffer errormsg can be a simple scoped variable. Also
vsnprintf(3) always NUL-terminates the buffer, so the whole length can
be passed.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:07 -04:00
Petr Lautrbach 0b833973bf
Update VERSIONs to 3.3-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-22 17:14:25 +02:00
Christian Göttsche a0a342c37b checkpolicy: free extended permission memory
define_te_avtab_xperms_helper() allocates memory for the avrule, while
define_te_avtab_ioctl() does not transfer any ownership of it.
Free the affected memory.

    Direct leak of 272 byte(s) in 2 object(s) allocated from:
        #0 0x49bb8d in __interceptor_malloc (./checkpolicy/checkmodule+0x49bb8d)
        #1 0x4f379c in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2047:24
        #2 0x4f379c in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2469:6
        #3 0x4cf417 in yyparse ./checkpolicy/policy_parse.y:494:30
        #4 0x4eaf35 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #5 0x50cccd in main ./checkpolicy/checkmodule.c:278:7
        #6 0x7fbfa455ce49 in __libc_start_main csu/../csu/libc-start.c:314:16

    Direct leak of 32 byte(s) in 2 object(s) allocated from:
        #0 0x49bb8d in __interceptor_malloc (./checkpolicy/checkmodule+0x49bb8d)
        #1 0x4f4a38 in avrule_sort_ioctls ./checkpolicy/policy_define.c:1844:12
        #2 0x4f4a38 in avrule_ioctl_ranges ./checkpolicy/policy_define.c:2021:6
        #3 0x4f4a38 in define_te_avtab_ioctl ./checkpolicy/policy_define.c:2399:6
        #4 0x4f4a38 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2475:7
        #5 0x4cf417 in yyparse ./checkpolicy/policy_parse.y:494:30
        #6 0x4eaf35 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #7 0x50cccd in main ./checkpolicy/checkmodule.c:278:7
        #8 0x7fbfa455ce49 in __libc_start_main csu/../csu/libc-start.c:314:16

Reported-by: liwugang <liwugang@163.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:42 -04:00
Christian Göttsche ba18cf0cdf checkpolicy: print warning on source line overflow
In case the source line value overflows or has a too big value in the
source policy print a warning.

    policy_scan.l:273:19: runtime error: implicit conversion from type 'int' of value -2 (32-bit, signed) to type 'unsigned long' changed the value to 18446744073709551614 (64-bit, unsigned)
    policy_scan.l:66:20: runtime error: unsigned integer overflow: 18446744073709551615 + 1 cannot be represented in type 'unsigned long'

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:37 -04:00
Christian Göttsche 15fcc6df66 checkpolicy: error out on parsing too big integers
Error out instead of silently converting too big integer values in
policy sources.

    policy_parse.y:893:41: runtime error: implicit conversion from type 'unsigned long' of value 18446744073709551615 (64-bit, unsigned) to type 'unsigned int' changed the value to 4294967295 (32-bit, unsigned)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:33 -04:00
Christian Göttsche c7c582a0ef checkpolicy: avoid implicit conversion
Avoid implicit conversions from signed to unsigned values, found by
UB sanitizers, by using unsigned values in the first place.

    dismod.c:92:42: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:27 -04:00
Christian Göttsche 16d7dde41c checkpolicy: resolve dismod memory leaks
Example leak:

    Indirect leak of 4 byte(s) in 1 object(s) allocated from:
        #0 0x49bacd in __interceptor_malloc (./checkpolicy/test/dismod+0x49bacd)
        #1 0x58ae54 in add_i_to_a ./libsepol/src/util.c:55:21
        #2 0x53ea8e in symtab_insert ./libsepol/src/policydb.c:1729:6
        #3 0x536252 in roles_init ./libsepol/src/policydb.c:772:7
        #4 0x536252 in policydb_init ./libsepol/src/policydb.c:892:7
        #5 0x562ff1 in sepol_policydb_create ./libsepol/src/policydb_public.c:69:6
        #6 0x521a7c in module_package_init ./libsepol/src/module.c:96:6
        #7 0x521a7c in sepol_module_package_create ./libsepol/src/module.c:126:7
        #8 0x4cfb80 in read_policy ./checkpolicy/test/dismod.c:750:7
        #9 0x4cda10 in main ./checkpolicy/test/dismod.c:878:6
        #10 0x7f8538d01e49 in __libc_start_main csu/../csu/libc-start.c:314:16

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:20 -04:00
Christian Göttsche e6bab7bf45 checkpolicy: add missing function declarations
Ideally they should be declared in the corresponding header file, but
the overall include style in the checkpolicy code is quite messy.
Declare them for now in the source file before defining them to silence
related compiler warnings:

    policy_define.c:84:6: error: no previous prototype for function 'init_parser' [-Werror,-Wmissing-prototypes]
    void init_parser(int pass_number)
         ^
    policy_define.c:93:6: error: no previous prototype for function 'yyerror2' [-Werror,-Wmissing-prototypes]
    void yyerror2(const char *fmt, ...)
         ^

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:09 -04:00
Christian Göttsche 5c376d6db1 checkpolicy: mark file local functions in policy_define static
Also remove the unused function `avrule_ioctl_freeranges()`.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:00 -04:00
Christian Göttsche 6388cfe7f3 checkpolicy: mark read-only parameters in module compiler const
Make it more obvious which parameters are read-only and not being
modified and allow callers to pass const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:13:58 -04:00
Christian Göttsche 9eebc4b731 checkpolicy: misc checkpolicy tweaks
Add missing argument in usage message.
Drop redundant includes `optarg` and `optind`, which are declared in
<getopt.h>.
Mark file local functions static.
Drop unused function declaration.

Check closing file streams after writing, which can signal a failed
write or sync to disk and should be checked.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:13:54 -04:00
Christian Göttsche 9696bb5449 checkpolicy: misc checkmodule tweaks
Add missing argument in usage message.
Drop redundant includes `optarg` and `optind`, which are declared in
<getopt.h>.
Use consistent quit style by using `exit(1)`.
Mark read-only options struct const.
Check closing file streams after writing, which can signal a failed
write or sync to disk and should be checked.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:13:51 -04:00
Christian Göttsche 5570c2e394 checkpolicy: enclose macro argument in parentheses
Found by clang-tidy

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:13:48 -04:00
Petr Lautrbach 38cb18e931 Update VERSIONs and Python bindings version to 3.3-rc1 for release
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-08 09:49:46 +02:00
Christian Göttsche 1711757378
checkpolicy: mark read-only parameters in policy define const
Make it more obvious which parameters are read-only and not being
modified and allow callers to pass const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:10 +02:00
Christian Göttsche b306cd5b90
checkpolicy/test: mark file local functions static
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:09 +02:00
Christian Göttsche 47f4cbd357
checkpolicy: parse_util drop unused declaration
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:09 +02:00
Christian Göttsche 4e3d0990c6
checkpolicy: drop redundant cast to the same type
Found by clang-tidy.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:09 +02:00
Christian Göttsche 5218bf4b26
checkpolicy: avoid potential use of uninitialized variable
checkpolicy.c: In function ‘main’:
    checkpolicy.c:1000:25: error: ‘tsid’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
     1000 |                         printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
          |                         ^

    checkpolicy.c: In function ‘main’:
    checkpolicy.c:971:25: error: ‘tsid’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
      971 |                         printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
          |                         ^

Found by GCC 11 with LTO enabled.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:09 +02:00
Christian Göttsche 5a10f05f53
checkpolicy: check before potential NULL dereference
policy_define.c: In function ‘define_te_avtab_extended_perms’:
    policy_define.c:1946:17: error: potential null pointer dereference [-Werror=null-dereference]
     1946 |         r->omit = omit;
          |                 ^

In the case of `r` being NULL, avrule_read_ioctls() would return
with its parameter `rangehead` being a pointer to NULL, which is
considered a failure in its caller `avrule_ioctl_ranges`.
So it is not necessary to alter the return value.

Found by GCC 11 with LTO enabled.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:08 +02:00
Christian Göttsche 7723180fa0
checkpolicy: remove dead assignments
The variable `cladatum` is otherwise always assigned before used, so
these two assignments without a follow up usages are not needed.

Found by clang-analyzer.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:08 +02:00
Christian Göttsche 79e7724930
checkpolicy: follow declaration-after-statement
Follow the project style of no declaration after statement.

Found by the GCC warning -Wdeclaration-after-statement.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:07 +02:00
Christian Göttsche babc3d5351
checkpolicy: use correct format specifier for unsigned
test/dispol.c:288:4: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
       snprintf(buf, sizeof(buf), "unknown (%d)", i);
       ^
    test/dismod.c:830:4: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
       snprintf(buf, sizeof(buf), "unknown (%d)", i);
       ^

Found by Cppcheck.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:06 +02:00
Christian Göttsche db674bf218
checkpolicy: drop dead condition
The variable `id` is guaranteed to be non-NULL due to the preceding
while condition.

    policy_define.c:1171:7: style: Condition '!id' is always false [knownConditionTrueFalse]
      if (!id) {
          ^
    policy_define.c:1170:13: note: Assuming that condition 'id=queue_remove(id_queue)' is not redundant
     while ((id = queue_remove(id_queue))) {
                ^
    policy_define.c:1171:7: note: Condition '!id' is always false
      if (!id) {
          ^

Found by Cppcheck.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:05 +02:00
Christian Göttsche 7cdb2a8fd2
checkpolicy: simplify assignment
checkpolicy.c:504:20: style: The statement 'if (policyvers!=n) policyvers=n' is logically equivalent to 'policyvers=n'. [duplicateConditionalAssign]
    if (policyvers != n)
                   ^
checkpolicy.c:505:17: note: Assignment 'policyvers=n'
     policyvers = n;
                ^
checkpolicy.c:504:20: note: Condition 'policyvers!=n' is redundant
    if (policyvers != n)
                   ^

Found by Cppcheck

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:05 +02:00
Christian Göttsche 02678b9d40
checkpolicy: drop -pipe compile option
The compiler option -pipe does not affect the generated code; it affects
whether the compiler uses temporary files or pipes. As the benefit might
vary from system to system usually its up to the packager or build
framework to set it.
Also these are the only places where the flag is used.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:04 +02:00