Commit Graph

3727 Commits

Christian Göttsche
99170284ef sandbox: do not override warning CFLAGS
Do not unconditionally add warning flags and especially -Werror to
CFLAGS, only when CFLAGS is empty.
This helps when building with noisy warning flags, like -Weverything.

Also drop -W, since it is an alias for -Wextra.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:58:15 -05:00
Christian Göttsche
b18fddef2e libselinux: reorder calloc(3) arguments
The canonical order of calloc(3) parameters is the number of elements
first and the size of each element second.

Reported by GCC 14:

    is_customizable_type.c:43:45: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:58:14 -05:00
Christian Göttsche
a0ff05efca libsepol: reorder calloc(3) arguments
The canonical order of calloc(3) parameters is the number of elements
first and the size of each element second.

Reported by GCC 14:

    kernel_to_conf.c:814:47: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
    kernel_to_conf.c:945:46: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
    kernel_to_conf.c:2109:35: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
    kernel_to_common.c:578:29: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:58:12 -05:00
Christian Göttsche
fc2e9318d0 setfiles: avoid unsigned integer underflow
While well-defined, unsigned integer underflow might signal a logic
mistake or processing of unchecked user input.  Please Clang's undefined
behavior sanitizer:

    restore.c:91:37: runtime error: unsigned integer overflow: 1 - 2 cannot be represented in type 'unsigned long'

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:51:20 -05:00
Christian Göttsche
454a9f248b libselinux: enable usage with pedantic UB sanitizers
Clang's undefined behavior sanitizer supports checking for unsigned
integer overflow and underflow, and implicit conversions.  While those
operations are well-defined by the C language they can signal logic
mistakes or processing of unchecked user input.

Annotate functions deliberately making use of integer overflow and adapt
the remaining code sites.

Example reports:

    stringrep.c:348:7: runtime error: left shift of 2147483648 by 1 places cannot be represented in type 'access_vector_t' (aka 'unsigned int')
    seusers.c:98:14: runtime error: implicit conversion from type 'int' of value -1 (32-bit, signed) to type 'gid_t' (aka 'unsigned int') changed the value to 4294967295 (32-bit, unsigned)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:51:18 -05:00
Christian Göttsche
a1fa1c8ad7 libsemanage: support huge passwd entries
getpwnam_r(3) might return ERANGE in case the supplied buffer was too
short for the passwd entry.  Retry with a bigger buffer.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:51:16 -05:00
Christian Göttsche
ebf4168577 libselinux: support huge passwd/group entries
getpwnam_r(3) and getgrnam_r(3) might return ERANGE in case the supplied
buffer was too short for the passwd/group entry.  Retry with a bigger
buffer.

Also use a fallback buffer size in case the libc returns -1 for
sysconf(3) of _SC_GETPW_R_SIZE_MAX or _SC_GETGR_R_SIZE_MAX, like musl.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:51:13 -05:00
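The retry loop described by the two passwd/group commits above, as an added example that is not code from the SELinux userspace tree: a getpwnam_r(3) wrapper that grows its buffer on ERANGE and falls back to an assumed fixed size when sysconf(3) returns -1 (the group case is the same pattern with getgrnam_r(3) and _SC_GETGR_R_SIZE_MAX). The function names, the fallback size and the upper cap are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Assumed sizes: the fallback is used when sysconf(3) returns -1 (e.g. musl),
 * the cap stops the retry loop from growing without bound on a broken libc. */
#define PW_FALLBACK_BUFSIZE 1024
#define PW_MAX_BUFSIZE      (1024 * 1024)

/* Look up NAME with getpwnam_r(3), retrying with a doubled buffer on ERANGE.
 * Returns 0 on success (*result points into *buf, which the caller must
 * free()), 1 if no such user exists, or -1 with errno set on error. */
static int lookup_passwd(const char *name, struct passwd *pwd,
                         struct passwd **result, char **buf)
{
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t size = hint > 0 ? (size_t)hint : PW_FALLBACK_BUFSIZE;
    char *tmp = NULL;

    *result = NULL;
    *buf = NULL;

    for (;;) {
        char *grown = realloc(tmp, size);
        if (grown == NULL) {
            free(tmp);
            errno = ENOMEM;
            return -1;
        }
        tmp = grown;

        int rc = getpwnam_r(name, pwd, tmp, size, result);
        if (rc == 0 && *result != NULL) {
            *buf = tmp;          /* entry stays valid as long as *buf lives */
            return 0;
        }
        if (rc == 0 || rc == ENOENT || rc == ESRCH) {
            free(tmp);           /* libc conventions for "no such user" */
            return 1;
        }
        if (rc != ERANGE || size > PW_MAX_BUFSIZE / 2) {
            free(tmp);
            errno = rc;
            return -1;
        }
        size *= 2;               /* buffer too small for this entry: retry */
    }
}

/* Resolve a user name to its uid; same return convention as lookup_passwd(). */
int name_to_uid(const char *name, uid_t *uid)
{
    struct passwd pwd, *result;
    char *buf;
    int rc = lookup_passwd(name, &pwd, &result, &buf);

    if (rc == 0) {
        *uid = result->pw_uid;
        free(buf);
    }
    return rc;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "root";
    uid_t uid;
    int rc = name_to_uid(name, &uid);
    if (rc == 0)
        printf("%s -> uid %lu\n", name, (unsigned long)uid);
    else if (rc == 1)
        printf("%s: no such user\n", name);
    else
        perror("getpwnam_r");
    return rc == 0 ? 0 : 1;
}
```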
Christian Göttsche
846550d78d libselinux: use logging wrapper in getseuser(3) and get_default_context(3) family
Instead of writing error messages directly to stderr use the wrapper
selinux_log(), which by default writes to stderr.  This allows
applications to redirect or silence messages via
selinux_set_callback(3).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:51:11 -05:00
Christian Göttsche
65c8fd457b libselinux: fail selabel_open(3) on invalid option
Return an error on invalid selabel_open(3) options, e.g. an option for
a different backend was used.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:51:09 -05:00
Christian Göttsche
7f925776d9 libselinux: align SELABEL_OPT_DIGEST usage with man page
According to selabel_open(3) a non-null value for this option enables the
generation of an SHA1 digest of the spec files loaded as described in
selabel_digest(3).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:51:07 -05:00
Christian Göttsche
1dd0433885 libselinux/utils: improve compute_av output
Show the more interesting inverse of the auditdeny vector as dontaudit.

Show the inverse of the decided vector, although since Linux v2.6.30
f1c6381a6e33 ("SELinux: remove unused av.decided field") all permissions
are always decided.

    $ compute_av staff_u:staff_r:staff_t:s0 sysadm_u:sysadm_r:sysadm_t:s0 process
    allowed= null
    auditdeny= { fork transition sigchld sigkill sigstop signull ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit 0x80000000 }
    dontaudit= { signal }

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:51:06 -05:00
Christian Göttsche
1d5c3b7204 libselinux/utils: free allocated resources
Remove noise while running with sanitizers or under valgrind.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:51:04 -05:00
Christian Göttsche
abd18ec31b libselinux/man: sync selinux_check_securetty_context(3)
Add the missing const qualifier.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:51:03 -05:00
Christian Göttsche
1daa91b2ba libselinux/man: mention errno for regex compilation failure
Selabel lookups might fail with errno set to EINVAL in the unlikely case
a regular expression from the file context definition failed to compile.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:51:01 -05:00
Petr Lautrbach
97fa708d86 Update VERSIONs to 3.6 for release.

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2023-12-13 15:46:22 +01:00
Christian Göttsche
5939fb960b libselinux: state setexecfilecon(3) sets errno on failure
The other functions (getexeccon(3) and setexeccon(3)) from the man page
also set errno on failure similar to the getcon(3) function family.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:34:56 -05:00
Christian Göttsche
4c8bf60f44 libselinux: always set errno on context translation failure
Allow callers to expect errno is set on failure, e.g. other exported
libselinux functions like setexecfilecon(3).

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:34:54 -05:00
Christian Göttsche
00a1cf46de libselinux: update const qualifier of parameters in man pages
Add missing const qualifier to parameters in the man pages to align them
with <selinux/selinux.h>.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:34:50 -05:00
Christian Göttsche
e54bedce80 libsepol: validate empty common classes in scope indices
Validate no common classes inside scope indices are defined.

Reported-by: oss-fuzz (issue 64849)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:34:15 -05:00
Christian Göttsche
d0b1400afb libsepol: extended permission formatting cleanup
Declare the read-only permission parameter const.
Use a more readable overflow check, which is also resilient against
changes of the growth factor or initial size.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:33:21 -05:00
Christian Göttsche
a55cd37461 libsepol: avoid integer overflow in add_i_to_a()
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:33:18 -05:00
Christian Göttsche
22d3609b13 libsepol: constify tokenized input
The input string to be tokenized is not modified.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:33:15 -05:00
Christian Göttsche
4d33c6753e checkpolicy/dispol: misc updates
* add option to display users
* drop duplicate option to display booleans
* show number of entries before listing them
* drop global variable

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:27:22 -05:00
Vit Mojzis
94389f2102 python: Harden more tools against "rogue" modules
Python scripts present in the same directory as the tool
override regular modules.

Fixes:
      #cat > /usr/bin/signal.py <<EOF
      import sys
      print("BAD GUY!", file=sys.stderr)
      sys.exit(1)
      EOF
      #sandbox date
      BAD GUY!

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:26:50 -05:00
James Carter
2752043dab libsepol/cil: Clear AST node after destroying bad filecon rule
Commit fb0a4ce1 (libsepol/cil: Allow paths in filecon rules to be
passed as arguments) changed when the new AST node data would be set
to point to the new filecon struct when creating a filecon rule.
This causes cil_destroy_filecon() to be called twice on the filecon
struct if there is an error when creating the filecon rule.

If there is an error when creating a filecon rule, call
cil_clear_node() after destroying the filecon struct.

Reported-by: oss-fuzz (issue 64385)
Signed-off-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:26:39 -05:00
Cameron Williams
89dd980c1e Add CPPFLAGS to Makefiles
This patch adds CPPFLAGS to all of the Makefiles as suggested.

Signed-off-by: Cameron Williams <ckwilliams.work@gmail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-06 13:35:32 -05:00
Sergei Trofimovich
2a46979ea3 libsemanage: fix src/genhomedircon.c build on gcc-14 (-Werror=alloc-size)
`gcc-14` added a new `-Walloc-size` warning that makes sure that size of
an individual element matches size of a pointed type:

    https://gcc.gnu.org/PR71219

`libsemanage` triggers it on `calloc()` calls where member size is used
as `1` (instead of member count):

    genhomedircon.c: In function 'ignore_setup':
    genhomedircon.c:152:21:
      error: allocation of insufficient size '1' for type 'ignoredir_t'
        {aka 'struct IgnoreDir'} with size '16' [-Werror=alloc-size]
      152 |                 ptr = calloc(sizeof(ignoredir_t),1);
          |                     ^

Signed-off-by: Sergei Trofimovich <slyich@gmail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-06 13:34:35 -05:00
Christian Göttsche
139afe58d6 libsepol: simplify string formatting
Simplify the string formatting helpers create_str() and
strs_create_and_add() by calling the GNU extension vasprintf(3), already
used in libsepol/cil/.  This allows a redundant parameter from both
functions to be dropped.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-06 13:33:27 -05:00
Christian Göttsche
4724538b62 libsepol: reject linking modules with no avrules
Standard policy modules generated by compilers have at least one global
av rule.  Reject modules otherwise, e.g. generated by a fuzzer.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-06 13:32:53 -05:00
Christian Göttsche
00cfecf629 libsepol/fuzz: handle empty and non kernel policies
Do not check assertions for policies without any av rules.

Only output kernel policies in traditional and CIL format.

Perform hierarchy constraint checks.

Try to link, expand and output base module policies.

Also rework argument passing of verbose flags to improve debugging
usability.

Reported-by: oss-fuzz (issues 64515, 64531)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-06 13:32:50 -05:00
Christian Göttsche
68c3a99916 libsepol: reject invalid class datums
Internally class values are stored in multiple places in a 16-bit wide
integer.  Reject class values exceeding the maximum representable value.
This avoids truncations in the helper
policydb_string_to_security_class(), which gets called before validation
of the policy:

    policydb.c:4082:9: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 2113929220 (32-bit, unsigned) to type 'sepol_security_class_t' (aka 'unsigned short') changed the value to 4 (16-bit, unsigned)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-06 13:32:47 -05:00
Christian Göttsche
58a444fb84 checkpolicy/dismod: avoid duplicate initialization and fix module linking
Avoid duplicate policydb initialization when reading a kernel policy.
One caller, main(), already performs the initialization.  The other one,
link_module(), needs to do it also for the module policy case.

Also set the target platform to enable module linking.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-06 13:32:42 -05:00
Christian Göttsche
4f1435dd51 libsepol: use correct type to avoid truncations
Avoid truncations of the read 32 bit unsigned integer:

    conditional.c:764:8: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 3758096384 (32-bit, unsigned) to type 'int' changed the value to -536870912 (32-bit, signed)
    conditional.c:831:8: runtime error: implicit conversion from type 'uint32_t' (aka 'unsigned int') of value 4280295456 (32-bit, unsigned) to type 'int' changed the value to -14671840 (32-bit, signed)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-06 13:32:40 -05:00
Christian Göttsche
14f76201da libsepol: validate conditional type rules have a simple default type
Similar to unconditional avtab keys, check that the default type of type
av rules is a simple type, not an attribute.
Since extended permission rules are not allowed in conditional policies
this check does not need to be performed.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-06 13:32:37 -05:00
Petr Lautrbach
d1ea1a1634 sepolicy: port to dnf4 python API
yum module is not available since RHEL 7.

Drop -systemd related code as it's obsoleted these days - only 2
packages ship their .service in a -systemd subpackage.

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
2023-12-06 13:29:22 -05:00
Petr Lautrbach
0f5a8dd3ac Update VERSIONs to 3.6-rc2 for release.

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2023-11-22 16:01:56 +01:00
Christian Göttsche
fdb536f38d libsepol: avoid fixed sized format buffer for xperms
An extended access vector rule can consist of many individual ranges of
permissions.  Use a dynamically growing sized buffer for formatting such
rules instead of a static buffer to avoid write failures due to
truncations.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:56:08 -05:00
Christian Göttsche
285d7cc81b libsepol: avoid fixed sized format buffer for xperms
An extended access vector rule can consist of many individual ranges of
permissions.  Use a dynamically growing sized buffer for formatting such
rules instead of a static buffer to avoid write failures due to
truncations.

Reported-by: oss-fuzz (issue 64316)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:56:06 -05:00
Huaxin Lu
d3c2992ed0 libsepol: add check for category value before printing
In mls_semantic_level_expand(), explicitly determine whether category
is 0, which may cause a potential integer overflow in the error branch.

Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:56:04 -05:00
James Carter
903e8cf26e libsepol/cil: Do not allow classpermissionset to use anonymous classpermission
Macros can use classpermission arguments. These are used in two
different ways. Either a named classpermission is passed (which is
declared using a classpermission rule) or an anonymous classpermission
is passed (something like "(CLASS (PERM))").

Usually this will look like either of the following:
Ex1/
(classpermission cp1)
(classpermissionset cp1 (CLASS (PERM)))
(macro m1 ((classpermission ARG1))
  (allow t1 self ARG1)
)
(call m1 (cp1))
or
Ex2/
(macro m2 ((classpermission ARG2))
  (allow t2 self ARG2)
)
(call m2 ((CLASS (PERM))))

The following would also be valid:
Ex3/
(classpermission cp3)
(macro m3 ((classpermission ARG3))
  (classpermissionset ARG3 (CLASS (PERM)))
  (allow t3 self ARG3)
)
(call m3 (cp3))

The oss-fuzzer did the equivalent of the following:

(classpermission cp4)
(macro m4 ((classpermission ARG4))
  (classpermissionset ARG4 (CLASS (PERM1)))
  (allow t4 self ARG4)
)
(call m4 (CLASS (PERM2)))

It passed an anonymous classpermission into a macro where there
was a classpermissionset rule. Surprisingly, everything worked well
until it was time to destroy the AST. There is no way to distinguish
between the anonymous classpermission being passed in which needs
to be destroyed and the classpermission in the classpermissionset
rule which is destroyed when the classpermissionset rule is
destroyed. This led to CIL trying to destroy the classpermission
in the classpermissionset rule twice.

To fix this, when resolving the classpermission name in the
classpermissionset rule, check if the datum returned is for
an anonymous classpermission (it has no name) and return an
error if it is.

This fixes oss-fuzz issue 60670.

Signed-off-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:56:02 -05:00
James Carter
9b7d560a4a libsepol/cil: Give warning for name that has different flavor
While still giving an error if there is a declaration with the
same flavor and name as a macro parameter, now give a warning in
the case where there is a declaration with the same name as a
macro parameter, but with a different flavor.

Example/
  (macro m1 ((string ARG1))
    (type ARG1)
    (allow ARG1 ARG1 (CLASS (PERM)))
    (typetransition t1a t1b CLASS ARG1 t1c)
  )
  (call m1 (foo))

  This will result in the following equivalent code:
  (type ARG1)
  (allow ARG1 ARG1 (CLASS (PERM)))
  (typetransition t1a t1b CLASS "foo" t1c)

  With the warning (if using "-v"), "Declaration of type ARG1 has
  same name as a macro parameter with a different flavor"

Signed-off-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:56:00 -05:00
James Carter
18657ad1cc libsepol/cil: Add pointers to datums to improve writing out AST
There are many rules in CIL that do not declare an object but
reference a datum or relate two or more datums together. In the
struct for these rules, strings are stored so that the appropriate
datums can be looked up when the rule is resolved. One example is
classcommon, which relates a kernel class and a common class. Often
the datums referenced in these rules will not be needed again, so
there are no pointers to datums in the struct for these rules.

When these rules are in a macro and make use of one of the arguments,
then we do not know the actual value to use when writing out the
AST for the resolve phase or later. Re-resolving the strings to
find the corresponding datums would be complex. If the structs for
these rules had pointers to the datums, then we could use the datums
to write out the correct values.

Add pointers to the datums in the data structures for these rules
and then use the actual datum values when writing out the AST.

Signed-off-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:55:59 -05:00
James Carter
e9fb71f05d secilc/docs: Fix and update the documentation for macro parameters
Remove references to "typealias", "categoryalias", and
"sensitivityalias" as valid parameter kinds, because they are not.

Add "string" as a valid parameter kind.

Add a note that "categoryset", "level", "levelrange",
"classpermission", and "ipaddr" can be named or anonymous.

Add a note that "type", "role", and "user" can be used for attributes.

Add a note that "type", "sensitivity" and "category" can be used for
aliases.

Add a note that "string" and "name" can be used for filenames in
typetransition rules and paths in filecon rules.

Signed-off-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:55:57 -05:00
James Carter
fb0a4ce146 libsepol/cil: Allow paths in filecon rules to be passed as arguments
Allow paths in filecon rules to be passed as arguments in macro calls
just like filenames can be passed for named type transition rules.

The paths are handled just like the filenames in named type transition
rules.

Example/
  (macro m1 ((string ARG1))
    (filecon ARG1 dir (USER ROLE TYPE ((SENS)(SENS))))
  )
  (call m1 ("/usr/bin"))

  Results in the following equivalent rule:
  (filecon "/usr/bin" dir (USER ROLE TYPE ((SENS)(SENS))))

Signed-off-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:55:56 -05:00
James Carter
9e1a8ee3e5 libsepol/cil: Refactor Named Type Transition Filename Creation
To support passing a filename as an argument in a macro call that
is to be used in a named type transition, the filename is considered
to be declared when it is used in a named type transition or passed
as an argument with the name flavor. In the struct for a named
type transition, there are fields for a pointer to the filename
string and the filename datum pointer.

When writing out the filename after the resolve phase AST, it is not
possible to determine whether the filename in a named type transition
is an argument name or an actual filename. If it is an actual filename,
then it should be enclosed in double quotes, otherwise, it should
not. Currently, it is always double quoted.

Rework how filenames are declared and handled, so that if the datum
pointer for the name is not NULL, then that is an actual filename
that should be double quoted. Otherwise, the value pointed to by
the string pointer is used and not double quoted.

Move the declaration of the filename to the build phase. Any named
type transition that is not in a macro or is not using a macro
argument is an actual filename, so create a datum and store that in
the struct for the named type transition. Otherwise, store the
string in the named type transition. During the resolve phase,
filename strings can be looked up to find the actual filename that
is being passed into the macro call.

Since the name parameter was never used, just get rid of the
cil_name struct and use datums directly.

Allow either "name" or "string" to be used as the parameter flavor.
Internally, it will be a CIL_DECLARED_STRING and "string" will be
used to write out the AST.

Signed-off-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:55:54 -05:00
James Carter
56dee9230c secilc/docs: Update syntax for IP addresses and nodecon
For nodecon rules, IP Addresses may be declared without a previous
declaration by enclosing them within parentheses.
Like this: (127.0.0.1) or (::1)

Allow them to also be declared by writing them directly.
Like this: 127.0.0.11 or ::1

This can be done without causing problems with the use of named
IP addresses because identifiers cannot start with a number or
contain a ":".

Signed-off-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:55:52 -05:00
James Carter
dc676ab126 libsepol/cil: Allow IP address and mask values to be directly written
The nodecon statement requires that the IP address and mask values be
enclosed in parentheses so that these values can be distinguished from
named IP addresses. But since an identifier in CIL cannot start with a
number or contain colons, the parentheses are not really required.

Allow IP address and mask values to be written directly and do not
require (but still allow) parentheses around them. Distinguish
between an address or mask and an identifier by checking if the
first character is a number or if the string contains a colon.

Both of these are now valid:
  (nodecon (10.0.0.1) (255.255.255.0) (USER ROLE TYPE ((SENS) (SENS))))
  (nodecon 10.0.0.1 255.255.255.0 (USER ROLE TYPE ((SENS) (SENS))))

Signed-off-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:55:50 -05:00
James Carter
557cda5974 libsepol/cil: Refactor and improve handling of order rules
Use the same common structure for the ordering rules (classorder,
sidorder, sensitivityorder, and categoryorder). This removes code
duplication and makes it easier to write out the CIL AST.

Simplify the merging of multiple order rules.

Add a verification that checks that the final merged ordering is
fully specified and without ambiguity.

Signed-off-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:55:49 -05:00
James Carter
19656bea5c libsepol/cil: Use struct cil_db * instead of void *
In the CIL AST resolve phase, the functions all take a void *
and struct cil_args_resolve * is passed in to them. But in almost
all cases, only the cil_db is needed.

Modify the functions to take struct cil_db * and pass in extra
arguments in the few cases where something more is needed.

Signed-off-by: James Carter <jwcart2@gmail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2023-11-21 08:55:46 -05:00
James Carter
0dd926f4ab libsepol/tests: Update the order of neverallow test results
The patch set changing the string hash function to DJB2a caused the
ordering of the reported neverallow failures to change in the libsepol
tests.

Changed the expected test results to reflect the new ordering.

See the DJB2a patch series here:
https://lore.kernel.org/all/20230816123845.80171-1-cgzones@googlemail.com/

Signed-off-by: James Carter <jwcart2@gmail.com>
2023-11-21 08:55:45 -05:00