Since strtol(3) doesn't clear errno on success, anything that sets
errno prior to this call will make it look like the call failed. This
happens when built with ASAN.
Signed-off-by: Dan Albert <danalbert@google.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
08520e9 Do not associate the object_r role with users
5c771ff Move symtab from cil_db to root ast node
c27cace Refactored cil_get_symtab()
a25af5a Fixed bug in copying an AST.
ca5e3f8 Fixed the source of two potential memory leaks when copying an AST.
2aef1b8 Fix bug when blockabstract statements failed to resolve
git-subtree-dir: libsepol/cil
git-subtree-split: 08520e91db86bdbb8ce393afa35c1465bdc7f63b
All files in /var/lib/selinux/ are now labeled the same as those in
/etc/selinux/<store>/modules/active, which in refpolicy is semanage_store_t.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Add "RuntimeDirectory=setrans" to the mcstrans.service, this will make
systemd automatically create the /run/setrans directory before starting
the service.
This directory contains the ".setrans-unix" socket created by the
daemon.
Acked-by: Steve Lawrence <slawrence@tresys.com>
Stops leaking of file descriptors to things like load_policy and
setfiles.
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
This was broken for older policy versions when we updated to
version 24.
Broken by commit 787f2f00f5d8ed6f5f.
Change-Id: I4063334c5c0462ef5c3706611c7dff5c60c612aa
Reported-by: William Roberts <bill.c.roberts@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Switch libsepol check_assertions() from only reporting the first violation
to reporting them all.
Change-Id: I45b3502ff96b1d093574e1fecff93a582f8d00bd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Steve Lawrence <slawrence@tresys.com>
Mainly used the 2to3 conversion tool. Also added in a __future__
import so that the script continues to work on Python 2.
Tested on 2.7, 3.3, 3.4. Should work on 2.6 too but untested.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
Currently, roletype statements are only added for types when they are
declared (not required). This means that in policy like:
require {
type foo_t;
}
type bar_t;
role staff_r types foo_t, bar_t;
only bar_t is associated with staff_r. This patch moves the code that
generates roletype statements for types to outside the SCOPE_DECL check
so that roletype statements are generated for all types, regardless of
the required/declared scope. It further moves the code outside of the
type/typeattribute flavor check so that roletype statements are also
generated for typeattributes.
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Tested-by: Jason Zaman <jason@perfinion.com>
Previously, type aliases were converted to CIL in the global namespace,
regardless of which scope they were actually defined in. So essentially
type aliases could never be in optionals. For the most part this worked,
however, in some small number of cases, a type alias could reference a
type defined inside an optional. If that optional was disabled, the type
would be disabled and so the type alias would fail to resolve, causing
policy to fail to build.
Unfortunately, type alises are stored in pp modules different than other
symbols (e.g. types/roles/etc) so they must be added to scopes
differently. So this patch gathers up all type aliases in a list and
keeps track of which scope each type alias is defined in. When we enter
a new scope, use that list to determine which type alias are defined
there and print the appropriate CIL statements.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
CIL does not have any concept of require blocks. Instead, CIL relies on
whether or not all statements inside an optional block resolve to
determine if an optional block should be enabled/disabled. However, a
small number of optional statements require a type that is not actually
used in the optional block. In old style policy, this would cause the
optional block to be disabled. However, in CIL, because the type is never
used, the optional block will remain enabled.
To maintain compatibility, we modify pp2cil to create a new attribute,
cil_gen_require, and all types/roles/attributes that are required in a
pp module/optional block are associated with this attribute. Thus, if a
type is required but not used, it will still fail to resolve in the
typeattributeset statement, causing the optional to correctly be
disabled.
Note that when compiling the CIL this generated from compiling refpolicy
pp modules with pp2cil, the extra CIL statements cause ~12.6MB increase
in maximum memory usage (129.7 MB to 142.3 MB). Though, compilation time
decreases by ~35% (26 seconds to 17 seconds).
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The current build system assumes SHLIBDIR is ../../ relative to LIBDIR.
However, this isn't always the case. For example, Arch Linux sets both
LIBDIR and SHLIBDIR to /usr/lib, which results in broken symlinks.
Instead of making that assumption, create .so symlinks using ln
--relative so that the correct relative paths are used. Note that this
adds a dependency for the build system to use coretuils-8.16 or later.
Fixes#2
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
The libsemanage Makefile currently installs libsemanage.so.1 into
SHLIBDIR, but links libsemanage.so to libsemanage.so.1 in LIBDIR. This
means things will only work if SHLIBDIR and LIBDIR are the same.
Fortunately, by default, they are the same because the default of
SHLIBDIR is set to PREFIX/lib (same as LIBDIR default) instead of the
standard DESTDIR/lib. Unfortunately, if a user overrides SHLIBDIR, by
doing something like the following:
make DESTDIR=~/tmp/ LIBDIR=~/tmp/usr/lib SHLIBDIR=~/tmp/lib install
then a broken symlink is created. Note that in some cases this may still
work even when SHLIBDIR and LIBDIR are not the same, e.g.:
make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install
But this only works because, in systems like Fedora, /lib is a symlink
to /usr/lib, so SHLIBDIR and LIBDIR are the same even though it doesn't
immediately look like it.
This patch changes the libsemanage Makefile to set the default value of
SHLIBDIR to the standard DESTDIR/lib to prevent confusion, and installs
libsemanage to LIBDIR and completely ignores SHLIBDIR.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
15b955e Fix typos in error strings
fe5a24e Disable declarations inside an optional even if in the first call pass
git-subtree-dir: libsepol/cil
git-subtree-split: 15b955ea49c86549661b6520a85291735ce5496c
Some roles (i.e. user_r, staff_r, sysadm_r, system_r, unconfined_r) are
declared in the base module, and sometimes in non-base modules. This
could result in duplicate declarations of roles, which isn't allowed in
CIL. So for these roles, only generate their declarations if they appear
in a base module, otherwise ignore their declarations. All other roles
are printed regardlss of their declaration location.
Note that this means that if a policy author does not include one of the
roles in the base module then they will not be included in the resulting
policy, likely causing a compliation error in CIL.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
Avrules that have the negation, star, or complement flag set for types
need typeattributes and typeattributesets that are generated. This caused
issues when these generated statements were inserted into conditionals, since
typeattributes/sets are not allowed in conditionals.
This change always prints typeattributes and typeattributesets
immediately unless the types appear inside of an avrule in conditionals or blocks.
For this special case, we print the typeattributes after the end
of each conditional/block.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
Some module fc files do not contain a trailing new line. This
caused contexts to have their last character to be deleted. When
parsing each line from a fc file, we only strip off the last character
if it is a new line.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
- Create role declarations no matter if the declaration is in base or
a module. Since CIL does not permit role re-declarations, this change
will break existing policies that have the same role declared in multiple
modules. To fix this, the policies will need to change the role to be
defined in a single place.
- Pass around the avrule_decl stack rather than just the most recent
decl. The full stack is needed to determine if identifiers are in
scope
- Only create roletype statements for a role and a type in two cases:
1) The role is declared/required and the type is declared/required in
the same scope or an ancestor scope of the role
2) The type is declared/required and the role is declared/required in
an ancestor scope of the type
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
This fixes the build with "make PYTHON=python2" on systems where python
is python3.
For PYLIBVER and PYTHONLIBDIR definitions, I tested Python 2.5, 2.6, 2.7,
3.3 and 3.4. For each of them, these commands print the expected result:
python -c 'import sys;print("python%d.%d" % sys.version_info[0:2])'"
python -c "from distutils.sysconfig import *;print(get_python_lib(1))"
Acked-by: Steve Lawrence <slawrence@tresys.com>
test-linker-roles.c: In function 'module_role_tests':
test-linker-roles.c:147:7: error: array subscript is above array bounds
[-Werror=array-bounds]
decls[2] = (test_find_decl_by_sym(base, SYM_TYPES,"tag_g_m2"))->decl_id;
^
Acked-by: Steve Lawrence <slawrence@tresys.com>
In C, defining a function with () means "any number of parameters", not
"no parameter". Use (void) instead where applicable and add unused
parameters when needed.
Acked-by: Steve Lawrence <slawrence@tresys.com>
This fixes a warning from "gcc -Wwrite-strings", when
semanage_module_install_hll is called with "pp" as last parameter.
Acked-by: Steve Lawrence <slawrence@tresys.com>
gcc puts literal strings lie in read-only memory. On x86_64, trying to
write to them triggers a segmentation fault.
To detect such issues at build time, variables holding a pointer to such
strings should be "const char*". "gcc -Wwrite-strings" warns when using
non-const pointers to literal strings.
Remove gcc warnings by adding const to local variables and argumens of
internal functions.
This does *not* fix this warning:
policydb_public.c:208:10: warning: passing argument 2 of 'hashtab_search' discards 'const' qualifier from pointer target type
return (hashtab_search(p->p.p_classes.table, PACKET_CLASS_NAME) ==
^
In file included from ../include/sepol/policydb/symtab.h:16:0,
from ../include/sepol/policydb/policydb.h:60,
from policydb_public.c:4:
../include/sepol/policydb/hashtab.h:98:24: note: expected 'hashtab_key_t' but argument is of type 'const char *'
extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k);
^
Moreover the "const" word in hashtab_search prototype does not make the
second parameter "const char*" but "char* const".
Acked-by: Steve Lawrence <slawrence@tresys.com>
Once __attribute__ ((format(printf, 1, 2))) is added to yyerror2,
"gcc -Wformat -Wformat-security" shows some issues. Fix them.
Acked-by: Steve Lawrence <slawrence@tresys.com>
log_err, cil_printf and cil_println use printf formats to process their
arguments. Use __attribute__((format(printf,...))) to make "gcc
-Wformat -Wformat-security" detect issues.
This detected this issue several times on a x86_64 system:
format '%lx' expects argument of type 'long unsigned int', but
argument has type 'uint32_t'
Fix this by introducing an explicit cast to unsigned long.
While at it, constify the format string argument of each function.
Acked-by: Steve Lawrence <slawrence@tresys.com>
Building from the root directory with "make DEBUG=1" enables -Wshadow
option. This makes the compilation fail with the following error:
semodule_unpackage.c: In function 'usage':
semodule_unpackage.c:17:25: error: declaration of 'progname' shadows a global declaration [-Werror=shadow]
static void usage(char *progname)
^
semodule_unpackage.c:14:7: error: shadowed declaration is here [-Werror=shadow]
char *progname = NULL;
^
Fix this error by no longer passing a global variable as a parameter to
usage function.
Acked-by: Steve Lawrence <slawrence@tresys.com>
Building from the root directory with "make DEBUG=1" enables -Wshadow
option. This makes the compilation fails with the following error:
cc -g3 -O0 -gdwarf-2 -fno-strict-aliasing -Wall -Wshadow -Werror -g
-I/usr/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
-W -c -o seunshare.o seunshare.c
seunshare.c: In function 'spawn_command':
seunshare.c:141:6: error: declaration of 'child' shadows a global declaration [-Werror=shadow]
int child;
^
seunshare.c:58:12: error: shadowed declaration is here [-Werror=shadow]
static int child = 0;
^
Fix this error by renaming the "child" variable in spawn_command.
Acked-by: Steve Lawrence <slawrence@tresys.com>
"gcc -O2 -Wall -Werror" failed with two errors when building pp due to
the use of unitialized variables.
Acked-by: Steve Lawrence <slawrence@tresys.com>
"gcc -O2 -Wall -Werror" fails to compile seusers_local.c:
seusers_local.c: In function 'semanage_seuser_modify_local':
seusers_local.c:122:6: error: 'rc' may be used uninitialized in this
function [-Werror=maybe-uninitialized]
It seems rc is not initialized when the call to semanage_seuser_clone
fails in semanage_seuser_modify_local.
Acked-by: Steve Lawrence <slawrence@tresys.com>
When using "gcc -O2 -Wall -Werror" to compile libsepol, the following
error happens:
services.c: In function 'constraint_expr_eval_reason':
services.c:820:2: error: 'answer_list' may be used uninitialized in this
function [-Werror=maybe-uninitialized]
free(answer_list);
^
Indeed, because of a goto statement in constraint_expr_eval_reason
function, "free(answer_list)" can be called before answer_list has been
initialized.
Fix this error by moving the definition of answer_list to the beginning
of constraint_expr_eval_reason.
Acked-by: Steve Lawrence <slawrence@tresys.com>
