Commit Graph

1734 Commits

Author SHA1 Message Date
Jason Zaman
c3176aeee8 sepolicy: rearrange vars together at the top
This has no functional or code changes other than grouping lines
together for clarity.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-09-23 16:33:49 -04:00
Stephen Smalley
a17e04436c Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-23 16:29:59 -04:00
William Roberts
2b6bc3f886 libselinux: kill logging check for selinux_enabled()
Drop the check for selinux_enabled() on logging. The
caller can silence the logs by setting the logging
callback and discarding the messages.

Change-Id: Ia6769ef7ad8cc2144ad2bb73e5bf7c76ebfe487b
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-23 16:26:24 -04:00
Stephen Smalley
6abc179335 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-23 15:53:12 -04:00
Petr Lautrbach
acca96a135 sandbox: create a new session for sandboxed processes
It helps to prevent sandboxed processes to inject arbitrary commands
into the parent.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-23 15:49:57 -04:00
Petr Lautrbach
5b98f39de5 sandbox: do not try setup directories without -X or -M
sandbox tried to copy all affected files to the new home
or tmp even though -M or -X was not specified and there was no new
directory.

Fixes:
$ sandbox ls ~
/usr/bin/sandbox: [Errno 17] File exists: '/root'

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-23 15:49:16 -04:00
Stephen Smalley
936e5be59a Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-23 14:52:24 -04:00
William Roberts
d88597798f libselinux: drop usage of _D_ALLOC_NAMLEN
_D_ALLOC_NAMLEN is not very portable. Currently, the code
mallocs based on _D_ALLOC_NAMLEN() and then strcpy's dirent
d_name into the buffer. Instead, just use strdup.

Change-Id: I5c8ca47da2c593ea2726caba5781f5e9d9d910ae
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-23 14:51:48 -04:00
Stephen Smalley
42be018d2e Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-22 13:31:42 -04:00
Jason Zaman
09d99e8bec libselinux: Add openrc_contexts functions
The file will initially contain:
run_init=run_init_t
There can not be any spaces around the = since OpenRC's existing config
files and the methods it uses require it.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-09-22 13:27:45 -04:00
Stephen Smalley
1389d125e7 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-22 13:25:56 -04:00
William Roberts
d5947256fa Fix redefinition of XATTR_NAME_SELINUX
When the Kernel UAPI header is present, this error occurs:

external/selinux/libselinux/src/policy.h:7:9: warning: 'XATTR_NAME_SELINUX' macro redefined [-Wmacro-redefined]
\#define XATTR_NAME_SELINUX "security.selinux"
        ^
bionic/libc/kernel/uapi/linux/xattr.h:52:9: note: previous definition is here
\#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX

Just use the kernel UAPI version on that case.

Change-Id: I1b2d34e463477adaec227ac8c3364f1b9d49e997
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-22 13:21:39 -04:00
Stephen Smalley
7a72a88019 Updated libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-22 09:57:44 -04:00
Gary Tierney
d97292639c genhomedircon: remove hardcoded refpolicy strings
Removes the "system_u" and "s0" string literals from refpolicy and
replaces the seuser and range in each homedir, uid, and username context
specification for every user.

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
2016-09-22 09:47:25 -04:00
Stephen Smalley
841fe53c2d Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-21 12:42:31 -04:00
Janis Danisevskis
6ff294a002 sefcontext_compile: cleanup confusing usage message
Signed-off-by: Janis Danisevskis <jdanis@google.com>
2016-09-21 12:38:15 -04:00
Stephen Smalley
e2d54e52bc Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-21 12:31:37 -04:00
Petr Lautrbach
e90ebf08eb sandbox: do not run xmodmap in a new X session
xmodmap causes Xephyr X server to reset itself when it's run before wm
and even right after wm. It causes termination of the server as we use
-terminate. The -terminate option seems be important enough in order not
to left running the server when the last client connection is closed.

This patch drops the execution of xmodmap from .sandboxrc until there's
a better solution.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-21 12:30:57 -04:00
Stephen Smalley
b660a87b5f libselinux: public symbol cleanup
Hide or remove symbols that should not be public.
All uses of obj_class_compat were removed by
commit 76913d8adb
("Deprecate use of flask.h and av_permissions.h")
and it never should have been public regardless,
so remove it.
myprintf is used by matchpathcon internally but should
not be public, so hide it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-21 11:09:26 -04:00
Stephen Smalley
b54758560a Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-19 14:33:10 -04:00
Petr Lautrbach
9a57996dfa sandbox: Use GObject introspection binding instead of pygtk2
sandbox command is also now using GTK 3.0

This patch comes from Fedora patch set

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-09-19 14:31:35 -04:00
Stephen Smalley
c4fdd9a4c8 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-19 10:18:54 -04:00
William Roberts
ba9bb2ebcb libselinux: correct error path to always try text
patch 5e15a52aaa cleans up the process_file() routine,
but introduced a bug. If the binary file cannot be
opened, always attempt to fall back to the textual file,
this was not occurring.

The logic should be:
1. Open the newest file between base path + suffix and
   base_path + suffix + ".bin"
2. If anything fails, attempt to load the oldest file.

The result, with a concrete example, would be:
If file_contexts is the newest file, and it cannot be
processed, the code will fall back to file_contexts.bin
and vice versa.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-19 09:48:11 -04:00
Stephen Smalley
72b43e523d Updated libselinux ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-15 13:50:30 -04:00
Stephen Smalley
8e776b074c libselinux: regex_writef: Mark unused argument with __attribute__((unused)).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-15 13:49:31 -04:00
Janis Danisevskis
50f0910cf0 libselinux: add support for pcre2
This patch moves all pcre1/2 dependencies into the new files regex.h
and regex.c implementing the common denominator of features needed
by libselinux. The compiler flag -DUSE_PCRE2 toggles between the
used implementations.

As of this patch libselinux supports either pcre or pcre2 but not
both at the same time. The persistently stored file contexts
information differs. This means libselinux can only load file
context files generated by sefcontext_compile build with the
same pcre variant.

Also, for pcre2 the persistent format is architecture dependent.
Stored precompiled regular expressions can only be used on the
same architecture they were generated on. If pcre2 is used,
sefcontext_compile now respects the "-r". This flag makes
sefcontext_compile include the precompiled regular expressions
in the output file. The default is to omit them, so that the
output remains portable at the cost of having to recompile
the regular expressions at load time, or rather on first use.

Signed-off-by: Janis Danisevskis <jdanis@google.com>
2016-09-15 13:49:14 -04:00
Stephen Smalley
4f29266623 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-15 13:49:00 -04:00
Petr Lautrbach
964bf69a65 sandbox: fix file labels on copied files
Since python 3.3, shutil.copy2() tries to preserve extended file
system attributes. It means that when a user uses -i or -I, copied files
have the original labels and sandboxed process can't read them.

With this change, homedir and tmpdir is recursively relabeled with the
expected sandbox labels after all items are in their place.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294020

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-15 13:47:25 -04:00
Petr Lautrbach
6fcef9a09c sandbox: tests - close stdout of p1
p1.stdout should be closed after it's connected to p2 according to
https://docs.python.org/3/library/subprocess.html#replacing-shell-pipeline

Fixes:
$ make PYTHON=python3 test
Verify that we can read file descriptors handed to sandbox ...
/usr/lib64/python3.5/unittest/case.py:638: ResourceWarning: unclosed
file <_io.BufferedReader name=4>
  testMethod()

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-15 13:47:25 -04:00
Petr Lautrbach
3aedecefc7 sandbox: tests - use sandbox from cwd
The tests executed sandbox from $PATH while they should test sandbox in
cwd. At the same time, tests should be run using the same python as is
used by make to run them.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-09-15 13:47:25 -04:00
Stephen Smalley
d10c8b81d4 sepolgen: fix make test
make test in sepolgen was broken because checkmodule now requires
the module name to match the file name.  Fix it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-12 09:42:38 -04:00
Stephen Smalley
429041bfab Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-09 14:26:45 -04:00
Stephen Smalley
0a0e5afbb4 libselinux: fix coding style problems with the prior commit
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-09 14:25:06 -04:00
William Roberts
5e15a52aaa libselinux: clean up process file
The current process_file() code will open the file
twice on the case of a binary file, correct this.

The general flow through process_file() was a bit
difficult to read, streamline the routine to be
more readable.

Detailed statistics of before and after:

Source lines of code reported by cloc on modified files:
before: 735
after: 742

Object size difference:
before: 195530 bytes
after:  195485 bytes

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-09-09 14:08:55 -04:00
James Carter
c1d873e971 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-09-06 13:48:20 -04:00
Guido Trentalancia
e7fbb8b401 Produce more meaningful error messages when conflicting type rules are found by libsepol.
Fixes Debian bug #832331 (https://bugs.debian.org/832331).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-09-06 13:46:32 -04:00
Stephen Smalley
542b528703 Updated checkpolicy and libsepol ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-09-06 11:14:09 -04:00
Nicolas Iooss
2489b50a91 libsepol: make "make test" fails when a CUnit test fails
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
Nicolas Iooss
3666bd9a99 libsepol: tests: fix g_b_role_2 test
Even though g_b_role_2 is used both in
tests/policies/test-linker/small-base.conf and
tests/policies/test-linker/module1.conf, it seems to only exists in the
scope of the base policy.

This fixes the following failure of "make -C libsepol test":

    ./libsepol-tests
         CUnit - A unit testing framework for C - Version 2.1-3
         http://cunit.sourceforge.net/
    Suite: cond
      Test: cond_expr_equal ...passed
    Suite: linker
      Test: linker_indexes ...passed
      Test: linker_types ...passed
      Test: linker_roles ...sym g_b_role_2 has 1 decls, 2 expected
    FAILED
        1. test-common.c:43  - scope->decl_ids_len == len
        2. test-common.c:52  - found == 1
      Test: linker_cond ...passed
    Suite: expander
      Test: expander_indexes ...passed
      Test: expander_attr_mapping ...passed
      Test: expander_role_mapping ...passed
      Test: expander_user_mapping ...passed
      Test: expander_alias ...passed
    Suite: deps
      Test: deps_modreq_global ...passed
      Test: deps_modreq_opt ...passed
    Suite: downgrade
      Test: downgrade ...passed

    Run Summary:    Type  Total    Ran Passed Failed Inactive
                  suites      5      5    n/a      0        0
                   tests     13     13     12      1        0
                 asserts   1274   1274   1272      2      n/a

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
Nicolas Iooss
112f86d489 checkpolicy: add types associated to a role in the current scope when parsing
This fixes most of the errors reported in "make -C libsepol test":

    ./libsepol-tests
         CUnit - A unit testing framework for C - Version 2.1-3
         http://cunit.sourceforge.net/
    Suite: cond
      Test: cond_expr_equal ...passed
    Suite: linker
      Test: linker_indexes ...passed
      Test: linker_types ...passed
      Test: linker_roles ...
    role o1_b_role_1 has 0 types, 1 expected
    role o1_b_role_1 has 0 types, 1 expected
    role o1_m1_role_1 has 0 types, 1 expected
    sym g_b_role_2 has 1 decls, 2 expected
    Role o1_b_role_2 had type o1_b_type_1 not in types array
    role o1_b_role_2 has 0 types, 1 expected
    Role g_b_role_4 had type g_m1_type_2 not in types array
    role g_b_role_4 has 0 types, 1 expected
    role o3_b_role_1 has 0 types, 1 expected
    role o3_b_role_1 has 0 types, 1 expected
    role o4_b_role_1 has 0 types, 1 expected
    Role o4_b_role_1 had type g_m1_type_1 not in types array

    FAILED
        1. test-common.c:216  - found == len
        2. test-common.c:216  - found == len
        3. test-common.c:216  - found == len
        4. test-common.c:43  - scope->decl_ids_len == len
        5. test-common.c:52  - found == 1
        6. test-common.c:213  - new == 1
        7. test-common.c:216  - found == len
        8. test-common.c:213  - new == 1
        9. test-common.c:216  - found == len
        10. test-common.c:216  - found == len
        11. test-common.c:216  - found == len
        12. test-common.c:216  - found == len
        13. test-common.c:213  - new == 1
      Test: linker_cond ...passed
    Suite: expander
      Test: expander_indexes ...passed
      Test: expander_attr_mapping ...passed
      Test: expander_role_mapping ...passed
      Test: expander_user_mapping ...passed
      Test: expander_alias ...passed
    Suite: deps
      Test: deps_modreq_global ...passed
      Test: deps_modreq_opt ...passed
    Suite: downgrade
      Test: downgrade ...passed

    Run Summary:    Type  Total    Ran Passed Failed Inactive
                  suites      5      5    n/a      0        0
                   tests     13     13     12      1        0
                 asserts   1269   1269   1256     13      n/a

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-06 10:49:56 -04:00
Stephen Smalley
36a21c38d1 Updated libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-23 15:57:33 -04:00
Gary Tierney
67b328a91c genhomedircon: add support for %group syntax
semanage-login supports login mappings using the %group syntax, but
genhomedircon does not expand groups to the users belonging to them.

This commit adds support for generating home directory contexts for login
mappings using the group syntax and adds error reporting for handling cases
where there is ambiguity due to a user belonging to multiple groups mapped by
semanage-login. If a login mapping is added for the user which belongs to
multiple groups it will take precedence and resolve the ambiguity issue.

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
2016-08-23 15:54:45 -04:00
Gary Tierney
83ab9e258f genhomedircon: generate contexts for logins mapped to the default user
Removes a test in get_users() which excludes any logins that are
explicitly mapped to the default user from file context generation,
which results in logins mapped to the fallback user with home
directories outside of LU_HOMEDIRECTORY (in the absence of
usepasswd=True) having no matching file_contexts.homedirs entries.

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
2016-08-23 15:51:06 -04:00
James Carter
0dce00d72e Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 15:14:41 -04:00
James Carter
f9927d9370 libsepol: Change which attributes CIL keeps in the binary policy
The removal of attributes that are only used in neverallow rules is
hindering AOSP adoption of the CIL compiler. This is because AOSP
extracts neverallow rules from its policy.conf for use in the Android
compatibility test suite. These neverallow rules are applied against
the binary policy being tested to check for a violation. Any neverallow
rules with an attribute that has been removed cannot be checked.

Now attributes are kept unless they are not used in any allow rule and
they are auto-generated or named "cil_gen_require" or do not have any
types associated with them.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 15:13:32 -04:00
James Carter
a0f05b307b Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-19 14:09:50 -04:00
William Roberts
fbf77104c3 libsepol: port str_read from kernel
Rather than duplicating the following sequence:
1. Read len from file
2. alloc up space based on 1
3. read the contents into the buffer from 2
4. null terminate the buffer from 2

Use the str_read() function that is in the kernel, which
collapses steps 2 and 4. This not only reduces redundant
code, but also has the side-affect of providing a central
check on zero_or_saturated lengths from step 1 when
generating string values.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-19 13:18:02 -04:00
William Roberts
fb0cc0cc64 libsepol: calloc all the *_to_val_structs
The usage patterns between these structures seem similair
to role_val_to_struct usages. Calloc these up to prevent
any unitialized usages.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-19 13:17:57 -04:00
Stephen Smalley
a1d76acf04 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-08-19 10:41:03 -04:00
Jason Zaman
b5002d54d7 audit2allow: tests should use local copy not system
The tests currently just executed "audit2allow" which meant search in
$PATH. They should instead test the one in the pwd. The files in the
repo are not executable so prefix with "python" also.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-08-19 08:45:10 -04:00