Currently ebitmap_load() accepts loading a bitmap with highbit=192 and
one node {startbit=0, map=0x2}. When iterating over the bitmap,
ebitmap_for_each_bit() is expected to only yield "1" but it gives the
following bits: 1, 65, 129.
This is due to two facts in ebitmap_for_each_bit() implementation:
* ebitmap_next() stays on the first (and only) node of the bitmap
instead of stopping the iteration.
* the end condition of the for loop consists in comparing the bit with
ebitmap_length() (ie. the bitmap highbit), which is above the limit of
the last node here.
These are not bugs when the bitmap highbit is equal to
l->startbit+MAPSIZE, where l is the last node (this is how
ebitmap_set_bit() sets it). So a simple fix consists in making
ebitmap_load() reject bitmaps which are loaded with an invalid highbit
value.
This issue has been found while fuzzing semodule_package with the
American Fuzzy Lop.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
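
The iteration problem and the highbit check described in the message above, as an added C example that is not libsepol's code. The struct and function names are hypothetical simplifications, the bitmap is the constructed one from the message, and the bit offset is reduced modulo MAPSIZE to model the stray bits without an out-of-range shift.

```c
#include <stdint.h>
#include <stdio.h>
#define MAPSIZE 64u /* bits per node in this simplified model */

/* Simplified stand-ins for the ebitmap structures (hypothetical names). */
struct node { uint32_t startbit; uint64_t map; struct node *next; };
struct bitmap { struct node *first; uint32_t highbit; };

/* Constructed input from the message: a single node {startbit=0, map=0x2}. */
static struct node only_node = { 0, 0x2, NULL };
static struct bitmap sample(uint32_t hb) { struct bitmap e = { &only_node, hb }; return e; }

/* Walk as the message describes: the cursor stays on the last node and the
 * loop only stops at highbit. Returns how many set bits were yielded. */
static unsigned naive_walk(struct bitmap e)
{
    const struct node *n = e.first;
    unsigned count = 0;
    uint32_t bit = n ? n->startbit : e.highbit;
    while (bit < e.highbit) {
        /* Offset taken modulo MAPSIZE to model the stray bits without an out-of-range shift. */
        count += (unsigned)((n->map >> ((bit - n->startbit) % MAPSIZE)) & 1u);
        if (bit == n->startbit + MAPSIZE - 1 && n->next != NULL) {
            n = n->next;
            bit = n->startbit;
        } else {
            bit++;
        }
    }
    return count;
}

/* Load-time check: highbit must equal l->startbit + MAPSIZE for the last
 * node l. Accepting an empty bitmap only with highbit 0 is an assumption. */
static int highbit_is_valid(struct bitmap e)
{
    const struct node *l = e.first;
    if (l == NULL)
        return e.highbit == 0;
    while (l->next != NULL)
        l = l->next;
    return (uint64_t)e.highbit == (uint64_t)l->startbit + MAPSIZE;
}

int main(void)
{
    printf("highbit=192: valid=%d yielded=%u\n", highbit_is_valid(sample(192)), naive_walk(sample(192)));
    printf("highbit=64:  valid=%d yielded=%u\n", highbit_is_valid(sample(64)), naive_walk(sample(64)));
    return 0;
}
```
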
Commit 02a7d77ef2 ("libsepol: make parsing symbol table headers more
robust") broke refpolicy build, because checkmodule generates avrule
decl blocks with "decl->symtab[i].nprim = 0" for all possible i, even
when decl->symtab[SYM_ROLES] and decl->symtab[SYM_TYPES] are not
empty.
More precisely, decl->symtab[i].nprim seems to be only updated in
libsepol/src/link.c (in *_copy_callback() functions).
Revert the buggy part of commit 02a7d77ef2 to fix this regression.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
There is no reason to modify the number of roles defined in a policy
when no role is being inserted.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When running hll/pp on some invalid policy module, it can output:
libsepol.sepol_module_package_read: unknown magic number at section 1, offset: 251, number: 0x
The last number looks funny and was caused by using "%ux". "u" is not a
prefix like "l", "h", "z"... and "%x" already expects an unsigned
integer (cf. http://man7.org/linux/man-pages/man3/printf.3.html).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When fuzzing hll/pp, the fuzzer created a policy module with a block
which has no declaration. With block->branch_list = NULL,
typealias_list_create() triggered a NULL pointer dereference when
computing max_decl_id.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When hll/pp reads an invalid policy module where some scopes use
required symbols which are not defined, the program crashes with a
segmentation fault in required_scopes_to_cil():
Program received signal SIGSEGV, Segmentation fault.
required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780, pdb=0x6042e0, indent=0) at module_to_cil.c:3479
3479 for (j = 0; j < scope_datum->decl_ids_len; j++) {
=> 0x00007ffff7a7b1a8 <block_to_cil+5224>: 44 8b 58 10 mov 0x10(%rax),%r11d
(gdb) bt
#0 required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780, pdb=0x6042e0, indent=0) at module_to_cil.c:3479
#1 block_to_cil (pdb=pdb@entry=0x6042e0, block=block@entry=0x607780, stack=stack@entry=0x6040b0, indent=indent@entry=0) at module_to_cil.c:3622
#2 0x00007ffff7a85a18 in global_block_to_cil (stack=0x6040b0, block=0x607780, pdb=0x6042e0) at module_to_cil.c:3738
#3 blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3764
#4 sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at module_to_cil.c:4051
#5 0x00007ffff7a86b55 in sepol_module_package_to_cil (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at module_to_cil.c:4080
#6 0x0000000000401acc in main (argc=<optimized out>, argv=<optimized out>) at pp.c:150
(gdb) p scope_datum
$1 = (struct scope_datum *) 0x0
Detect such errors and exit with an error return value.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When hll/pp operates on an invalid policy module which defines blocks
with non-empty decl->symtab[SYM_COMMONS], additive_scopes_to_cil_map()
calls func_to_cil[SYM_COMMONS], which is NULL.
In additive_scopes_to_cil(), filter out NULL elements of func_to_cil
before calling additive_scopes_to_cil_map().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
process_line called compat_validate, but never actually looked at the
return value. When an invalid entry is found, a warning is printed, but
since the upper layers of the code don't see the error, validation
appears to succeed.
Steps to reproduce on Android:
1) Edit system/sepolicy/private/file_contexts and create an entry with
an invalid label.
2) Recompile Android, which executes out/host/linux-x86/bin/checkfc to
check if file_contexts is valid.
Expected: Compile failure.
Actual: Compile succeeds with warnings.
Change-Id: I20fa18c7b11b5ffdd243c3274bedc4518431e1fb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
checkpolicy wrongly handles "-self". At the least, it should handle it as
an error. At best, it should support it correctly (which would involve
libsepol support as well). At present, it looks like it will end up
negating (-) the next type/attribute in the list after self, or if
there are no entries after self, ignoring it entirely.
This originally was raised by the Android team, which wanted to support
something like the following:
neverallow domain { domain -self }:dir search;
to prohibit cross domain access to some resource but allow access within
the same domain.
This change just makes it a fatal error during compilation.
Implementing real support for -self is left as future work.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Normalize enforce values received from the kernel via
/sys/fs/selinux/enforce or netlink selinux notifications
to ensure that we always return a 0 or 1 to userspace code.
selinux_status_getenforce(), which reads the enforce value
via the SELinux kernel status page (/sys/fs/selinux/status)
already normalizes its result, so we do not need to update it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The Makefiles currently install the Python wrapper libraries using .so
suffix (_selinux.so, audit2why.so and _semanage.so). Even though this
works well with CPython 2 and 3, PyPy fails to find these files because
it is looking for files with a specific version token in the suffix (eg.
_selinux.pypy-41.so).
This suffix is advertised by the imp module. Here is the result of
'import imp;print([s for s, m, t in imp.get_suffixes() if t ==
imp.C_EXTENSION])' for several Python versions:
Python 2.7.12: ['.so', 'module.so']
Python 3.5.2: ['.cpython-35m-x86_64-linux-gnu.so', '.abi3.so', '.so']
PyPy 5.4.1 (Python 2.7.10): ['.pypy-41.so']
PyPy3 5.5.0-alpha0 (Python 3.3.5): ['.pypy3-55.so', '.pypy3-55.so']
Define the name of the installed Python-C extension using the first
extension of these lists, in order to make the Python extensions
compatible with pypy.
When building the Python wrappers for PyPy and PyPy3 on Linux, the
following environment variables need to be set (PyPy does not provide a
pkg-config file nor a platform-agnostic way to build the string
"-lpypy-c"):
PYTHON=pypy (or PYTHON=pypy3)
PYINC=-I$($PYTHON -c 'import sys;print(sys.prefix)')/include
PYLIBS=-lpypy-c (or PYLIBS= if LDFLAGS does not have -Wl,-no-undefined)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This structure has been empty since its introduction and makes clang
complain when $(filter-out -Werror, $(CFLAGS)) is removed in the
Makefile target for audit2why.lo:
audit2why.c:443:1: error: empty struct has size 0 in C, size 1 in C++ [-Werror,-Wc++-compat]
struct module_state {
^
1 error generated.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When running "make install" in the root directory of the project, with
variable DESTDIR set and while being on a system without SELinux, the
compiler complains while building:
fatal error: selinux/selinux.h: No such file or directory
Other subdirectories add -I$(PREFIX)/include to CFLAGS and -L$(LIBDIR)
to the linking command line, in order to find libselinux headers and .so
file. Do this too in mcstrans.
While at it, mcstrans Makefile uses -I../include but this directory does
not exist. Remove this option.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On systems without SELinux (eg. some continuous integration
environments), "make test" fails with:
Traceback (most recent call last):
File "test_sandbox.py", line 110, in <module>
if selinux.security_getenforce() == 1:
FileNotFoundError: [Errno 2] No such file or directory
This exception is thrown because the selinuxfs file system is not
mounted.
Detect such configurations using selinux.is_selinux_enabled() and skip
the test when SELinux is disabled accordingly.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
1. Use the new helper to convert from AVRULE to AVTAB values.
2. Only check once for invalid AVRULE specified parameter.
3. Drop assert and just return error on invalid specification.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
General clean up for expand_avrule_helper:
1. Minimize the conversions of AVRULE specification to AVTAB specification,
they are almost the same, the one exception is AVRULE_DONTAUDIT.
2. Clean up the if/else logic, collapse with a switch.
3. Move xperms allocation and manipulation to its own helper.
4. Only write avkey for values that change.
5. Return error rather than assert on invalid specification.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Rather than having multiple copies of the AVTAB and AVRULE
defines, consolidate them.
This makes it clear that AVRULE to AVTAB conversion no longer
needs to occur.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
All the other makefiles just have LIBDIR optionally set so it can be
overridden. These makefiles were autodetecting incorrectly. uname -i
returns "GenuineIntel" so should have been uname -m.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Now that restorecond is separated from policycoreutils, we should not
retain a build dependency on the policycoreutils/setfiles source files.
Fork the restore.[ch] files for restorecond.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Fix the following warnings from clang.
mcstrans.c:1309:6: warning: variable 'groups' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
if (violates_constraints(l)) {
^~~~~~~~~~~~~~~~~~~~~~~
mcstrans.c:1491:9: note: uninitialized use occurs here
while (groups)
^~~~~~
mcstrans.c:1309:2: note: remove the 'if' if its condition is always false
if (violates_constraints(l)) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mcstrans.c:1303:6: warning: variable 'groups' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
if (!l)
^~
mcstrans.c:1491:9: note: uninitialized use occurs here
while (groups)
^~~~~~
mcstrans.c:1303:2: note: remove the 'if' if its condition is always false
if (!l)
^~~~~~~
mcstrans.c:1299:6: warning: variable 'groups' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
if (!level)
^~~~~~
mcstrans.c:1491:9: note: uninitialized use occurs here
while (groups)
^~~~~~
mcstrans.c:1299:2: note: remove the 'if' if its condition is always false
if (!level)
^~~~~~~~~~~
mcstrans.c:1316:2: note: variable 'groups' is declared here
word_group_t *groups = NULL;
^
3 warnings generated.
mcscolor.c:334:24: warning: size argument in 'strncat' call appears to be size of the source [-Wstrncat-size]
strncat(result, buf, sizeof(buf));
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
We should build it by default or else it will bitrot.
But you can still omit it by overriding OPT_SUBDIRS.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Split optional components into their own overridable OPT_SUBDIRS
definition. Then you can build without them via make OPT_SUBDIRS=
or specify a subset of them in that manner.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When hll/pp loads a policy file which has been modified so that the
nprim field of one of its non-empty symbol tables was changed to zero, it
crashes with a segmentation fault. A quick analysis leads to
"p->sym_val_to_name[i] = (char **)alloc(p->symtab[i].nprim, sizeof(char
*));" in policydb_index_others(), which is not executed when
p->symtab[i].nprim is zero even though there are items in
p->symtab[i].table.
Detect such an oddity in the policy file early to exit with a clean
error message.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>