Commit Graph

1082 Commits

Author SHA1 Message Date
James Carter
be11f48b7a libsepol: Remove special handling of roles in module_to_cil.c
Certain roles (user_r, staff_r, sysadm_r, system_r, unconfined_r,
auditadm_r, and secadm_r) have always been handled in a special
way when converting a policy module to CIL to avoid having
duplicate role declarations. By optionally allowing duplicate role
declarations in CIL and by creating an option in libsemanage to
make use of duplicate declaration support, the special handling of
these roles can be removed.

Remove the special handling of certain roles in module_to_cil.c.

Signed-off-by: James Carter <jwcart2@gmail.com>
2024-11-15 13:26:47 -05:00
James Carter
7492632a6b libsepol/cil: Optionally allow duplicate role declarations
Allow duplicate role declarations (along with duplicate type and
type attribute declarations and context rules) if the multiple_decls
field in the CIL db has been set. This field can be set by a call to
cil_set_multiple_decls().

Signed-off-by: James Carter <jwcart2@gmail.com>
2024-11-15 13:26:41 -05:00
Thiébaud Weksteen
b33da68f7a libsepol: Support nlmsg xperms in assertions
commit ba7945a250 added support for nlmsg extended permissions in the
policy. The assertion validation was not updated which lead to false
positives when evaluated. The optimization update was also missing. Add
support for the new extended permission for optimization and assertions.

Fixes: ba7945a250
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-10-30 08:14:31 -04:00
Vit Mojzis
cd8302f0a6 libsepol: Initialize "strs" on declaration
The value of "strs" was not always initialized before being used by
strs_destroy.

Fixes:
Error: UNINIT (CWE-457):
libsepol-3.7/src/kernel_to_cil.c:1439:2: var_decl: Declaring variable "strs" without initializer.
libsepol-3.7/src/kernel_to_cil.c:1487:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
 \# 1485|
 \# 1486|   exit:
 \# 1487|-> 	strs_destroy(&strs);
 \# 1488|
 \# 1489|   	if (rc != 0) {

Error: UNINIT (CWE-457):
libsepol-3.7/src/kernel_to_conf.c:1422:2: var_decl: Declaring variable "strs" without initializer.
libsepol-3.7/src/kernel_to_conf.c:1461:2: uninit_use_in_call: Using uninitialized value "strs" when calling "strs_destroy".
 \# 1459|
 \# 1460|   exit:
 \# 1461|-> 	strs_destroy(&strs);
 \# 1462|
 \# 1463|   	if (rc != 0) {

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-10-30 08:07:00 -04:00
Vit Mojzis
00fb52ce34 libsepol/cil/cil_post: Initialize tmp on declaration
tmp.node was not always initialized before being used by
ebitmap_destroy.

Fixes:
Error: UNINIT (CWE-457):
libsepol-3.7/cil/src/cil_post.c:1309:2: var_decl: Declaring variable "tmp" without initializer.
libsepol-3.7/cil/src/cil_post.c:1382:6: uninit_use_in_call: Using uninitialized value "tmp.node" when calling "ebitmap_destroy".
 \# 1380|   				if (rc != SEPOL_OK) {
 \# 1381|   					cil_log(CIL_INFO, "Failed to apply operator to bitmaps\n");
 \# 1382|-> 					ebitmap_destroy(&tmp);
 \# 1383|   					goto exit;
 \# 1384|   				}

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-10-30 08:06:58 -04:00
Vit Mojzis
575d1cfaac libsepol/mls: Do not destroy context on memory error
In case of malloc error, ctx1, or ctx2 may be pointing to uninitialized
space and context_destroy should not be used on it.

Fixes:
Error: UNINIT (CWE-457):
libsepol-3.7/src/mls.c:673:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
libsepol-3.7/src/mls.c:673:2: assign: Assigning: "ctx1" = "malloc(64UL)", which points to uninitialized data.
libsepol-3.7/src/mls.c:699:2: uninit_use_in_call: Using uninitialized value "ctx1->range.level[0].cat.node" when calling "context_destroy".
 \#  697|   	ERR(handle, "could not check if mls context %s contains %s",
 \#  698|   	    mls1, mls2);
 \#  699|-> 	context_destroy(ctx1);
 \#  700|   	context_destroy(ctx2);
 \#  701|   	free(ctx1);

Error: UNINIT (CWE-457):
libsepol-3.7/src/mls.c:674:2: alloc_fn: Calling "malloc" which returns uninitialized memory.
libsepol-3.7/src/mls.c:674:2: assign: Assigning: "ctx2" = "malloc(64UL)", which points to uninitialized data.
libsepol-3.7/src/mls.c:700:2: uninit_use_in_call: Using uninitialized value "ctx2->range.level[0].cat.node" when calling "context_destroy".
 \#  698|   	    mls1, mls2);
 \#  699|   	context_destroy(ctx1);
 \#  700|-> 	context_destroy(ctx2);
 \#  701|   	free(ctx1);
 \#  702|   	free(ctx2);

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-10-30 08:06:57 -04:00
Vit Mojzis
0dac9813e1 libsepol/cil: Initialize avtab_datum on declaration
avtab_datum.xperms was not always initialized before being used.

Fixes:
Error: UNINIT (CWE-457):
libsepol-3.7/cil/src/cil_binary.c:977:2: var_decl: Declaring variable "avtab_datum" without initializer.
libsepol-3.7/cil/src/cil_binary.c:1059:3: uninit_use_in_call: Using uninitialized value "avtab_datum". Field "avtab_datum.xperms" is uninitialized when calling "__cil_cond_insert_rule".
 \# 1057|   			}
 \# 1058|   		}
 \# 1059|-> 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
 \# 1060|   	}

Error: UNINIT (CWE-457):
libsepol-3.7/cil/src/cil_binary.c:1348:2: var_decl: Declaring variable "avtab_datum" without initializer.
libsepol-3.7/cil/src/cil_binary.c:1384:3: uninit_use_in_call: Using uninitialized value "avtab_datum". Field "avtab_datum.xperms" is uninitialized when calling "__cil_cond_insert_rule".
 \# 1382|   	} else {
 \# 1383|   		avtab_datum.data = data;
 \# 1384|-> 		rc = __cil_cond_insert_rule(&pdb->te_cond_avtab, &avtab_key, &avtab_datum, cond_node, cond_flavor);
 \# 1385|   	}
 \# 1386|

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-10-30 08:06:55 -04:00
Thiébaud Weksteen
9c7c6e15a2 libsepol: Add policy capability netlink_xperm
This capability can be enabled to change the kernel's behaviour and use
the extended permissions for netlink messages.

Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2024-09-04 16:54:26 -04:00
Thiébaud Weksteen
ba7945a250 libsepol: Support nlmsg extended permissions
Add support for AVTAB_XPERMS_NLMSG as extended permissions for netlink
sockets. The behaviour is similar to the existing
AVTAB_XPERMS_IOCTLFUNCTION.

Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2024-09-04 16:54:26 -04:00
James Carter
0190a658a7 libsepol/cil: Allow dotted names in aliasactual rules
The function cil_gen_alias() is used to declare type, sensitivity,
and category aliases and the function cil_gen_aliasactual() is used
to assign an alias to the actual declared name.

Commit e55621c03 ("libsepol/cil: Add notself and other support to CIL")
added "notself" and "other" as reserved words. Previously, a check
was made in cil_gen_aliasactual() to ensure that the "self" reserved
word was not used. With the notself patch this function was upgraded
to call cil_verify_name() to verify that the other reserved words
were not used as well. This change prevents the use of dotted names
to refer to alias or actual names that are declared in blocks.

The check for a reserved word being used is not needed because that
check will be done for both the alias and the actual name when they
are declared.

Remove the call to cil_verify_name() and allow dotted names in
aliasactual rules.

Reported-by: Dominick Grift <dominick.grift@defensec.nl>
Signed-off-by: James Carter <jwcart2@gmail.com>
2024-09-04 16:53:51 -04:00
Vit Mojzis
6b5626fd30 libsepol/cil: Check that sym_index is within bounds
Make sure sym_index is within the bounds of symtab array before using it
to index the array.

Fixes:
  Error: OVERRUN (CWE-119):
  libsepol-3.6/cil/src/cil_resolve_ast.c:3157: assignment: Assigning: "sym_index" = "CIL_SYM_UNKNOWN".
  libsepol-3.6/cil/src/cil_resolve_ast.c:3189: overrun-call: Overrunning callee's array of size 19 by passing argument "sym_index" (which evaluates to 20) in call to "cil_resolve_name".
  \# 3187|                   switch (curr->flavor) {
  \# 3188|                   case CIL_STRING:
  \# 3189|->                         rc = cil_resolve_name(parent, curr->data, sym_index, db, &res_datum);
  \# 3190|                           if (rc != SEPOL_OK) {
  \# 3191|                                   goto exit;

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-08-14 08:27:23 -04:00
Vit Mojzis
1f080ffd7a libsepol/sepol_compute_sid: Do not destroy uninitialized context
Avoid context_destroy() on "newcontext" before context_init() is called.

Fixes:
  libsepol-3.6/src/services.c:1335: var_decl: Declaring variable "newcontext" without initializer.
  libsepol-3.6/src/services.c:1462: uninit_use_in_call: Using uninitialized value "newcontext.range.level[0].cat.node" when calling "context_destroy".
  \# 1460|   	rc = sepol_sidtab_context_to_sid(sidtab, &newcontext, out_sid);
  \# 1461|         out:
  \# 1462|-> 	context_destroy(&newcontext);
  \# 1463|   	return rc;
  \# 1464|   }

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Reviewed-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2024-07-30 13:18:08 -04:00
Petr Lautrbach
2eb286bc08 Release 3.7
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2024-06-26 17:30:41 +02:00
Christian Göttsche
589e2dba72 libsepol: check scope permissions refer to valid class
Validate that the permission maps in the scope index refer to a valid
class datum.  Otherwise since commit 52e5c306 ("libsepol: move unchanged
data out of loop") this can lead to a NULL dereference in the class
existence check during linking.

Reported-by: oss-fuzz (issue 69655)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-06-21 09:29:50 -04:00
James Carter
1efc121466 libsepol: Do not reject all type rules in conditionals when validating
Commit 1c91bc84 ("libsepol: reject self flag in type rules in old
policies") actually rejects all type rules in conditionals in modular
policies prior to version 21 (MOD_POLICYDB_VERSION_SELF_TYPETRANS).

The problem is because of fall-through in a switch statement when
the avrule flags are 0. Instead, break rather than fall-through when
avrule flags are 0.

Reviewed-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
2024-06-21 09:29:02 -04:00
Petr Lautrbach
e6c99f34a1
Update VERSIONs to 3.7-rc3 for release.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2024-06-20 14:49:08 +02:00
Christian Göttsche
c9ed9ea63d libsepol: contify function pointer arrays
These function pointers are never modified.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-06-14 09:10:56 -04:00
Christian Göttsche
a02fccf825 tree-wide: fix misc typos
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-06-14 09:10:56 -04:00
Christian Göttsche
8c1110d134 libsepol: validate attribute-type maps
Ensure the attribute-to-type maps contain no invalid entries, required
for generating typeattributeset statements when converting to CIL.

Reported-by: oss-fuzz (issue 69283)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-06-14 09:10:56 -04:00
Christian Göttsche
d034a3e660 libsepol: rework permission enabled check
Check the class is defined once, and not for every permission via
is_perm_enabled(). Also pass the class datum to avoid an unnecessary
name lookup.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-06-14 09:10:49 -04:00
Christian Göttsche
52e5c306f5 libsepol: move unchanged data out of loop
Perform the lookup whether the class is in the current scope once, and
not for every permission.
This also ensures the class is checked to be in the current scope if
there are no permissions attached.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-06-13 16:32:49 -04:00
Christian Göttsche
a3332e5741 libsepol: hashtab: save one comparison on hit
When the comparison function returns 0, avoid a repeated call to it.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-06-13 16:30:25 -04:00
Petr Lautrbach
9ef1a83563
Update VERSIONs to 3.7-rc2 for release.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2024-06-05 20:28:35 +02:00
Christian Göttsche
d506c0b184 libsepol: include prefix for module policy versions
If writing a policy fails due to a limitation by the requested policy
version include a prefix if the version refers to a module policy.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-05-24 08:46:30 -04:00
Christian Göttsche
b77d851ffa libsepol: validate type-attribute-map for old policies
Validate the type-to-associated-attributes maps also for policies prior
to version 20.
To ensure only valid entries in these maps, skip the degenerate case for
gaps during construction.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-05-24 08:46:25 -04:00
Christian Göttsche
fc3de95d28 libsepol: only exempt gaps checking for kernel policies
Kernel policy versions 20 to 23 store attributes only in type_attr_map
and reference gaps in the type arrays.  Thus they are exempted from gaps
checks.

Only exempt kernel policies, not base and module ones.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-05-24 08:46:22 -04:00
Christian Göttsche
1c91bc84e6 libsepol: reject self flag in type rules in old policies
The flag RULE_SELF in type rules is only supported in modular policies
since version 21 (MOD_POLICYDB_VERSION_SELF_TYPETRANS).

Reported-by: oss-fuzz (issue 68731)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-05-24 08:46:20 -04:00
Petr Lautrbach
6a223cb1c2
Update VERSIONs to 3.7-rc1 for release.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2024-05-22 17:21:32 +02:00
Vit Mojzis
1f173f8efa libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
libsepol-3.6/cil/src/cil_binary.c:902: alloc_fn: Storage is returned from allocation function "cil_malloc".
libsepol-3.6/cil/src/cil_binary.c:902: var_assign: Assigning: "mls_level" = storage returned from "cil_malloc(24UL)".
libsepol-3.6/cil/src/cil_binary.c:903: noescape: Resource "mls_level" is not freed or pointed-to in "mls_level_init".
libsepol-3.6/cil/src/cil_binary.c:905: noescape: Resource "mls_level" is not freed or pointed-to in "mls_level_cpy".
libsepol-3.6/cil/src/cil_binary.c:919: leaked_storage: Variable "mls_level" going out of scope leaks the storage it points to.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-05-01 16:50:31 -04:00
Christian Göttsche
d3d975ae22 libsepol: validate class permissions
Validate the symbol tables for permissions of security classes and
common classes:
  * check their value is valid
  * check their values are unique
  * check permission values of classes do not reuse values from
    inherited permissions

This simplifies validating permissions of access vectors a lot, since it
is now only a binary and against the valid permission mask of the class.

Use UINT32_MAX instead of 0 as the special value for validating
constraints signaling a validate-trans rule, since classes with no
permissions are permitted, but they must not have a normal constraint
attached.

Reported-by: oss-fuzz (issue 67893)
Improves: 8c64e5bb6f ("libsepol: validate access vector permissions")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-05-01 16:49:17 -04:00
Christian Göttsche
fa3a1bcaf3 libsepol: improve policy lookup failure message
If a policy version cannot be found include the policy target, and a
module prefix for non kernel policies in the message.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-05-01 16:48:20 -04:00
Christian Göttsche
e81a05a505 libsepol: constify function pointer arrays
The function pointer arrays are never changed, declare them const.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-04-04 11:17:55 -04:00
Christian Göttsche
8c64e5bb6f libsepol: validate access vector permissions
Since commit c205b924e2 ("libsepol: Fix buffer overflow when using
sepol_av_to_string()") writing an access vector with no valid permission
results in an error instead of an empty string being written.

Validate that at least one permission of an access vector is valid.
There might be invalid bits set, e.g. by previous versions of
checkpolicy setting all bits for the wildcard (*) permission.

Reported-by: oss-fuzz (issue 67730)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-04-04 11:17:46 -04:00
James Carter
c071aa2e63 libsepol/cil: Check common perms when verifiying "all"
Commit e81c466 "Fix class permission verification in CIL", added a
check for the use of "all" in a permission expression for a class
that had no permissions. Unfortunately, that change did not take
into account a class that had common permissions, so a class that
has no permmissions of its own, but inherits permissions from a
common, will fail the verification check.

If the class inherits from a common, then add those permissions to
the permmission list when verifying the permission expression.

Example/
(common co1 (cop1))
(class cl1 ())
(classcommon cl1 co1)
(classorder (CLASS cl1))

(classpermission cp1)
(classpermissionset cp1 (cl1 (all)))

(classmap cm1 (cmp1))
(classmapping cm1 cmp1 (cl1 (all)))

Previously, both the classpermissionset and the classmapping rules
would fail verification, but now they pass as expected.

Patch originally from Ben Cressey <bcressey@amazon.com>, I have
expanded the explanation.

Reported-by: Ben Cressey <bcressey@amazon.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
2024-04-04 11:17:40 -04:00
James Carter
af543f1ba7 libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
In libselinux there is an availability check for strlcpy() and
in both libselinux and libsepol there are availability checks for
reallocarray() in the src Makfiles. CFLAGS and LDFLAGS are needed
for cross-compiling, but, unfortunately, the default CFLAGS cause
all of these availability checks to fail to compile because of
compilationerrors (rather than just the function not being available).

Add CFLAGS and LDFLAGS to the availibility checks, update the checks
so that a compilation error will only happen if the function being
checked for is not available, and make checks for the same function
the same in both libselinux and libsepol.

Suggested-by: Jordan Williams <jordan@jwillikers.com>
Suggested-by: Winfried Dobbe <winfried_mb2@xmsnet.nl>
Signed-off-by: James Carter <jwcart2@gmail.com>
2024-03-20 14:18:06 -04:00
Christian Göttsche
6f7ddf2742 libsepol: reject MLS support in pre-MLS policies
If MLS support is enabled check the policy version supports MLS.

Reported-by: oss-fuzz (issue #67322)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-03-20 14:16:21 -04:00
James Carter
c205b924e2 libsepol: Fix buffer overflow when using sepol_av_to_string()
The function sepol_av_to_string() normally returns a list of
permissions with a space at the beginning, but it will return '\0'
if there are no permissions. Unfortunately, functions in
kernel_to_cil, kernel_to_conf, and module_to_cil assume there is a
space at the beginning and skip the space by using "perms+1".

In kernel_to_cil, kernel_to_conf, and module_to_cil, check for the
permission string being '\0' and return an error if it is.

Reported-by: oss-fuzz (issue 67276)
Signed-off-by: James Carter <jwcart2@gmail.com>
2024-03-20 14:15:05 -04:00
James Carter
fe16f586d5 checkpolicy, libsepol: Fix potential double free of mls_level_t
In checkpolicy, a sensitivity that has one or more aliases will
temporarily share the mls_level_t structure with its aliases until
a level statement is processed for the sensitivity (or one of the
aliases) and the aliases are updated to have their own mls_level_t
structure. If the policydb is destroyed while they are sharing the
mls_level_t structure, then a double free of the shared mls_level_t
will occur. This does not currently occur only because checkpolicy
does very little clean-up before exiting.

The "defined" field of the level_datum_t is set after a level
statement is processed for a sensitivity and its aliases. This means
that we know an alias has its own mls_level_t if the "defined" field
is set. The double free can be avoided by not destroying the
mls_leve_t structure for an alias unless the "defined" field is set.

Since the "defined" field is only set to false while the mls_level_t
structure is being shared, it would be clearer to rename the field
as "notdefined". It would only be set during the time the sensitivity
and its aliases are sharing the mls_level_t structure. Outside of
checkpolicy, the "notdefined" field will always be set to 0.

Also, do more validation of the level_datum_t when validating the
policydb.

Signed-off-by: James Carter <jwcart2@gmail.com>
2024-03-04 10:01:59 -05:00
Christian Göttsche
162a0884cc libsepol/cil: ensure transitivity in compare functions
Ensure comparison functions used by qsort(3) fulfill transitivity, since
otherwise the resulting array might not be sorted correctly or worse[1]
in case of integer overflows.

[1]: https://www.qualys.com/2024/01/30/qsort.txt

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-03-04 09:55:36 -05:00
Christian Göttsche
b52e27aeaa libsepol: ensure transitivity in compare functions
Ensure comparison functions used by qsort(3) fulfill transitivity, since
otherwise the resulting array might not be sorted correctly or worse[1]
in case of integer overflows.

[1]: https://www.qualys.com/2024/01/30/qsort.txt

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-03-04 09:55:33 -05:00
Christian Göttsche
fbd6c0f018 libsepol: use typedef
Convert the only usage of the raw type struct level_datum to use the
typedef.  Simplifies refactorizations on the type.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-03-04 09:55:04 -05:00
James Carter
90db06c524 libsepol: Use a dynamic buffer in sepol_av_to_string()
In the internal function sepol_av_to_string(), use a dynamically
allocated buffer for the permission names of an access vector instead
of a fixed static buffer to support very long permission names.

Update the internal users of sepol_av_to_string() to free the buffer.

The exported function sepol_perm_to_string() is just a wrapper to
the internal function. To avoid changing the behavior of this function,
use a static buffer and copy the resulting string from the internal
function. If the string is too long for the buffer or there was an
error in creating the string, return a string indicating the error.

All of the changes to the internal function and users was the work
of Christian Göttsche <cgzones@googlemail.com>.

Reported-by: oss-fuzz (issue 64832, 64933)
Suggested-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
2024-03-04 09:45:41 -05:00
Fabrice Fontaine
3e3661f602 libsepol/src/Makefile: fix reallocarray detection
Pass LDFLAGS when checking for reallocarray to avoid the following
static build failure with musl raised since version 3.4 and
f0a5f6e330
because -static is not passed when checking for reallocarray:

/home/autobuild/autobuild/instance-9/output-1/host/bin/armeb-buildroot-linux-musleabi-gcc -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64  -O0 -g0  -static -I. -I../include -D_GNU_SOURCE -I../cil/include -fPIC -c -o assertion.o assertion.c
In file included from assertion.c:28:
private.h:88:21: error: static declaration of 'reallocarray' follows non-static declaration
   88 | static inline void* reallocarray(void *ptr, size_t nmemb, size_t size) {
      |                     ^~~~~~~~~~~~
In file included from ../include/sepol/policydb/mls_types.h:35,
                 from ../include/sepol/policydb/context.h:23,
                 from ../include/sepol/policydb/policydb.h:62,
                 from assertion.c:24:
/home/autobuild/autobuild/instance-9/output-1/host/armeb-buildroot-linux-musleabi/sysroot/usr/include/stdlib.h:150:7: note: previous declaration of 'reallocarray' with type 'void *(void *, size_t,  size_t)' {aka 'void *(void *, unsigned int,  unsigned int)'}
  150 | void *reallocarray (void *, size_t, size_t);
      |       ^~~~~~~~~~~~

Fixes:
 - http://autobuild.buildroot.org/results/0170032548a38e2c991d62dc5823808458ad03b3

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 13:05:50 -05:00
Christian Göttsche
a0ff05efca libsepol: reorder calloc(3) arguments
The canonical order of calloc(3) parameters is the number of elements
first and the size of each element second.

Reported by GCC 14:

    kernel_to_conf.c:814:47: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
    kernel_to_conf.c:945:46: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
    kernel_to_conf.c:2109:35: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]
    kernel_to_common.c:578:29: warning: 'calloc' sizes specified with 'sizeof' in the earlier argument and not in the later argument [-Wcalloc-transposed-args]

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2024-01-25 12:58:12 -05:00
Petr Lautrbach
97fa708d86
Update VERSIONs to 3.6 for release.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
2023-12-13 15:46:22 +01:00
Christian Göttsche
e54bedce80 libsepol: validate empty common classes in scope indices
Validate no common classes inside scope indices are defined.

Reported-by: oss-fuzz (issue 64849)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:34:15 -05:00
Christian Göttsche
d0b1400afb libsepol: extended permission formatting cleanup
Declare the read-only permission parameter const.
Use a more readable overflow check, which is also resilient against
changes of the growth factor or initial size.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:33:21 -05:00
Christian Göttsche
a55cd37461 libsepol: avoid integer overflow in add_i_to_a()
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:33:18 -05:00
Christian Göttsche
22d3609b13 libsepol: constify tokenized input
The input string to be tokenized is not modified.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:33:15 -05:00
James Carter
2752043dab libsepol/cil: Clear AST node after destroying bad filecon rule
Commit fb0a4ce1 (libsepol/cil: Allow paths in filecon rules to be
passed as arguments) changed when the new AST node data would be set
to point to the new filecon struct when creating a filecon rule.
This causes cil_destroy_filecon() to be called twice on the filecon
struct if there is an error when creating the filecon rule.

If there is an error when creating a filecon rule, call
cil_clear_node() after destroying the filecon struct.

Reported-by: oss-fuzz (issue 64385)
Signed-off-by: James Carter <jwcart2@gmail.com>
2023-12-12 10:26:39 -05:00