Test .gitignore and make clean distclean
error: missing .gitignore entry for libselinux/src/selinux.egg-info/
error: missing .gitignore entry for python/sepolicy/sepolicy.egg-info/
Error: Process completed with exit code 1.
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/PKG-INFO
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/SOURCES.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/dependency_links.txt
error: "make clean distclean" did not remove libselinux/src/selinux.egg-info/top_level.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/PKG-INFO
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/SOURCES.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/dependency_links.txt
error: "make clean distclean" did not remove python/sepolicy/sepolicy.egg-info/top_level.txt
Error: Process completed with exit code 1.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Clang 15 starts to complain about non strict function definitions:
user.c:172:10: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
int start() {
^
void
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: James Carter <jwcart2@gmail.com>
Clang 15 starts to complain about non strict function definitions:
policy_define.c:4907:30: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
int define_devicetree_context()
^
void
policy_define.c:5298:29: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
int define_ipv4_node_context()
^
void
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: James Carter <jwcart2@gmail.com>
Refactor the ebitmap conversions in link.c into its own function.
Do not log an OOM message twice on type_set_or_convert() failure.
Drop the now unused state parameter from type_set_or_convert() and
type_set_convert().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Validate that
- each constraint has at least one expression
- classes reference a valid common class identifier
- the role flavor is either ROLE or ATTRIB
- types reference a valid primary identifier
- types refer to a raw type, not an attribute, as bounds
- extended permissions in avtabs have a valid specifier
- type av rules refer to a raw type (e.g. type_transition)
- conditionals have at least one expression
- the state and flags of conditionals are valid
- filename transitions have at least one datum
- low ports are not bigger than high ones in port ocontexts
- genfs declarations refer to a valid class identifier
- genfs declarations contains a filesystem name
- filename transitions refer to a raw type
- permissive types are raw ones
- the range transition hashmap is valid
- the type-attribute-maps are valid
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Do not use `bool` as a parameter name, for future C version support.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The actual policy should not be modified during validation, thus use
const pointers.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The access vector table itself is not modified in avtab_map() thus
support passing a const pointer.
Logically the content might be changed by the passed callback, but C
does not support transitive const-ness well, and C also does not support
function overloading, e.g. like for strchr(3).
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Most global functions operating on a policy database use policydb as
prefix.
Since this function is not exported there should not be any external
use.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The three members of struct ebitmap_node are all unconditionally
initialized. Hinder compilers to optimize malloc() and memset() into
calloc(), which might be slightly slower. Especially affects
ebitmap_or().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Iterate on nodes instead of single bits to save node resolution for each
single bit.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Iterate on nodes instead of single bits to save node resolution for each
single bit.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Iterate on nodes instead of single bits to save node resolution for each
single bit.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Especially in the case of __cil_permissionx_expr_range_to_bitmap_helper()
it substitutes hundreds of thousand of calls to ebitmap_set_bit() during
semodule(8) on a policy widely using extended permissions.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add an initializer for ebitmaps that sets all bits in a given range to
save node traversals for each bit to set, compared to calling
ebitmap_init() followed by iterating ebitmap_set_bit().
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Preparation for several ebitmap related optimizations.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Include policydb header file required for typedef policydb_t.
This is for example helpful when working with an IDE, which needs to
resolve those symbols.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Since `struct type_set` is forward declared including
policydb/policydb.h is not necessary and creates a circular include.
Also drop the unnecessary forward declaration of `struct policydb`.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
When the O_PATH emulation fails due to getxattr(2)/setxattr(2) failing
with ENOENT, e.g. because no procfs being available, override the errno
value to EBADF. This avoids confusion to the caller as it would suggest
the target of the operation does not exist, which is not the case:
setfiles: Could not set context for /: No such file or directory
Fixes: a782abf2 ("libselinux: emulate O_PATH support in fgetfilecon/fsetfilecon")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In certain cases, IOError caused the much more general exception OSError
to be unreachable.
Signed-off-by: Elijah Conners <business@elijahpepe.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Do not modify the in memory default_range value of a class datum while
writing a policy.
While on it fix indentation.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
A request is denied with SEPOL_COMPUTEAV_RBAC if the source role is not
allowed to transition to the target role, granted via a
allow source_role target_role;
statement.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Runners on https://circleci.com/ use a custom version of Python without
Debian-specific patches which added option --install-layout=deb. This
leads to the following error:
error: option --install-layout not recognized
Fix this by creating a new environment variable dedicated to detect
CircleCI platform.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: James Carter <jwcart2@gmail.com>
clang's static analyzer reports that s[0] can be uninitialized when used
in:
sprintf(tmp_buf, "%s %s\n",
xcontext ? "Validatetrans" : "Constraint",
s[0] ? "GRANTED" : "DENIED");
Silence this false-positive issue by making s always initialized.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: James Carter <jwcart2@gmail.com>
The parameter `reason` of `context_struct_compute_av()` is optional and
can be passed in as NULL, like from `type_attribute_bounds_av()`.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The variable `curcon` is NULL in case the file has no current security
context. Most C standard libraries handle it fine, avoid it nonetheless
for standard conformance.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
After the last commit this option's name and description no longer
matches the semantic, so give it a new one and update the descriptions.
The old name is still recognized and aliased to the new one for
backwards compatibility.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
For the use case of rebuilding the policy after package updates, we need
the check_ext_changes operation to always do at least the do_write_kernel
step, because the various semanage dbs may have also changed content
relative to the current binary policy. As this step is itself relatively
fast, we can do it unconditionally.
Fixes: 286a679fad ("libsemanage: optionally rebuild policy when modules are changed externally")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
With "fallback=True" gettext.translation behaves the same as
gettext.install and uses NullTranslations in case the
translation file for given language was not found (as opposed to
throwing an exception).
Fixes:
# LANG is set to any "unsupported" language, e.g. en_US.UTF-8
$ chcat --help
Traceback (most recent call last):
File "/usr/bin/chcat", line 39, in <module>
t = gettext.translation(PROGNAME,
File "/usr/lib64/python3.9/gettext.py", line 592, in translation
raise FileNotFoundError(ENOENT,
FileNotFoundError: [Errno 2] No translation file found for domain: 'selinux-python'
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
A require statement for a class permission adds that permission to the
class representation for the current module. In case the resulting
class would have more than the supported amount of 32 permissions
assigned the resulting binary module will fail to load at link-time
without an informative error message (since [1]).
Bail out if adding a permission would result in a class having more than
the supported amount of 32 permissions assigned.
[1]: 97af65f696
Closes: https://github.com/SELinuxProject/selinux/issues/356
Reported-by: Julie Pichon
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Users are allowed to be declared in modules. Modules do not get expanded
leaving the `struct user_datum` members `exp_range` and `exp_dfltlevel`
empty.
Do no validate the expanded range and level for modular polices.
Reported-by: bauen1 <j2468h@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Fixes:
cil/src/cil_build_ast.c:4622:4: warning[deadcode.DeadStores]: Value stored to 'rc' is never read
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
sepolgen-ifgen-attr-helper.c: In function ‘load_policy’:
sepolgen-ifgen-attr-helper.c:196:17: warning: leak of FILE ‘fp’ [CWE-775] [-Wanalyzer-file-leak]
196 | fprintf(stderr, "Out of memory!\n");
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
security_load_policy(3) takes a read-only memory address for a binary
policy to be loaded.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The following interfaces are documented but do not have a redirection:
- context_str(3)
- security_get_checkreqprot(3)
- security_set_boolean_list(3)
- selinux_sepgsql_context_path(3)
- setexecfilecon(3)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
To copy string safely, by always NULL-terminating them, and provide an
easy way to check for truncation introduce the nonstandard function
strlcpy(3). Use the system implementation if available.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
In case the function __policy_init() gets called with a NULL pointer,
the stack variable path remains uninitialized (except at its last
index). If parsing the binary policy fails in sepol_policydb_read() the
error branch would access those uninitialized memory.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
First transaction applies all deletion operations, so that there are no
collisions when applying the rest of the changes.
Fixes:
# semanage port -a -t http_cache_port_t -r s0 -p tcp 3024
# semanage export | semanage import
ValueError: Port tcp/3024 already defined
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
libselinux implements a cache mechanism for get*con() functions, such
that when a thread calls setcon(...) then getcon(...), the context is
directly returned. Unfortunately, getpidcon(pid, &context) uses the same
cached variable, so when a program uses setcon("something"), all later
calls to getpidcon(pid, ...) returns "something". This is a bug.
Here is a program which illustrates this bug:
#include <stdio.h>
#include <selinux/selinux.h>
int main() {
char *context = "";
if (getpidcon(1, &context) < 0) {
perror("getpidcon(1)");
}
printf("getpidcon(1) = %s\n", context);
if (getcon(&context) < 0) {
perror("getcon()");
}
printf("getcon() = %s\n", context);
if (setcon(context) < 0) {
perror("setcon()");
}
if (getpidcon(1, &context) < 0) {
perror("getpidcon(1)");
}
printf("getpidcon(1) = %s\n", context);
return 0;
}
On an Arch Linux system using unconfined user, this program displays:
getpidcon(1) = system_u:system_r:init_t
getcon() = unconfined_u:unconfined_r:unconfined_t
getpidcon(1) = unconfined_u:unconfined_r:unconfined_t
With this commit, this program displays:
getpidcon(1) = system_u:system_r:init_t
getcon() = unconfined_u:unconfined_r:unconfined_t
getpidcon(1) = system_u:system_r:init_t
This bug was present in the first commit of
https://github.com/SELinuxProject/selinux git history. It was reported
in https://lore.kernel.org/selinux/20220121084012.GS7643@suse.com/ and a
patch to fix it was sent in
https://patchwork.kernel.org/project/selinux/patch/20220127130741.31940-1-jsegitz@suse.de/
without a clear explanation. This patch added pid checks, which made
sense but were difficult to read. Instead, it is possible to change the
way the functions are called so that they directly know which cache
variable to use.
Moreover, as the code is not clear at all (I spent too much time trying
to understand what the switch did and what the thread-local variable
contained), this commit also reworks libselinux/src/procattr.c to:
- not use hard-to-understand switch/case constructions on strings (they
are replaced by a new argument filled by macros)
- remove getpidattr_def macro (it was only used once, for pidcon, and
the code is clearer with one less macro)
- remove the pid parameter of setprocattrcon() and setprocattrcon_raw()
(it is always zero)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: Johannes Segitz <jsegitz@suse.de>
This reverts commit 7e979b56fd.
The reverted commit broke `setfiles` when it's run from a chroot
without /proc mounted, e.g.
# chroot /mnt/sysimage
chroot# setfiles -e /proc -e /sys /sys /etc/selinux/targeted/contexts/files/file_contexts /
[strace]
openat(AT_FDCWD, "/", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0555, st_size=4096, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 2101248, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1697c91000
fgetxattr(3, "security.selinux", 0x55be8881d3f0, 255) = -1 EBADF (Bad file descriptor)
fcntl(3, F_GETFL) = 0x220000 (flags O_RDONLY|O_NOFOLLOW|O_PATH)
getxattr("/proc/self/fd/3", "security.selinux", 0x55be8881d3f0, 255) = -1 ENOENT (No such file or directory)
[/strace]
setfiles: Could not set context for /: No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Do not check for file existence and open afterwards, open with the
exclusive flag (supported in Glibc and musl 0.9.6 and also standardized
in C11).
Found by GitHub CodeQL.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
