When compiling with -Wwrite-strings, clang reports some warnings like:
module_to_cil.c:784:13: error: assigning to 'char *' from 'const
char [5]' discards qualifiers
[-Werror,-Wincompatible-pointer-types-discards-qualifiers]
statement = "type";
^ ~~~~~~
module_to_cil.c:787:13: error: assigning to 'char *' from 'const
char [5]' discards qualifiers
[-Werror,-Wincompatible-pointer-types-discards-qualifiers]
statement = "role";
^ ~~~~~~
Add a const type attribute to local variables which only handle constant
strings.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
A check is made in symtab_insert() for the case when an identifier
had already been declared and was now being required. This meant
that a declaration followed by a require was treated differently
from a require followed by a declaration.
Remove that check and treat both cases the same (which means
returning +1).
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Policy modules do not have the concept of named IP addresses like CIL
does. So when converting nodecode statements from pp policy modules to
CIL, we need to wrap the IP address and mask parameters in parentheses
so that the CIL compiler does not try to resolve them as named
addresses, but instead treats them as anonymous.
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
ln on macOS doesn't support --relative, so use the gnu version by default.
Also document how to build on macOS.
Signed-off-by: Karl MacMillan <karlwmacmillan@gmail.com>
There is no point in initializing a variable which gets
almost-immediately assigned an other value.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Even though "hashtab_key_t" is an alias for "char *", "const
hashtab_key_t" is not an alias for "(const char) *" but means "(char *)
const".
Introduce const_hashtab_key_t to map "(const char) *" and use it in
hashtab_search() and hashtab key comparison functions.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When sepol_polcap_getname() is called with a negative capnum, it
dereferences polcap_names[capnum] which produces a segmentation fault
most of the time.
For information, here is a gdb session when hll/pp loads a policy module
which has been mutated by American Fuzzy Lop:
Program received signal SIGSEGV, Segmentation fault.
sepol_polcap_getname (capnum=capnum@entry=-4259840) at polcaps.c:34
34 return polcap_names[capnum];
=> 0x00007ffff7a8da07 <sepol_polcap_getname+135>: 48 8b 04 f8 mov
(%rax,%rdi,8),%rax
(gdb) bt
#0 sepol_polcap_getname (capnum=capnum@entry=-4259840) at
polcaps.c:34
#1 0x00007ffff7a7c440 in polcaps_to_cil (pdb=0x6042e0) at
module_to_cil.c:2492
#2 sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79c75e0
<_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
module_to_cil.c:4039
#3 0x00007ffff7a7e695 in sepol_module_package_to_cil
(fp=fp@entry=0x7ffff79c75e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
module_to_cil.c:4087
#4 0x0000000000401acc in main (argc=<optimized out>,
argv=<optimized out>) at pp.c:150
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When running "make test" with the Address Sanitizer (by adding
-fsanitize=address to compiler flags), a lot of memory leaks are
reported from checkpolicy. Anyway some leaks come from the tests and it
seems cleaner to start fixing these ones.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When compiling libsepol tests, clang complains about some uninitialized
variables:
test-common.c:171:14: error: variable 'my_primary' is used
uninitialized whenever 'if' condition is false
[-Werror,-Wsometimes-uninitialized]
} else if (my_flavor == TYPE_ALIAS) {
^~~~~~~~~~~~~~~~~~~~~~~
test-common.c:179:30: note: uninitialized use occurs here
CU_ASSERT(type->primary == my_primary);
^~~~~~~~~~
/usr/include/CUnit/CUnit.h:123:30: note: expanded from macro
'CU_ASSERT'
{ CU_assertImplementation((value), __LINE__, #value, __FILE__, "", CU_...
^
test-common.c:171:10: note: remove the 'if' if its condition is
always true
} else if (my_flavor == TYPE_ALIAS) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test-common.c:153:25: note: initialize the variable 'my_primary' to
silence this warning
unsigned int my_primary, my_flavor, my_value;
^
= 0
test-common.c:171:14: error: variable 'my_value' is used
uninitialized whenever 'if' condition is false
[-Werror,-Wsometimes-uninitialized]
} else if (my_flavor == TYPE_ALIAS) {
^~~~~~~~~~~~~~~~~~~~~~~
test-common.c:181:30: note: uninitialized use occurs here
CU_ASSERT(type->s.value == my_value);
^~~~~~~~
/usr/include/CUnit/CUnit.h:123:30: note: expanded from macro
'CU_ASSERT'
{ CU_assertImplementation((value), __LINE__, #value, __FILE__, "", CU_...
^
test-common.c:171:10: note: remove the 'if' if its condition is
always true
} else if (my_flavor == TYPE_ALIAS) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test-common.c:153:46: note: initialize the variable 'my_value' to
silence this warning
unsigned int my_primary, my_flavor, my_value;
^
= 0
This is because the call to CU_FAIL("not an alias") is not fatal in
test_alias_datum(), and variables my_primary and my_value are indeed
used uninitialized in a CU_ASSERT statement later.
Silent the warning by moving the elseif condition to a CU_ASSERT
statement which replaces the CU_FAIL.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Adds a check for avrules with type attributes that have a bitmap cardinality
of 0 (i.e., no types in their set) before adding them to the libsepol policy in
__cil_avrule_to_avtab(). Also adds an exception for neverallow rules to
prevent breaking anything from AOSP mentioned in
f9927d9370.
Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
Define the extended_socket_class policy capability used to enable
the use of separate socket security classes for all network address
families rather than the generic socket class. This also enables
separate security classes for ICMP and SCTP sockets, which were previously
mapped to the rawip_socket class.
The legacy redhat1 policy capability that was only ever used in testing
within Fedora for ptrace_child is reclaimed for this purpose; as far as
I can tell, this policy capability is not enabled in any supported distro
policy.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
self is included in a target type set.
When neverallow checking was refactored in commit 9e6840e, self
was not handled correctly. The assumption was made that self only
appeared by itself as a target type, when it may appear in a list of
types. Because of this, if self appears in a target type set of a
neverallow, the other types in the type set are not checked.
Example:
allow TYPE1 TYPE2:CLASS1 { PERM1 };
neverallow TYPE1 {TYPE2 self}:CLASS1 { PERM1 };
The old assertion checking would not find a violation in the rules
above because the target type TYPE2 would be ignored.
This fix will cause all of the types in a target list that includes
self to be checked.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
The ability to create a policy.conf file from the CIL AST has been
a desire from the beginning to assist in debugging and for general
flexibility. Some work towards this end was started early in CIL's
history, but cil_policy.c has not been remotely functional in a long
time. Until now.
The function cil_write_policy_conf() will write a policy.conf file
from a CIL AST after cil_build_ast(), cil_resolve_ast(),
cil_fqn_qualify(), and cil_post_process() have been called.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Teach audit2why to recognize type bounds failures. This required
updating libsepol sepol_compute_av_reason() to identify bounds
failures, and updating libsepol context_struct_compute_av() to
include the type bounds logic from the kernel.
This could potentially be further augmented to provide more detailed
reporting via the reason buffer to include information similar to
what security_dump_masked_av() reports in the kernel. However, it
is unclear if this is needed. It is already possible to get type
bounds checking at policy build time by enabling expand-check=1
in /etc/selinux/semanage.conf (or by default when compiling
monolithic policy).
Before:
type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.
Possible mismatch between current in-memory boolean settings vs. permanent ones.
After:
type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
Was caused by:
Typebounds violation.
Add an allow rule for the parent type.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
chenxiaolong reported this via
https://github.com/SELinuxProject/selinux/issues/23
A nicer fix would be to rework the interface to be more
like security_av_string() in libselinux, but that requires
updating all callers.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Tools like lcov (for code coverage) does not like files named
"<stdout>". For example it reports errors like:
genhtml: ERROR: cannot read
/usr/src/selinux/libsemanage/src/<stdout>
When using flex -o option, the output file name gets written in the
generated C code, which solves this issue.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
A valid policy would not have two symbols (classes, roles, users...)
sharing the same unique identifier. Make policydb_read() rejects such
policy files.
When ..._val_to_name translation tables were allocated with malloc(),
change to calloc() in order to initialize the tables with NULLs.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When loading an invalid module which uses a declaration ID 0,
semodule_package crashes in policydb_index_decls():
p->decl_val_to_struct[decl->decl_id - 1] = decl;
gdb shows the following stack trace:
#0 0x00007ffff7aa1bbd in policydb_index_decls (p=p@entry=0x605360)
at policydb.c:1034
#1 0x00007ffff7aaa9fc in policydb_read (p=<optimized out>,
fp=fp@entry=0x605090, verbose=verbose@entry=0) at policydb.c:3958
#2 0x00007ffff7ab4764 in sepol_policydb_read (p=<optimized out>,
pf=pf@entry=0x605090) at policydb_public.c:174
#3 0x0000000000401d33 in main (argc=<optimized out>,
argv=0x7fffffffdc88) at semodule_package.c:220
Change policydb_index_decls() to report an error instead:
libsepol.policydb_index_decls: invalid decl ID 0
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
range transition and name-based type transition rules were originally
simple unordered lists. They were converted to hashtabs in the kernel
by commit 2f3e82d694d3d7a2db019db1bb63385fbc1066f3 ("selinux: convert range
transition list to a hashtab") and by commit
2463c26d50adc282d19317013ba0ff473823ca47 ("SELinux: put name based
create rules in a hashtable"), but left unchanged in libsepol and
checkpolicy. Convert libsepol and checkpolicy to use the same hashtabs
as the kernel for the range transitions and name-based type transitions.
With this change and the preceding one, it is possible to directly compare
a policy file generated by libsepol/checkpolicy and the kernel-generated
/sys/fs/selinux/policy pseudo file after normalizing them both through
checkpolicy. To do so, you can run the following sequence of commands:
checkpolicy -M -b /etc/selinux/targeted/policy/policy.30 -o policy.1
checkpolicy -M -b /sys/fs/selinux/policy -o policy.2
cmp policy.1 policy.2
Normalizing the two files via checkpolicy is still necessary to ensure
consistent ordering of the avtab entries. There may still be potential
for other areas of difference, e.g. xperms entries may lack a well-defined
order.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Originally object_r's types bitmap was empty since we exempt
object_r from the normal user-role and role-type checks. CIL
however sets object_r's types to all types to avoid special case
logic. However, the kernel does not load object_r types from the
policy file; it predefines object_r and merely validates that the
object_r definition in the policy has the expected value. Thus,
the actual policy file and the /sys/fs/selinux/policy file were
differing in their object_r entry. Fix this by not writing object_r's
types to the policy file, since they are ignored by the kernel
anyway.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Currently ebitmap_load() accepts loading a bitmap with highbit=192 and
one node {startbit=0, map=0x2}. When iterating over the bitmap,
ebitmap_for_each_bit() is expected to only yield "1" but it gives the
following bits: 1, 65, 129.
This is due to two facts in ebitmap_for_each_bit() implementation:
* ebitmap_next() stays on the first (and only) node of the bitmap
instead of stopping the iteration.
* the end condition of the for loop consists in comparing the bit with
ebitmap_length() (ie. the bitmap highbit), which is above the limit of
the last node here.
These are not bugs when the bitmap highbit is equals to
l->startbit+MAPSIZE, where l is the last node (this is how
ebitmap_set_bit() sets it). So a simple fix consists in making
ebitmap_load() reject bitmaps which are loaded with an invalid highbit
value.
This issue has been found while fuzzing semodule_package with the
American Fuzzy Lop.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Commit 02a7d77ef2 ("libsepol: make parsing symbol table headers more
robust") broke refpolicy build, because checkmodule generates avrule
decl blocks with "decl->symtab[i].nprim = 0" for all possible i, even
when decl->symtab[SYM_ROLES] and decl->symtab[SYM_TYPES] are not
empty.
More precisely, decl->symtab[i].nprim seems to be only updated in
libsepol/src/link.c (in *_copy_callback() functions).
Revert the buggy part of commit 02a7d77ef2 to fix this regression.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
There is no reason to modify the number of roles defined in a policy
when no role is being inserted.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When running hll/pp on some invalid policy module, it can output:
libsepol.sepol_module_package_read: unknown magic number at section
1, offset: 251, number: 0x
The last number looks funny and was caused by using "%ux". "u" is not a
prefix like "l", "h", "z"... and "%x" already expects an unsigned
integer (cf. http://man7.org/linux/man-pages/man3/printf.3.html).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When fuzzing hll/pp, the fuzzer created a policy module with a block
which has no declaration. With block->branch_list = NULL,
typealias_list_create() triggered a NULL pointer dereference when
computing max_decl_id.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When hll/pp reads an invalid policy module where some scopes use
required symbols which are not defined, the program crashes with a
segmentation fault in required_scopes_to_cil():
Program received signal SIGSEGV, Segmentation fault.
required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780,
pdb=0x6042e0, indent=0) at module_to_cil.c:3479
3479 for (j = 0; j < scope_datum->decl_ids_len; j++)
{
=> 0x00007ffff7a7b1a8 <block_to_cil+5224>: 44 8b 58 10 mov
0x10(%rax),%r11d
(gdb) bt
#0 required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780,
pdb=0x6042e0, indent=0) at module_to_cil.c:3479
#1 block_to_cil (pdb=pdb@entry=0x6042e0,
block=block@entry=0x607780, stack=stack@entry=0x6040b0,
indent=indent@entry=0) at module_to_cil.c:3622
#2 0x00007ffff7a85a18 in global_block_to_cil (stack=0x6040b0,
block=0x607780, pdb=0x6042e0) at module_to_cil.c:3738
#3 blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3764
#4 sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
<_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
module_to_cil.c:4051
#5 0x00007ffff7a86b55 in sepol_module_package_to_cil
(fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
module_to_cil.c:4080
#6 0x0000000000401acc in main (argc=<optimized out>,
argv=<optimized out>) at pp.c:150
(gdb) p scope_datum
$1 = (struct scope_datum *) 0x0
Detect such errors and exit with an error return value.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When hll/pp operates on an invalid policy module which defines blocks
with non-empty decl->symtab[SYM_COMMONS], additive_scopes_to_cil_map()
calls func_to_cil[SYM_COMMONS], which is NULL.
In additive_scopes_to_cil(), filter out NULL elements of func_to_cil
before calling additive_scopes_to_cil_map().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
1. Use the new helper to convert from AVRULE to AVTAB values.
2. Only check once for invalid AVRULE specified parameter.
3. Drop assert and just return error on invalid specification.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
General clean up for expand_avrule_helper:
1. Minimize the conversions of AVRULE specification to AVTAB specification,
they are almost the same, the one exception is AVRULE_DONTAUDIT.
2. Clean up the if/else logic, collapse with a switch.
3. Move xperms allocation and manipulation to its own helper.
4. Only write avkey for values that change.
5. Return error rather than assert on invalid specification.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Rather than having multiple copies of the AVTAB and AVRULE
defines, consolidate them.
This makes it clear that AVRULE to AVTAB conversion no longer
need to occur.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When hll/pp loads a policy file which has been modified so that the
nprim field of one of its non-empty symbol table was changed to zero, it
crashes with a segmentation fault. A quick analysis leads to
"p->sym_val_to_name[i] = (char **)alloc(p->symtab[i].nprim, sizeof(char
*));" in policydb_index_others(), which is not executed when
p->symtab[i].nprim is zero even though there are items in
p->symtab[i].table.
Detect such an oddity in the policy file early to exit with a clean
error message.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
While fuzzing hll/pp, the fuzzer (AFL) crafted a policy which triggered
the following message without making the policy loading fail (the
program crashed with a segmentation fault later):
security: ebitmap: map size 192 does not match my size 64 (high bit
was 0)
This is because ebitmap_read() returned -EINVAL and this value was
handled as a successful return value by scope_index_read() because it
was not -1.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When fuzzing hll/pp inputs, a policy module where the value of
scope->decl_ids_len has been modified to zero makes the program abort
(when it has been compiled without -DNDEBUG).
Change the behavior to report an error message instead. This eases
fuzzing functions like policydb_read().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The combining logic for dontaudit rules was wrong, causing
a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p;
rule.
This is a reimplementation of:
commit 6201bb5e25 ("libsepol:
fix checkpolicy dontaudit compiler bug")
that avoids the cumbersome pointer assignments on alloced.
Reported-by: Nick Kralevich <nnk@google.com>
Signed-off-by: William Roberts <william.c.roberts@intel.com>
The flex skeleton often triggers compiler warnings; make these
non-fatal for building. We already do likewise for checkpolicy.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The combining logic for dontaudit rules was wrong, causing
a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p;
rule.
Reported-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The sepol_{bool|iface|user}_key_create() functions were not
copying the name. This produces a use-after-free in the
swig-generated code for python3 bindings. Copy the name
in these functions, and free it upon sepol_{bool|iface|user}_key_free().
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
