tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

libsepol/cil: make reporting conflicting type transitions work

Browse source 
When compiling a CIL policy which defines conflicting type transitions,
secilc crashes when trying to format an error message with uninitialized
values. This is caused by __cil_typetransition_to_avtab() not
initializing the ..._str fields of its local variable "struct
cil_type_rule trans" before calling __cil_type_rule_to_avtab().

While at it, make the error report clearer about what is wrong by
showing the types and classes which got expanded in
__cil_type_rule_to_avtab(). Here is an example of the result:

    Conflicting type rules (scontext=testuser_emacs.subj
    tcontext=fs.tmpfs.fs tclass=dir
    result=users.generic_tmpfs.user_tmpfs_file),
    existing=emacs.tmpfs.user_tmpfs_file

    Expanded from type rule (scontext=ARG1 tcontext=fs tclass=ARG3
    result=ARG2)

Reported-By: Dominick Grift <dac.override@gmail.com>
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit is contained in:
Nicolas Iooss 2017-03-17 22:05:26 +01:00 committed by James Carter
parent 317743bbe2
commit 0864814583
1 changed files with 20 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
libsepol/cil/src/cil_binary.c
View file

@ -1018,7 +1018,14 @@ int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src, uint32_
* non-duplicate rule using the same key.
*/
if (existing->datum.data != res) {
cil_log(CIL_ERR, "Conflicting type rules (scontext=%s tcontext=%s tclass=%s result=%s)\n", cil_rule->src_str, cil_rule->tgt_str, cil_rule->obj_str, cil_rule->result_str);
cil_log(CIL_ERR, "Conflicting type rules (scontext=%s tcontext=%s tclass=%s result=%s), existing=%s\n",
pdb->p_type_val_to_name[src - 1],
pdb->p_type_val_to_name[tgt - 1],
pdb->p_class_val_to_name[obj - 1],
pdb->p_type_val_to_name[res - 1],
pdb->p_type_val_to_name[existing->datum.data - 1]);
cil_log(CIL_ERR, "Expanded from type rule (scontext=%s tcontext=%s tclass=%s result=%s)\n",
cil_rule->src_str, cil_rule->tgt_str, cil_rule->obj_str, cil_rule->result_str);
rc = SEPOL_ERR;
}
goto exit;
@ -1044,7 +1051,14 @@ int __cil_insert_type_rule(policydb_t *pdb, uint32_t kind, uint32_t src, uint32_
search_datum = cil_cond_av_list_search(&avtab_key, other_list);
if (search_datum == NULL) {
if (existing->datum.data != res) {
cil_log(CIL_ERR, "Conflicting type rules (scontext=%s tcontext=%s tclass=%s result=%s)\n", cil_rule->src_str, cil_rule->tgt_str, cil_rule->obj_str, cil_rule->result_str);
cil_log(CIL_ERR, "Conflicting type rules (scontext=%s tcontext=%s tclass=%s result=%s), existing=%s\n",
pdb->p_type_val_to_name[src - 1],
pdb->p_type_val_to_name[tgt - 1],
pdb->p_class_val_to_name[obj - 1],
pdb->p_type_val_to_name[res - 1],
pdb->p_type_val_to_name[existing->datum.data - 1]);
cil_log(CIL_ERR, "Expanded from type rule (scontext=%s tcontext=%s tclass=%s result=%s)\n",
cil_rule->src_str, cil_rule->tgt_str, cil_rule->obj_str, cil_rule->result_str);
rc = SEPOL_ERR;
goto exit;
}
@ -1146,6 +1160,10 @@ int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *db, stru
trans.tgt = typetrans->tgt;
trans.obj = typetrans->obj;
trans.result = typetrans->result;
trans.src_str = typetrans->src_str;
trans.tgt_str = typetrans->tgt_str;
trans.obj_str = typetrans->obj_str;
trans.result_str = typetrans->result_str;
return __cil_type_rule_to_avtab(pdb, db, &trans, cond_node, cond_flavor);
}