tequilaOS/platform_external_selinux
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge upstream '3.3' into update_3_3

Browse source 
Followed the following steps:
    # aosp mirror does not have the upstream tags. Manually mark the
    # 3.3 release. See
    # https://github.com/SELinuxProject/selinux/releases/tag/3.3
    git tag 3.3 7f600c40bc
    repo start update_3_3 .
    git merge 3.3 --no-ff # No merge conflicts were found.
    lunch && m
    repo upload .

Bug: 37755687
Test: Build aosp_bramble-userdebug and manually compare the generated
    /{system,vendor,product}/etc/selinux* files with their previous
    versions. All are identical.
Change-Id: I6a514d7db9a752c44cc61d343f7c1a60f750f317
This commit is contained in:
Thiébaud Weksteen 2021-12-21 10:25:53 +11:00
commit 671624ef61
58 changed files with 329 additions and 231 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.github/workflows/vm_testsuite.yml vendored
View file

@ -6,7 +6,8 @@ jobs:
vm_testsuite:
# Use VirtualBox+vagrant on macOS, as described in https://github.com/actions/virtual-environments/issues/433
runs-on: macos-latest
# Use an old version of macOS until https://github.com/actions/virtual-environments/pull/4010 is merged.
runs-on: macos-10.15
steps:
- uses: actions/checkout@v2

3
README.md
View file

@ -2,7 +2,8 @@ SELinux Userspace
=================
![SELinux logo](https://github.com/SELinuxProject.png)
[![Build Status](https://travis-ci.org/SELinuxProject/selinux.svg?branch=master)](https://travis-ci.org/SELinuxProject/selinux)
[![Run Tests](https://github.com/SELinuxProject/selinux/actions/workflows/run_tests.yml/badge.svg)](https://github.com/SELinuxProject/selinux/actions/workflows/run_tests.yml)
[![Run SELinux testsuite in a virtual machine](https://github.com/SELinuxProject/selinux/actions/workflows/vm_testsuite.yml/badge.svg)](https://github.com/SELinuxProject/selinux/actions/workflows/vm_testsuite.yml)
[![OSS-Fuzz Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/selinux.svg)](https://oss-fuzz-build-logs.storage.googleapis.com/index.html#selinux)
[![CIFuzz Status](https://github.com/SELinuxProject/selinux/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/SELinuxProject/selinux/actions/workflows/cifuzz.yml)

2
VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

2
checkpolicy/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

11
checkpolicy/checkmodule.8
View file

@ -3,7 +3,7 @@
checkmodule \- SELinux policy module compiler
.SH SYNOPSIS
.B checkmodule
.I "[\-h] [\-b] [\-C] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]"
.I "[\-h] [\-b] [\-c policy_version] [\-C] [\-E] [\-m] [\-M] [\-U handle_unknown] [\-V] [\-o output_file] [input_file]"
.SH "DESCRIPTION"
This manual page describes the
.BR checkmodule
@ -15,9 +15,12 @@ into a binary representation. It can generate either a base policy
module (default) or a non-base policy module (\-m option); typically,
you would build a non-base policy module to add to an existing module
store that already has a base module provided by the base policy. Use
semodule_package to combine this module with its optional file
contexts to create a policy package, and then use semodule to install
the module package into the module store and load the resulting policy.
.B semodule_package(8)
to combine this module with its optional file
contexts to create a policy package, and then use
.B semodule(8)
to install the module package into the module store and load the resulting
policy.
.SH OPTIONS
.TP

18
checkpolicy/checkmodule.c
View file

@ -34,9 +34,6 @@
#include "checkpolicy.h"
#include "parse_util.h"
extern char *optarg;
extern int optind;
static sidtab_t sidtab;
extern int mlspol;
@ -126,7 +123,7 @@ static int write_binary_policy(policydb_t * p, FILE *outfp)
static __attribute__((__noreturn__)) void usage(const char *progname)
{
printf("usage: %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname);
printf("usage: %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-o FILE] [-c VERSION] [INPUT]\n", progname);
printf("Build base and policy modules.\n");
printf("Options:\n");
printf(" INPUT build module from INPUT (else read from \"%s\")\n",
@ -155,7 +152,7 @@ int main(int argc, char **argv)
int ch;
int show_version = 0;
policydb_t modpolicydb;
struct option long_options[] = {
const struct option long_options[] = {
{"help", no_argument, NULL, 'h'},
{"output", required_argument, NULL, 'o'},
{"binary", no_argument, NULL, 'b'},
@ -271,7 +268,7 @@ int main(int argc, char **argv)
} else {
if (policydb_init(&modpolicydb)) {
fprintf(stderr, "%s: out of memory!\n", argv[0]);
return -1;
exit(1);
}
modpolicydb.policy_type = policy_type;
@ -283,7 +280,7 @@ int main(int argc, char **argv)
}
if (hierarchy_check_constraints(NULL, &modpolicydb)) {
return -1;
exit(1);
}
}
@ -336,7 +333,7 @@ int main(int argc, char **argv)
FILE *outfp = fopen(outfile, "w");
if (!outfp) {
perror(outfile);
fprintf(stderr, "%s: error opening %s: %s\n", argv[0], outfile, strerror(errno));
exit(1);
}
@ -352,7 +349,10 @@ int main(int argc, char **argv)
}
}
fclose(outfp);
if (fclose(outfp)) {
fprintf(stderr, "%s: error closing %s: %s\n", argv[0], outfile, strerror(errno));
exit(1);
}
} else if (cil) {
fprintf(stderr, "%s: No file to write CIL was specified\n", argv[0]);
exit(1);

8
checkpolicy/checkpolicy.8
View file

@ -3,7 +3,7 @@
checkpolicy \- SELinux policy compiler
.SH SYNOPSIS
.B checkpolicy
.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-O] [\-E] [\-V] [input_file]"
.br
.SH "DESCRIPTION"
This manual page describes the
@ -13,8 +13,10 @@ command.
.B checkpolicy
is a program that checks and compiles a SELinux security policy configuration
into a binary representation that can be loaded into the kernel. If no
input file name is specified, checkpolicy will attempt to read from
policy.conf or policy, depending on whether the \-b flag is specified.
input file name is specified,
.B checkpolicy
will attempt to read from policy.conf or policy, depending on whether the \-b
flag is specified.
.SH OPTIONS
.TP

28
checkpolicy/checkpolicy.c
View file

@ -92,9 +92,6 @@
#include "checkpolicy.h"
#include "parse_util.h"
extern char *optarg;
extern int optind;
static policydb_t policydb;
static sidtab_t sidtab;
@ -112,7 +109,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
{
printf
("usage: %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "
"[-c policyvers (%d-%d)] [-o output_file|-] [-S] "
"[-c policyvers (%d-%d)] [-o output_file|-] [-S] [-O] "
"[-t target_platform (selinux,xen)] [-E] [-V] [input_file]\n",
progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
exit(1);
@ -297,9 +294,7 @@ static int identify_equiv_types(void)
}
#endif
extern char *av_to_string(uint32_t tclass, sepol_access_vector_t av);
int display_bools(void)
static int display_bools(void)
{
uint32_t i;
@ -310,10 +305,10 @@ int display_bools(void)
return 0;
}
void display_expr(cond_expr_t * exp)
static void display_expr(const cond_expr_t * exp)
{
cond_expr_t *cur;
const cond_expr_t *cur;
for (cur = exp; cur != NULL; cur = cur->next) {
switch (cur->expr_type) {
case COND_BOOL:
@ -345,9 +340,9 @@ void display_expr(cond_expr_t * exp)
}
}
int display_cond_expressions(void)
static int display_cond_expressions(void)
{
cond_node_t *cur;
const cond_node_t *cur;
for (cur = policydbp->cond_list; cur != NULL; cur = cur->next) {
printf("expression: ");
@ -357,7 +352,7 @@ int display_cond_expressions(void)
return 0;
}
int change_bool(char *name, int state)
static int change_bool(const char *name, int state)
{
cond_bool_datum_t *bool;
@ -412,7 +407,7 @@ int main(int argc, char **argv)
unsigned int reason;
int flags;
struct policy_file pf;
struct option long_options[] = {
const struct option long_options[] = {
{"output", required_argument, NULL, 'o'},
{"target", required_argument, NULL, 't'},
{"binary", no_argument, NULL, 'b'},
@ -706,7 +701,10 @@ int main(int argc, char **argv)
}
if (outfp != stdout) {
fclose(outfp);
if(fclose(outfp)) {
fprintf(stderr, "%s: error closing %s: %s\n", argv[0], outfile, strerror(errno));
exit(1);
}
}
} else if (cil) {
fprintf(stderr, "%s: No file to write CIL was specified\n", argv[0]);
@ -796,7 +794,7 @@ int main(int argc, char **argv)
case 0:
printf("\nallowed {");
for (i = 1; i <= sizeof(avd.allowed) * 8; i++) {
if (avd.allowed & (1 << (i - 1))) {
if (avd.allowed & (UINT32_C(1) << (i - 1))) {
v.val = i;
ret =
hashtab_map(cladatum->

36
checkpolicy/module_compiler.c
View file

@ -165,7 +165,7 @@ static int create_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_
decl->decl_id, dest_value);
if (ret == 1 && dest_value) {
symtab_datum_t *s =
hashtab_datum_t s =
hashtab_search(policydbp->symtab[symbol_type].table,
key);
assert(s != NULL);
@ -173,7 +173,7 @@ static int create_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_
if (symbol_type == SYM_LEVELS) {
*dest_value = ((level_datum_t *)s)->level->sens;
} else {
*dest_value = s->value;
*dest_value = ((symtab_datum_t *)s)->value;
}
} else if (ret == -2) {
return -2;
@ -999,7 +999,7 @@ static int require_bool_tunable(int pass, int is_tunable)
if (is_tunable)
booldatum->flags |= COND_BOOL_FLAGS_TUNABLE;
retval =
require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
require_symbol(SYM_BOOLS, id, booldatum,
&booldatum->s.value, &booldatum->s.value);
if (retval != 0) {
cond_destroy_bool(id, booldatum, NULL);
@ -1051,7 +1051,7 @@ int require_sens(int pass)
return -1;
}
mls_level_init(level->level);
retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level,
retval = require_symbol(SYM_LEVELS, id, level,
&level->level->sens, &level->level->sens);
if (retval != 0) {
free(id);
@ -1089,7 +1089,7 @@ int require_cat(int pass)
}
cat_datum_init(cat);
retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
retval = require_symbol(SYM_CATS, id, cat,
&cat->s.value, &cat->s.value);
if (retval != 0) {
free(id);
@ -1104,14 +1104,14 @@ int require_cat(int pass)
return 0;
}
static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack)
static int is_scope_in_stack(const scope_datum_t * scope, const scope_stack_t * stack)
{
uint32_t i;
if (stack == NULL) {
return 0; /* no matching scope found */
}
if (stack->type == 1) {
avrule_decl_t *decl = stack->decl;
const avrule_decl_t *decl = stack->decl;
for (i = 0; i < scope->decl_ids_len; i++) {
if (scope->decl_ids[i] == decl->decl_id) {
return 1;
@ -1126,9 +1126,9 @@ static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack)
return is_scope_in_stack(scope, stack->parent);
}
int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id)
int is_id_in_scope(uint32_t symbol_type, const_hashtab_key_t id)
{
scope_datum_t *scope =
const scope_datum_t *scope =
(scope_datum_t *) hashtab_search(policydbp->scope[symbol_type].
table, id);
if (scope == NULL) {
@ -1138,7 +1138,7 @@ int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id)
}
static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value,
scope_index_t * scope)
const scope_index_t * scope)
{
if (class_value > scope->class_perms_len) {
return 1;
@ -1151,7 +1151,7 @@ static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value,
}
static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value,
scope_stack_t * stack)
const scope_stack_t * stack)
{
if (stack == NULL) {
return 0; /* no matching scope found */
@ -1173,12 +1173,12 @@ static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value,
return is_perm_in_stack(perm_value, class_value, stack->parent);
}
int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id)
int is_perm_in_scope(const_hashtab_key_t perm_id, const_hashtab_key_t class_id)
{
class_datum_t *cladatum =
const class_datum_t *cladatum =
(class_datum_t *) hashtab_search(policydbp->p_classes.table,
class_id);
perm_datum_t *perdatum;
const perm_datum_t *perdatum;
if (cladatum == NULL) {
return 1;
}
@ -1361,17 +1361,17 @@ int begin_optional_else(int pass)
return 0;
}
static int copy_requirements(avrule_decl_t * dest, scope_stack_t * stack)
static int copy_requirements(avrule_decl_t * dest, const scope_stack_t * stack)
{
uint32_t i;
if (stack == NULL) {
return 0;
}
if (stack->type == 1) {
scope_index_t *src_scope = &stack->decl->required;
const scope_index_t *src_scope = &stack->decl->required;
scope_index_t *dest_scope = &dest->required;
for (i = 0; i < SYM_NUM; i++) {
ebitmap_t *src_bitmap = &src_scope->scope[i];
const ebitmap_t *src_bitmap = &src_scope->scope[i];
ebitmap_t *dest_bitmap = &dest_scope->scope[i];
if (ebitmap_union(dest_bitmap, src_bitmap)) {
yyerror("Out of memory!");
@ -1397,7 +1397,7 @@ static int copy_requirements(avrule_decl_t * dest, scope_stack_t * stack)
src_scope->class_perms_len;
}
for (i = 0; i < src_scope->class_perms_len; i++) {
ebitmap_t *src_bitmap = &src_scope->class_perms_map[i];
const ebitmap_t *src_bitmap = &src_scope->class_perms_map[i];
ebitmap_t *dest_bitmap =
&dest_scope->class_perms_map[i];
if (ebitmap_union(dest_bitmap, src_bitmap)) {

4
checkpolicy/module_compiler.h
View file

@ -65,12 +65,12 @@ int require_cat(int pass);
/* Check if an identifier is within the scope of the current
* declaration or any of its parents. Return 1 if it is, 0 if not.
* If the identifier is not known at all then return 1 (truth). */
int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id);
int is_id_in_scope(uint32_t symbol_type, const_hashtab_key_t id);
/* Check if a particular permission is within the scope of the current
* declaration or any of its parents. Return 1 if it is, 0 if not.
* If the identifier is not known at all then return 1 (truth). */
int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id);
int is_perm_in_scope(const_hashtab_key_t perm_id, const_hashtab_key_t class_id);
/* Search the current avrules block for a conditional with the same
* expression as 'cond'. If the conditional does not exist then

2
checkpolicy/parse_util.c
View file

@ -36,7 +36,7 @@ int read_source_policy(policydb_t * p, const char *file, const char *progname)
{
yyin = fopen(file, "r");
if (!yyin) {
fprintf(stderr, "%s: unable to open %s\n", progname, file);
fprintf(stderr, "%s: unable to open %s: %s\n", progname, file, strerror(errno));
return -1;
}
set_source_file(file);

103
checkpolicy/policy_define.c
View file

@ -60,10 +60,13 @@
#include "module_compiler.h"
#include "policy_define.h"
extern void init_parser(int pass_number);
__attribute__ ((format(printf, 1, 2)))
extern void yyerror2(const char *fmt, ...);
policydb_t *policydbp;
queue_t id_queue = 0;
unsigned int pass;
char *curfile = 0;
int mlspol = 0;
extern unsigned long policydb_lineno;
@ -74,12 +77,6 @@ extern char source_file[PATH_MAX];
extern int yywarn(const char *msg);
extern int yyerror(const char *msg);
#define ERRORMSG_LEN 255
static char errormsg[ERRORMSG_LEN + 1] = {0};
static int id_has_dot(const char *id);
static int parse_security_context(context_struct_t *c);
/* initialize all of the state variables for the scanner/parser */
void init_parser(int pass_number)
{
@ -89,12 +86,12 @@ void init_parser(int pass_number)
pass = pass_number;
}
__attribute__ ((format(printf, 1, 2)))
void yyerror2(const char *fmt, ...)
{
char errormsg[256];
va_list ap;
va_start(ap, fmt);
vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap);
vsnprintf(errormsg, sizeof(errormsg), fmt, ap);
yyerror(errormsg);
va_end(ap);
}
@ -1605,7 +1602,7 @@ static int set_types(type_set_t * set, char *id, int *add, char starallowed)
return -1;
}
int define_compute_type_helper(int which, avrule_t ** rule)
static int define_compute_type_helper(int which, avrule_t ** rule)
{
char *id;
type_datum_t *datum;
@ -1832,7 +1829,7 @@ struct av_ioctl_range_list {
struct av_ioctl_range_list *next;
};
int avrule_sort_ioctls(struct av_ioctl_range_list **rangehead)
static int avrule_sort_ioctls(struct av_ioctl_range_list **rangehead)
{
struct av_ioctl_range_list *r, *r2, *sorted, *sortedhead = NULL;
@ -1880,7 +1877,7 @@ error:
return -1;
}
int avrule_merge_ioctls(struct av_ioctl_range_list **rangehead)
static int avrule_merge_ioctls(struct av_ioctl_range_list **rangehead)
{
struct av_ioctl_range_list *r, *tmp;
r = *rangehead;
@ -1900,7 +1897,7 @@ int avrule_merge_ioctls(struct av_ioctl_range_list **rangehead)
return 0;
}
int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
static int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
{
char *id;
struct av_ioctl_range_list *rnew, *r = NULL;
@ -1953,7 +1950,7 @@ error:
}
/* flip to included ranges */
int avrule_omit_ioctls(struct av_ioctl_range_list **rangehead)
static int avrule_omit_ioctls(struct av_ioctl_range_list **rangehead)
{
struct av_ioctl_range_list *rnew, *r, *newhead, *r2;
@ -2001,7 +1998,7 @@ error:
return -1;
}
int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist)
static int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist)
{
struct av_ioctl_range_list *rangehead;
uint8_t omit;
@ -2029,7 +2026,7 @@ int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist)
return 0;
}
int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
static int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
{
char *id;
class_perm_node_t *perms, *tail = NULL, *cur_perms = NULL;
@ -2129,7 +2126,7 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
policydbp->p_class_val_to_name[i]);
continue;
} else {
cur_perms->data |= 1U << (perdatum->s.value - 1);
cur_perms->data |= UINT32_C(1) << (perdatum->s.value - 1);
}
}
@ -2143,14 +2140,14 @@ out:
}
/* index of the u32 containing the permission */
#define XPERM_IDX(x) (x >> 5)
#define XPERM_IDX(x) ((x) >> 5)
/* set bits 0 through x-1 within the u32 */
#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
#define XPERM_SETBITS(x) ((UINT32_C(1) << ((x) & 0x1f)) - 1)
/* low value for this u32 */
#define XPERM_LOW(x) (x << 5)
#define XPERM_LOW(x) ((x) << 5)
/* high value for this u32 */
#define XPERM_HIGH(x) (((x + 1) << 5) - 1)
void avrule_xperm_setrangebits(uint16_t low, uint16_t high,
#define XPERM_HIGH(x) ((((x) + 1) << 5) - 1)
static void avrule_xperm_setrangebits(uint16_t low, uint16_t high,
av_extended_perms_t *xperms)
{
unsigned int i;
@ -2172,7 +2169,7 @@ void avrule_xperm_setrangebits(uint16_t low, uint16_t high,
}
}
int avrule_xperms_used(const av_extended_perms_t *xperms)
static int avrule_xperms_used(const av_extended_perms_t *xperms)
{
unsigned int i;
@ -2189,10 +2186,10 @@ int avrule_xperms_used(const av_extended_perms_t *xperms)
* dir, size, driver, and function. Only the driver and function fields
* are considered here
*/
#define IOC_DRIV(x) (x >> 8)
#define IOC_FUNC(x) (x & 0xff)
#define IOC_CMD(driver, func) ((driver << 8) + func)
int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist,
#define IOC_DRIV(x) ((x) >> 8)
#define IOC_FUNC(x) ((x) & 0xff)
#define IOC_CMD(driver, func) (((driver) << 8) + (func))
static int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist,
av_extended_perms_t *complete_driver,
av_extended_perms_t **extended_perms)
{
@ -2231,7 +2228,7 @@ int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist,
}
int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist,
static int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist,
av_extended_perms_t **extended_perms)
{
struct av_ioctl_range_list *r;
@ -2273,7 +2270,7 @@ int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist,
return 0;
}
int avrule_ioctl_func(struct av_ioctl_range_list *rangelist,
static int avrule_ioctl_func(struct av_ioctl_range_list *rangelist,
av_extended_perms_t **extended_perms, unsigned int driver)
{
struct av_ioctl_range_list *r;
@ -2323,18 +2320,7 @@ int avrule_ioctl_func(struct av_ioctl_range_list *rangelist,
return 0;
}
void avrule_ioctl_freeranges(struct av_ioctl_range_list *rangelist)
{
struct av_ioctl_range_list *r, *tmp;
r = rangelist;
while (r) {
tmp = r;
r = r->next;
free(tmp);
}
}
unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms)
static unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms)
{
unsigned int i;
for (i = *bit; i < sizeof(xperms->perms)*8; i++) {
@ -2347,7 +2333,7 @@ unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms)
return 0;
}
int avrule_cpy(avrule_t *dest, const avrule_t *src)
static int avrule_cpy(avrule_t *dest, const avrule_t *src)
{
class_perm_node_t *src_perms;
class_perm_node_t *dest_perms, *dest_tail;
@ -2395,10 +2381,10 @@ int avrule_cpy(avrule_t *dest, const avrule_t *src)
return 0;
}
int define_te_avtab_ioctl(const avrule_t *avrule_template)
static int define_te_avtab_ioctl(const avrule_t *avrule_template)
{
avrule_t *avrule;
struct av_ioctl_range_list *rangelist;
struct av_ioctl_range_list *rangelist, *r;
av_extended_perms_t *complete_driver, *partial_driver, *xperms;
unsigned int i;
@ -2456,6 +2442,12 @@ done:
if (partial_driver)
free(partial_driver);
while (rangelist != NULL) {
r = rangelist;
rangelist = rangelist->next;
free(r);
}
return 0;
}
@ -2464,6 +2456,7 @@ int define_te_avtab_extended_perms(int which)
char *id;
unsigned int i;
avrule_t *avrule_template;
int rc = 0;
if (pass == 1) {
for (i = 0; i < 4; i++) {
@ -2479,18 +2472,20 @@ int define_te_avtab_extended_perms(int which)
id = queue_remove(id_queue);
if (strcmp(id,"ioctl") == 0) {
free(id);
if (define_te_avtab_ioctl(avrule_template))
return -1;
rc = define_te_avtab_ioctl(avrule_template);
} else {
yyerror("only ioctl extended permissions are supported");
free(id);
return -1;
rc = -1;
}
return 0;
free(id);
avrule_destroy(avrule_template);
free(avrule_template);
return rc;
}
int define_te_avtab_helper(int which, avrule_t ** rule)
static int define_te_avtab_helper(int which, avrule_t ** rule)
{
char *id;
class_datum_t *cladatum;
@ -2617,7 +2612,7 @@ int define_te_avtab_helper(int which, avrule_t ** rule)
}
continue;
} else {
cur_perms->data |= 1U << (perdatum->s.value - 1);
cur_perms->data |= UINT32_C(1) << (perdatum->s.value - 1);
}
next:
cur_perms = cur_perms->next;
@ -3620,7 +3615,7 @@ int define_constraint(constraint_expr_t * expr)
return -1;
}
}
node->permissions |= (1 << (perdatum->s.value - 1));
node->permissions |= (UINT32_C(1) << (perdatum->s.value - 1));
}
free(id);
}
@ -5470,7 +5465,7 @@ int define_fs_use(int behavior)
return 0;
}
int define_genfs_context_helper(char *fstype, int has_type)
static int define_genfs_context_helper(char *fstype, int has_type)
{
struct genfs *genfs_p, *genfs, *newgenfs;
ocontext_t *newc, *c, *head, *p;

20
checkpolicy/policy_parse.y
View file

@ -890,10 +890,26 @@ filename : FILENAME
{ yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
;
number : NUMBER
{ $$ = strtoul(yytext,NULL,0); }
{ unsigned long x;
errno = 0;
x = strtoul(yytext, NULL, 0);
if (errno)
return -1;
#if ULONG_MAX > UINT_MAX
if (x > UINT_MAX)
return -1;
#endif
$$ = (unsigned int) x;
}
;
number64 : NUMBER
{ $$ = strtoull(yytext,NULL,0); }
{ unsigned long long x;
errno = 0;
x = strtoull(yytext, NULL, 0);
if (errno)
return -1;
$$ = (uint64_t) x;
}
;
ipv6_addr : IPV6_ADDR
{ if (insert_id(yytext,0)) return -1; }

25
checkpolicy/policy_scan.l
View file

@ -59,12 +59,17 @@ alnum [a-zA-Z0-9]
hexval [0-9A-Fa-f]
%%
\n.* { strncpy(linebuf[lno], yytext+1, 255);
linebuf[lno][254] = 0;
lno = 1 - lno;
policydb_lineno++;
source_lineno++;
yyless(1); }
\n.* {
strncpy(linebuf[lno], yytext+1, 255);
linebuf[lno][254] = 0;
lno = 1 - lno;
policydb_lineno++;
if (source_lineno == ULONG_MAX)
yywarn("source line number overflow");
else
source_lineno++;
yyless(1);
}
CLONE |
clone { return(CLONE); }
COMMON |
@ -270,7 +275,13 @@ GLBLUB { return(GLBLUB); }
{hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); }
{digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); }
#line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); }
#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; }
#line[ ]{digit}+ {
errno = 0;
source_lineno = strtoul(yytext+6, NULL, 10) - 1;
if (errno) {
yywarn("source line number too big");
}
}
#[^\n]* { /* delete comments */ }
[ \t\f]+ { /* delete whitespace */ }
"==" { return(EQUALS); }

6
checkpolicy/test/dismod.c
View file

@ -89,7 +89,7 @@ static void render_access_bitmap(ebitmap_t * map, uint32_t class,
fprintf(fp, "{");
for (i = ebitmap_startbit(map); i < ebitmap_length(map); i++) {
if (ebitmap_get_bit(map, i)) {
perm = sepol_av_to_string(p, class, 1 << i);
perm = sepol_av_to_string(p, class, UINT32_C(1) << i);
if (perm)
fprintf(fp, " %s", perm);
}
@ -751,12 +751,14 @@ static int read_policy(char *filename, policydb_t * policy)
fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
exit(1);
}
sepol_policydb_free(package->policy);
package->policy = (sepol_policydb_t *) policy;
package->file_contexts = NULL;
retval =
sepol_module_package_read(package,
(sepol_policy_file_t *) & f, 1);
free(package->file_contexts);
package->policy = NULL;
sepol_module_package_free(package);
} else {
if (policydb_init(policy)) {
fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);

2
dbus/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

2
gui/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

2
libselinux/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

22
libselinux/src/mapping.c
View file

@ -144,9 +144,9 @@ unmap_perm(security_class_t tclass, access_vector_t tperm)
access_vector_t kperm = 0;
for (i = 0; i < current_mapping[tclass].num_perms; i++)
if (tperm & (1<<i)) {
if (tperm & (UINT32_C(1)<<i)) {
kperm |= current_mapping[tclass].perms[i];
tperm &= ~(1<<i);
tperm &= ~(UINT32_C(1)<<i);
}
return kperm;
}
@ -191,7 +191,7 @@ map_perm(security_class_t tclass, access_vector_t kperm)
for (i = 0; i < current_mapping[tclass].num_perms; i++)
if (kperm & current_mapping[tclass].perms[i]) {
tperm |= 1<<i;
tperm |= UINT32_C(1)<<i;
kperm &= ~current_mapping[tclass].perms[i];
}
@ -216,30 +216,30 @@ map_decision(security_class_t tclass, struct av_decision *avd)
for (i = 0, result = 0; i < n; i++) {
if (avd->allowed & mapping->perms[i])
result |= 1<<i;
result |= UINT32_C(1)<<i;
else if (allow_unknown && !mapping->perms[i])
result |= 1<<i;
result |= UINT32_C(1)<<i;
}
avd->allowed = result;
for (i = 0, result = 0; i < n; i++) {
if (avd->decided & mapping->perms[i])
result |= 1<<i;
result |= UINT32_C(1)<<i;
else if (allow_unknown && !mapping->perms[i])
result |= 1<<i;
result |= UINT32_C(1)<<i;
}
avd->decided = result;
for (i = 0, result = 0; i < n; i++)
if (avd->auditallow & mapping->perms[i])
result |= 1<<i;
result |= UINT32_C(1)<<i;
avd->auditallow = result;
for (i = 0, result = 0; i < n; i++) {
if (avd->auditdeny & mapping->perms[i])
result |= 1<<i;
result |= UINT32_C(1)<<i;
else if (!allow_unknown && !mapping->perms[i])
result |= 1<<i;
result |= UINT32_C(1)<<i;
}
/*
@ -248,7 +248,7 @@ map_decision(security_class_t tclass, struct av_decision *avd)
* a bug in the object manager.
*/
for (; i < (sizeof(result)*8); i++)
result |= 1<<i;
result |= UINT32_C(1)<<i;
avd->auditdeny = result;
}
}

2
libselinux/src/setup.py
View file

@ -4,7 +4,7 @@ from distutils.core import Extension, setup
setup(
name="selinux",
version="3.3-rc1",
version="3.3",
description="SELinux python 3 bindings",
author="SELinux Project",
author_email="selinux@vger.kernel.org",

8
libselinux/src/stringrep.c
View file

@ -229,7 +229,7 @@ access_vector_t string_to_av_perm(security_class_t tclass, const char *s)
size_t i;
for (i = 0; i < MAXVECTORS && node->perms[i] != NULL; i++)
if (strcmp(node->perms[i],s) == 0)
return map_perm(tclass, 1<<i);
return map_perm(tclass, UINT32_C(1)<<i);
}
errno = EINVAL;
@ -261,7 +261,7 @@ const char *security_av_perm_to_string(security_class_t tclass,
node = get_class_cache_entry_value(tclass);
if (av && node)
for (i = 0; i<MAXVECTORS; i++)
if ((1<<i) & av)
if ((UINT32_C(1)<<i) & av)
return node->perms[i];
return NULL;
@ -279,7 +279,7 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res)
/* first pass computes the required length */
for (i = 0; tmp; tmp >>= 1, i++) {
if (tmp & 1) {
str = security_av_perm_to_string(tclass, av & (1<<i));
str = security_av_perm_to_string(tclass, av & (UINT32_C(1)<<i));
if (str)
len += strlen(str) + 1;
}
@ -303,7 +303,7 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res)
ptr += sprintf(ptr, "{ ");
for (i = 0; tmp; tmp >>= 1, i++) {
if (tmp & 1) {
str = security_av_perm_to_string(tclass, av & (1<<i));
str = security_av_perm_to_string(tclass, av & (UINT32_C(1)<<i));
if (str)
ptr += sprintf(ptr, "%s ", str);
}

4
libselinux/utils/Makefile
View file

@ -52,9 +52,7 @@ else
TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
endif
sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol
sefcontext_compile: sefcontext_compile.o ../src/regex.o
sefcontext_compile: LDLIBS += ../src/libselinux.a $(PCRE_LDLIBS) -lsepol
all: $(TARGETS)

2
libsemanage/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

2
libsepol/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

23
libsepol/cil/src/cil_binary.c
View file

@ -1225,7 +1225,7 @@ int __perm_str_to_datum(char *perm_str, class_datum_t *sepol_class, uint32_t *da
goto exit;
}
}
*datum |= 1 << (sepol_perm->s.value - 1);
*datum |= UINT32_C(1) << (sepol_perm->s.value - 1);
return SEPOL_OK;
@ -1523,7 +1523,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_
/* index of the u32 containing the permission */
#define XPERM_IDX(x) (x >> 5)
/* set bits 0 through x-1 within the u32 */
#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
#define XPERM_SETBITS(x) ((UINT32_C(1) << (x & 0x1f)) - 1)
/* low value for this u32 */
#define XPERM_LOW(x) (x << 5)
/* high value for this u32 */
@ -4760,7 +4760,7 @@ static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t clas
cil_list_init(&cp->perms, CIL_PERM);
for (i = 0; i < sepol_class->permissions.nprim; i++) {
struct cil_perm *perm;
if ((data & (1 << i)) == 0) continue;
if ((data & (UINT32_C(1) << i)) == 0) continue;
perm = perm_value_to_cil[class][i+1];
if (!perm) goto exit;
cil_list_append(cp->perms, CIL_PERM, perm);
@ -4825,6 +4825,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
avtab_ptr_t cur;
struct cil_avrule target;
struct cil_tree_node *n1 = NULL;
int count_bad = 0;
*violation = CIL_TRUE;
@ -4838,10 +4839,13 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
for (cur = bad; cur; cur = cur->next) {
struct cil_list_item *i2;
struct cil_list *matching;
int num_matching = 0;
int count_matching = 0;
rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Failed to convert sepol avrule to CIL\n");
bounds_destroy_bad(bad);
goto exit;
}
__cil_print_rule(" ", "allow", &target);
@ -4854,6 +4858,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
bounds_destroy_bad(bad);
goto exit;
}
cil_list_for_each(i2, matching) {
num_matching++;
}
cil_list_for_each(i2, matching) {
struct cil_tree_node *n2 = i2->data;
struct cil_avrule *r2 = n2->data;
@ -4864,9 +4871,19 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
__cil_print_parents(" ", n2);
__cil_print_rule(" ", "allow", r2);
}
count_matching++;
if (count_matching >= 2) {
cil_log(CIL_ERR, " Only first 2 of %d matching rules shown\n", num_matching);
break;
}
}
cil_list_destroy(&matching, CIL_FALSE);
cil_list_destroy(&target.perms.classperms, CIL_TRUE);
count_bad++;
if (count_bad >= 2) {
cil_log(CIL_ERR, " Only first 2 of %d bad rules shown\n", numbad);
break;
}
}
bounds_destroy_bad(bad);
}

27
libsepol/cil/src/cil_build_ast.c
View file

@ -134,8 +134,7 @@ int cil_add_decl_to_symtab(struct cil_db *db, symtab_t *symtab, hashtab_key_t ke
/* multiple_decls is enabled and works for this datum type, add node */
cil_list_append(prev->nodes, CIL_NODE, node);
node->data = prev;
cil_symtab_datum_destroy(datum);
free(datum);
return SEPOL_EEXIST;
}
return SEPOL_OK;
@ -2367,7 +2366,12 @@ int cil_gen_type(struct cil_db *db, struct cil_tree_node *parse_current, struct
key = parse_current->next->data;
rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)type, (hashtab_key_t)key, CIL_SYM_TYPES, CIL_TYPE);
if (rc != SEPOL_OK) {
goto exit;
if (rc == SEPOL_EEXIST) {
cil_destroy_type(type);
type = NULL;
} else {
goto exit;
}
}
return SEPOL_OK;
@ -2415,7 +2419,12 @@ int cil_gen_typeattribute(struct cil_db *db, struct cil_tree_node *parse_current
key = parse_current->next->data;
rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)attr, (hashtab_key_t)key, CIL_SYM_TYPES, CIL_TYPEATTRIBUTE);
if (rc != SEPOL_OK) {
goto exit;
if (rc == SEPOL_EEXIST) {
cil_destroy_typeattribute(attr);
attr = NULL;
} else {
goto exit;
}
}
return SEPOL_OK;
@ -5480,8 +5489,14 @@ int cil_gen_optional(struct cil_db *db, struct cil_tree_node *parse_current, str
key = parse_current->next->data;
rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)optional, (hashtab_key_t)key, CIL_SYM_BLOCKS, CIL_OPTIONAL);
if (rc != SEPOL_OK)
goto exit;
if (rc != SEPOL_OK) {
if (rc == SEPOL_EEXIST) {
cil_destroy_optional(optional);
optional = NULL;
} else {
goto exit;
}
}
return SEPOL_OK;

41
libsepol/cil/src/cil_copy_ast.c
View file

@ -590,20 +590,12 @@ int cil_copy_roleallow(__attribute__((unused)) struct cil_db *db, void *data, vo
return SEPOL_OK;
}
int cil_copy_type(__attribute__((unused)) struct cil_db *db, void *data, void **copy, symtab_t *symtab)
int cil_copy_type(__attribute__((unused)) struct cil_db *db, __attribute__((unused)) void *data, void **copy, __attribute__((unused)) symtab_t *symtab)
{
struct cil_type *orig = data;
char *key = orig->datum.name;
struct cil_symtab_datum *datum = NULL;
struct cil_type *new;
cil_symtab_get_datum(symtab, key, &datum);
if (datum == NULL) {
struct cil_type *new;
cil_type_init(&new);
*copy = new;
} else {
*copy = datum;
}
cil_type_init(&new);
*copy = new;
return SEPOL_OK;
}
@ -622,20 +614,12 @@ int cil_copy_typepermissive(__attribute__((unused)) struct cil_db *db, void *dat
return SEPOL_OK;
}
int cil_copy_typeattribute(__attribute__((unused)) struct cil_db *db, void *data, void **copy, symtab_t *symtab)
int cil_copy_typeattribute(__attribute__((unused)) struct cil_db *db, __attribute__((unused)) void *data, void **copy, __attribute__((unused)) symtab_t *symtab)
{
struct cil_typeattribute *orig = data;
char *key = orig->datum.name;
struct cil_symtab_datum *datum = NULL;
struct cil_typeattribute *new;
cil_symtab_get_datum(symtab, key, &datum);
if (datum == NULL) {
struct cil_typeattribute *new;
cil_typeattribute_init(&new);
*copy = new;
} else {
*copy = datum;
}
cil_typeattribute_init(&new);
*copy = new;
return SEPOL_OK;
}
@ -2056,7 +2040,14 @@ int __cil_copy_node_helper(struct cil_tree_node *orig, uint32_t *finished, void
rc = cil_add_decl_to_symtab(db, symtab, DATUM(orig->data)->name, DATUM(data), new);
if (rc != SEPOL_OK) {
goto exit;
if (rc == SEPOL_EEXIST) {
cil_symtab_datum_destroy(data);
free(data);
data = NULL;
rc = SEPOL_OK;
} else {
goto exit;
}
}
namespace = new;

2
libsepol/cil/src/cil_resolve_ast.c
View file

@ -3946,7 +3946,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
}
if (node->flavor == CIL_MACRO) {
if (pass != CIL_PASS_TIF) {
if (pass > CIL_PASS_IN_AFTER) {
*finished = CIL_TREE_SKIP_HEAD;
rc = SEPOL_OK;
goto exit;

40
libsepol/cil/src/cil_verify.c
View file

@ -1689,6 +1689,15 @@ exit:
return rc;
}
static int __add_perm_to_list(__attribute__((unused)) hashtab_key_t k, hashtab_datum_t d, void *args)
{
struct cil_list *perm_list = (struct cil_list *)args;
cil_list_append(perm_list, CIL_DATUM, d);
return SEPOL_OK;
}
static int __cil_verify_classperms(struct cil_list *classperms,
struct cil_symtab_datum *orig,
struct cil_symtab_datum *parent,
@ -1730,13 +1739,34 @@ static int __cil_verify_classperms(struct cil_list *classperms,
if (FLAVOR(cp->class) != CIL_CLASS) { /* MAP */
struct cil_list_item *i = NULL;
cil_list_for_each(i, cp->perms) {
struct cil_perm *cmp = i->data;
rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit);
if (rc != SEPOL_OK) {
goto exit;
if (i->flavor != CIL_OP) {
struct cil_perm *cmp = i->data;
rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit);
if (rc != SEPOL_OK) {
goto exit;
}
} else {
enum cil_flavor op = (enum cil_flavor)(uintptr_t)i->data;
if (op == CIL_ALL) {
struct cil_class *mc = cp->class;
struct cil_list *perm_list;
struct cil_list_item *j = NULL;
cil_list_init(&perm_list, CIL_MAP_PERM);
cil_symtab_map(&mc->perms, __add_perm_to_list, perm_list);
cil_list_for_each(j, perm_list) {
struct cil_perm *cmp = j->data;
rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit);
if (rc != SEPOL_OK) {
cil_list_destroy(&perm_list, CIL_FALSE);
goto exit;
}
}
cil_list_destroy(&perm_list, CIL_FALSE);
}
}
}
}
}
} else { /* SET */
struct cil_classperms_set *cp_set = curr->data;
struct cil_classpermission *cp = cp_set->set;

2
libsepol/src/avtab.c
View file

@ -376,7 +376,7 @@ int avtab_alloc(avtab_t *h, uint32_t nrules)
}
if (shift > 2)
shift = shift - 2;
nslot = 1 << shift;
nslot = UINT32_C(1) << shift;
if (nslot > MAX_AVTAB_HASH_BUCKETS)
nslot = MAX_AVTAB_HASH_BUCKETS;
mask = nslot - 1;

6
libsepol/src/conditional.c
View file

@ -411,13 +411,13 @@ int cond_normalize_expr(policydb_t * p, cond_node_t * cn)
}
/* loop through all possible combinations of values for bools in expression */
for (test = 0x0; test < (0x1U << cn->nbools); test++) {
for (test = 0x0; test < (UINT32_C(1) << cn->nbools); test++) {
/* temporarily set the value for all the bools in the
* expression using the corr. bit in test */
for (j = 0; j < cn->nbools; j++) {
p->bool_val_to_struct[cn->bool_ids[j] -
1]->state =
(test & (0x1 << j)) ? 1 : 0;
(test & (UINT32_C(1) << j)) ? 1 : 0;
}
k = cond_evaluate_expr(p, cn->expr);
if (k == -1) {
@ -428,7 +428,7 @@ int cond_normalize_expr(policydb_t * p, cond_node_t * cn)
}
/* set the bit if expression evaluates true */
if (k)
cn->expr_pre_comp |= 0x1 << test;
cn->expr_pre_comp |= UINT32_C(1) << test;
}
/* restore bool default values */

16
libsepol/src/ebitmap.c
View file

@ -17,7 +17,8 @@
int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2)
{
ebitmap_node_t *n1, *n2, *new, *prev;
const ebitmap_node_t *n1, *n2;
ebitmap_node_t *new, *prev;
ebitmap_init(dst);
@ -154,7 +155,7 @@ int ebitmap_hamming_distance(const ebitmap_t * e1, const ebitmap_t * e2)
int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2)
{
ebitmap_node_t *n1, *n2;
const ebitmap_node_t *n1, *n2;
if (e1->highbit != e2->highbit)
return 0;
@ -175,7 +176,8 @@ int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2)
int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src)
{
ebitmap_node_t *n, *new, *prev;
const ebitmap_node_t *n;
ebitmap_node_t *new, *prev;
ebitmap_init(dst);
n = src->node;
@ -204,7 +206,7 @@ int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src)
int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2)
{
ebitmap_node_t *n1, *n2;
const ebitmap_node_t *n1, *n2;
if (e1->highbit < e2->highbit)
return 0;
@ -231,8 +233,8 @@ int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2)
int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2)
{
ebitmap_node_t *n1 = e1->node;
ebitmap_node_t *n2 = e2->node;
const ebitmap_node_t *n1 = e1->node;
const ebitmap_node_t *n2 = e2->node;
while (n1 && n2) {
if (n1->startbit < n2->startbit) {
@ -253,7 +255,7 @@ int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2)
int ebitmap_get_bit(const ebitmap_t * e, unsigned int bit)
{
ebitmap_node_t *n;
const ebitmap_node_t *n;
if (e->highbit < bit)
return 0;

6
libsepol/src/expand.c
View file

@ -243,7 +243,7 @@ static int perm_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
new_perm->s.value = perm->s.value;
s->nprim++;
ret = hashtab_insert(s->table, new_id, (hashtab_datum_t *) new_perm);
ret = hashtab_insert(s->table, new_id, (hashtab_datum_t) new_perm);
if (ret) {
free(new_id);
free(new_perm);
@ -294,7 +294,7 @@ static int common_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
ret =
hashtab_insert(state->out->p_commons.table, new_id,
(hashtab_datum_t *) new_common);
(hashtab_datum_t) new_common);
if (ret) {
ERR(state->handle, "hashtab overflow");
free(new_common);
@ -492,7 +492,7 @@ static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
ret =
hashtab_insert(state->out->p_classes.table, new_id,
(hashtab_datum_t *) new_class);
(hashtab_datum_t) new_class);
if (ret) {
ERR(state->handle, "hashtab overflow");
free(new_class);

4
libsepol/src/link.c
View file

@ -1291,10 +1291,10 @@ static int copy_avrule_list(avrule_t * list, avrule_t ** dst,
i <
module->perm_map_len[cur_perm->tclass - 1];
i++) {
if (!(cur_perm->data & (1U << i)))
if (!(cur_perm->data & (UINT32_C(1) << i)))
continue;
new_perm->data |=
(1U <<
(UINT32_C(1) <<
(module->
perm_map[cur_perm->tclass - 1][i] -
1));

9
libsepol/src/module_to_cil.c
View file

@ -573,7 +573,7 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const
rule = "auditallow";
break;
case AVRULE_AUDITDENY:
rule = "auditdenty";
rule = "auditdeny";
break;
case AVRULE_DONTAUDIT:
rule = "dontaudit";
@ -3354,9 +3354,14 @@ static int typealiases_to_cil(int indent, struct policydb *pdb, struct avrule_bl
char *type_name;
struct list_node *curr;
struct avrule_decl *decl = stack_peek(decl_stack);
struct list *alias_list = typealias_lists[decl->decl_id];
struct list *alias_list;
int rc = -1;
if (decl == NULL) {
return -1;
}
alias_list = typealias_lists[decl->decl_id];
if (alias_list == NULL) {
return 0;
}

4
libsepol/src/policydb.c
View file

@ -4166,7 +4166,7 @@ static sepol_access_vector_t policydb_string_to_av_perm(
hashtab_search(tclass_datum->permissions.table,
(hashtab_key_t)perm_name);
if (perm_datum != NULL)
return 0x1U << (perm_datum->s.value - 1);
return UINT32_C(1) << (perm_datum->s.value - 1);
if (tclass_datum->comdatum == NULL)
return 0;
@ -4176,7 +4176,7 @@ static sepol_access_vector_t policydb_string_to_av_perm(
(hashtab_key_t)perm_name);
if (perm_datum != NULL)
return 0x1U << (perm_datum->s.value - 1);
return UINT32_C(1) << (perm_datum->s.value - 1);
return 0;
}

14
libsepol/src/policydb_validate.c
View file

@ -722,12 +722,21 @@ bad:
return -1;
}
static void validate_array_destroy(validate_t flavors[])
{
unsigned int i;
for (i = 0; i < SYM_NUM; i++) {
ebitmap_destroy(&flavors[i].gaps);
}
}
/*
* Validate policydb
*/
int validate_policydb(sepol_handle_t *handle, policydb_t *p)
{
validate_t flavors[SYM_NUM];
validate_t flavors[SYM_NUM] = {};
if (validate_array_init(p, flavors))
goto bad;
@ -756,9 +765,12 @@ int validate_policydb(sepol_handle_t *handle, policydb_t *p)
if (validate_datum_arrays(handle, p, flavors))
goto bad;
validate_array_destroy(flavors);
return 0;
bad:
ERR(handle, "Invalid policydb");
validate_array_destroy(flavors);
return -1;
}

4
libsepol/src/services.c
View file

@ -1213,7 +1213,7 @@ int sepol_string_to_av_perm(sepol_security_class_t tclass,
hashtab_search(tclass_datum->permissions.table,
perm_name);
if (perm_datum != NULL) {
*av = 0x1 << (perm_datum->s.value - 1);
*av = UINT32_C(1) << (perm_datum->s.value - 1);
return STATUS_SUCCESS;
}
@ -1225,7 +1225,7 @@ int sepol_string_to_av_perm(sepol_security_class_t tclass,
perm_name);
if (perm_datum != NULL) {
*av = 0x1 << (perm_datum->s.value - 1);
*av = UINT32_C(1) << (perm_datum->s.value - 1);
return STATUS_SUCCESS;
}
out:

2
libsepol/src/util.c
View file

@ -92,7 +92,7 @@ char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass,
cladatum = policydbp->class_val_to_struct[tclass - 1];
p = avbuf;
for (i = 0; i < cladatum->permissions.nprim; i++) {
if (av & (1 << i)) {
if (av & (UINT32_C(1) << i)) {
v.val = i + 1;
rc = hashtab_map(cladatum->permissions.table,
perm_name, &v);

2
mcstrans/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

2
policycoreutils/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

2
policycoreutils/newrole/Makefile
View file

@ -12,7 +12,7 @@ AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
# This will make newrole a setuid root program.
# The capabilities used are: CAP_AUDIT_WRITE.
AUDIT_LOG_PRIV ?= n
# Enable capabilities to permit newrole to utilitize the pam_namespace module.
# Enable capabilities to permit newrole to utilize the pam_namespace module.
# This will make newrole a setuid root program.
# The capabilities used are: CAP_SYS_ADMIN, CAP_CHOWN, CAP_FOWNER and
# CAP_DAC_OVERRIDE.

2
policycoreutils/newrole/newrole.c
View file

@ -1022,7 +1022,7 @@ static int set_signal_handles(void)
int main(int argc, char *argv[])
{
char *new_context = NULL; /* target security context */
char *old_context = NULL; /* original securiy context */
char *old_context = NULL; /* original security context */
char *tty_context = NULL; /* current context of tty */
char *new_tty_context = NULL; /* new context of tty */

3
policycoreutils/semodule/semodule.c
View file

@ -452,8 +452,7 @@ int main(int argc, char *argv[])
}
semanage_module_info_get_priority(sh, extract_info, &curr_priority);
printf("Module '%s' does not exist at the default priority '%d'. "
"Extracting at highest existing priority '%d'.\n", mode_arg, priority, curr_priority);
printf("Extracting at highest existing priority '%d'.\n", curr_priority);
priority = curr_priority;
}

2
python/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

6
python/semanage/semanage
View file

@ -129,7 +129,7 @@ class SetImportFile(argparse.Action):
sys.exit(1)
setattr(namespace, self.dest, values)
# define dictonary for seobject OBEJCTS
# define dictionary for seobject OBEJCTS
object_dict = {
'login': seobject.loginRecords,
'user': seobject.seluserRecords,
@ -146,7 +146,7 @@ object_dict = {
}
def generate_custom_usage(usage_text, usage_dict):
# generate custom usage from given text and dictonary
# generate custom usage from given text and dictionary
sorted_keys = []
for i in usage_dict.keys():
sorted_keys.append(i)
@ -160,7 +160,7 @@ def generate_custom_usage(usage_text, usage_dict):
def handle_opts(args, dict, target_key):
# handle conflict and required options for given dictonary
# handle conflict and required options for given dictionary
# {action:[conflict_opts,require_opts]}
# first we need to catch conflicts

2
python/sepolgen/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

2
python/sepolgen/src/sepolgen/refpolicy.py
View file

@ -42,7 +42,7 @@ PERMS = 3
ROLE = 4
DEST_TYPE = 5
# String represenations of the above constants
# String representations of the above constants
field_to_str = ["source", "target", "object", "permission", "role", "destination" ]
str_to_field = { "source" : SRC_TYPE, "target" : TGT_TYPE, "object" : OBJ_CLASS,
"permission" : PERMS, "role" : ROLE, "destination" : DEST_TYPE }

2
python/sepolgen/src/sepolgen/yacc.py
View file

@ -1502,7 +1502,7 @@ class Grammar(object):
self.Precedence = {} # Precedence rules for each terminal. Contains tuples of the
# form ('right',level) or ('nonassoc', level) or ('left',level)
self.UsedPrecedence = set() # Precedence rules that were actually used by the grammer.
self.UsedPrecedence = set() # Precedence rules that were actually used by the grammar.
# This is only used to provide error checking and to generate
# a warning about unused precedence rules.

2
python/sepolicy/sepolicy/manpage.py
View file

@ -797,7 +797,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.B STANDARD FILE CONTEXT
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
.br

2
python/sepolicy/setup.py
View file

@ -6,7 +6,7 @@ from distutils.core import setup
setup(
name="sepolicy",
version="3.3-rc1",
version="3.3",
description="Python SELinux Policy Analyses bindings",
author="Daniel Walsh",
author_email="dwalsh@redhat.com",

2
restorecond/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

2
sandbox/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

2
secilc/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3

2
secilc/docs/cil_access_vector_rules.md
View file

@ -360,7 +360,7 @@ dontauditx
Do not audit the access rights defined when access denied. This stops excessive log entries for known events.
Note that for this to work there must *also* be atleast one [`allowx`](cil_access_vector_rules.md#allowx) rule associated with the target type.
Note that for this to work there must *also* be at least one [`allowx`](cil_access_vector_rules.md#allowx) rule associated with the target type.
Note that these rules can be omitted by the CIL compiler command line parameter `-D` or `--disable-dontaudit` flags.

2
secilc/docs/secil.xml
View file

@ -208,7 +208,7 @@
<context name="String" attribute="String" lineEndContext="#stay">
<RegExpr attribute="Char" context="#stay" String="#\\."/>
<!-- allow escaping " or similiar -->
<!-- allow escaping " or similar -->
<HlCStringChar attribute="String Char" context="#stay"/>
<DetectChar attribute="String" context="#pop" char="&quot;"/>

2
secilc/test/block_test.cil
View file

@ -84,7 +84,7 @@
)
;; Inherting the abstract block causes the allow rule to be in the policy
;; Inheriting the abstract block causes the allow rule to be in the policy
(type t5)
(block b5
(blockabstract b5)

2
semodule-utils/VERSION
View file

@ -1 +1 @@
3.3-rc1
3.3