diff --git a/.github/workflows/vm_testsuite.yml b/.github/workflows/vm_testsuite.yml index af2fad1e..601276dd 100644 --- a/.github/workflows/vm_testsuite.yml +++ b/.github/workflows/vm_testsuite.yml @@ -6,7 +6,8 @@ jobs: vm_testsuite: # Use VirtualBox+vagrant on macOS, as described in https://github.com/actions/virtual-environments/issues/433 - runs-on: macos-latest + # Use an old version of macOS until https://github.com/actions/virtual-environments/pull/4010 is merged. + runs-on: macos-10.15 steps: - uses: actions/checkout@v2 diff --git a/README.md b/README.md index d1338e87..e1c2fe64 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,8 @@ SELinux Userspace ================= ![SELinux logo](https://github.com/SELinuxProject.png) -[![Build Status](https://travis-ci.org/SELinuxProject/selinux.svg?branch=master)](https://travis-ci.org/SELinuxProject/selinux) +[![Run Tests](https://github.com/SELinuxProject/selinux/actions/workflows/run_tests.yml/badge.svg)](https://github.com/SELinuxProject/selinux/actions/workflows/run_tests.yml) +[![Run SELinux testsuite in a virtual machine](https://github.com/SELinuxProject/selinux/actions/workflows/vm_testsuite.yml/badge.svg)](https://github.com/SELinuxProject/selinux/actions/workflows/vm_testsuite.yml) [![OSS-Fuzz Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/selinux.svg)](https://oss-fuzz-build-logs.storage.googleapis.com/index.html#selinux) [![CIFuzz Status](https://github.com/SELinuxProject/selinux/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/SELinuxProject/selinux/actions/workflows/cifuzz.yml) diff --git a/VERSION b/VERSION index e6852d8a..eb39e538 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3 diff --git a/checkpolicy/VERSION b/checkpolicy/VERSION index e6852d8a..eb39e538 100644 --- a/checkpolicy/VERSION +++ b/checkpolicy/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3 diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8 index c4b1592b..1061a6f2 100644 --- a/checkpolicy/checkmodule.8 +++ b/checkpolicy/checkmodule.8 @@ -3,7 +3,7 @@ checkmodule \- SELinux policy module compiler .SH SYNOPSIS .B checkmodule -.I "[\-h] [\-b] [\-C] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]" +.I "[\-h] [\-b] [\-c policy_version] [\-C] [\-E] [\-m] [\-M] [\-U handle_unknown] [\-V] [\-o output_file] [input_file]" .SH "DESCRIPTION" This manual page describes the .BR checkmodule @@ -15,9 +15,12 @@ into a binary representation. It can generate either a base policy module (default) or a non-base policy module (\-m option); typically, you would build a non-base policy module to add to an existing module store that already has a base module provided by the base policy. Use -semodule_package to combine this module with its optional file -contexts to create a policy package, and then use semodule to install -the module package into the module store and load the resulting policy. +.B semodule_package(8) +to combine this module with its optional file +contexts to create a policy package, and then use +.B semodule(8) +to install the module package into the module store and load the resulting +policy. .SH OPTIONS .TP diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c index 316b2898..3432608b 100644 --- a/checkpolicy/checkmodule.c +++ b/checkpolicy/checkmodule.c @@ -34,9 +34,6 @@ #include "checkpolicy.h" #include "parse_util.h" -extern char *optarg; -extern int optind; - static sidtab_t sidtab; extern int mlspol; @@ -126,7 +123,7 @@ static int write_binary_policy(policydb_t * p, FILE *outfp) static __attribute__((__noreturn__)) void usage(const char *progname) { - printf("usage: %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname); + printf("usage: %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-o FILE] [-c VERSION] [INPUT]\n", progname); printf("Build base and policy modules.\n"); printf("Options:\n"); printf(" INPUT build module from INPUT (else read from \"%s\")\n", @@ -155,7 +152,7 @@ int main(int argc, char **argv) int ch; int show_version = 0; policydb_t modpolicydb; - struct option long_options[] = { + const struct option long_options[] = { {"help", no_argument, NULL, 'h'}, {"output", required_argument, NULL, 'o'}, {"binary", no_argument, NULL, 'b'}, @@ -271,7 +268,7 @@ int main(int argc, char **argv) } else { if (policydb_init(&modpolicydb)) { fprintf(stderr, "%s: out of memory!\n", argv[0]); - return -1; + exit(1); } modpolicydb.policy_type = policy_type; @@ -283,7 +280,7 @@ int main(int argc, char **argv) } if (hierarchy_check_constraints(NULL, &modpolicydb)) { - return -1; + exit(1); } } @@ -336,7 +333,7 @@ int main(int argc, char **argv) FILE *outfp = fopen(outfile, "w"); if (!outfp) { - perror(outfile); + fprintf(stderr, "%s: error opening %s: %s\n", argv[0], outfile, strerror(errno)); exit(1); } @@ -352,7 +349,10 @@ int main(int argc, char **argv) } } - fclose(outfp); + if (fclose(outfp)) { + fprintf(stderr, "%s: error closing %s: %s\n", argv[0], outfile, strerror(errno)); + exit(1); + } } else if (cil) { fprintf(stderr, "%s: No file to write CIL was specified\n", argv[0]); exit(1); diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8 index f4e6fb24..2984c238 100644 --- a/checkpolicy/checkpolicy.8 +++ b/checkpolicy/checkpolicy.8 @@ -3,7 +3,7 @@ checkpolicy \- SELinux policy compiler .SH SYNOPSIS .B checkpolicy -.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]" +.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-O] [\-E] [\-V] [input_file]" .br .SH "DESCRIPTION" This manual page describes the @@ -13,8 +13,10 @@ command. .B checkpolicy is a program that checks and compiles a SELinux security policy configuration into a binary representation that can be loaded into the kernel. If no -input file name is specified, checkpolicy will attempt to read from -policy.conf or policy, depending on whether the \-b flag is specified. +input file name is specified, +.B checkpolicy +will attempt to read from policy.conf or policy, depending on whether the \-b +flag is specified. .SH OPTIONS .TP diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c index e6cfd337..926ce72c 100644 --- a/checkpolicy/checkpolicy.c +++ b/checkpolicy/checkpolicy.c @@ -92,9 +92,6 @@ #include "checkpolicy.h" #include "parse_util.h" -extern char *optarg; -extern int optind; - static policydb_t policydb; static sidtab_t sidtab; @@ -112,7 +109,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname) { printf ("usage: %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] " - "[-c policyvers (%d-%d)] [-o output_file|-] [-S] " + "[-c policyvers (%d-%d)] [-o output_file|-] [-S] [-O] " "[-t target_platform (selinux,xen)] [-E] [-V] [input_file]\n", progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); exit(1); @@ -297,9 +294,7 @@ static int identify_equiv_types(void) } #endif -extern char *av_to_string(uint32_t tclass, sepol_access_vector_t av); - -int display_bools(void) +static int display_bools(void) { uint32_t i; @@ -310,10 +305,10 @@ int display_bools(void) return 0; } -void display_expr(cond_expr_t * exp) +static void display_expr(const cond_expr_t * exp) { - cond_expr_t *cur; + const cond_expr_t *cur; for (cur = exp; cur != NULL; cur = cur->next) { switch (cur->expr_type) { case COND_BOOL: @@ -345,9 +340,9 @@ void display_expr(cond_expr_t * exp) } } -int display_cond_expressions(void) +static int display_cond_expressions(void) { - cond_node_t *cur; + const cond_node_t *cur; for (cur = policydbp->cond_list; cur != NULL; cur = cur->next) { printf("expression: "); @@ -357,7 +352,7 @@ int display_cond_expressions(void) return 0; } -int change_bool(char *name, int state) +static int change_bool(const char *name, int state) { cond_bool_datum_t *bool; @@ -412,7 +407,7 @@ int main(int argc, char **argv) unsigned int reason; int flags; struct policy_file pf; - struct option long_options[] = { + const struct option long_options[] = { {"output", required_argument, NULL, 'o'}, {"target", required_argument, NULL, 't'}, {"binary", no_argument, NULL, 'b'}, @@ -706,7 +701,10 @@ int main(int argc, char **argv) } if (outfp != stdout) { - fclose(outfp); + if(fclose(outfp)) { + fprintf(stderr, "%s: error closing %s: %s\n", argv[0], outfile, strerror(errno)); + exit(1); + } } } else if (cil) { fprintf(stderr, "%s: No file to write CIL was specified\n", argv[0]); @@ -796,7 +794,7 @@ int main(int argc, char **argv) case 0: printf("\nallowed {"); for (i = 1; i <= sizeof(avd.allowed) * 8; i++) { - if (avd.allowed & (1 << (i - 1))) { + if (avd.allowed & (UINT32_C(1) << (i - 1))) { v.val = i; ret = hashtab_map(cladatum-> diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c index ada7cb2a..5f5b0b19 100644 --- a/checkpolicy/module_compiler.c +++ b/checkpolicy/module_compiler.c @@ -165,7 +165,7 @@ static int create_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_ decl->decl_id, dest_value); if (ret == 1 && dest_value) { - symtab_datum_t *s = + hashtab_datum_t s = hashtab_search(policydbp->symtab[symbol_type].table, key); assert(s != NULL); @@ -173,7 +173,7 @@ static int create_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_ if (symbol_type == SYM_LEVELS) { *dest_value = ((level_datum_t *)s)->level->sens; } else { - *dest_value = s->value; + *dest_value = ((symtab_datum_t *)s)->value; } } else if (ret == -2) { return -2; @@ -999,7 +999,7 @@ static int require_bool_tunable(int pass, int is_tunable) if (is_tunable) booldatum->flags |= COND_BOOL_FLAGS_TUNABLE; retval = - require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum, + require_symbol(SYM_BOOLS, id, booldatum, &booldatum->s.value, &booldatum->s.value); if (retval != 0) { cond_destroy_bool(id, booldatum, NULL); @@ -1051,7 +1051,7 @@ int require_sens(int pass) return -1; } mls_level_init(level->level); - retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level, + retval = require_symbol(SYM_LEVELS, id, level, &level->level->sens, &level->level->sens); if (retval != 0) { free(id); @@ -1089,7 +1089,7 @@ int require_cat(int pass) } cat_datum_init(cat); - retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat, + retval = require_symbol(SYM_CATS, id, cat, &cat->s.value, &cat->s.value); if (retval != 0) { free(id); @@ -1104,14 +1104,14 @@ int require_cat(int pass) return 0; } -static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack) +static int is_scope_in_stack(const scope_datum_t * scope, const scope_stack_t * stack) { uint32_t i; if (stack == NULL) { return 0; /* no matching scope found */ } if (stack->type == 1) { - avrule_decl_t *decl = stack->decl; + const avrule_decl_t *decl = stack->decl; for (i = 0; i < scope->decl_ids_len; i++) { if (scope->decl_ids[i] == decl->decl_id) { return 1; @@ -1126,9 +1126,9 @@ static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack) return is_scope_in_stack(scope, stack->parent); } -int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id) +int is_id_in_scope(uint32_t symbol_type, const_hashtab_key_t id) { - scope_datum_t *scope = + const scope_datum_t *scope = (scope_datum_t *) hashtab_search(policydbp->scope[symbol_type]. table, id); if (scope == NULL) { @@ -1138,7 +1138,7 @@ int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id) } static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value, - scope_index_t * scope) + const scope_index_t * scope) { if (class_value > scope->class_perms_len) { return 1; @@ -1151,7 +1151,7 @@ static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value, } static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value, - scope_stack_t * stack) + const scope_stack_t * stack) { if (stack == NULL) { return 0; /* no matching scope found */ @@ -1173,12 +1173,12 @@ static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value, return is_perm_in_stack(perm_value, class_value, stack->parent); } -int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id) +int is_perm_in_scope(const_hashtab_key_t perm_id, const_hashtab_key_t class_id) { - class_datum_t *cladatum = + const class_datum_t *cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table, class_id); - perm_datum_t *perdatum; + const perm_datum_t *perdatum; if (cladatum == NULL) { return 1; } @@ -1361,17 +1361,17 @@ int begin_optional_else(int pass) return 0; } -static int copy_requirements(avrule_decl_t * dest, scope_stack_t * stack) +static int copy_requirements(avrule_decl_t * dest, const scope_stack_t * stack) { uint32_t i; if (stack == NULL) { return 0; } if (stack->type == 1) { - scope_index_t *src_scope = &stack->decl->required; + const scope_index_t *src_scope = &stack->decl->required; scope_index_t *dest_scope = &dest->required; for (i = 0; i < SYM_NUM; i++) { - ebitmap_t *src_bitmap = &src_scope->scope[i]; + const ebitmap_t *src_bitmap = &src_scope->scope[i]; ebitmap_t *dest_bitmap = &dest_scope->scope[i]; if (ebitmap_union(dest_bitmap, src_bitmap)) { yyerror("Out of memory!"); @@ -1397,7 +1397,7 @@ static int copy_requirements(avrule_decl_t * dest, scope_stack_t * stack) src_scope->class_perms_len; } for (i = 0; i < src_scope->class_perms_len; i++) { - ebitmap_t *src_bitmap = &src_scope->class_perms_map[i]; + const ebitmap_t *src_bitmap = &src_scope->class_perms_map[i]; ebitmap_t *dest_bitmap = &dest_scope->class_perms_map[i]; if (ebitmap_union(dest_bitmap, src_bitmap)) { diff --git a/checkpolicy/module_compiler.h b/checkpolicy/module_compiler.h index 72c2d9bb..29b824b4 100644 --- a/checkpolicy/module_compiler.h +++ b/checkpolicy/module_compiler.h @@ -65,12 +65,12 @@ int require_cat(int pass); /* Check if an identifier is within the scope of the current * declaration or any of its parents. Return 1 if it is, 0 if not. * If the identifier is not known at all then return 1 (truth). */ -int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id); +int is_id_in_scope(uint32_t symbol_type, const_hashtab_key_t id); /* Check if a particular permission is within the scope of the current * declaration or any of its parents. Return 1 if it is, 0 if not. * If the identifier is not known at all then return 1 (truth). */ -int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id); +int is_perm_in_scope(const_hashtab_key_t perm_id, const_hashtab_key_t class_id); /* Search the current avrules block for a conditional with the same * expression as 'cond'. If the conditional does not exist then diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c index 1795e93c..8c1f393c 100644 --- a/checkpolicy/parse_util.c +++ b/checkpolicy/parse_util.c @@ -36,7 +36,7 @@ int read_source_policy(policydb_t * p, const char *file, const char *progname) { yyin = fopen(file, "r"); if (!yyin) { - fprintf(stderr, "%s: unable to open %s\n", progname, file); + fprintf(stderr, "%s: unable to open %s: %s\n", progname, file, strerror(errno)); return -1; } set_source_file(file); diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index 75a67d5c..d3eb6111 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -60,10 +60,13 @@ #include "module_compiler.h" #include "policy_define.h" +extern void init_parser(int pass_number); +__attribute__ ((format(printf, 1, 2))) +extern void yyerror2(const char *fmt, ...); + policydb_t *policydbp; queue_t id_queue = 0; unsigned int pass; -char *curfile = 0; int mlspol = 0; extern unsigned long policydb_lineno; @@ -74,12 +77,6 @@ extern char source_file[PATH_MAX]; extern int yywarn(const char *msg); extern int yyerror(const char *msg); -#define ERRORMSG_LEN 255 -static char errormsg[ERRORMSG_LEN + 1] = {0}; - -static int id_has_dot(const char *id); -static int parse_security_context(context_struct_t *c); - /* initialize all of the state variables for the scanner/parser */ void init_parser(int pass_number) { @@ -89,12 +86,12 @@ void init_parser(int pass_number) pass = pass_number; } -__attribute__ ((format(printf, 1, 2))) void yyerror2(const char *fmt, ...) { + char errormsg[256]; va_list ap; va_start(ap, fmt); - vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap); + vsnprintf(errormsg, sizeof(errormsg), fmt, ap); yyerror(errormsg); va_end(ap); } @@ -1605,7 +1602,7 @@ static int set_types(type_set_t * set, char *id, int *add, char starallowed) return -1; } -int define_compute_type_helper(int which, avrule_t ** rule) +static int define_compute_type_helper(int which, avrule_t ** rule) { char *id; type_datum_t *datum; @@ -1832,7 +1829,7 @@ struct av_ioctl_range_list { struct av_ioctl_range_list *next; }; -int avrule_sort_ioctls(struct av_ioctl_range_list **rangehead) +static int avrule_sort_ioctls(struct av_ioctl_range_list **rangehead) { struct av_ioctl_range_list *r, *r2, *sorted, *sortedhead = NULL; @@ -1880,7 +1877,7 @@ error: return -1; } -int avrule_merge_ioctls(struct av_ioctl_range_list **rangehead) +static int avrule_merge_ioctls(struct av_ioctl_range_list **rangehead) { struct av_ioctl_range_list *r, *tmp; r = *rangehead; @@ -1900,7 +1897,7 @@ int avrule_merge_ioctls(struct av_ioctl_range_list **rangehead) return 0; } -int avrule_read_ioctls(struct av_ioctl_range_list **rangehead) +static int avrule_read_ioctls(struct av_ioctl_range_list **rangehead) { char *id; struct av_ioctl_range_list *rnew, *r = NULL; @@ -1953,7 +1950,7 @@ error: } /* flip to included ranges */ -int avrule_omit_ioctls(struct av_ioctl_range_list **rangehead) +static int avrule_omit_ioctls(struct av_ioctl_range_list **rangehead) { struct av_ioctl_range_list *rnew, *r, *newhead, *r2; @@ -2001,7 +1998,7 @@ error: return -1; } -int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist) +static int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist) { struct av_ioctl_range_list *rangehead; uint8_t omit; @@ -2029,7 +2026,7 @@ int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist) return 0; } -int define_te_avtab_xperms_helper(int which, avrule_t ** rule) +static int define_te_avtab_xperms_helper(int which, avrule_t ** rule) { char *id; class_perm_node_t *perms, *tail = NULL, *cur_perms = NULL; @@ -2129,7 +2126,7 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule) policydbp->p_class_val_to_name[i]); continue; } else { - cur_perms->data |= 1U << (perdatum->s.value - 1); + cur_perms->data |= UINT32_C(1) << (perdatum->s.value - 1); } } @@ -2143,14 +2140,14 @@ out: } /* index of the u32 containing the permission */ -#define XPERM_IDX(x) (x >> 5) +#define XPERM_IDX(x) ((x) >> 5) /* set bits 0 through x-1 within the u32 */ -#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1) +#define XPERM_SETBITS(x) ((UINT32_C(1) << ((x) & 0x1f)) - 1) /* low value for this u32 */ -#define XPERM_LOW(x) (x << 5) +#define XPERM_LOW(x) ((x) << 5) /* high value for this u32 */ -#define XPERM_HIGH(x) (((x + 1) << 5) - 1) -void avrule_xperm_setrangebits(uint16_t low, uint16_t high, +#define XPERM_HIGH(x) ((((x) + 1) << 5) - 1) +static void avrule_xperm_setrangebits(uint16_t low, uint16_t high, av_extended_perms_t *xperms) { unsigned int i; @@ -2172,7 +2169,7 @@ void avrule_xperm_setrangebits(uint16_t low, uint16_t high, } } -int avrule_xperms_used(const av_extended_perms_t *xperms) +static int avrule_xperms_used(const av_extended_perms_t *xperms) { unsigned int i; @@ -2189,10 +2186,10 @@ int avrule_xperms_used(const av_extended_perms_t *xperms) * dir, size, driver, and function. Only the driver and function fields * are considered here */ -#define IOC_DRIV(x) (x >> 8) -#define IOC_FUNC(x) (x & 0xff) -#define IOC_CMD(driver, func) ((driver << 8) + func) -int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist, +#define IOC_DRIV(x) ((x) >> 8) +#define IOC_FUNC(x) ((x) & 0xff) +#define IOC_CMD(driver, func) (((driver) << 8) + (func)) +static int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist, av_extended_perms_t *complete_driver, av_extended_perms_t **extended_perms) { @@ -2231,7 +2228,7 @@ int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist, } -int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist, +static int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist, av_extended_perms_t **extended_perms) { struct av_ioctl_range_list *r; @@ -2273,7 +2270,7 @@ int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist, return 0; } -int avrule_ioctl_func(struct av_ioctl_range_list *rangelist, +static int avrule_ioctl_func(struct av_ioctl_range_list *rangelist, av_extended_perms_t **extended_perms, unsigned int driver) { struct av_ioctl_range_list *r; @@ -2323,18 +2320,7 @@ int avrule_ioctl_func(struct av_ioctl_range_list *rangelist, return 0; } -void avrule_ioctl_freeranges(struct av_ioctl_range_list *rangelist) -{ - struct av_ioctl_range_list *r, *tmp; - r = rangelist; - while (r) { - tmp = r; - r = r->next; - free(tmp); - } -} - -unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms) +static unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms) { unsigned int i; for (i = *bit; i < sizeof(xperms->perms)*8; i++) { @@ -2347,7 +2333,7 @@ unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms) return 0; } -int avrule_cpy(avrule_t *dest, const avrule_t *src) +static int avrule_cpy(avrule_t *dest, const avrule_t *src) { class_perm_node_t *src_perms; class_perm_node_t *dest_perms, *dest_tail; @@ -2395,10 +2381,10 @@ int avrule_cpy(avrule_t *dest, const avrule_t *src) return 0; } -int define_te_avtab_ioctl(const avrule_t *avrule_template) +static int define_te_avtab_ioctl(const avrule_t *avrule_template) { avrule_t *avrule; - struct av_ioctl_range_list *rangelist; + struct av_ioctl_range_list *rangelist, *r; av_extended_perms_t *complete_driver, *partial_driver, *xperms; unsigned int i; @@ -2456,6 +2442,12 @@ done: if (partial_driver) free(partial_driver); + while (rangelist != NULL) { + r = rangelist; + rangelist = rangelist->next; + free(r); + } + return 0; } @@ -2464,6 +2456,7 @@ int define_te_avtab_extended_perms(int which) char *id; unsigned int i; avrule_t *avrule_template; + int rc = 0; if (pass == 1) { for (i = 0; i < 4; i++) { @@ -2479,18 +2472,20 @@ int define_te_avtab_extended_perms(int which) id = queue_remove(id_queue); if (strcmp(id,"ioctl") == 0) { - free(id); - if (define_te_avtab_ioctl(avrule_template)) - return -1; + rc = define_te_avtab_ioctl(avrule_template); } else { yyerror("only ioctl extended permissions are supported"); - free(id); - return -1; + rc = -1; } - return 0; + + free(id); + avrule_destroy(avrule_template); + free(avrule_template); + + return rc; } -int define_te_avtab_helper(int which, avrule_t ** rule) +static int define_te_avtab_helper(int which, avrule_t ** rule) { char *id; class_datum_t *cladatum; @@ -2617,7 +2612,7 @@ int define_te_avtab_helper(int which, avrule_t ** rule) } continue; } else { - cur_perms->data |= 1U << (perdatum->s.value - 1); + cur_perms->data |= UINT32_C(1) << (perdatum->s.value - 1); } next: cur_perms = cur_perms->next; @@ -3620,7 +3615,7 @@ int define_constraint(constraint_expr_t * expr) return -1; } } - node->permissions |= (1 << (perdatum->s.value - 1)); + node->permissions |= (UINT32_C(1) << (perdatum->s.value - 1)); } free(id); } @@ -5470,7 +5465,7 @@ int define_fs_use(int behavior) return 0; } -int define_genfs_context_helper(char *fstype, int has_type) +static int define_genfs_context_helper(char *fstype, int has_type) { struct genfs *genfs_p, *genfs, *newgenfs; ocontext_t *newc, *c, *head, *p; diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y index 6098eb50..45f973ff 100644 --- a/checkpolicy/policy_parse.y +++ b/checkpolicy/policy_parse.y @@ -890,10 +890,26 @@ filename : FILENAME { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; } ; number : NUMBER - { $$ = strtoul(yytext,NULL,0); } + { unsigned long x; + errno = 0; + x = strtoul(yytext, NULL, 0); + if (errno) + return -1; +#if ULONG_MAX > UINT_MAX + if (x > UINT_MAX) + return -1; +#endif + $$ = (unsigned int) x; + } ; number64 : NUMBER - { $$ = strtoull(yytext,NULL,0); } + { unsigned long long x; + errno = 0; + x = strtoull(yytext, NULL, 0); + if (errno) + return -1; + $$ = (uint64_t) x; + } ; ipv6_addr : IPV6_ADDR { if (insert_id(yytext,0)) return -1; } diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l index 4067268b..129a8a2a 100644 --- a/checkpolicy/policy_scan.l +++ b/checkpolicy/policy_scan.l @@ -59,12 +59,17 @@ alnum [a-zA-Z0-9] hexval [0-9A-Fa-f] %% -\n.* { strncpy(linebuf[lno], yytext+1, 255); - linebuf[lno][254] = 0; - lno = 1 - lno; - policydb_lineno++; - source_lineno++; - yyless(1); } +\n.* { + strncpy(linebuf[lno], yytext+1, 255); + linebuf[lno][254] = 0; + lno = 1 - lno; + policydb_lineno++; + if (source_lineno == ULONG_MAX) + yywarn("source line number overflow"); + else + source_lineno++; + yyless(1); + } CLONE | clone { return(CLONE); } COMMON | @@ -270,7 +275,13 @@ GLBLUB { return(GLBLUB); } {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } -#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; } +#line[ ]{digit}+ { + errno = 0; + source_lineno = strtoul(yytext+6, NULL, 10) - 1; + if (errno) { + yywarn("source line number too big"); + } + } #[^\n]* { /* delete comments */ } [ \t\f]+ { /* delete whitespace */ } "==" { return(EQUALS); } diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c index 90c29318..ec2a3e9a 100644 --- a/checkpolicy/test/dismod.c +++ b/checkpolicy/test/dismod.c @@ -89,7 +89,7 @@ static void render_access_bitmap(ebitmap_t * map, uint32_t class, fprintf(fp, "{"); for (i = ebitmap_startbit(map); i < ebitmap_length(map); i++) { if (ebitmap_get_bit(map, i)) { - perm = sepol_av_to_string(p, class, 1 << i); + perm = sepol_av_to_string(p, class, UINT32_C(1) << i); if (perm) fprintf(fp, " %s", perm); } @@ -751,12 +751,14 @@ static int read_policy(char *filename, policydb_t * policy) fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__); exit(1); } + sepol_policydb_free(package->policy); package->policy = (sepol_policydb_t *) policy; package->file_contexts = NULL; retval = sepol_module_package_read(package, (sepol_policy_file_t *) & f, 1); - free(package->file_contexts); + package->policy = NULL; + sepol_module_package_free(package); } else { if (policydb_init(policy)) { fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__); diff --git a/dbus/VERSION b/dbus/VERSION index e6852d8a..eb39e538 100644 --- a/dbus/VERSION +++ b/dbus/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3 diff --git a/gui/VERSION b/gui/VERSION index e6852d8a..eb39e538 100644 --- a/gui/VERSION +++ b/gui/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3 diff --git a/libselinux/VERSION b/libselinux/VERSION index e6852d8a..eb39e538 100644 --- a/libselinux/VERSION +++ b/libselinux/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3 diff --git a/libselinux/src/mapping.c b/libselinux/src/mapping.c index 96395fd4..dd2f1039 100644 --- a/libselinux/src/mapping.c +++ b/libselinux/src/mapping.c @@ -144,9 +144,9 @@ unmap_perm(security_class_t tclass, access_vector_t tperm) access_vector_t kperm = 0; for (i = 0; i < current_mapping[tclass].num_perms; i++) - if (tperm & (1<allowed & mapping->perms[i]) - result |= 1<perms[i]) - result |= 1<allowed = result; for (i = 0, result = 0; i < n; i++) { if (avd->decided & mapping->perms[i]) - result |= 1<perms[i]) - result |= 1<decided = result; for (i = 0, result = 0; i < n; i++) if (avd->auditallow & mapping->perms[i]) - result |= 1<auditallow = result; for (i = 0, result = 0; i < n; i++) { if (avd->auditdeny & mapping->perms[i]) - result |= 1<perms[i]) - result |= 1<auditdeny = result; } } diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py index 958687a0..b79b2750 100644 --- a/libselinux/src/setup.py +++ b/libselinux/src/setup.py @@ -4,7 +4,7 @@ from distutils.core import Extension, setup setup( name="selinux", - version="3.3-rc1", + version="3.3", description="SELinux python 3 bindings", author="SELinux Project", author_email="selinux@vger.kernel.org", diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c index 012a740a..2fe69f43 100644 --- a/libselinux/src/stringrep.c +++ b/libselinux/src/stringrep.c @@ -229,7 +229,7 @@ access_vector_t string_to_av_perm(security_class_t tclass, const char *s) size_t i; for (i = 0; i < MAXVECTORS && node->perms[i] != NULL; i++) if (strcmp(node->perms[i],s) == 0) - return map_perm(tclass, 1<perms[i]; return NULL; @@ -279,7 +279,7 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res) /* first pass computes the required length */ for (i = 0; tmp; tmp >>= 1, i++) { if (tmp & 1) { - str = security_av_perm_to_string(tclass, av & (1<>= 1, i++) { if (tmp & 1) { - str = security_av_perm_to_string(tclass, av & (1<s.value - 1); + *datum |= UINT32_C(1) << (sepol_perm->s.value - 1); return SEPOL_OK; @@ -1523,7 +1523,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_ /* index of the u32 containing the permission */ #define XPERM_IDX(x) (x >> 5) /* set bits 0 through x-1 within the u32 */ -#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1) +#define XPERM_SETBITS(x) ((UINT32_C(1) << (x & 0x1f)) - 1) /* low value for this u32 */ #define XPERM_LOW(x) (x << 5) /* high value for this u32 */ @@ -4760,7 +4760,7 @@ static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t clas cil_list_init(&cp->perms, CIL_PERM); for (i = 0; i < sepol_class->permissions.nprim; i++) { struct cil_perm *perm; - if ((data & (1 << i)) == 0) continue; + if ((data & (UINT32_C(1) << i)) == 0) continue; perm = perm_value_to_cil[class][i+1]; if (!perm) goto exit; cil_list_append(cp->perms, CIL_PERM, perm); @@ -4825,6 +4825,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void avtab_ptr_t cur; struct cil_avrule target; struct cil_tree_node *n1 = NULL; + int count_bad = 0; *violation = CIL_TRUE; @@ -4838,10 +4839,13 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void for (cur = bad; cur; cur = cur->next) { struct cil_list_item *i2; struct cil_list *matching; + int num_matching = 0; + int count_matching = 0; rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil); if (rc != SEPOL_OK) { cil_log(CIL_ERR, "Failed to convert sepol avrule to CIL\n"); + bounds_destroy_bad(bad); goto exit; } __cil_print_rule(" ", "allow", &target); @@ -4854,6 +4858,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void bounds_destroy_bad(bad); goto exit; } + cil_list_for_each(i2, matching) { + num_matching++; + } cil_list_for_each(i2, matching) { struct cil_tree_node *n2 = i2->data; struct cil_avrule *r2 = n2->data; @@ -4864,9 +4871,19 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void __cil_print_parents(" ", n2); __cil_print_rule(" ", "allow", r2); } + count_matching++; + if (count_matching >= 2) { + cil_log(CIL_ERR, " Only first 2 of %d matching rules shown\n", num_matching); + break; + } } cil_list_destroy(&matching, CIL_FALSE); cil_list_destroy(&target.perms.classperms, CIL_TRUE); + count_bad++; + if (count_bad >= 2) { + cil_log(CIL_ERR, " Only first 2 of %d bad rules shown\n", numbad); + break; + } } bounds_destroy_bad(bad); } diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index f1f09f11..9c34be23 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -134,8 +134,7 @@ int cil_add_decl_to_symtab(struct cil_db *db, symtab_t *symtab, hashtab_key_t ke /* multiple_decls is enabled and works for this datum type, add node */ cil_list_append(prev->nodes, CIL_NODE, node); node->data = prev; - cil_symtab_datum_destroy(datum); - free(datum); + return SEPOL_EEXIST; } return SEPOL_OK; @@ -2367,7 +2366,12 @@ int cil_gen_type(struct cil_db *db, struct cil_tree_node *parse_current, struct key = parse_current->next->data; rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)type, (hashtab_key_t)key, CIL_SYM_TYPES, CIL_TYPE); if (rc != SEPOL_OK) { - goto exit; + if (rc == SEPOL_EEXIST) { + cil_destroy_type(type); + type = NULL; + } else { + goto exit; + } } return SEPOL_OK; @@ -2415,7 +2419,12 @@ int cil_gen_typeattribute(struct cil_db *db, struct cil_tree_node *parse_current key = parse_current->next->data; rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)attr, (hashtab_key_t)key, CIL_SYM_TYPES, CIL_TYPEATTRIBUTE); if (rc != SEPOL_OK) { - goto exit; + if (rc == SEPOL_EEXIST) { + cil_destroy_typeattribute(attr); + attr = NULL; + } else { + goto exit; + } } return SEPOL_OK; @@ -5480,8 +5489,14 @@ int cil_gen_optional(struct cil_db *db, struct cil_tree_node *parse_current, str key = parse_current->next->data; rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)optional, (hashtab_key_t)key, CIL_SYM_BLOCKS, CIL_OPTIONAL); - if (rc != SEPOL_OK) - goto exit; + if (rc != SEPOL_OK) { + if (rc == SEPOL_EEXIST) { + cil_destroy_optional(optional); + optional = NULL; + } else { + goto exit; + } + } return SEPOL_OK; diff --git a/libsepol/cil/src/cil_copy_ast.c b/libsepol/cil/src/cil_copy_ast.c index cdbc84e7..2fad972c 100644 --- a/libsepol/cil/src/cil_copy_ast.c +++ b/libsepol/cil/src/cil_copy_ast.c @@ -590,20 +590,12 @@ int cil_copy_roleallow(__attribute__((unused)) struct cil_db *db, void *data, vo return SEPOL_OK; } -int cil_copy_type(__attribute__((unused)) struct cil_db *db, void *data, void **copy, symtab_t *symtab) +int cil_copy_type(__attribute__((unused)) struct cil_db *db, __attribute__((unused)) void *data, void **copy, __attribute__((unused)) symtab_t *symtab) { - struct cil_type *orig = data; - char *key = orig->datum.name; - struct cil_symtab_datum *datum = NULL; + struct cil_type *new; - cil_symtab_get_datum(symtab, key, &datum); - if (datum == NULL) { - struct cil_type *new; - cil_type_init(&new); - *copy = new; - } else { - *copy = datum; - } + cil_type_init(&new); + *copy = new; return SEPOL_OK; } @@ -622,20 +614,12 @@ int cil_copy_typepermissive(__attribute__((unused)) struct cil_db *db, void *dat return SEPOL_OK; } -int cil_copy_typeattribute(__attribute__((unused)) struct cil_db *db, void *data, void **copy, symtab_t *symtab) +int cil_copy_typeattribute(__attribute__((unused)) struct cil_db *db, __attribute__((unused)) void *data, void **copy, __attribute__((unused)) symtab_t *symtab) { - struct cil_typeattribute *orig = data; - char *key = orig->datum.name; - struct cil_symtab_datum *datum = NULL; + struct cil_typeattribute *new; - cil_symtab_get_datum(symtab, key, &datum); - if (datum == NULL) { - struct cil_typeattribute *new; - cil_typeattribute_init(&new); - *copy = new; - } else { - *copy = datum; - } + cil_typeattribute_init(&new); + *copy = new; return SEPOL_OK; } @@ -2056,7 +2040,14 @@ int __cil_copy_node_helper(struct cil_tree_node *orig, uint32_t *finished, void rc = cil_add_decl_to_symtab(db, symtab, DATUM(orig->data)->name, DATUM(data), new); if (rc != SEPOL_OK) { - goto exit; + if (rc == SEPOL_EEXIST) { + cil_symtab_datum_destroy(data); + free(data); + data = NULL; + rc = SEPOL_OK; + } else { + goto exit; + } } namespace = new; diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index 2cf94368..e97a9f46 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -3946,7 +3946,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished } if (node->flavor == CIL_MACRO) { - if (pass != CIL_PASS_TIF) { + if (pass > CIL_PASS_IN_AFTER) { *finished = CIL_TREE_SKIP_HEAD; rc = SEPOL_OK; goto exit; diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c index 5502c4d5..d994d717 100644 --- a/libsepol/cil/src/cil_verify.c +++ b/libsepol/cil/src/cil_verify.c @@ -1689,6 +1689,15 @@ exit: return rc; } +static int __add_perm_to_list(__attribute__((unused)) hashtab_key_t k, hashtab_datum_t d, void *args) +{ + struct cil_list *perm_list = (struct cil_list *)args; + + cil_list_append(perm_list, CIL_DATUM, d); + + return SEPOL_OK; +} + static int __cil_verify_classperms(struct cil_list *classperms, struct cil_symtab_datum *orig, struct cil_symtab_datum *parent, @@ -1730,13 +1739,34 @@ static int __cil_verify_classperms(struct cil_list *classperms, if (FLAVOR(cp->class) != CIL_CLASS) { /* MAP */ struct cil_list_item *i = NULL; cil_list_for_each(i, cp->perms) { - struct cil_perm *cmp = i->data; - rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit); - if (rc != SEPOL_OK) { - goto exit; + if (i->flavor != CIL_OP) { + struct cil_perm *cmp = i->data; + rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit); + if (rc != SEPOL_OK) { + goto exit; + } + } else { + enum cil_flavor op = (enum cil_flavor)(uintptr_t)i->data; + if (op == CIL_ALL) { + struct cil_class *mc = cp->class; + struct cil_list *perm_list; + struct cil_list_item *j = NULL; + + cil_list_init(&perm_list, CIL_MAP_PERM); + cil_symtab_map(&mc->perms, __add_perm_to_list, perm_list); + cil_list_for_each(j, perm_list) { + struct cil_perm *cmp = j->data; + rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit); + if (rc != SEPOL_OK) { + cil_list_destroy(&perm_list, CIL_FALSE); + goto exit; + } + } + cil_list_destroy(&perm_list, CIL_FALSE); + } } } - } + } } else { /* SET */ struct cil_classperms_set *cp_set = curr->data; struct cil_classpermission *cp = cp_set->set; diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c index 93505b20..46e1e75d 100644 --- a/libsepol/src/avtab.c +++ b/libsepol/src/avtab.c @@ -376,7 +376,7 @@ int avtab_alloc(avtab_t *h, uint32_t nrules) } if (shift > 2) shift = shift - 2; - nslot = 1 << shift; + nslot = UINT32_C(1) << shift; if (nslot > MAX_AVTAB_HASH_BUCKETS) nslot = MAX_AVTAB_HASH_BUCKETS; mask = nslot - 1; diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c index e3ede694..037dc7e2 100644 --- a/libsepol/src/conditional.c +++ b/libsepol/src/conditional.c @@ -411,13 +411,13 @@ int cond_normalize_expr(policydb_t * p, cond_node_t * cn) } /* loop through all possible combinations of values for bools in expression */ - for (test = 0x0; test < (0x1U << cn->nbools); test++) { + for (test = 0x0; test < (UINT32_C(1) << cn->nbools); test++) { /* temporarily set the value for all the bools in the * expression using the corr. bit in test */ for (j = 0; j < cn->nbools; j++) { p->bool_val_to_struct[cn->bool_ids[j] - 1]->state = - (test & (0x1 << j)) ? 1 : 0; + (test & (UINT32_C(1) << j)) ? 1 : 0; } k = cond_evaluate_expr(p, cn->expr); if (k == -1) { @@ -428,7 +428,7 @@ int cond_normalize_expr(policydb_t * p, cond_node_t * cn) } /* set the bit if expression evaluates true */ if (k) - cn->expr_pre_comp |= 0x1 << test; + cn->expr_pre_comp |= UINT32_C(1) << test; } /* restore bool default values */ diff --git a/libsepol/src/ebitmap.c b/libsepol/src/ebitmap.c index 4e9acdf8..1de3816a 100644 --- a/libsepol/src/ebitmap.c +++ b/libsepol/src/ebitmap.c @@ -17,7 +17,8 @@ int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2) { - ebitmap_node_t *n1, *n2, *new, *prev; + const ebitmap_node_t *n1, *n2; + ebitmap_node_t *new, *prev; ebitmap_init(dst); @@ -154,7 +155,7 @@ int ebitmap_hamming_distance(const ebitmap_t * e1, const ebitmap_t * e2) int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2) { - ebitmap_node_t *n1, *n2; + const ebitmap_node_t *n1, *n2; if (e1->highbit != e2->highbit) return 0; @@ -175,7 +176,8 @@ int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2) int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src) { - ebitmap_node_t *n, *new, *prev; + const ebitmap_node_t *n; + ebitmap_node_t *new, *prev; ebitmap_init(dst); n = src->node; @@ -204,7 +206,7 @@ int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src) int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2) { - ebitmap_node_t *n1, *n2; + const ebitmap_node_t *n1, *n2; if (e1->highbit < e2->highbit) return 0; @@ -231,8 +233,8 @@ int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2) int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2) { - ebitmap_node_t *n1 = e1->node; - ebitmap_node_t *n2 = e2->node; + const ebitmap_node_t *n1 = e1->node; + const ebitmap_node_t *n2 = e2->node; while (n1 && n2) { if (n1->startbit < n2->startbit) { @@ -253,7 +255,7 @@ int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2) int ebitmap_get_bit(const ebitmap_t * e, unsigned int bit) { - ebitmap_node_t *n; + const ebitmap_node_t *n; if (e->highbit < bit) return 0; diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index aac5b35f..a6a466f7 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -243,7 +243,7 @@ static int perm_copy_callback(hashtab_key_t key, hashtab_datum_t datum, new_perm->s.value = perm->s.value; s->nprim++; - ret = hashtab_insert(s->table, new_id, (hashtab_datum_t *) new_perm); + ret = hashtab_insert(s->table, new_id, (hashtab_datum_t) new_perm); if (ret) { free(new_id); free(new_perm); @@ -294,7 +294,7 @@ static int common_copy_callback(hashtab_key_t key, hashtab_datum_t datum, ret = hashtab_insert(state->out->p_commons.table, new_id, - (hashtab_datum_t *) new_common); + (hashtab_datum_t) new_common); if (ret) { ERR(state->handle, "hashtab overflow"); free(new_common); @@ -492,7 +492,7 @@ static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum, ret = hashtab_insert(state->out->p_classes.table, new_id, - (hashtab_datum_t *) new_class); + (hashtab_datum_t) new_class); if (ret) { ERR(state->handle, "hashtab overflow"); free(new_class); diff --git a/libsepol/src/link.c b/libsepol/src/link.c index 461d2feb..7512a4d9 100644 --- a/libsepol/src/link.c +++ b/libsepol/src/link.c @@ -1291,10 +1291,10 @@ static int copy_avrule_list(avrule_t * list, avrule_t ** dst, i < module->perm_map_len[cur_perm->tclass - 1]; i++) { - if (!(cur_perm->data & (1U << i))) + if (!(cur_perm->data & (UINT32_C(1) << i))) continue; new_perm->data |= - (1U << + (UINT32_C(1) << (module-> perm_map[cur_perm->tclass - 1][i] - 1)); diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 9c7e3d3a..16e4004e 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -573,7 +573,7 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const rule = "auditallow"; break; case AVRULE_AUDITDENY: - rule = "auditdenty"; + rule = "auditdeny"; break; case AVRULE_DONTAUDIT: rule = "dontaudit"; @@ -3354,9 +3354,14 @@ static int typealiases_to_cil(int indent, struct policydb *pdb, struct avrule_bl char *type_name; struct list_node *curr; struct avrule_decl *decl = stack_peek(decl_stack); - struct list *alias_list = typealias_lists[decl->decl_id]; + struct list *alias_list; int rc = -1; + if (decl == NULL) { + return -1; + } + + alias_list = typealias_lists[decl->decl_id]; if (alias_list == NULL) { return 0; } diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index 7093d9b7..587ba64a 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -4166,7 +4166,7 @@ static sepol_access_vector_t policydb_string_to_av_perm( hashtab_search(tclass_datum->permissions.table, (hashtab_key_t)perm_name); if (perm_datum != NULL) - return 0x1U << (perm_datum->s.value - 1); + return UINT32_C(1) << (perm_datum->s.value - 1); if (tclass_datum->comdatum == NULL) return 0; @@ -4176,7 +4176,7 @@ static sepol_access_vector_t policydb_string_to_av_perm( (hashtab_key_t)perm_name); if (perm_datum != NULL) - return 0x1U << (perm_datum->s.value - 1); + return UINT32_C(1) << (perm_datum->s.value - 1); return 0; } diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index 246aa6e3..5804d247 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -722,12 +722,21 @@ bad: return -1; } +static void validate_array_destroy(validate_t flavors[]) +{ + unsigned int i; + + for (i = 0; i < SYM_NUM; i++) { + ebitmap_destroy(&flavors[i].gaps); + } +} + /* * Validate policydb */ int validate_policydb(sepol_handle_t *handle, policydb_t *p) { - validate_t flavors[SYM_NUM]; + validate_t flavors[SYM_NUM] = {}; if (validate_array_init(p, flavors)) goto bad; @@ -756,9 +765,12 @@ int validate_policydb(sepol_handle_t *handle, policydb_t *p) if (validate_datum_arrays(handle, p, flavors)) goto bad; + validate_array_destroy(flavors); + return 0; bad: ERR(handle, "Invalid policydb"); + validate_array_destroy(flavors); return -1; } diff --git a/libsepol/src/services.c b/libsepol/src/services.c index 673b3971..3407058f 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c @@ -1213,7 +1213,7 @@ int sepol_string_to_av_perm(sepol_security_class_t tclass, hashtab_search(tclass_datum->permissions.table, perm_name); if (perm_datum != NULL) { - *av = 0x1 << (perm_datum->s.value - 1); + *av = UINT32_C(1) << (perm_datum->s.value - 1); return STATUS_SUCCESS; } @@ -1225,7 +1225,7 @@ int sepol_string_to_av_perm(sepol_security_class_t tclass, perm_name); if (perm_datum != NULL) { - *av = 0x1 << (perm_datum->s.value - 1); + *av = UINT32_C(1) << (perm_datum->s.value - 1); return STATUS_SUCCESS; } out: diff --git a/libsepol/src/util.c b/libsepol/src/util.c index a47cae87..902c63c5 100644 --- a/libsepol/src/util.c +++ b/libsepol/src/util.c @@ -92,7 +92,7 @@ char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass, cladatum = policydbp->class_val_to_struct[tclass - 1]; p = avbuf; for (i = 0; i < cladatum->permissions.nprim; i++) { - if (av & (1 << i)) { + if (av & (UINT32_C(1) << i)) { v.val = i + 1; rc = hashtab_map(cladatum->permissions.table, perm_name, &v); diff --git a/mcstrans/VERSION b/mcstrans/VERSION index e6852d8a..eb39e538 100644 --- a/mcstrans/VERSION +++ b/mcstrans/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3 diff --git a/policycoreutils/VERSION b/policycoreutils/VERSION index e6852d8a..eb39e538 100644 --- a/policycoreutils/VERSION +++ b/policycoreutils/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3 diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile index 0e7ebce3..4dedb7dd 100644 --- a/policycoreutils/newrole/Makefile +++ b/policycoreutils/newrole/Makefile @@ -12,7 +12,7 @@ AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y) # This will make newrole a setuid root program. # The capabilities used are: CAP_AUDIT_WRITE. AUDIT_LOG_PRIV ?= n -# Enable capabilities to permit newrole to utilitize the pam_namespace module. +# Enable capabilities to permit newrole to utilize the pam_namespace module. # This will make newrole a setuid root program. # The capabilities used are: CAP_SYS_ADMIN, CAP_CHOWN, CAP_FOWNER and # CAP_DAC_OVERRIDE. diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c index 7c1f062f..31b51c5a 100644 --- a/policycoreutils/newrole/newrole.c +++ b/policycoreutils/newrole/newrole.c @@ -1022,7 +1022,7 @@ static int set_signal_handles(void) int main(int argc, char *argv[]) { char *new_context = NULL; /* target security context */ - char *old_context = NULL; /* original securiy context */ + char *old_context = NULL; /* original security context */ char *tty_context = NULL; /* current context of tty */ char *new_tty_context = NULL; /* new context of tty */ diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c index a1f75e16..c815f015 100644 --- a/policycoreutils/semodule/semodule.c +++ b/policycoreutils/semodule/semodule.c @@ -452,8 +452,7 @@ int main(int argc, char *argv[]) } semanage_module_info_get_priority(sh, extract_info, &curr_priority); - printf("Module '%s' does not exist at the default priority '%d'. " - "Extracting at highest existing priority '%d'.\n", mode_arg, priority, curr_priority); + printf("Extracting at highest existing priority '%d'.\n", curr_priority); priority = curr_priority; } diff --git a/python/VERSION b/python/VERSION index e6852d8a..eb39e538 100644 --- a/python/VERSION +++ b/python/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3 diff --git a/python/semanage/semanage b/python/semanage/semanage index 18a27105..ff9fb66b 100644 --- a/python/semanage/semanage +++ b/python/semanage/semanage @@ -129,7 +129,7 @@ class SetImportFile(argparse.Action): sys.exit(1) setattr(namespace, self.dest, values) -# define dictonary for seobject OBEJCTS +# define dictionary for seobject OBEJCTS object_dict = { 'login': seobject.loginRecords, 'user': seobject.seluserRecords, @@ -146,7 +146,7 @@ object_dict = { } def generate_custom_usage(usage_text, usage_dict): - # generate custom usage from given text and dictonary + # generate custom usage from given text and dictionary sorted_keys = [] for i in usage_dict.keys(): sorted_keys.append(i) @@ -160,7 +160,7 @@ def generate_custom_usage(usage_text, usage_dict): def handle_opts(args, dict, target_key): - # handle conflict and required options for given dictonary + # handle conflict and required options for given dictionary # {action:[conflict_opts,require_opts]} # first we need to catch conflicts diff --git a/python/sepolgen/VERSION b/python/sepolgen/VERSION index e6852d8a..eb39e538 100644 --- a/python/sepolgen/VERSION +++ b/python/sepolgen/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3 diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py index 74763687..3e907e91 100644 --- a/python/sepolgen/src/sepolgen/refpolicy.py +++ b/python/sepolgen/src/sepolgen/refpolicy.py @@ -42,7 +42,7 @@ PERMS = 3 ROLE = 4 DEST_TYPE = 5 -# String represenations of the above constants +# String representations of the above constants field_to_str = ["source", "target", "object", "permission", "role", "destination" ] str_to_field = { "source" : SRC_TYPE, "target" : TGT_TYPE, "object" : OBJ_CLASS, "permission" : PERMS, "role" : ROLE, "destination" : DEST_TYPE } diff --git a/python/sepolgen/src/sepolgen/yacc.py b/python/sepolgen/src/sepolgen/yacc.py index 55c1ef7d..c1c79880 100644 --- a/python/sepolgen/src/sepolgen/yacc.py +++ b/python/sepolgen/src/sepolgen/yacc.py @@ -1502,7 +1502,7 @@ class Grammar(object): self.Precedence = {} # Precedence rules for each terminal. Contains tuples of the # form ('right',level) or ('nonassoc', level) or ('left',level) - self.UsedPrecedence = set() # Precedence rules that were actually used by the grammer. + self.UsedPrecedence = set() # Precedence rules that were actually used by the grammar. # This is only used to provide error checking and to generate # a warning about unused precedence rules. diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py index 2f847abb..3e61e333 100755 --- a/python/sepolicy/sepolicy/manpage.py +++ b/python/sepolicy/sepolicy/manpage.py @@ -797,7 +797,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d .B STANDARD FILE CONTEXT SELinux defines the file context types for the %(domainname)s, if you wanted to -store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. +store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk. .B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?' .br diff --git a/python/sepolicy/setup.py b/python/sepolicy/setup.py index 2b1e4b50..e81b6cc7 100644 --- a/python/sepolicy/setup.py +++ b/python/sepolicy/setup.py @@ -6,7 +6,7 @@ from distutils.core import setup setup( name="sepolicy", - version="3.3-rc1", + version="3.3", description="Python SELinux Policy Analyses bindings", author="Daniel Walsh", author_email="dwalsh@redhat.com", diff --git a/restorecond/VERSION b/restorecond/VERSION index e6852d8a..eb39e538 100644 --- a/restorecond/VERSION +++ b/restorecond/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3 diff --git a/sandbox/VERSION b/sandbox/VERSION index e6852d8a..eb39e538 100644 --- a/sandbox/VERSION +++ b/sandbox/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3 diff --git a/secilc/VERSION b/secilc/VERSION index e6852d8a..eb39e538 100644 --- a/secilc/VERSION +++ b/secilc/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3 diff --git a/secilc/docs/cil_access_vector_rules.md b/secilc/docs/cil_access_vector_rules.md index fa68609e..f0ba4a90 100644 --- a/secilc/docs/cil_access_vector_rules.md +++ b/secilc/docs/cil_access_vector_rules.md @@ -360,7 +360,7 @@ dontauditx Do not audit the access rights defined when access denied. This stops excessive log entries for known events. -Note that for this to work there must *also* be atleast one [`allowx`](cil_access_vector_rules.md#allowx) rule associated with the target type. +Note that for this to work there must *also* be at least one [`allowx`](cil_access_vector_rules.md#allowx) rule associated with the target type. Note that these rules can be omitted by the CIL compiler command line parameter `-D` or `--disable-dontaudit` flags. diff --git a/secilc/docs/secil.xml b/secilc/docs/secil.xml index daa80ded..b015490d 100644 --- a/secilc/docs/secil.xml +++ b/secilc/docs/secil.xml @@ -208,7 +208,7 @@ - + diff --git a/secilc/test/block_test.cil b/secilc/test/block_test.cil index 2dfcb899..2dd30c23 100644 --- a/secilc/test/block_test.cil +++ b/secilc/test/block_test.cil @@ -84,7 +84,7 @@ ) -;; Inherting the abstract block causes the allow rule to be in the policy +;; Inheriting the abstract block causes the allow rule to be in the policy (type t5) (block b5 (blockabstract b5) diff --git a/semodule-utils/VERSION b/semodule-utils/VERSION index e6852d8a..eb39e538 100644 --- a/semodule-utils/VERSION +++ b/semodule-utils/VERSION @@ -1 +1 @@ -3.3-rc1 +3.3