libsepol: Populate and use policy name

When an assertion fails, the error message refers to a generic
"policy.conf" file. When parsing a policy in checkpolicy, populate its
name using the original filename (source_filename is still build using
the #line directives within the policy).

Signed-off-by: Thiébaud Weksteen <tweek@google.com>
[Merge conflicts fixed by: James Carter <jwcart2@gmail.com>]
Signed-off-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
Thiébaud Weksteen 2022-02-16 11:53:26 +11:00 committed by James Carter
parent bc26ddc59c
commit c900816e93
4 changed files with 19 additions and 6 deletions

View file

@ -99,6 +99,7 @@ int define_policy(int pass, int module_header_given)
yyerror("no module name");
return -1;
}
free(policydbp->name);
policydbp->name = id;
if ((policydbp->version =
queue_remove(id_queue)) == NULL) {

View file

@ -47,6 +47,7 @@ int read_source_policy(policydb_t * p, const char *file, const char *progname)
}
policydbp = p;
policydbp->name = strdup(file);
mlspol = p->mls;
init_parser(1);

View file

@ -36,13 +36,21 @@ struct avtab_match_args {
unsigned long errors;
};
static const char* policy_name(policydb_t *p) {
const char *policy_file = "policy.conf";
if (p->name) {
policy_file = p->name;
}
return policy_file;
}
static void report_failure(sepol_handle_t *handle, policydb_t *p, const avrule_t *avrule,
unsigned int stype, unsigned int ttype,
const class_perm_node_t *curperm, uint32_t perms)
{
if (avrule->source_filename) {
ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };",
avrule->source_line, avrule->source_filename, avrule->line,
ERR(handle, "neverallow on line %lu of %s (or line %lu of %s) violated by allow %s %s:%s {%s };",
avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
p->p_type_val_to_name[stype],
p->p_type_val_to_name[ttype],
p->p_class_val_to_name[curperm->tclass - 1],
@ -171,9 +179,9 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
/* failure on the extended permission check_extended_permissions */
if (rc) {
extended_permissions_violated(&error, avrule->xperms, xperms);
ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n"
"allowxperm %s %s:%s %s;",
avrule->source_line, avrule->source_filename, avrule->line,
avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
p->p_type_val_to_name[i],
p->p_type_val_to_name[j],
p->p_class_val_to_name[curperm->tclass - 1],
@ -187,9 +195,9 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
/* failure on the regular permissions */
if (!found_xperm) {
ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n"
"allow %s %s:%s {%s };",
avrule->source_line, avrule->source_filename, avrule->line,
avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
p->p_type_val_to_name[stype],
p->p_type_val_to_name[ttype],
p->p_class_val_to_name[curperm->tclass - 1],

View file

@ -2970,6 +2970,9 @@ int expand_module(sepol_handle_t * handle,
state.out->policy_type = POLICY_KERN;
state.out->policyvers = POLICYDB_VERSION_MAX;
if (state.base->name) {
state.out->name = strdup(state.base->name);
}
/* Copy mls state from base to out */
out->mls = base->mls;