Report source file and line information for neverallow failures.
Change-Id: I0def97a5f2f6097e2dad7bcd5395b8fa740d7073 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent
8c5171d76e
commit
ef24ade029
5 changed files with 27 additions and 6 deletions
|
@ -260,6 +260,9 @@ typedef struct avrule {
|
|||
class_perm_node_t *perms;
|
||||
unsigned long line; /* line number from policy.conf where
|
||||
* this rule originated */
|
||||
/* source file name and line number (e.g. .te file) */
|
||||
char *source_filename;
|
||||
unsigned long source_line;
|
||||
struct avrule *next;
|
||||
} avrule_t;
|
||||
|
||||
|
|
|
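Review bot: The new `source_filename` member is a heap pointer whose ownership and NULL-ness the comment leaves unstated, yet elsewhere in this commit `avrule_destroy` frees it unconditionally and `check_assertion_helper` tests it for NULL before use. I would say so at the declaration: `/* source file name and line number (e.g. .te file); filename is a heap copy owned by the rule, freed in avrule_destroy, NULL when unknown */`. Because the destroy path now frees the field, every place that creates an avrule_t must zero it before any error path can reach avrule_destroy — the initialiser is not in this diff, so that is worth confirming. The struct definition starts above the hunk.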
@ -31,13 +31,13 @@ static int check_assertion_helper(sepol_handle_t * handle,
|
|||
policydb_t * p,
|
||||
avtab_t * te_avtab, avtab_t * te_cond_avtab,
|
||||
unsigned int stype, unsigned int ttype,
|
||||
class_perm_node_t * perm, unsigned long line)
|
||||
avrule_t * avrule)
|
||||
{
|
||||
avtab_key_t avkey;
|
||||
avtab_ptr_t node;
|
||||
class_perm_node_t *curperm;
|
||||
|
||||
for (curperm = perm; curperm != NULL; curperm = curperm->next) {
|
||||
for (curperm = avrule->perms; curperm != NULL; curperm = curperm->next) {
|
||||
avkey.source_type = stype + 1;
|
||||
avkey.target_type = ttype + 1;
|
||||
avkey.target_class = curperm->class;
|
||||
|
@ -59,9 +59,17 @@ static int check_assertion_helper(sepol_handle_t * handle,
|
|||
return 0;
|
||||
|
||||
err:
|
||||
if (line) {
|
||||
if (avrule->source_filename) {
|
||||
ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };",
|
||||
avrule->source_line, avrule->source_filename, avrule->line,
|
||||
p->p_type_val_to_name[stype],
|
||||
p->p_type_val_to_name[ttype],
|
||||
p->p_class_val_to_name[curperm->class - 1],
|
||||
sepol_av_to_string(p, curperm->class,
|
||||
node->datum.data & curperm->data));
|
||||
} else if (avrule->line) {
|
||||
ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
|
||||
line, p->p_type_val_to_name[stype],
|
||||
avrule->line, p->p_type_val_to_name[stype],
|
||||
p->p_type_val_to_name[ttype],
|
||||
p->p_class_val_to_name[curperm->class - 1],
|
||||
sepol_av_to_string(p, curperm->class,
|
||||
|
@ -121,7 +129,7 @@ int check_assertions(sepol_handle_t * handle, policydb_t * p,
|
|||
if (a->flags & RULE_SELF) {
|
||||
if (check_assertion_helper
|
||||
(handle, p, &te_avtab, &te_cond_avtab, i, i,
|
||||
a->perms, a->line)) {
|
||||
a)) {
|
||||
rc = -1;
|
||||
goto out;
|
||||
}
|
||||
|
@ -131,7 +139,7 @@ int check_assertions(sepol_handle_t * handle, policydb_t * p,
|
|||
continue;
|
||||
if (check_assertion_helper
|
||||
(handle, p, &te_avtab, &te_cond_avtab, i, j,
|
||||
a->perms, a->line)) {
|
||||
a)) {
|
||||
rc = -1;
|
||||
goto out;
|
||||
}
|
||||
|
|
|
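Review bot: The filename branch at `if (avrule->source_filename)` prints whatever `source_line` and `line` happen to hold without checking them, while the fallback branch still guards on `avrule->line`; a rule that carries a filename but no line information would be reported as "line 0 of file (or line 0 of policy.conf)". Tightening the condition to `if (avrule->source_filename && avrule->source_line)` keeps the `else if (avrule->line)` fallback meaningful for such rules. Separately, the helper only reads through the new parameter, so declaring it `const avrule_t *avrule` documents that the rule is not modified. The remainder of the err: block, including the closing of this else-if and any final else, lies outside the hunk.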
@ -2650,6 +2650,10 @@ static int copy_neverallow(policydb_t * dest_pol, uint32_t * typemap,
|
|||
avrule->specified = AVRULE_NEVERALLOW;
|
||||
avrule->line = source_rule->line;
|
||||
avrule->flags = source_rule->flags;
|
||||
avrule->source_line = source_rule->source_line;
|
||||
avrule->source_filename = strdup(source_rule->source_filename);
|
||||
if (!avrule->source_filename)
|
||||
goto err;
|
||||
|
||||
if (ebitmap_cpy(&avrule->stypes.types, &stypes))
|
||||
goto err;
|
||||
|
|
|
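Review bot: `strdup(source_rule->source_filename)` is called unconditionally, but this commit itself treats the field as optional (`check_assertion_helper` tests it for NULL before use), and `strdup(NULL)` is undefined behaviour that crashes on common libc implementations. Copy it only when present and leave the destination NULL otherwise: `if (source_rule->source_filename) { avrule->source_filename = strdup(source_rule->source_filename); if (!avrule->source_filename) goto err; }`. With the guard in place the later `goto err` paths still free the copy only if the err: label destroys the partially built rule and the field was zeroed at creation — neither is visible here, so worth checking. copy_neverallow begins and ends outside the hunk.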
@ -1325,6 +1325,10 @@ static int copy_avrule_list(avrule_t * list, avrule_t ** dst,
|
|||
cur_perm = cur_perm->next;
|
||||
}
|
||||
new_rule->line = cur->line;
|
||||
new_rule->source_line = cur->source_line;
|
||||
new_rule->source_filename = strdup(cur->source_filename);
|
||||
if (!new_rule->source_filename)
|
||||
goto cleanup;
|
||||
|
||||
cur = cur->next;
|
||||
|
||||
|
|
|
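Review bot: The same unguarded `strdup(cur->source_filename)` appears here, and a source rule with no filename (a state the new assertion code explicitly allows) would pass NULL to strdup, which is undefined behaviour. Guard it the same way: `if (cur->source_filename) { new_rule->source_filename = strdup(cur->source_filename); if (!new_rule->source_filename) goto cleanup; }`. The `cleanup` label must also release the new rule's string on the failure path; if it runs avrule_destroy on new_rule that is already covered, but the label is outside the hunk so I cannot confirm. The enclosing loop of copy_avrule_list starts and ends outside the hunk.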
@ -535,6 +535,8 @@ void avrule_destroy(avrule_t * x)
|
|||
type_set_destroy(&x->stypes);
|
||||
type_set_destroy(&x->ttypes);
|
||||
|
||||
free(x->source_filename);
|
||||
|
||||
next = x->perms;
|
||||
while (next) {
|
||||
cur = next;
|
||||
|
|
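Review bot: `free(x->source_filename)` is fine for a NULL or strdup'd pointer, but nothing resets the member afterwards, so if the same avrule_t is destroyed twice or its storage is reused the stale pointer is freed again; `x->source_filename = NULL;` after the free is a one-line guard consistent with the destroy-not-free role this function appears to have. It also relies on every creator of an avrule_t zero-initialising the new field before an error path reaches avrule_destroy, which cannot be verified from this diff. The function continues past the hunk.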