The mudflap run time checker was removed in GCC 4.9. The
option no longer does anything and triggers a warning from gcc 4.9
and later. Remove it. We might want to add -fsanitize=address
to enable AddressSanitizer in its place, but that should be a separate
change.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Needed to allow Android to keep building with a copy of the SELinux
source code checked into external/selinux
Bug: 19963152
Change-Id: I4e192bb6ca5d185e11540aca7253e729d92a00c1
In the case where the SELinux security module is not loaded in the
kernel and it's early enough in the boot process that /proc has not yet
been mounted, selinuxfs_exists() will incorrectly return 1, and
selinux_init_load_policy() will print a message like this to the
console:
Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory
To fix this, mount the procfs before attempting to open
/proc/filesystems, and unmount it when done if it was initially not
mounted. This is the same thing that selinux_init_load_policy() does
when reading /proc/cmdline.
Signed-off-by: Ben Shelton <ben.shelton@ni.com>
Libraries such as libqpol that link with libsepol statically do not understand
the symbolic versioning in libsepol. This patch disables the symbolic versioning
in libsepol if building the static library or building for Android.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Steve Lawrence <slawrence@tresys.com>
So that building from top-level as per the README does not
fail when it reaches the secilc directory.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The Android build does not like the symbol versioning introduced
by commit 8147bc7; the build fails with:
host SharedLib: libsepol (out/host/linux-x86/obj/lib/libsepol.so)
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8//x86_64-linux/bin/ld: error: symbol cil_build_policydb has undefined version
prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.15-4.8//x86_64-linux/bin/ld: error: symbol cil_build_policydb has undefined version LIBSEPOL_1.1
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Omit the versioned symbols and simply use the current interfaces
when building on Android.
Commit 36f62b7 also broke the Android build by moving secilc out of
libsepol, because the libsepol headers were not installed by the Android.mk
file.
Export the required libsepol headers for use by secilc and adjust secilc
to pick them up from the right location on Android.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add support to checkpolicy and checkmodule for generating CIL as their
output.
Add new options "-C" and "--cil" to specify CIL as the output format.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Add a new function, sepol_module_policydb_to_cil, that generates
CIL from a module (not kernel) policydb. Refactor
sepol_module_package_to_cil() to use the new function.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Move code to convert a policy module to CIL from the policy package to
CIL conversion tool, pp, in policycoreutils to libsepol. The only changes
to the code are the additions of the prefix "sepol_" to the functions
sepol_module_package_to_cil() and sepol_ppfile_to_module_package(). This
code is being changed from GPL to LGPL with permission from Tresys.
Convert pp to use the renamed functions in libsepol.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Since the secilc compiler is independent of libsepol, move secilc out of
libsepol. Linke secilc dynamically rather than statically with libsepol.
- Move secilc source, test policies, docs, and secilc manpage to secilc
directory.
- Remove unneeded Makefile from libsepol/cil. To build secilc, run make
in the secilc directory.
- Add target to install the secilc binary to /usr/bin/.
- Create an Android makefile for secilc and move secilc out of libsepol
Android makefile.
- Add cil_set_mls to libsepol public API as it is needed by secilc.
- Remove policy.conf from testing since it is no longer used.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
open_init_pty uses select() to handle all the file descriptors. There is
a very high CPU usage due to select() always returning immediately with
the fd is available for write. This uses a ring buffer and only calls
select on the read/write fds that have data that needs to be
read/written which eliminates the high CPU usage.
This also correctly returns the exit code from the child process.
This was originally from debian where they have been carrying it as a
patch for a long time. Then we got a bug report in gentoo which this
also happens to fix. The original debian patch had the ring buffer
written in C++ so I modified the class into a struct and some static
methods so it is C-only at the request of Steve Lawrence.
Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=474956
Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=532616
Signed-off-by: Jason Zaman <jason@perfinion.com>
Tested-by: Laurent Bigonville <bigon@bigon.be>
If /usr/sbin/open_init_pty is not found or is not executable,
access("/usr/sbin/open_init_pty", X_OK) returns -1, not zero.
Use "!= 0" like in other places in SELinux userland libraries and tools.
Problems fixed:
1) Fix core dump when building CIL policy (corrupted double-linked list)
by Steve Lawrence <slawrence@tresys.com>
2) Binary policy failed to read with devicetreecon statement.
3) Free path name - With a Xen policy running secilc/valgrind
there are no memory errors.
Also added devicetreecon statement to CIL policy.cil and updated the CIL
Reference Guide.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Boolean states are only written on a declaration.
If a module is turned off which includes a tunable declaration that
is required in another module, the state is never set. This patch
sets the state when the booldatum is created so that an uninitialized
memory read does not occur in cond_write_bool and write garbage to
the link binary. This can cause a failure in cond_read_bool when
running semodule_expand.
Signed-off-by: Thomas Hurd <thurd@tresys.com>
Unconditionally check the magic number before BZ2_bzReadOpen()
instead of only when bzip_blocksize=0, since it falls through.
That way if the file is not compressed it will return immediately
and map_file can mmap it. If the file is compressed then it will
go through the BZ2 functions and any errors will be reported correctly.
This fixes 0afd5de5c1 so that a bz2 error
isn't reported when a uncompressed pp is installed successfully.
Signed-off-by: Thomas Hurd <thurd@tresys.com>
In Xen on ARM, device tree nodes identified by a path (string) need to
be labeled by the security policy.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
This expands IOMEMCON device context entries to 64 bits. This change is
required to support static I/O memory range labeling for systems with
over 16TB of physical address space. The policy version number change
is shared with the next patch.
While this makes no changes to SELinux policy, a new SELinux policy
compatibility entry was added in order to avoid breaking compilation of
an SELinux policy without explicitly specifying the policy version.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
In order to support paths containing spaces or other characters, allow a
quoted string with these characters to be parsed as a path in addition
to the existing unquoted string.
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
There's no guaranty that last item in "char fname[]" will be a null character.
Fixes segfault on some systems:
Test: semanage_nc_sort ...passedtest_semanage_findval: : Invalid argument
libsemanage-tests: TestRun.c:160: CU_assertImplementation: Assertion `((void *)0) != f_pCurTest' failed.
make[1]: *** [test] Aborted (core dumped)
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fixes two types of errors which appear when building with gcc-5.0.0
- format ‘%d’ expects argument of type ‘int’, but argument X has type ‘unsigned int’
- format ‘%a’ expects argument of type ‘float *’, but argument X has type ‘char **’
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
When the FILESYSTEM token was added to support filesystem names that
start with a digit (e.g. 9p), it was given higher precedence than
NUMBER and therefore all values specified in hex (with 0x prefix)
in policy will incorrectly match FILESYSTEM and yield a syntax error.
This breaks use of iomem ranges in Xen policy and will break ioctl
command ranges in a future SELinux policy version. Switch the
precedence. This does mean that you cannot currently have a filesystem
with a name that happens to be 0x followed by a hexval but hopefully
that isn't an issue.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
- Do not pass in the policydb where not necessary
- Tell CIL what policy version and target platform to use when building
the policydb
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
- No longer require the caller to create a sepol_policydb. CIL is now
responsible for that
- Since the user is no longer responsible for creating the policydb, two
functions are added to let CIL know how it should configure the
policydb, to set the policy version and the target platform
- Some functions, like cil_compile, do not need a policydb. Additionally
some functions, like cil_filecons_to_string use the policydb, but could
be rewritten to not require it. In these cases, remove the policydb
from the API, and rewrite functions so they don't depend on it. The
only function that uses a policydb is cil_build_policydb
- Add functions and symbolic versioning to maintain binary backwards
compatability. API backwards compatability is not maintained
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
- Free args as they are parsed and strdup args when neccessary. Memory used for
lex initialization is now freed using yylex_destroy().
- Add noyywrap option to flex. This is the correct way to make the scanner
not call yywrap upon an end of file. Before, we were overriding the
function and returning 1.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
This adds a 'remove-hll' option to semanage.conf. If set to 'true', all
HLL files will be removed from the SELinux store after successfully
buildling the SELinux modules. The default for this option is 'false'.
In order to delete already compiled HLL files, the modules need to be
recompiled with the ignore-module-cache option.
Signed-off-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
Fixes segfault on systems with less than 256K stack size.
After change, I was able to run semodule -l with a 32K stack size.
Additionally, fix potential memory leak on realloc failure.
Signed-off-by: Thomas Hurd <thurd@tresys.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
Reformat secilc(8) man page for readability and correct url
Remove unused/obsolete info and correct portcon statement in the
Reference Guide.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
restorecon on file names with newlines are not handled properly.
Use PCRE_DOTALL so that dots in regular expressions match all
characters, and don't exclude the newline character.
See https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02001.html
for background.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
restorecon on file names with newlines are not handled properly.
Use PCRE_DOTALL so that dots in regular expressions match all
characters, and don't exclude the newline character.
See https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02001.html
for background.
Change-Id: I0dde8f2567305f746d19ebd75a9e2add7406eb9a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
