Commit graph

353 commits

Author SHA1 Message Date
Thiébaud Weksteen
4d132a10b0 Fix build after upstream merge
- Reference renamed file: COPYING -> LICENSE in Android.bp
- Fix constext_str calls now returning const char *
- Comment out cil_write_src_info_node which is not used on Android
- Include new selinux_internal.c source file

Bug: 253327909
Test: build and boot on bramble
Test: sediff between current and new policy; no change
Change-Id: I506479befb3c0b99136cd842b2a77a6a8bea18ed
2022-11-25 14:10:15 +11:00
Thiébaud Weksteen
a5d093d150 Merge remote-tracking branch 'aosp/upstream-master' into rebase_20221110
Fix conflict in libselinux/src/label.c

Bug: 253327909
Test: n/a; follow up commit for fixing build
Change-Id: Ibdd5e384dda9e995dc52574dbcc7ad8d89698dc3
2022-11-14 14:29:35 +11:00
Paul Moore
a0a216ff7d docs: provide a top level LICENSE file
Provide a top level LICENSE file explaining how multiple the SELinux
userspace is released under multiple different licenses.  Also ensure
that all the different license files share a consistent file name,
LICENSE, to make it easier for people to identify the license files.

This is to help meet the OpenSSF Best Practices requirements.

Signed-off-by: Paul Moore <paul@paul-moore.com>
2022-10-05 08:20:38 -04:00
Juraj Marcin
c916f0884b checkpolicy: avoid passing NULL pointer to memset()
Function `class_perm_node_init()` is called with `dest_perms` before it
is checked that its allocation succeeded. If the allocation fails, then
a NULL pointer is passed to `memset()` inside the
`class_perm_node_init()` function.

Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
2022-09-01 09:27:01 -04:00
Christian Göttsche
2a9c619b5f checkpolicy: use strict function prototype for definitions
Clang 15 starts to complain about non strict function definitions:

    policy_define.c:4907:30: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
    int define_devicetree_context()
                                 ^
                                  void
    policy_define.c:5298:29: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
    int define_ipv4_node_context()
                                ^
                                 void

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-08-15 08:46:41 -04:00
Christian Göttsche
25e9c91a8b checkpolicy: error out if required permission would exceed limit
A require statement for a class permission adds that permission to the
class representation for the current module.  In case the resulting
class would have more than the supported amount of 32 permissions
assigned the resulting binary module will fail to load at link-time
without an informative error message (since [1]).

Bail out if adding a permission would result in a class having more than
the supported amount of 32 permissions assigned.

[1]: 97af65f696

Closes: https://github.com/SELinuxProject/selinux/issues/356
Reported-by: Julie Pichon
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-06-21 15:20:58 +02:00
Petr Lautrbach
0a8c177dac
Update VERSIONs to 3.4 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-05-18 16:51:03 +02:00
Ondrej Mosnacek
9e096e6ef0 libsepol,checkpolicy: add support for self keyword in type transitions
With the addition of the anon_inode class in the kernel, 'self'
transition rules became useful, but haven't been implemented.

The typetransition, typemember, and typechange statements share the
relevant code, so this patch implements the self keyword in all of them
at the TE language level and adds the support to the module policydb
format. Note that changing the kernel policydb format is not necessary
at all, as type transitions are always expanded in the kernel policydb.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-05-16 10:37:17 -04:00
Petr Lautrbach
9df28c241a
Update VERSIONs to 3.4-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-05-04 19:20:37 +02:00
Christian Göttsche
5645f803e1 checkpolicy: mention class name on invalid permission
When a permission for a constraint statement cannot be found also
mention the related class name.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-05-04 15:12:04 +02:00
Petr Lautrbach
2a167d1156
Update VERSIONs to 3.4-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-04-20 21:48:57 +02:00
Petr Lautrbach
73562de8fc
Update VERSIONs to 3.4-rc1 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2022-04-06 19:53:39 +02:00
Thiébaud Weksteen
5ab1edf09d Merge remote-tracking branch 'aosp/upstream-master' into update_head
Change-Id: I294af47a0cc73b753d23d8449575015d21219ddf
2022-03-15 12:24:38 +11:00
Thiébaud Weksteen
c900816e93 libsepol: Populate and use policy name
When an assertion fails, the error message refers to a generic
"policy.conf" file. When parsing a policy in checkpolicy, populate its
name using the original filename (source_filename is still build using
the #line directives within the policy).

Signed-off-by: Thiébaud Weksteen <tweek@google.com>
[Merge conflicts fixed by: James Carter <jwcart2@gmail.com>]
Signed-off-by: James Carter <jwcart2@gmail.com>
2022-02-24 10:44:46 -05:00
Christian Göttsche
4be0e2e19c checkpolicy: allow wildcard permissions in constraints
Allow all and complement permission sets in constraints, e.g.:

    constrain service ~ { status } (...);
    constrain service * (...);

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-02-18 14:48:57 -05:00
Thiébaud Weksteen
671624ef61 Merge upstream '3.3' into update_3_3
Followed the following steps:
    # aosp mirror does not have the upstream tags. Manually mark the
    # 3.3 release. See
    # https://github.com/SELinuxProject/selinux/releases/tag/3.3
    git tag 3.3 7f600c40bc
    repo start update_3_3 .
    git merge 3.3 --no-ff # No merge conflicts were found.
    lunch && m
    repo upload .

Bug: 37755687
Test: Build aosp_bramble-userdebug and manually compare the generated
    /{system,vendor,product}/etc/selinux* files with their previous
    versions. All are identical.
Change-Id: I6a514d7db9a752c44cc61d343f7c1a60f750f317
2021-12-22 09:15:13 +11:00
Christian Göttsche
01b88ac323 checkpolicy: warn on bogus IP address or netmask in nodecon statement
Warn if the netmask is not contiguous or the address has host bits set,
e.g.:

    127.0.0.0 255.255.245.0
    127.0.0.1 255.255.255.0

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-12-15 12:47:22 -05:00
Christian Göttsche
8a8275a5ac checkpolicy: ignore possible string truncation
The source code line content, saved to improve error reporting, might
get truncated, as the current Bison source buffer is 8192 bytes long and
only 254 bytes (plus NUL-terminator) are reserved.
As the saved string is only used for improving error reports and source
lines longer than 254 character are quite uncommon, simply silence the
GCC warning.

    In file included from /usr/include/string.h:519,
                     from lex.yy.c:20:
    In function ‘strncpy’,
        inlined from ‘yylex’ at policy_scan.l:63:7:
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:91:10: warning: ‘__builtin_strncpy’ output may be truncated copying 255 bytes from a string of length 8190 [-Wstringop-truncation]
       91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
          |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche
cc671d6a5e checkpolicy: use correct unsigned format specifiers
The two variables policydb_lineno and source_lineno are both of the type
unsigned long; use the appropriate format specifier.

Found by Cppcheck

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Thiébaud Weksteen
454466e2e4 Revert "Revert "Merge remote-tracking branch 'aosp/upstream-mast..."
Revert^2 "Use cil_write_build_ast"

bde09de39feec91cf8220f0f798a6e52154d69e9

Change-Id: I3ab19bda9c1968409ad5a4f4d0866649036c683c
2021-10-27 04:50:56 +00:00
Petr Lautrbach
7f600c40bc
Update VERSIONs to 3.3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-10-21 16:31:23 +02:00
James Carter
ce815bd11b checkpolicy: Fix potential undefined shifts
An expression of the form "1 << x" is undefined if x == 31 because
the "1" is an int and cannot be left shifted by 31.

Instead, use "UINT32_C(1) << x" which will be an unsigned int of
at least 32 bits.

Signed-off-by: James Carter <jwcart2@gmail.com>
2021-10-12 13:44:55 -04:00
Petr Lautrbach
5319c49d8a
Update VERSIONs to 3.3-rc3 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-10-06 13:28:15 +02:00
Christian Göttsche
eac7fb001a checkpolicy: delay down-cast to avoid align warning
Delay the down-cast from hashtab_datum_t, alias void*, to the actual
type once its kind has been determined.

    module_compiler.c:174:19: warning: cast from 'symtab_datum_t *' (aka 'struct symtab_datum *') to 'level_datum_t *' (aka 'struct level_datum *') increases required alignment from 4 to 8 [-Wcast-align]
                            *dest_value = ((level_datum_t *)s)->level->sens;
                                           ^~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:18 -04:00
Christian Göttsche
44ed3074bb checkpolicy: drop incorrect cast
The function require_symbol takes the type hashtab_datum_t (alias void*)
as third argument. Do not cast to hashtab_datum_t* alias void**. Since
explicit casting to void* is unnecessary, drop the casts.

    module_compiler.c:1002:36: warning: cast from 'cond_bool_datum_t *' (aka 'struct cond_bool_datum *') to 'hashtab_datum_t *' (aka 'void **') increases required alignment from 4 to 8 [-Wcast-align]
                require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
                                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    module_compiler.c:1092:40: warning: cast from 'cat_datum_t *' (aka 'struct cat_datum *') to 'hashtab_datum_t *' (aka 'void **') increases required alignment from 4 to 8 [-Wcast-align]
            retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
                                                  ^~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:15 -04:00
Christian Göttsche
7a1c7e7a82 checkpolicy: update documentation
Add missing command-line arguments to synopsis and highlight mentions of
other tools in man pages.

Add missing space between arguments in help message.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:12 -04:00
Christian Göttsche
e32809155b checkpolicy: print reason of fopen failure
Print the reason why opening a source policy file failed, e.g:

    checkpolicy:  unable to open policy.conf:  No such file or directory

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:10 -04:00
Christian Göttsche
3d27e5a410 checkpolicy: policy_define: cleanup declarations
The variable curfile is nowhere used.

Static functions do not need to be forward declared if not used before
their definition.

The error buffer errormsg can be a simple scoped variable. Also
vsnprintf(3) always NUL-terminates the buffer, so the whole length can
be passed.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-10-04 09:25:07 -04:00
Petr Lautrbach
0b833973bf
Update VERSIONs to 3.3-rc2 for release.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-22 17:14:25 +02:00
Thiébaud Weksteen
c65aca49bb Revert "Merge remote-tracking branch 'aosp/upstream-master' into..."
Revert "Use cil_write_build_ast"

Revert submission 1827311-update_libselinux

Reason for revert: b/200771997 
Reverted Changes:
I088d1e94c:Fix build and use new cil_write_build_ast
I14dc4dc58:Merge remote-tracking branch 'aosp/upstream-master...
I7b77f4469:Use cil_write_build_ast

Change-Id: Iec17732997ab203787f021f437f31e51ef886425
2021-09-22 09:15:53 +00:00
Christian Göttsche
a0a342c37b checkpolicy: free extended permission memory
define_te_avtab_xperms_helper() allocates memory for the avrule, while
define_te_avtab_ioctl() does not transfer any ownership of it.
Free the affected memory.

    Direct leak of 272 byte(s) in 2 object(s) allocated from:
        #0 0x49bb8d in __interceptor_malloc (./checkpolicy/checkmodule+0x49bb8d)
        #1 0x4f379c in define_te_avtab_xperms_helper ./checkpolicy/policy_define.c:2047:24
        #2 0x4f379c in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2469:6
        #3 0x4cf417 in yyparse ./checkpolicy/policy_parse.y:494:30
        #4 0x4eaf35 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #5 0x50cccd in main ./checkpolicy/checkmodule.c:278:7
        #6 0x7fbfa455ce49 in __libc_start_main csu/../csu/libc-start.c:314:16

    Direct leak of 32 byte(s) in 2 object(s) allocated from:
        #0 0x49bb8d in __interceptor_malloc (./checkpolicy/checkmodule+0x49bb8d)
        #1 0x4f4a38 in avrule_sort_ioctls ./checkpolicy/policy_define.c:1844:12
        #2 0x4f4a38 in avrule_ioctl_ranges ./checkpolicy/policy_define.c:2021:6
        #3 0x4f4a38 in define_te_avtab_ioctl ./checkpolicy/policy_define.c:2399:6
        #4 0x4f4a38 in define_te_avtab_extended_perms ./checkpolicy/policy_define.c:2475:7
        #5 0x4cf417 in yyparse ./checkpolicy/policy_parse.y:494:30
        #6 0x4eaf35 in read_source_policy ./checkpolicy/parse_util.c:63:6
        #7 0x50cccd in main ./checkpolicy/checkmodule.c:278:7
        #8 0x7fbfa455ce49 in __libc_start_main csu/../csu/libc-start.c:314:16

Reported-by: liwugang <liwugang@163.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:42 -04:00
Christian Göttsche
ba18cf0cdf checkpolicy: print warning on source line overflow
In case the source line value overflows or has a too big value in the
source policy print a warning.

    policy_scan.l:273:19: runtime error: implicit conversion from type 'int' of value -2 (32-bit, signed) to type 'unsigned long' changed the value to 18446744073709551614 (64-bit, unsigned)
    policy_scan.l:66:20: runtime error: unsigned integer overflow: 18446744073709551615 + 1 cannot be represented in type 'unsigned long'

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:37 -04:00
Christian Göttsche
15fcc6df66 checkpolicy: error out on parsing too big integers
Error out instead of silently converting too big integer values in
policy sources.

    policy_parse.y:893:41: runtime error: implicit conversion from type 'unsigned long' of value 18446744073709551615 (64-bit, unsigned) to type 'unsigned int' changed the value to 4294967295 (32-bit, unsigned)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:33 -04:00
Christian Göttsche
c7c582a0ef checkpolicy: avoid implicit conversion
Avoid implicit conversions from signed to unsigned values, found by
UB sanitizers, by using unsigned values in the first place.

    dismod.c:92:42: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:27 -04:00
Christian Göttsche
16d7dde41c checkpolicy: resolve dismod memory leaks
Example leak:

    Indirect leak of 4 byte(s) in 1 object(s) allocated from:
        #0 0x49bacd in __interceptor_malloc (./checkpolicy/test/dismod+0x49bacd)
        #1 0x58ae54 in add_i_to_a ./libsepol/src/util.c:55:21
        #2 0x53ea8e in symtab_insert ./libsepol/src/policydb.c:1729:6
        #3 0x536252 in roles_init ./libsepol/src/policydb.c:772:7
        #4 0x536252 in policydb_init ./libsepol/src/policydb.c:892:7
        #5 0x562ff1 in sepol_policydb_create ./libsepol/src/policydb_public.c:69:6
        #6 0x521a7c in module_package_init ./libsepol/src/module.c:96:6
        #7 0x521a7c in sepol_module_package_create ./libsepol/src/module.c:126:7
        #8 0x4cfb80 in read_policy ./checkpolicy/test/dismod.c:750:7
        #9 0x4cda10 in main ./checkpolicy/test/dismod.c:878:6
        #10 0x7f8538d01e49 in __libc_start_main csu/../csu/libc-start.c:314:16

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:20 -04:00
Christian Göttsche
e6bab7bf45 checkpolicy: add missing function declarations
Ideally they should be declared in the corresponding header file, but
the overall include style in the checkpolicy code is quite messy.
Declare them for now in the source file before defining them to silence
related compiler warnings:

    policy_define.c:84:6: error: no previous prototype for function 'init_parser' [-Werror,-Wmissing-prototypes]
    void init_parser(int pass_number)
         ^
    policy_define.c:93:6: error: no previous prototype for function 'yyerror2' [-Werror,-Wmissing-prototypes]
    void yyerror2(const char *fmt, ...)
         ^

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:09 -04:00
Christian Göttsche
5c376d6db1 checkpolicy: mark file local functions in policy_define static
Also remove the unused function `avrule_ioctl_freeranges()`.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:14:00 -04:00
Christian Göttsche
6388cfe7f3 checkpolicy: mark read-only parameters in module compiler const
Make it more obvious which parameters are read-only and not being
modified and allow callers to pass const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:13:58 -04:00
Christian Göttsche
9eebc4b731 checkpolicy: misc checkpolicy tweaks
Add missing argument in usage message.
Drop redundant includes `optarg` and `optind`, which are declared in
<getopt.h>.
Mark file local functions static.
Drop unused function declaration.

Check closing file streams after writing, which can signal a failed
write or sync to disk and should be checked.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:13:54 -04:00
Christian Göttsche
9696bb5449 checkpolicy: misc checkmodule tweaks
Add missing argument in usage message.
Drop redundant includes `optarg` and `optind`, which are declared in
<getopt.h>.
Use consistent quit style by using `exit(1)`.
Mark read-only options struct const.
Check closing file streams after writing, which can signal a failed
write or sync to disk and should be checked.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:13:51 -04:00
Christian Göttsche
5570c2e394 checkpolicy: enclose macro argument in parentheses
Found by clang-tidy

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-09-15 10:13:48 -04:00
Thiébaud Weksteen
9e8922418a Merge remote-tracking branch 'aosp/upstream-master' into update_3_3
Change-Id: I14dc4dc589a5f72af6ba6d2cc1800d145f0234aa
2021-09-09 15:05:30 +02:00
Petr Lautrbach
38cb18e931 Update VERSIONs and Python bindings version to 3.3-rc1 for release
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-08 09:49:46 +02:00
Christian Göttsche
1711757378
checkpolicy: mark read-only parameters in policy define const
Make it more obvious which parameters are read-only and not being
modified and allow callers to pass const pointers.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:10 +02:00
Christian Göttsche
b306cd5b90
checkpolicy/test: mark file local functions static
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:09 +02:00
Christian Göttsche
47f4cbd357
checkpolicy: parse_util drop unused declaration
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:09 +02:00
Christian Göttsche
4e3d0990c6
checkpolicy: drop redundant cast to the same type
Found by clang-tidy.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:09 +02:00
Christian Göttsche
5218bf4b26
checkpolicy: avoid potential use of uninitialized variable
checkpolicy.c: In function ‘main’:
    checkpolicy.c:1000:25: error: ‘tsid’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
     1000 |                         printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
          |                         ^

    checkpolicy.c: In function ‘main’:
    checkpolicy.c:971:25: error: ‘tsid’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
      971 |                         printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
          |                         ^

Found by GCC 11 with LTO enabled.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:09 +02:00
Christian Göttsche
5a10f05f53
checkpolicy: check before potential NULL dereference
policy_define.c: In function ‘define_te_avtab_extended_perms’:
    policy_define.c:1946:17: error: potential null pointer dereference [-Werror=null-dereference]
     1946 |         r->omit = omit;
          |                 ^

In the case of `r` being NULL, avrule_read_ioctls() would return
with its parameter `rangehead` being a pointer to NULL, which is
considered a failure in its caller `avrule_ioctl_ranges`.
So it is not necessary to alter the return value.

Found by GCC 11 with LTO enabled.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:08 +02:00
Christian Göttsche
7723180fa0
checkpolicy: remove dead assignments
The variable `cladatum` is otherwise always assigned before used, so
these two assignments without a follow up usages are not needed.

Found by clang-analyzer.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-13 21:02:08 +02:00