when building packages (e.g. for openSUSE Linux)
(random) filesystem order of input files
influences ordering of functions in the output,
thus without the patch, builds (in disposable VMs) would usually differ.
See https://reproducible-builds.org/ for why this matters.
https://developers.redhat.com/blog/2017/03/10/wimplicit-fallthrough-in-gcc-7/
Fixes the following warnings by annotating with a /* FALLTHRU */ comment.
Unfortunately, the __attribute__ ((fallthrough)); approach does not appear
to work with older compilers.
../cil/src/cil_parser.c: In function ‘cil_parser’:
../cil/src/cil_parser.c:253:14: warning: this statement may fall through [-Wimplicit-fallthrough=]
tok.value = tok.value+1;
~~~~~~~~~~^~~~~~~~~~~~~
../cil/src/cil_parser.c:254:3: note: here
case SYMBOL:
^~~~
../cil/src/cil_parser.c:275:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (tok.type != END_OF_FILE) {
^
../cil/src/cil_parser.c:279:3: note: here
case END_OF_FILE:
^~~~
../cil/src/cil_post.c: In function ‘cil_post_fc_fill_data’:
../cil/src/cil_post.c:104:5: warning: this statement may fall through [-Wimplicit-fallthrough=]
c++;
~^~
../cil/src/cil_post.c:105:3: note: here
default:
^~~~~~~
regex.c: In function ‘regex_format_error’:
regex.c:541:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:542:2: note: here
case 3:
^~~~
regex.c:543:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:544:2: note: here
case 2:
^~~~
regex.c:545:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:546:2: note: here
case 1:
^~~~
regex.c: In function ‘regex_format_error’:
regex.c:541:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:542:2: note: here
case 3:
^~~~
regex.c:543:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:544:2: note: here
case 2:
^~~~
regex.c:545:10: warning: this statement may fall through [-Wimplicit-fallthrough=]
*ptr++ = '.';
~~~~~~~^~~~~
regex.c:546:2: note: here
case 1:
^~~~
modules.c: In function ‘semanage_module_get_path’:
modules.c:602:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (file == NULL) file = "hll";
^
modules.c:603:3: note: here
case SEMANAGE_MODULE_PATH_CIL:
^~~~
modules.c:604:7: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (file == NULL) file = "cil";
^
modules.c:605:3: note: here
case SEMANAGE_MODULE_PATH_LANG_EXT:
^~~~
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Memory allocation failures in selabel_subs_init() should be fatal,
contrary to failures which come from the non-existence of the
substitution files (subs or subs_dist).
Modify selabel_subs_init()'s prototype in order to return the error
state. This forces the pointer to the created substitution list to be
moved to an output function argument.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In selabel_subs_init(), when digest_add_specfile() fails, the returned
value is a pointer to data which has been freed (because label "err"
frees variable "sub" which is equals to the returned variable, "list").
Moreover since since commit fd56c5230c ("Separate out the calling of
local subs and dist subs in selabel_sub"), argument "list" of
selabel_subs_init() has always been NULL (rec->subs and rec->dist_subs
are both initialized to NULL in selabel_open() before
selabel_file_init() is called).
Drop selabel_file_init()'s "list" argument and free all the list items
which have been allocated in this function, when the code encounters an
error.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This check is not specific to Android devices. If libselinux were used
with Bionic on a normal Linux system this check would still be needed.
Signed-off-by: Tom Cherry <tomcherry@google.com>
commit 16c123f4b1 ("libselinux:
support ANDROID_HOST=1 on Mac") split up warning flags in
CFLAGS based on compiler support in a manner that could lead to
including a subset that is invalid, e.g. upon
make DESTDIR=/path/to/dest install. Fix it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When building libselinux, clang reports the following warning:
selinux_check_access.c:8:1: error: function 'usage' could be
declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]
While at it, make progname const.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Remove util/selinux_restorecon.c and tidy up. This is removed as
the functionality is now in policycoreutils/setfiles.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Add audit log entry to specify whether the decision was made in
permissive mode/permissive domain or enforcing mode.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
This breaks every further call to e.g. `is_selinux_enabled()` after a policy
root has been set. This tripped up some code landed in libostree:
https://github.com/ostreedev/ostree/pull/797
Since in some cases we initialize a policy twice in process, and we'd
call `is_selinux_enabled()` each time.
More info in: http://marc.info/?l=selinux&m=149323809332417&w=2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The toolchain automatically handles them and they break cross compiling.
LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place)
Gentoo-Bug: https://bugs.gentoo.org/500674
Signed-off-by: Jason Zaman <jason@perfinion.com>
>From Make's manual:
LDFLAGS
Extra flags to give to compilers when they are supposed to invoke the
linker, ‘ld’, such as -L. Libraries (-lfoo) should be added to the
LDLIBS variable instead.
LDLIBS
Library flags or names given to compilers when they are supposed to
invoke the linker, ‘ld’. Non-library linker flags, such as -L, should go
in the LDFLAGS variable.
https://www.gnu.org/software/make/manual/html_node/Implicit-Variables.html
Signed-off-by: Jason Zaman <jason@perfinion.com>
Makes libselinux safer and less likely to leak file descriptors when
used as part of a multithreaded program.
Signed-off-by: Nick Kralevich <nnk@google.com>
When getsebool's main() fails to allocate memory for the boolean names,
it returns without freeing variables first, even though other errors do
this (with label "out").
This silences a warning reported by clang's static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When curcon is NULL, calling strcmp(curcon, newcon) produces an undefined
behavior. Avoid this by checking whether curcon is NULL beforehand.
This issue has been found using clang's static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
If exclude_non_seclabel_mounts() ever gets run on a kernel where
/proc/mounts only contains three columns, mount_info[3] will be used
"without being initialized in "strtok(mount_info[3], ",")" because
variable index would be 3 at the end of this loop:
index = 0;
item = strtok(buf, " ");
while (item != NULL) {
mount_info[index] = item;
if (index == 3)
break;
index++;
item = strtok(NULL, " ");
}
Swap the condition on index and its increment so that it gets to 4 only
when there are at least four columns.
This issue has been found using clang's static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When security_load_booleans() calls process_boolean() to parse a boolean
definition, process_boolean() returns a successful value when it fails
to use strtok_r() (e.g. when there is no "=" in the parsed line). This
leads security_load_booleans() to use uninitialized name and/or val when
setting the boolean into the policy.
This issue has been found using clang's static analyzer and is similar
to the one which has been fixed in libsepol with commit 76f8c04c19
("libsepol: make process_boolean() fail on invalid lines"). Fix it in
the same way.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
selabel_is_digest_set() contains the following code:
digest = calloc(1, sizeof(*digest));
if (!digest)
goto err;
/* ... */
err:
free(digest->digest);
If calloc() failed, digest is NULL but is dereferenced when the
execution jumps to label err.
Check that digest is not NULL before freeing its fields.
This issue has been found using clang's static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Currently this Python program triggers a segmentation fault in
libselinux SWIG wrapper:
import selinux
selinux.get_ordered_context_list()
gdb shows that the segmentation fault occurs when freeing some memory:
Reading symbols from python...(no debugging symbols found)...done.
Starting program: /usr/bin/python -c import\
selinux\;selinux.get_ordered_context_list\(\)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff789a304 in free () from /usr/lib/libc.so.6
(gdb) bt
#0 0x00007ffff789a304 in free () from /usr/lib/libc.so.6
#1 0x00007ffff6011499 in freeconary (con=0x7ffff6ac5d00) at
freeconary.c:14
#2 0x00007ffff6296899 in _wrap_get_ordered_context_list
(self=<optimized out>, args=<optimized out>) at
selinuxswig_wrap.c:6185
#3 0x00007ffff741891f in _PyCFunction_FastCallDict () from
/usr/lib/libpython3.6m.so.1.0
...
SWIG generated the following code for _wrap_get_ordered_context_list():
char ***arg3 = (char ***) 0 ;
char **temp3 ;
arg3 = &temp3;
if (!PyArg_ParseTuple(args, "OO:get_ordered_context_list",&obj0,&obj1))
SWIG_fail;
/* ... */
fail:
if (*arg3) freeconary(*arg3);
If PyArg_ParseTuple fails, freeconary() is called on the value of
"temp3", which has not been initialized. Fix this by initializing temp
to NULL in the SWIG template.
A similar issue exists with security_get_boolean_names(). Fix it too.
This issue has been found using clang's static analyzer, on a system
which uses SWIG 3.0.12.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On systems where $PYTHON is python3.5 (instead of python2 or python3),
pkg-config fails to find the Python package because it is named with a
dash (e.g. python-3.5).
Moreover the build system may have been using the pkg-config
configuration files for the wrong Python version when several Python
with the same major version number are installed (e.g. using python-3.5
on a system with both python-3.4 and python-3.5 and where
/usr/lib/pkgconfig/python3.pc is a symlink to python-3.5.pc).
In order to fix these two issues, compute $PYPREFIX from $PYTHON by
using the full major.minor version.
Moreover update Travis-Ci configuration to grab the relevant
configuration files for pkg-config from /opt/python (for example
/opt/python/3.5.2/lib/pkgconfig/python-3.5.pc) instead of using
system-provided files (/usr/lib/x86_64-linux-gnu/pkgconfig/python3.pc
and /usr/lib/x86_64-linux-gnu/pkgconfig/python2.pc).
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This fixes the following bug:
UX regression: setfiles progress indicator is now misleading and
confusing in fixfiles.
The outputting of * is replaced by the number of files in 1k increments
as the previous versions. If "/" is specified on the pathname, then this
will indicate a mass relabel, an example output will be:
restorecon -nRp /etc /tmp /boot /
/etc 100.0%
/tmp 100.0%
/boot 100.0%
3.2%
Also setfiles(8) and restorecon(8) versions that are implemented using
the selinux_restorecon(3) function do not support the [-o filename]
option as this was deprecated. This has now been made clear by displaying
a message to stderr.
The documentation has also been updated to reflect these changes.
Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
libselinux 2.6 has added some code in regex.c that uses __BYTE_ORDER__
to determine the system endianness. Unfortunately, this definition
provided directly by the compiler doesn't exist in older gcc versions
such as gcc 4.4.
In order to address this, this commit extends the logic to use
<endian.h> definitions if __BYTE_ORDER__ is not provided by the
compiler. This allows libselinux to build properly with gcc 4.4.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Disable generating filespec hash table stats on non-debug builds,
as they are not useful information for users and cause fixfiles
check to produce noisy output.
Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
libselinux/src/get_context_list.c defines
get_default_context_with_rolelevel(user, role, level...
libselinux/utils/getdefaultcon.c uses
get_default_context_with_rolelevel(seuser, role, level...
but libselinux/include/selinux/get_context_list.h declares
get_default_context_with_rolelevel(user, level, role...
and libselinux/man/man3/get_ordered_context_list.3 follows this
declaration.
Fix the header and the man page.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
After libsepol is modified (for example while developing new features or
fixing bugs), running "make install" in the top-level directory does not
update the programs which use libsepol.a. Add this static library to the
target dependencies in order to force their updates. This makes "make"
use libsepol.a in the linking command without using LDLIBS.
While at it, copy what commit 14d7064348 ("libselinux: Allow
overriding libsepol.a location during build") introduced in libselinux
Makefile by using a new LIBSEPOLA variable in all Makefiles.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In commit 36f1ccbb57 ("policycoreutils: setfiles: print error if
no default label found"), a warning message was added to setfiles/restorecon
if the user explicitly does a restorecon /path/to/foo and
/path/to/foo does not have any matching label in file_contexts; in the
case of a restorecon -R or setfiles, the warning isn't supposed to be
logged. The check on the recursive flag got dropped when this logic was
taken into selinux_restorecon(3) in libselinux. Restore this check so
that we do not generate noisy log messages on restorecon -R or setfiles.
Reported-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Building with musl libc leads to some build errors:
setrans_client.c: In function ‘receive_response’:
setrans_client.c:147:19: error: implicit declaration of function
‘readv’ [-Werror=implicit-function-declaration]
while (((count = readv(fd, resp_hdr, 3)) < 0) && (errno == EINTR)) ;
^~~~~
and:
In file included from matchpathcon.c:10:0:
/usr/include/sys/errno.h:1:2: error: #warning redirecting incorrect
#include <sys/errno.h> to <errno.h> [-Werror=cpp]
#warning redirecting incorrect #include <sys/errno.h> to <errno.h>
^
Fix the first one by including <sys/uio.h> and the second one by using
<errno.h> instead of <sys/errno.h>.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When the restorecon method was added to the libselinux swig python
bindings, there was no libselinux restorecon implementation and it
he had to call matchpathcon() which is deprecated in favor of
selabel_lookup().
The new restorecon method uses selinux_restorecon method from libselinux
and which is exported by the previous commit.
https://github.com/SELinuxProject/selinux/issues/29
Fixes:
>>> selinux.restorecon('/var/lib', recursive=True)
Traceback (most recent call last):
File "/usr/lib64/python3.5/site-packages/selinux/__init__.py", line 114, in restorecon
status, context = matchpathcon(path, mode)
FileNotFoundError: [Errno 2] No such file or directory
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Fix unitialized variable compiler warnings when using the
"-O3 -Werror" flags on gcc6 by initializing the variables in
question. The variables were never used before being initialized.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
When building libselinux package, "make install" creates /sbin directory
without putting anything in it. Remove this from the Makefile.
While at it, rename USRBINDIR variable USRSBINDIR (with an S) as it
refers to /usr/sbin.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The majority of prototypes don't put a space between the "*" and the
parameter name. i.e. this style is incorrect:
char * foo;
Instead, we want:
char *foo;
Fix a bunch of references that use this uncommon style.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
The section number shouldn't be bolded. Fix a few references in
selinux(8) to match all the other man pages.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Teach audit2why to recognize type bounds failures. This required
updating libsepol sepol_compute_av_reason() to identify bounds
failures, and updating libsepol context_struct_compute_av() to
include the type bounds logic from the kernel.
This could potentially be further augmented to provide more detailed
reporting via the reason buffer to include information similar to
what security_dump_masked_av() reports in the kernel. However, it
is unclear if this is needed. It is already possible to get type
bounds checking at policy build time by enabling expand-check=1
in /etc/selinux/semanage.conf (or by default when compiling
monolithic policy).
Before:
type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
Was caused by:
Unknown - would be allowed by active policy
Possible mismatch between this policy and the one under which the audit message was generated.
Possible mismatch between current in-memory boolean settings vs. permanent ones.
After:
type=AVC msg=audit(1480451925.038:3225): avc: denied { getattr } for pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
Was caused by:
Typebounds violation.
Add an allow rule for the parent type.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When code is compiled within the Android tree, the resulting binaries
are intended to run either on the "host" (the machine doing the
building) or the "target" (the machine running the Android operating
system).
"ANDROID" is defined if the code is being compiled for the host or the
target, whereas "__ANDROID__" is only defined for code being compiled for
the target. (yes, I agree, this is not obvious).
gettid() is only declared in the target environment, not the host
environment, so adjust the #ifdef to properly emit the gettid()
definition for binaries targeting the host.
Signed-off-by: Nick Kralevich <nnk@google.com>
process_line called compat_validate, but never actually looked at the
return value. When an invalid entry is found, a warning is printed, but
since the upper layers of the code don't see the error, validation
appears to succeed.
Steps to reproduce on Android:
1) Edit system/sepolicy/private/file_contexts and create an entry with
an invalid label.
2) Recompile Android, which executes out/host/linux-x86/bin/checkfc to
check if file_contexts is valid.
Expected: Compile failure.
Actual: Compile succeeds with warnings.
Change-Id: I20fa18c7b11b5ffdd243c3274bedc4518431e1fb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Normalize enforce values received from the kernel via
/sys/fs/selinux/enforce or netlink selinux notifications
to ensure that we always return a 0 or 1 to userspace code.
selinux_status_getenforce(), which reads the enforce value
via the SELinux kernel status page (/sys/fs/selinux/status)
already normalizes its result, so we do not need to update it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The Makefiles currently install the Python wrapper libraries using .so
suffix (_selinux.so, audit2why.so and _semanage.so). Even though this
works well with CPython 2 and 3, PyPy fails to find these files because
it is looking for files with a specific version token in the suffix (eg.
_selinux.pypy-41.so).
This suffix is advertised by the imp module. Here is the result of
'import imp;print([s for s, m, t in imp.get_suffixes() if t ==
imp.C_EXTENSION])' for several Python versions:
Python 2.7.12: ['.so', 'module.so']
Python 3.5.2: ['.cpython-35m-x86_64-linux-gnu.so', '.abi3.so', '.so']
PyPy 5.4.1 (Python 2.7.10): ['.pypy-41.so']
PyPy3 5.5.0-alpha0 (Python 3.3.5): ['.pypy3-55.so', '.pypy3-55.so']
Define the name of the installed Python-C extension using the first
extension of these lists, in order to make the Python extensions
compatible with pypy.
When building the Python wrappers for PyPy and PyPy3 on Linux, the
following environment variables need to be set (PyPy does not provide a
pkg-config file nor a platform-agnostic way to build the string
"-lpypy-c"):
PYTHON=pypy (or PYTHON=pypy3)
PYINC=-I$($PYTHON -c 'import sys;print(sys.prefix)')/include
PYLIBS=-lpypy-c (or PYLIBS= if LDFLAGS does not have
-Wl,-no-undefined)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This structure has been empty since its introduction and makes clang
complain when $(filter-out -Werror, $(CFLAGS)) is removed in the
Makefile target for audit2why.lo:
audit2why.c:443:1: error: empty struct has size 0 in C, size 1 in
C++ [-Werror,-Wc++-compat]
struct module_state {
^
1 error generated.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Using SWIG_fail in the Python SWIG wrappers makes the wrapping function
destroy/free the memory which could have been dynamically allocated
before calling the wrapped function. This thus prevents possible memory
leaks in the wrappers of set*con(), set*con_raw(), security_compute_*(),
etc.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
clang does not support -aux-info option. When exception.sh is run with
CC=clang, use gcc to build selinuxswig_python_exception.i and
semanageswig_python_exception.i.
This does not solve the issue of building libselinux and libsemanage
Python wrappers on a system without gcc. However parsing the result of
"gcc -aux-info" is easier than parsing the header files so stay with
this command at least for now.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When linking with -Wl,-no-undefined in LDFLAGS (in order to find
possible link-time errors), the Python wrapper module needs to be
linked with the right libpython.so. This library is found using
pkg-config in a new PYLIBS variable.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When linking with -Wl,-no-undefined in LDFLAGS (in order to find
possible link-time errors), the Ruby wrapper module needs to be linked
with the libruby.so which is used by $(RUBY). Introduce a new RUBYLIBS
variable to find this library.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This makes building libselinux and libsemanage more robust on systems
with several versions of Ruby installed: when building, only RUBY needs
to be set, without wondering about PKG_CONFIG_PATH or other environment
variables.
Using RbConfig::CONFIG["rubyarchhdrdir"] only works with Ruby >= 2.0 but
since previous Ruby versions are retired since 2015-02-23 this should
not have any impact
(https://www.ruby-lang.org/en/news/2015/02/23/support-for-ruby-1-9-3-has-ended/).
While at it, in libsemanage, use RbConfig::CONFIG["vendorarchdir"] to
install the Ruby extension, like commit 1cd80faa53 ("libselinux:
versioned ruby pkg-config and query vendorarchdir properly") did for
libselinux.
My main motivation with this patch is to make the build configuration
easier to define on Travis-CI or other continuous integration platforms.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
commit 16c123f4b1 ("libselinux:
support ANDROID_HOST=1 on Mac") broke the ability to run make
in the src subdirectory of libselinux (because OS and COMPILER
were not defined) and also caused some warning flags that could
be overridden via command-line CFLAGS to be mandatory. Fix it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When compiling libselinux with CC=clang, "make pywrap" reports the
following message:
bash exception.sh > selinuxswig_python_exception.i
clang-3.9: error: no such file or directory: 'temp.aux'
awk: fatal: cannot open file `temp.aux' for reading (No such file or
directory)
This does not make the build fail as exception.sh returns an "OK"
status. Use "bash -e" with this script to make it return an error value.
In order not to keep an empty selinuxswig_python_exception.i file after
a build fails (which would make a second run of "make pywrap" incorrectly
succeed), remove the file when exception.sh fails.
As libsemanage uses the same code to build
semanageswig_python_exception.i, modify its Makefile too.
By the way, on Linux clang does not seem to currently support -aux-info
so it cannot be used to craft selinuxswig_python_exception.i.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The Python wrapper of rpm_execcon() has several flaws:
* An invalid call like selinux.rpm_execcon() triggers a segmentation
fault.
* The size of the buffer which is allocated to copy argv and envp is
too small to hold all the values.
* This allocated memory is leaked if one argument of rpm_execon() is not
a sequence of bytes.
The Ruby wrapper has no such flaws but can not be used as it is because
it misses some glue code to convert argv and envp arguments to char
*const [] values (even though the destructor is present!).
As it is not possible to remove rpm_execcon() without changing
libselinux soname (it would be an ABI break) like b67fefd991
("libselinux: set DISABLE_RPM default to y.") tried to do, disable this
interface locally in the SWIG wrappers.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
With the reverted commit applied, some functions were returning arrays
of bytes instead of python strings under python3 this was causing issues
with string manipulation functions like split().
Swig (checked with 3.0.7) is adding compatibility macros that take care
of the differences between python2 and python3.
This reverts commit 63df0f7ef1.
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
When building with clang, multiple noreturn issues arise,
for instance:
selabel_partial_match.c:11:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]
Fix these.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
As reported by Nicolas Iooss, the clang + linux build seems
broken:
clang-3.9: warning: argument unused during compilation: '-undefined
dynamic_lookup'
/usr/bin/ld: unrecognised option: -install_name
clang-3.9: error: linker command failed with exit code 1 (use -v to
see invocation)
We already have those options set for Darwin, just drop them from the
clang side.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Loop designed for stripping leading "//" was changing
the only pointer referencing block of memory allocated
by "strdup", resulting in "free()" failure. The loop
had no effect because "realpath" is used later on.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1376598
Signed-off-by: vmojzis <vmojzis@redhat.com>
Add clean targets to just clean the python and ruby wrapper objects
Also clean $(SWIGRUBYSO) and $(AUDIT2WHYLOBJ) objects
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
We build booleans.c with DISABLE_BOOL set on Android host
and target. Add that file to the upstream Makefile.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Some systems, like Mac, don't have stdio_ext.h. Since we're
building with DISABLE_BOOL=y on Mac, just include the
header files with the DISABLE define, and use the bare
minimum headers for DISABLE_BOOL=y.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
To build on mac, first build libsepol with
no DESTDIR set.
Secondly, build libselinux with ANDROID_HOST=y
This configuration can be used to test the Android
host build on Mac.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building on mac, one encounters this error:
sefcontext_compile.c:270:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]
To correct this, add the attribute noreturn to the function.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building on mac with ANDROID_HOST=y, clang complains:
sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
CHAR64LONG16* block = (CHAR64LONG16*) workspace;
Rather then casting the bytearray to the CHAR64LONG16 union,
just create a stack workspace of type CHAR64LONG16.
This will prevent alignment issues with the data accesses.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building on Mac, outside of the Android tree, with ANDROID_HOST=y, this warning
is observed:
label.c:102:9: warning: implicit declaration of function 'fgets_unlocked' is invalid in C99 [-Wimplicit-function-declaration]
while (fgets_unlocked(buf, sizeof(buf) - 1, cfg)) {
Fix it by using the fgets_unlocked define that was introduced for Android, just apply it for mac builds
as well.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
The realpath logic in selinux_restorecon() was taken from the
Android libselinux fork. However, bionic dirname() and basename()
do not modify their argument and therefore are safe to call on a
const string. POSIX dirname() and basename() can modify their argument.
There is a GNU basename() that does not modify its argument, but not
for dirname().
For portability, create copies of the original pathname for each call
and keep them around until finished using the result.
Fixes "restorecon -r goes up the tree?" bug reported by Jason Zaman.
Reported-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Gentoo and Arch have pkg-config entries for "ruby-$(RUBYLIBVER)" but not
for "ruby". Check if that exists first then fall back to plain ruby if
it does not.
The ruby install paths were incorrect. Fedora 20 installed to
/usr/lib64/ruby/vendor_ruby/, Arch needs it to be vendor_ruby as well,
site_ruby does not work. Thanks to Nicolas Iooss for the correct way to
query for the path.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Provide stubs to the public boolean API that always returns -1.
On Android, boolean symbols are needed for:
external/ltrace/sysdeps/linux-gnu/trace.c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Android label back ends are now configurable by NO_ANDROID_BACKEND,
which is set if on ANDROID_HOST != y.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
We use the same lookup function for service contexts
that we use for property contexts. However, property
contexts are namespace based and only compare the
prefix. This may lead to service associations with
a wrong label.
This patch introduces a new back end for android
services with a stricter lookup function. Now the
service name must match the key of the service label
exactly.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
Change the default build behavior to always use DISABLE_RPM.
To get the old behavior call make with DISABLE_RPM=n.
eg.)
make DISABLE_RPM=n
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Change EMFLAGS variable, used for setting additional CFLAGS
to DISABLE_FLAGS, to indicate its usage better.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building for Android, this error manifests itself:
label_file.c:570:7: error: unused variable ‘subs_file’ [-Werror=unused-variable]
char subs_file[PATH_MAX + 1];
Fix it by moving the variable into the ifdef'd usage block.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
The "-r" flag of sefcontext_compile now causes it to omit the
precompiled regular expressions from the output.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
Adds the "-i" flag, which prints the version and
architecture identifier of the regular expression back end.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
Serialized precompiled regular expressins are architecture
dependent when using PCRE2. This patch
- bumps the SELINUX_COMPILED_FCONTEXT version to 5 and
- adds a field to the output indicating the architecture
compatibility.
libselinux can cope with an architecture mismatch by
ignoring the precompiled data in the input file and recompiling
the regular expressions at runtime. It can also load older
versions of file_contexts.bin if they where built with
sefcontext_compile using the exact same version of the
pcre1/2 as selinux.
Signed-off-by: Janis Danisevskis <jdanis@android.com>
sefcontext_compile was failing silently on various error paths.
Generate a suitable error message to stderr for each error.
Before:
$ sefcontext_compile /path/to/unwritabledirectory/file_contexts
<no output, although non-zero exit status>
After:
$ sefcontext_compile /path/to/unwritabledirectory/file_contexts
sefcontext_compile: mkstemp /path/to/unwritabledirectory/file_contexts.binNmQJqa failed: Permission denied
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
On Android, certain discrepancies arise for unused functionality or
for dealing with the differences in Bionic libc. This patch includes
all the "ifdef'ing" required and introduces the BUILD_HOST define.
The BUILD_HOST define removes functionality not needed when building
libselinux for the Android build host machine.
Note that not all the libselinux src files are used to build
the host and target libraries on Android.
Change-Id: I7984e7b769c4dfa627d6cf311411fa2c93bb7ef7
Signed-off-by: William Roberts <william.c.roberts@intel.com>
On Android for both the host build, and the target, certain
backends are not needed:
- X Backend
- DB Backend
- Media Backend
Introduce the following defines for removing them from the
built library:
- NO_X_BACKEND
- NO_DB_BACKEND
- NO_MEDIA_BACKEND
When configured with these options and an attempt
is made to use them, selabel_open() will return
ENOTSUP.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
This patch adds a new selinux_restorecon_xattr(3) function to find
and/or remove security.restorecon_last entries added by setfiles(8)
or restorecon(8).
Also review and update the man pages.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
When building libselinux with gcc and many warning flags, the build
fails with the following errors:
selinux_restorecon.c: In function ‘selinux_restorecon’:
selinux_restorecon.c:784:36: error: comparison between signed and
unsigned integer expressions [-Werror=sign-compare]
if (!flags.ignore_digest && size == fc_digest_len &&
^~
selabel_digest.c: In function ‘main’:
selabel_digest.c:162:16: error: comparison between signed and
unsigned integer expressions [-Werror=sign-compare]
for (i = 0; i < digest_len; i++)
^
selabel_digest.c:173:17: error: comparison between signed and
unsigned integer expressions [-Werror=sign-compare]
for (i = 0; i < num_specfiles; i++) {
^
clang reports the precise type information of the variables:
selinux_restorecon.c:784:36: error: comparison of integers of
different signs: 'ssize_t' (aka 'long') and 'size_t' (aka 'unsigned
long') [-Werror,-Wsign-compare]
if (!flags.ignore_digest && size == fc_digest_len &&
~~~~ ^ ~~~~~~~~~~~~~
selabel_digest.c:162:16: error: comparison of integers of different
signs: 'int' and 'size_t' (aka 'unsigned long')
[-Werror,-Wsign-compare]
for (i = 0; i < digest_len; i++)
~ ^ ~~~~~~~~~~
selabel_digest.c:173:17: error: comparison of integers of different
signs: 'int' and 'size_t' (aka 'unsigned long')
[-Werror,-Wsign-compare]
for (i = 0; i < num_specfiles; i++) {
~ ^ ~~~~~~~~~~~~~
Silent the warnings by using size_t where appropriate.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Nothing was being used from the stdio_ext.h header file, so
remove it. Additionally, Mac builds, required for the
Android build, do not have this header.
Change-Id: Ic61c87fcda79ffebeef93a20a2b3802f048bb0b0
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Drop the check for selinux_enabled() on logging. The
caller can silence the logs by setting the logging
callback and discarding the messages.
Change-Id: Ia6769ef7ad8cc2144ad2bb73e5bf7c76ebfe487b
Signed-off-by: William Roberts <william.c.roberts@intel.com>
_D_ALLOC_NAMLEN is not very portable. Currently, the code
mallocs based on _D_ALLOC_NAMLEN() and then strcpy's dirent
d_name into the buffer. Instead, just use strdup.
Change-Id: I5c8ca47da2c593ea2726caba5781f5e9d9d910ae
Signed-off-by: William Roberts <william.c.roberts@intel.com>
The file will initially contain:
run_init=run_init_t
There can not be any spaces around the = since OpenRC's existing config
files and the methods it uses require it.
Signed-off-by: Jason Zaman <jason@perfinion.com>
When the Kernel UAPI header is present, this error occurs:
external/selinux/libselinux/src/policy.h:7:9: warning: 'XATTR_NAME_SELINUX' macro redefined [-Wmacro-redefined]
\#define XATTR_NAME_SELINUX "security.selinux"
^
bionic/libc/kernel/uapi/linux/xattr.h:52:9: note: previous definition is here
\#define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
Just use the kernel UAPI version on that case.
Change-Id: I1b2d34e463477adaec227ac8c3364f1b9d49e997
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Hide or remove symbols that should not be public.
All uses of obj_class_compat were removed by
commit 76913d8adb
("Deprecate use of flask.h and av_permissions.h")
and it never should have been public regardless,
so remove it.
myprintf is used by matchpathcon internally but should
not be public, so hide it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
patch 5e15a52aaa cleans up the process_file() routine,
but introduced a bug. If the binary file cannot be
opened, always attempt to fall back to the textual file,
this was not occurring.
The logic should be:
1. Open the newest file between base path + suffix and
base_path + suffix + ".bin"
2. If anything fails, attempt to load the oldest file.
The result, with a concrete example, would be:
If file_contexts is the newest file, and it cannot be
processed, the code will fall back to file_contexts.bin
and vice versa.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
This patch moves all pcre1/2 dependencies into the new files regex.h
and regex.c implementing the common denominator of features needed
by libselinux. The compiler flag -DUSE_PCRE2 toggles between the
used implementations.
As of this patch libselinux supports either pcre or pcre2 but not
both at the same time. The persistently stored file contexts
information differs. This means libselinux can only load file
context files generated by sefcontext_compile build with the
same pcre variant.
Also, for pcre2 the persistent format is architecture dependent.
Stored precompiled regular expressions can only be used on the
same architecture they were generated on. If pcre2 is used,
sefcontext_compile now respects the "-r". This flag makes
sefcontext_compile include the precompiled regular expressions
in the output file. The default is to omit them, so that the
output remains portable at the cost of having to recompile
the regular expressions at load time, or rather on first use.
Signed-off-by: Janis Danisevskis <jdanis@google.com>
The current process_file() code will open the file
twice on the case of a binary file, correct this.
The general flow through process_file() was a bit
difficult to read, streamline the routine to be
more readable.
Detailed statistics of before and after:
Source lines of code reported by cloc on modified files:
before: 735
after: 742
Object size difference:
before: 195530 bytes
after: 195485 bytes
Signed-off-by: William Roberts <william.c.roberts@intel.com>
pcre_study() can return a NULL result if no additional information
could be determined for the pattern. Thus, sefcontext_compile
needs to correctly handle the case where the study data is NULL
when generating file_contexts.bin, and libselinux needs to correctly
handle it when loading file_contexts.bin. Fix them both.
This change enables:
semanage fcontext -a -t httpd_exec_t "(/.*)?"
to succeed, since the regex itself is valid but there is no
additional information produced by pcre_study().
Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add additional error handling, flags, xdev handling, alt_rootpath and
add/remove non-seclabel fs's to support setfiles(8), restorecon(8)
and restorecond(8) functionality.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
This patch adds inode evaluation services from policycoreutiles/setfiles
to selinux_restorecon.c
The overall objective is to modify restorecon(8) and setfiles(8)
to use selinux_restorecon(3) services.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
