Do not write class definitions for classes without any permission and
any inherited common class. The classes are already declared in
write_class_decl_rules_to_conf(). Skipping those empty definitions,
which are equal to the corresponding class declarations, will enable to
parse the generated policy conf file with checkpolicy, as checkpolicy
does not accept class declarations after initial sid declarations.
This will enable simple round-trip tests with checkpolicy.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Found by codespell(1) and typos[1].
[1]: https://github.com/crate-ci/typos
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The kernel does not support type attributes as source or target in type
av rules (type_transition, type_member, type_change)[1]. Such rules
should have been expanded[2].
[1]: abe3c63144/security/selinux/ss/services.c (L1843)
[2]: 0a8c177dac/libsepol/src/expand.c (L1981)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In load_checks(), add return check for malloc() to avoid NULL reference.
Signed-off-by: Jie Lu <lujie54@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
When installing to a destdir with pip install --prefix= --root=, pip tries to
uninstall the existing root-owned package and fails
Fixes:
python3 -m pip install --prefix=/usr `test -n "/tmp/selinux-release//build-master" && echo --root /tmp/selinux-release//build-master` .
Processing /tmp/selinux-release/selinux-master/python/sepolicy
Preparing metadata (setup.py) ... done
Building wheels for collected packages: sepolicy
Building wheel for sepolicy (setup.py) ... done
Created wheel for sepolicy: filename=sepolicy-3.4-py3-none-any.whl size=1663564 sha256=229546db123e7d84613d190d49c192291b1a4f7f2a037657b39283b04ac391a4
Stored in directory: /tmp/pip-ephem-wheel-cache-50r2x4cn/wheels/b2/9e/63/6a6212a84d65a709923228719d065ed34e66a90c7fed01e8cf
Successfully built sepolicy
Installing collected packages: sepolicy
Attempting uninstall: sepolicy
Found existing installation: sepolicy 3.4
Uninstalling sepolicy-3.4:
ERROR: Could not install packages due to an OSError: [Errno 13] Permission denied: 'generate.py'
Consider using the `--user` option or check the permissions.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
When the python bindings are installed to a destdir with pip install
--prefix= --root=, pip tries to uninstall the existing root-owned
package and fails
Fixes:
running build_ext
python3 -m pip install --prefix=/usr `test -n "/tmp/selinux-release//build-master" && echo --root /tmp/selinux-release//build-master` .
Processing /tmp/selinux-release/selinux-master/libselinux/src
Preparing metadata (setup.py) ... done
Building wheels for collected packages: selinux
Building wheel for selinux (setup.py) ... done
Created wheel for selinux: filename=selinux-3.4-cp310-cp310-linux_x86_64.whl size=725511 sha256=b35e9cdb2a6efce389eeece45446826b4ac6b41f81fdc128893f947036f27e8e
Stored in directory: /tmp/pip-ephem-wheel-cache-kemjh99e/wheels/ca/2d/1e/d1ab52426d9add92931471cfa0d2558bcbeed89084af2388c9
Successfully built selinux
Installing collected packages: selinux
Attempting uninstall: selinux
Found existing installation: selinux 3.4
Uninstalling selinux-3.4:
ERROR: Could not install packages due to an OSError: [Errno 13] Permission denied: '__init__.cpython-310.pyc'
Consider using the `--user` option or check the permissions.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Fixes:
/usr/lib/python3.11/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Since commit 7494bb1298 ("sepolicy: generate man pages in parallel")
man pages are generated in parallel and there's a race between
os.path.exists() and os.makedirs().
The check os.path.exists() is not necessary when os.makedirs() is called
with exist_ok=True.
Fixes:
/usr/bin/sepolicy manpage -a -p /__w/usr/share/man/man8/ -w -r /__w/
FileExistsError: [Errno 17] File exists: '/__w/usr/share/man/man8/'
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Commit c08cf24f39 ("python: Remove dependency on the Python module
distutils") replace usage of distutils.sysconfig by sysconfig but it was
forgotten on the fact that the later provide a different api.
Fixes:
self.code_path = sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/"
^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'sysconfig' has no attribute 'get_python_lib'
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add return check for regex_data_create() to avoid NULL reference of regex_data
(gdb) bt
#0 0x00007fbde5caec14 in pthread_mutex_init () from /usr/lib64/libc.so.6
#1 0x00007fbde5e3a489 in regex_data_create () at regex.c:260
#2 0x00007fbde5e3a4af in regex_prepare_data (regex=regex@entry=0x7fbde4613770, pattern_string=pattern_string@entry=0x563c6799a820 "^/home$", errordata=errordata@entry=0x7ffeb83fa950) at regex.c:76
#3 0x00007fbde5e32fe6 in compile_regex (errbuf=0x0, spec=0x7fbde4613748) at label_file.h:407
#4 lookup_all (key=0x563c679974e5 "/var/log/kadmind.log", type=<optimized out>, partial=partial@entry=false, match_count=match_count@entry=0x0, rec=<optimized out>, rec=<optimized out>)
at label_file.c:949
#5 0x00007fbde5e33350 in lookup (rec=<optimized out>, key=<optimized out>, type=<optimized out>) at label_file.c:1092
#6 0x00007fbde5e31878 in selabel_lookup_common (rec=0x563c67998cc0, translating=1, key=<optimized out>, type=<optimized out>) at label.c:167
Signed-off-by: Jie Lu <lujie54@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
Fixes:
/usr/lib/python3.11/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
1. check the return of strdup to avoid a potential NULL reference.
2. make sure line_buf is freed.
Signed-off-by: Jie Lu <lujie54@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
Bionic provides its own version of strlcpy. Ignore the re-definition
from SELinux for devices.
Bug: 260539369
Test: lunch sdk && m sdk
Change-Id: Icb9d8678c29562ab7b73d7a0f14a233fd71dfefd
- Reference renamed file: COPYING -> LICENSE in Android.bp
- Fix constext_str calls now returning const char *
- Comment out cil_write_src_info_node which is not used on Android
- Include new selinux_internal.c source file
Bug: 253327909
Test: build and boot on bramble
Test: sediff between current and new policy; no change
Change-Id: I506479befb3c0b99136cd842b2a77a6a8bea18ed
`fixfiles -M relabel` temporary bind mounts file systems before
relabeling, but it left the / directory mounted in /tmp/tmp.XXXX when a
user hit CTRL-C. It means that if the user run `fixfiles -M relabel`
again and answered Y to clean out /tmp directory, it would remove all
data from mounted fs.
This patch changes the location where `fixfiles` mounts fs to /run, uses
private mount namespace via unshare and adds a handler for exit signals
which tries to umount fs mounted by `fixfiles`.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2125355
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Tested-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
distro module uses /etc/os-release file which contains operating system
identification data, see os-release(5). Given that the mechanism doesn't
use `rpm` it should be possible to generate man pages on other
distributions.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Commit 7494bb1298 ("sepolicy: generate man pages in parallel")
improved sepolicy performance but broke `sepolicy manpage -w ...` as it
didn't collect data about domains and roles from ManPage() and so
HTMLManPages() generated only empty page. This is fixed now, domains
and roles are being collected and used for HTML pages.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Boolean names, taken by security_get_boolean_pending(3),
security_get_boolean_active(3) and security_set_boolean(3), as well as
user names, taken by security_get_initial_context(3), are used in path
constructions. Ensure they do not contain path separators to avoid
unwanted path traversal.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Bail out if computed paths based on user input are being truncated, to
avoid wrong files to be opened.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Using strndup(3) instead of malloc(3) followed by strncpy(3) simplifies
the code and pleases GCC:
In file included from /usr/include/string.h:535,
from context.c:2:
In function ‘strncpy’,
inlined from ‘context_new’ at context.c:74:3:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:95:10: error: ‘__builtin_strncpy’ destination unchanged after copying no bytes [-Werror=stringop-truncation]
95 | return __builtin___strncpy_chk (__dest, __src, __len,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
96 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add tests for neverallow assertion checks.
This creates a foundation for the status quo, and enables to spot
regressions in future changes to the - quite complex - assertion logic.
One example is the support for not-self rules.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use the more strict C compiler warnings from the root Makefile.
Also fail on warnings from the m4 macro processor.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The internal variable avc_netlink_trouble is only assigned but never
read from.
Unused since the initial commit 13cd4c8960 ("initial import from svn
trunk revision 2950").
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use strdup(3) instead of allocating memory and then manually copying the
content.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use strdup(3) instead of allocating memory and then manually copying the
content.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Use strdup(3)/strndup(3) instead of allocating memory and then manually
copying the content.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
selinux_check_access relies on string_to_security_class to resolve the
class index from its char* argument. There is no input validation done
on the string provided. It is possible to supply an argument containing
trailing backslashes (i.e., "sock_file//////") so that the paths built
in discover_class get truncated. The processing will then reference the
same permission file multiple time (e.g., perms/watch_reads will be
truncated to perms/watch). This will leak the memory allocated when
strdup'ing the permission name. The discover_class_cache will end up in
an invalid state (but not corrupted).
Ensure that the class provided does not contain any path separator.
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Acked-by: James Carter <jwcart2@gmail.com>
Currently "-i" only ignores a file whose parent directory exists. Start also
ignoring paths with missing components.
Fixes:
# restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
255
restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
