The combining logic for dontaudit rules was wrong, causing
a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p;
rule.
Reported-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The sepol_{bool|iface|user}_key_create() functions were not
copying the name. This produces a use-after-free in the
swig-generated code for python3 bindings. Copy the name
in these functions, and free it upon sepol_{bool|iface|user}_key_free().
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When compiling libselinux with CC=clang, "make pywrap" reports the
following message:
bash exception.sh > selinuxswig_python_exception.i
clang-3.9: error: no such file or directory: 'temp.aux'
awk: fatal: cannot open file `temp.aux' for reading (No such file or
directory)
This does not make the build fail as exception.sh returns an "OK"
status. Use "bash -e" with this script to make it return an error value.
In order not to keep an empty selinuxswig_python_exception.i file after
a build fails (which would make a second run of "make pywrap" incorrectly
succeed), remove the file when exception.sh fails.
As libsemanage uses the same code to build
semanageswig_python_exception.i, modify its Makefile too.
By the way, on Linux clang does not seem to currently support -aux-info
so it cannot be used to craft selinuxswig_python_exception.i.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The Python wrapper is already removed in the clean target (with
$(SWIGSO)) so remove the Ruby wrapper too.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The Python wrapper of rpm_execcon() has several flaws:
* An invalid call like selinux.rpm_execcon() triggers a segmentation
fault.
* The size of the buffer which is allocated to copy argv and envp is
too small to hold all the values.
* This allocated memory is leaked if one argument of rpm_execon() is not
a sequence of bytes.
The Ruby wrapper has no such flaws but can not be used as it is because
it misses some glue code to convert argv and envp arguments to char
*const [] values (even though the destructor is present!).
As it is not possible to remove rpm_execcon() without changing
libselinux soname (it would be an ABI break) like b67fefd991
("libselinux: set DISABLE_RPM default to y.") tried to do, disable this
interface locally in the SWIG wrappers.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
With the reverted commit applied, some functions were returning arrays
of bytes instead of python strings under python3 this was causing issues
with string manipulation functions like split().
Swig (checked with 3.0.7) is adding compatibility macros that take care
of the differences between python2 and python3.
This reverts commit 63df0f7ef1.
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
Nicholas Iooss discovered that using an unknown permission with a
map class will cause a segfault.
CIL will only give a warning when it fails to resolve an unknown
permission to support the use of policy module packages that use
permissions that don't exit on the current system. When resolving
the unknown map class permission an empty list is used to represent
the unknown permission. When it is evaluated later the list is
assumed to be a permission and a segfault occurs.
There is no reason to allow unknown class map permissions because
the class maps and permissions are defined by the policy.
Exit with an error when failing to resolve a class map permission.
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Building with CC=clang, we get the following errors:
semanage_store.c:2177:20: error: implicit conversion from enumeration type 'enum semanage_final_defs' to different enumeration type 'enum semanage_store_defs' [-Werror,-Wenum-conversion]
semanage_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
~~~~~~~~~~~~~ ^~~~~~~~~~~~~~~~~~
semanage_store.c:2177:40: error: implicit conversion from enumeration type 'enum semanage_final_path_defs' to different enumeration type 'enum semanage_sandbox_defs' [-Werror,-Wenum-conversion]
semanage_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
~~~~~~~~~~~~~ ^~~~~~~~~~~~~~~
This is an actual bug; semanage_verify_kernel() was never updated to
use semanage_final_path() when the rest were converted. Fix it.
This pathname is only used if a kernel policy verifier is specified
in semanage.conf, so this is not used by default.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When building with clang, multiple noreturn issues arise,
for instance:
selabel_partial_match.c:11:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]
Fix these.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
As reported by Nicolas Iooss, the clang + linux build seems
broken:
clang-3.9: warning: argument unused during compilation: '-undefined
dynamic_lookup'
/usr/bin/ld: unrecognised option: -install_name
clang-3.9: error: linker command failed with exit code 1 (use -v to
see invocation)
We already have those options set for Darwin, just drop them from the
clang side.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
The blank default symver fails to compile with ld.gold. This updates the
symver from blank to LIBSEPOL_1.0. The dynamic linker will first look
for the symbol with the explicit version specified. If there is none, it
will pick the first listed symbol so there is no breakage.
This also matches how symvers are defined in libsemanage.
Signed-off-by: Jason Zaman <jason@perfinion.com>
When running sepolgen tests on a Linux 4.7 kernel, one test fails with
the following message:
/usr/bin/semodule_package: Failed to mmap
tmp/module_compile_test.mod.fc: Invalid argument
The .fc file is empty, which is why it cannot be used with mmap().
Anyway the current code supports empty files (with if() conditions in
main()) so do not try to mmap an empty file in file_to_data().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On Ubuntu some header files are located in /usr/lib/x86_64-linux-gnu/,
not /usr/lib64/:
$ pkg-config --cflags dbus-glib-1
-I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include
-I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include
Use pkg-config instead of hard-coded paths to find glib and dbus-glib
headers and libraries.
This is needed in order to use environments provided for example by
https://travis-ci.org/.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Loop designed for stripping leading "//" was changing
the only pointer referencing block of memory allocated
by "strdup", resulting in "free()" failure. The loop
had no effect because "realpath" is used later on.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1376598
Signed-off-by: vmojzis <vmojzis@redhat.com>
Add clean targets to just clean the python and ruby wrapper objects
Also clean $(SWIGRUBYSO) and $(AUDIT2WHYLOBJ) objects
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
Return column definitions to portsPage (gui fails to load otherwise).
fcontextPage:
"ftype" dropdown was filled from 2 sources (system-config-selinux.glade
and fcontextPage - from seobject module) which resulted in duplicate
and invalid options. When given to "semanage fcontext -f", ftype has to be
converted to 1 letter argument mode.
TreeView.get_selection().get_selected() can return "None" if no item is selected
(the list can be empty). Test if correct iterator was acquired.
Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1344842
Signed-off-by: vmojzis <vmojzis@redhat.com>
cil_strpool currently provides an interface to a statically stored
global data structure. This interface does not accomodate multiple
consumers, however, as two calls to cil_strpool_init() will lead to a
memory leak and a call to cil_strpool_destroy() by one consumer will
remove data from use by others, and subsequently lead to a segfault on
the next cil_strpool_destroy() invocation.
Add a reference counter so that the strpool is only initialized once and
protect the exported interface with a mutex.
Tested by calling cil_db_init() on two cil_dbs and then calling
cil_db_destroy() on each.
Signed-off-by: Daniel Cashman <dcashman@android.com>
Nicolas Iooss found while fuzzing secilc with AFL that using an attribute
as a child in a typebounds statement will cause a segfault.
This happens because the child datum is assumed to be part of a cil_type
struct when it is really part of a cil_typeattribute struct. The check to
verify that it is a type and not an attribute comes after it is used.
This bug effects user and role bounds as well because they do not check
whether a datum refers to an attribute or not.
Add checks to verify that neither the child nor the parent datum refer
to an attribute before using them in user, role, and type bounds.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(sensitivityaliasactual SENS SENS)" will cause a segfault.
The segfault occurs because when the aliasactual is resolved the first
identifier is assumed to refer to an alias structure, but it is not.
Add a check to verify that the datum retrieved is actually an alias
and exit with an error if it is not.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(class C (()))" will cause a segfault.
CIL expects a list of permissions in the class declaration and "(())"
is a valid list. Each item of the list is expected to be an identifier
and as the list is processed each item is checked to see if it is a
list. An error is given if it is a list, otherwise the item is assumed
to be an identifier. Unfortunately, the check only works if the list
is not empty. In this case, the item passes the check and is assumed
to be an identifier and a NULL is passed as the string for name
verification. If name verification assumes that a non-NULL value will
be passed in, a segfault will occur.
Add a check for an empty list when processing a permission list and
improve the error handling for permissions when building the AST.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(class C (()))" will cause a segfault.
When CIL checks the syntax of the class statement it sees "(())" as a
valid permission list, but since "()" is not an identifier a NULL is
passed as the string for name verification. A segfault occurs because
name verification assumes that the string being checked is non-NULL.
Check if identifier is NULL when verifying name.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(classpermissionset CPERM (CLASS (and unknow PERM)))" will cause a
segfault.
In order to support a policy module package using a permission that
does not exist on the system it is loaded on, CIL will only give a
warning when it fails to resolve an unknown permission. CIL itself will
just ignore the unknown permission. This means that an expression like
"(and UNKNOWN p1)" will look like "(and p1)" to CIL, but, since syntax
checking has already been done, CIL won't know that the expression is not
well-formed. When the expression is evaluated a segfault will occur
because all expressions are assumed to be well-formed at evaluation time.
Use an empty list to represent an unknown permission so that expressions
will continue to be well-formed and expression evaluation will work but
the unknown permission will still be ignored.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Nicolas Iooss found while fuzzing secilc with AFL that the following
policy will cause a segfault.
(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivity s0)
(sensitivitycategory s0 (not (all)))
The expression "(not (all))" is evaluated as containing no categories.
There is a check for the resulting empty list and the category datum
expression is set to NULL. The segfault occurs because the datum
expression is assumed to be non-NULL after evaluation.
Assign the list to the datum expression even if it is empty.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Nicolas Iooss found while fuzzing secilc with AFL that the following
policy will cause a segfault.
(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivity s0)
(sensitivitycategory s0 (range c1 c0))
The category range "(range c1 c0)" is invalid because c1 comes after c0
in order.
The invalid range is evaluated as containing no categories. There is a
check for the resulting empty list and the category datum expression is
set to NULL. The segfault occurs because the datum expression is assumed
to be non-NULL after evaluation.
Add a check for an invalid range when evaluating category ranges.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
We build booleans.c with DISABLE_BOOL set on Android host
and target. Add that file to the upstream Makefile.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Some systems, like Mac, don't have stdio_ext.h. Since we're
building with DISABLE_BOOL=y on Mac, just include the
header files with the DISABLE define, and use the bare
minimum headers for DISABLE_BOOL=y.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
