If you add some local file contexts via semanage fcontext -a and
later delete them all via semanage fcontext -D, you get an empty
file_contexts.local file. Then when you try to load it, getline()
returns 0 and we fall through to the out path without having set rc.
In label_file.c, rc will always be non-zero at this point because
we will have failed the load_mmap() call. In sefcontext_compile,
rc may contain random garbage at this point. Explicitly set rc
before the loop.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Update file contexts generation and loading to use common code.
Remove "status = 0; after "status = sort_specs(data);" otherwise
the function will never indicate a failure.
The file labeling code also has minor formatting, white space
removal etc. changes.
label_file.c - Move process_line function to label_file.h
sefcontext_compile.c - Update to use common process_line code. Now frees
all malloc'ed memory, checked by valgrind. Also added optional -o output
file parameter - updated man page to reflect this change.
V2 - Revert to using compat_validate instead of selabel_validate.
V3 - Revert to using callback for validation now the problem has been
fixed by commit e889148494
("libselinux: build sefcontext_compile with static libselinux")
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
sefcontext_compile depends on libselinux internals, so it might
as well use static libselinux. Hide read_spec_entries as this is not
intended as a public interface for shared library users.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Fix memory issues flagged by valgrind.
These changes bring the property service in line with Android [1]
V2 reverts to original upstream %u when logging errors. Android needs
these corrections also.
[1] https://android-review.googlesource.com/#/c/153580/
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
When Eamon created label_file.c, he drew code from the setfiles program,
which I originally wrote. At the time, setfiles had a comment
about being derived in part from the setfiles.pl script written by SCC, so
Eamon put a comment in label_file.c that tried to preserve that lineage.
However, there was no real code lineage there. The setfiles program
was inspired by the setfiles.pl perl script, but the implementation was
a complete rewrite. And while label_file.c drew some data structures and
code from the setfiles C program, it had nothing to do with the setfiles.pl
script at all. Just drop the comment; it serves no purpose.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Currently sscanf is used with %ms parameters that are not supported
on all platforms. The new read_spec_entries function may be used
to replace these where required. This patch updates
sefcontext_compile, label_file and label_android_property services
to use the new function.
The file and property services have been tested on Android emulator
and the file service on Fedora 21.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Currently sefcontext_compile defines the mode field as mode_t whose
size will vary depending on the architecture (e.g. 32 bit / 64 bit).
This patch sets the size when writing/reading binary files to
uint32_t. The file version is set to SELINUX_COMPILED_FCONTEXT_MODE
V2 fixes those listed in http://marc.info/?l=selinux&m=143273965514292&w=2
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
The reading of bin files has been changed to follow that of loading
policy to catch over-runs. Entries that should be NUL terminated are
also checked. If any error, then process the text file. This should
fix all problems highlighted in [1] with V2 fixing those in [2].
V3 corrects int32_t/uint32_t for *_len entries and V4 fixes [3]
and adds pcre_fullinfo checks to validate regex and study data
sizes. pcre_fullinfo also validates its magic number.
Tested with bin files built using sefcontext_compile PCRE_VERS 1 and 2.
The following is a rough guide to the difference in processing a bin
file against a text file:
6K entries - x5
4K entries - x4
1K entries - x3
500 entries - x2
[1] http://marc.info/?l=selinux&m=143101983922281&w=2
[2] http://marc.info/?l=selinux&m=143161763905159&w=2
[3] http://marc.info/?l=selinux&m=143204170705586&w=2
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
openssh in Fedora uses "sshd_net_t" type for privilege separated
processes in the preauthentication phase. Similarly, openssh portable uses
"sftp_t" for internal-sftp processes. Both type are hardcoded what is not ideal.
Therefore selinux_openssh_contexts_path() was created to get a path where sshd
can get a correct types prepared by a distribution or an administrator.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
As mcstransd is not installed/running by default, we should not impose
the overhead of trying to connect to it on each operation that takes or
returns a security context string. Test for the existence of the socket
file on first use, and if the socket file does not exist, then skip the
processing on all subsequent calls.
Previously we had a similar attempt at optimization by checking
whether MLS was enabled, but since the kernel MLS support is enabled
even for -mcs and mcstransd is no longer installed/running by default,
this is not a useful optimization. Just replace it with the new test.
Compare strace ls -Z /usr/bin |& grep .setrans-unix before and after
this patch to get a sense of the impact.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Ensure that the array of strings is NULL terminated to stop core
dumps. Also cleaned up code.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
To avoid regressions such as the one reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=1219045
add a test for /etc/selinux/config to is_selinux_enabled().
This ensures that systems that do not install selinux-policy
will continue to return 0 from is_selinux_enabled().
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As discussed in https://bugzilla.redhat.com/show_bug.cgi?id=1219718,
there are several inconsistencies between the matchpathcon man page
and the implementation. The same is true of the SELABEL_OPT_SUBSET
option for the selabel_file backend. Fix the man pages for both.
Also note in the man pages that the entire matchpathcon family
of functions is deprecated and recommend use of the corresponding
selabel interfaces for new code.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Check buffer address limits when processing *.bin files
to catch any over-runs. On failure process text file instead.
To test, the bin files were corrupted by adding and removing
various bits of data. Various file sizes were also checked and
all were caught by the patch.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Add support for new API functions selabel_partial_match and
selabel_lookup_best_match ported from the Android libselinux
fork.
Add supporting man(3) pages and test utilities: selabel_lookup,
selabel_lookup_best_match and selabel_partial_match.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
os.path.walk() function is deprecated and has been removed in Python 3
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Steve Lawrence <slawrence@tresys.com>
SELinux can be disabled via the selinux=0 kernel parameter or via
/sys/fs/selinux/disable (triggered by setting SELINUX=disabled in
/etc/selinux/config). In either case, selinuxfs will be unmounted
and unregistered and therefore it is sufficient to check for the
selinuxfs mount. We do not need to check for no-policy-loaded and
treat that as SELinux-disabled anymore; that is a relic of Fedora Core 2
days. Drop the no-policy-loaded test, which was a bit of a hack anyway
(checking whether getcon_raw() returned "kernel" as that can only happen
if no policy is yet loaded and therefore security_sid_to_context() only
has the initial SID name available to return as the context).
May possibly fix https://bugzilla.redhat.com/show_bug.cgi?id=1195074
by virtue of removing the call to getcon_raw() and therefore avoiding
use of tls on is_selinux_enabled() calls. Regardless, it will make
is_selinux_enabled() faster and simpler.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The mudflap run time checker was removed in GCC 4.9. The
option no longer does anything and triggers a warning from gcc 4.9
and later. Remove it. We might want to add -fsanitize=address
to enable AddressSanitizer in its place, but that should be a separate
change.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In the case where the SELinux security module is not loaded in the
kernel and it's early enough in the boot process that /proc has not yet
been mounted, selinuxfs_exists() will incorrectly return 1, and
selinux_init_load_policy() will print a message like this to the
console:
Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory
To fix this, mount the procfs before attempting to open
/proc/filesystems, and unmount it when done if it was initially not
mounted. This is the same thing that selinux_init_load_policy() does
when reading /proc/cmdline.
Signed-off-by: Ben Shelton <ben.shelton@ni.com>
Fixes two types of errors which appear when building with gcc-5.0.0
- format ‘%d’ expects argument of type ‘int’, but argument X has type ‘unsigned int’
- format ‘%a’ expects argument of type ‘float *’, but argument X has type ‘char **’
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
restorecon on file names with newlines are not handled properly.
Use PCRE_DOTALL so that dots in regular expressions match all
characters, and don't exclude the newline character.
See https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02001.html
for background.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
restorecon on file names with newlines are not handled properly.
Use PCRE_DOTALL so that dots in regular expressions match all
characters, and don't exclude the newline character.
See https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02001.html
for background.
Change-Id: I0dde8f2567305f746d19ebd75a9e2add7406eb9a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The man page description for setcon() was never updated for the
introduction of bounded transitions in Linux 2.6.28. Update it.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
If SELinux is disabled, then selinux_current_policy_path() returns NULL.
At present, if you run audit2allow on a SELinux-disabled host without
the -p option, you get:
unable to open (null): Bad address
We haven't seen this because most people running audit2allow are doing
it on SELinux-enabled hosts and using the host policy. But for Android,
the build host OS often has SELinux disabled and we need to pass audit2allow
the path to the Android policy. Handle this case and provide a hint to
the user.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Per the man page, pcre_study can return NULL without error if
it could not find any additional information. Errors are indicated
by the combination of a NULL return value and a non-NULL error string.
Fix the handling so that we do not incorrectly reject file_contexts
entries.
Change-Id: I2e7b7e01d85d96dd7fe78545d3ee3834281c4eba
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Allow the android property backend parser to accept the
SELABEL_OPT_VALIDATE option and to perform a validate
callback.
Extracted from the Android external/libselinux tree.
Change-Id: If061502c5e2489a1155798fac1d8357dbb8d13ba
Signed-off-by: Robert Craig <rpcraig@tycho.ncsc.mil>
Move the SELinux enabled check to the once handler so that we do
not perform this on each call to selinux_check_access(). Reduces
overhead in both the SELinux-enabled and the SELinux-disabled cases.
Extracted from the Android external/libselinux tree.
Change-Id: I61fe85bc04fe53cbf840ba712c81bdb06e4e0c2f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
