Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(class C (()))" will cause a segfault.
CIL expects a list of permissions in the class declaration and "(())"
is a valid list. Each item of the list is expected to be an identifier
and as the list is processed each item is checked to see if it is a
list. An error is given if it is a list, otherwise the item is assumed
to be an identifier. Unfortunately, the check only works if the list
is not empty. In this case, the item passes the check and is assumed
to be an identifier and a NULL is passed as the string for name
verification. If name verification assumes that a non-NULL value will
be passed in, a segfault will occur.
Add a check for an empty list when processing a permission list and
improve the error handling for permissions when building the AST.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(class C (()))" will cause a segfault.
When CIL checks the syntax of the class statement it sees "(())" as a
valid permission list, but since "()" is not an identifier a NULL is
passed as the string for name verification. A segfault occurs because
name verification assumes that the string being checked is non-NULL.
Check if identifier is NULL when verifying name.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
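The two fixes above, the empty-list check in the permission list walk and the NULL guard in name verification, as an added C example (not secilc's own code). The node layout, the error codes and the `check_perm_list()`/`verify_name()` names are assumptions made for the illustration; the input is the constructed list "(())" from the report:

```c
#include <stddef.h>
#include <string.h>

/* Minimal parse-tree node, modelled loosely on an s-expression parser
 * (assumed shape, not CIL's own struct): a leaf carries a string in
 * `data`; a list carries its items in `child`; the empty list "()" has
 * both fields NULL, which is what the original check missed. */
struct node {
	const char *data;
	struct node *child;
	struct node *next;
};

enum { OK = 0, ERR_SYNTAX = 1, ERR_NAME = 2 };

/* Buggy check: "is this item a list?" tested only via child != NULL,
 * so the empty list slips through as if it were an identifier. */
int is_list_buggy(const struct node *item)
{
	return item->child != NULL;
}

/* Fixed check: anything without a string is not an identifier, which
 * covers the empty list as well as non-empty ones. */
int is_list_fixed(const struct node *item)
{
	return item->data == NULL;
}

/* Name verification hardened to refuse NULL instead of dereferencing it. */
int verify_name(const char *name)
{
	if (name == NULL)
		return ERR_NAME;
	if (name[0] == '\0' || strchr(name, '(') || strchr(name, ')'))
		return ERR_NAME;
	return OK;
}

/* Walk a permission list with the given list check; returns OK or the
 * first error found. */
int check_perm_list(const struct node *list,
		    int (*is_list)(const struct node *))
{
	for (const struct node *item = list; item; item = item->next) {
		if (is_list(item))
			return ERR_SYNTAX;
		if (verify_name(item->data) != OK)
			return ERR_NAME;
	}
	return OK;
}

/* Constructed input "(())": one item that is an empty list. With the old
 * list check it reaches verify_name() as NULL; the NULL guard turns what
 * was a segfault into an error. */
int check_empty_item_buggy(void)
{
	struct node empty = { NULL, NULL, NULL };
	return check_perm_list(&empty, is_list_buggy);
}

/* Same input with the fixed list check: rejected as a syntax error. */
int check_empty_item_fixed(void)
{
	struct node empty = { NULL, NULL, NULL };
	return check_perm_list(&empty, is_list_fixed);
}

/* A well-formed list "(read write)". */
int check_good_list(void)
{
	struct node write = { "write", NULL, NULL };
	struct node read = { "read", NULL, &write };
	return check_perm_list(&read, is_list_fixed);
}
```

The two fixes are complementary: the syntax-level check gives the precise error, while the NULL guard in `verify_name()` keeps any other path that forgets the check from crashing.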
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(classpermissionset CPERM (CLASS (and unknow PERM)))" will cause a
segfault.
In order to support a policy module package using a permission that
does not exist on the system it is loaded on, CIL will only give a
warning when it fails to resolve an unknown permission. CIL itself will
just ignore the unknown permission. This means that an expression like
"(and UNKNOWN p1)" will look like "(and p1)" to CIL, but, since syntax
checking has already been done, CIL won't know that the expression is not
well-formed. When the expression is evaluated a segfault will occur
because all expressions are assumed to be well-formed at evaluation time.
Use an empty list to represent an unknown permission so that expressions
will continue to be well-formed and expression evaluation will work but
the unknown permission will still be ignored.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
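The well-formedness problem described above, as an added C example that is not CIL's code: a tiny permission-set expression evaluator over bitmasks, with one resolver that drops an unknown permission (leaving "(and p1)" with a missing operand) and one that substitutes an empty set. The node shape, the permission table and the function names are assumptions made for the illustration:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Expression node (assumed shape, not CIL's own): a leaf holds a bitmask
 * of resolved permissions; an operator node holds its two operands, a
 * NULL operand meaning "nothing there". */
enum op { LEAF, OP_AND, OP_OR };
struct expr {
	enum op op;
	uint32_t perms;
	const struct expr *a, *b;
};

#define PERM_P1 0x1u
#define PERM_P2 0x2u

/* Constructed permission table for one class; 0 means "unknown". */
static uint32_t lookup_perm(const char *name)
{
	if (strcmp(name, "p1") == 0)
		return PERM_P1;
	if (strcmp(name, "p2") == 0)
		return PERM_P2;
	return 0;
}

/* Before the fix: an unknown operand is dropped, so "(and UNKNOWN p1)"
 * becomes "(and p1)", which the evaluator was never written to handle. */
static const struct expr *resolve_dropping(const char *name, struct expr *leaf)
{
	uint32_t p = lookup_perm(name);
	if (p == 0)
		return NULL;
	leaf->op = LEAF; leaf->perms = p; leaf->a = leaf->b = NULL;
	return leaf;
}

/* After the fix: an unknown operand becomes an empty set, so the operator
 * keeps both operands and the unknown name still contributes nothing. */
static const struct expr *resolve_empty(const char *name, struct expr *leaf)
{
	leaf->op = LEAF; leaf->perms = lookup_perm(name); leaf->a = leaf->b = NULL;
	return leaf;
}

/* Evaluate an expression tree. Returns 0 with the set in *out, or -1 for
 * a malformed tree; the original evaluator assumed well-formedness and
 * dereferenced the missing operand. */
int eval(const struct expr *e, uint32_t *out)
{
	uint32_t l, r;
	if (e == NULL)
		return -1;
	switch (e->op) {
	case LEAF:
		*out = e->perms;
		return 0;
	case OP_AND:
	case OP_OR:
		if (eval(e->a, &l) < 0 || eval(e->b, &r) < 0)
			return -1;
		*out = (e->op == OP_AND) ? (l & r) : (l | r);
		return 0;
	}
	return -1;
}

/* Build "(<op> UNKNOWN p1)" with either resolver and evaluate it. */
int eval_with_unknown(enum op op, int use_empty_set, uint32_t *out)
{
	struct expr la, lb, node;
	const struct expr *(*resolve)(const char *, struct expr *) =
		use_empty_set ? resolve_empty : resolve_dropping;
	node.op = op;
	node.perms = 0;
	node.a = resolve("UNKNOWN", &la);
	node.b = resolve("p1", &lb);
	return eval(&node, out);
}

/* Result with the fixed resolver, or UINT32_MAX on a malformed tree. */
uint32_t result_with_empty_set(enum op op)
{
	uint32_t r;
	return eval_with_unknown(op, 1, &r) < 0 ? UINT32_MAX : r;
}
```

With the empty-set substitution, "(and UNKNOWN p1)" evaluates to the empty set and "(or UNKNOWN p1)" to just p1, which is exactly the "ignore the unknown permission" behaviour the warning promises.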
Nicolas Iooss found while fuzzing secilc with AFL that the following
policy will cause a segfault.
(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivity s0)
(sensitivitycategory s0 (not (all)))
The expression "(not (all))" is evaluated as containing no categories.
There is a check for the resulting empty list and the category datum
expression is set to NULL. The segfault occurs because the datum
expression is assumed to be non-NULL after evaluation.
Assign the list to the datum expression even if it is empty.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Nicolas Iooss found while fuzzing secilc with AFL that the following
policy will cause a segfault.
(category c0)
(category c1)
(categoryorder (c0 c1))
(sensitivity s0)
(sensitivitycategory s0 (range c1 c0))
The category range "(range c1 c0)" is invalid because c1 comes after c0
in order.
The invalid range is evaluated as containing no categories. There is a
check for the resulting empty list and the category datum expression is
set to NULL. The segfault occurs because the datum expression is assumed
to be non-NULL after evaluation.
Add a check for an invalid range when evaluating category ranges.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
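The two category fixes above ("(not (all))" yielding an empty set that must still be assigned, and a reversed "(range c1 c0)" that must be rejected), as one added C example that is not CIL's own code. The category order, the bitmask representation, the datum struct and the function names are assumptions made for the illustration:

```c
#include <stdint.h>
#include <string.h>

/* Constructed "(categoryorder (c0 c1))": position in the array is the
 * category's rank. Not CIL's own data structures. */
#define NCATS 2
static const char *const cat_order[NCATS] = { "c0", "c1" };
#define ALL_CATS ((1u << NCATS) - 1)

static int cat_index(const char *name)
{
	for (int i = 0; i < NCATS; i++)
		if (strcmp(cat_order[i], name) == 0)
			return i;
	return -1;
}

/* Evaluate "(range lo hi)". Returns 0 with the set in *set, or -1 when a
 * name is unknown or hi comes before lo in the order: the check the
 * commit adds, instead of silently producing an empty set. */
int eval_range(const char *lo, const char *hi, uint32_t *set)
{
	int a = cat_index(lo), b = cat_index(hi);
	if (a < 0 || b < 0 || b < a)
		return -1;
	*set = 0;
	for (int i = a; i <= b; i++)
		*set |= 1u << i;
	return 0;
}

/* Evaluate "(not X)" relative to all declared categories. */
uint32_t eval_not(uint32_t x)
{
	return ~x & ALL_CATS;
}

/* The datum: has_expr records whether an evaluated expression is
 * attached. Before the fix an empty result left it unset (a NULL
 * expression); the fix assigns the result whether or not it is empty. */
struct cat_datum {
	int has_expr;
	uint32_t set;
};

void assign_datum(struct cat_datum *d, uint32_t set)
{
	d->set = set;
	d->has_expr = 1;
}

/* "(sensitivitycategory s0 (not (all)))": empty, but still attached, so
 * later code that expects an expression finds one. */
int demo_not_all(void)
{
	struct cat_datum d = { 0, 0 };
	assign_datum(&d, eval_not(ALL_CATS));
	return d.has_expr && d.set == 0;
}

/* "(range c0 c1)" is valid and covers both categories. */
int demo_range_valid(void)
{
	uint32_t s = 0;
	return eval_range("c0", "c1", &s) == 0 && s == 0x3u;
}

/* "(range c1 c0)" is rejected up front rather than evaluated as empty. */
int demo_range_reversed(void)
{
	uint32_t s = 0;
	return eval_range("c1", "c0", &s);
}
```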
We build booleans.c with DISABLE_BOOL set on Android host
and target. Add that file to the upstream Makefile.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Some systems, like Mac, don't have stdio_ext.h. Since we're
building with DISABLE_BOOL=y on Mac, just include the
header files with the DISABLE define, and use the bare
minimum headers for DISABLE_BOOL=y.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
To build on mac, first build libsepol with
no DESTDIR set.
Secondly, build libselinux with ANDROID_HOST=y
This configuration can be used to test the Android
host build on Mac.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building on mac, one encounters this error:
sefcontext_compile.c:270:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]
To correct this, add the attribute noreturn to the function.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When building on mac with ANDROID_HOST=y, clang complains:
sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
CHAR64LONG16* block = (CHAR64LONG16*) workspace;
Rather than casting the bytearray to the CHAR64LONG16 union,

just create a stack workspace of type CHAR64LONG16.
This will prevent alignment issues with the data accesses.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
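The alignment fix above, as an added C example rather than the project's sha1.c: a union of the CHAR64LONG16 kind (assumed layout) is declared on the stack and the caller's bytes are copied into it, so word accesses go through a correctly aligned object instead of a cast byte pointer. The checksum function and the constructed misaligned input are illustration only:

```c
#include <stdint.h>
#include <string.h>

/* 64-byte block viewed as bytes or as sixteen 32-bit words, the same
 * idea as the CHAR64LONG16 union named in the message (assumed layout;
 * not the project's code). */
typedef union {
	uint8_t c[64];
	uint32_t l[16];
} block64;

/* Word-wise checksum of a 64-byte input that may start at any address.
 * Casting `data` to block64 * would require 4-byte alignment the caller
 * cannot guarantee (the -Wcast-align complaint); copying into a union on
 * the stack gives the compiler a correctly aligned object to read words
 * from. */
uint32_t block_word_sum(const uint8_t *data)
{
	block64 ws;
	uint32_t sum = 0;
	memcpy(ws.c, data, sizeof ws.c);
	for (int i = 0; i < 16; i++)
		sum += ws.l[i];
	return sum;
}

/* Reference that never forms an aligned pointer: copies each word out
 * individually. */
uint32_t block_word_sum_reference(const uint8_t *data)
{
	uint32_t sum = 0, w;
	for (int i = 0; i < 16; i++) {
		memcpy(&w, data + 4 * i, sizeof w);
		sum += w;
	}
	return sum;
}

/* Constructed input: bytes 0..63 placed at an odd offset inside a larger
 * buffer, so `data` itself is deliberately misaligned. */
int demo_unaligned_block(void)
{
	uint8_t buf[65];
	for (int i = 0; i < 64; i++)
		buf[i + 1] = (uint8_t)i;
	return block_word_sum(buf + 1) == block_word_sum_reference(buf + 1);
}
```

The copy costs 64 bytes per block, which SHA-1 implementations already pay when they keep a private workspace; the gain is that no pointer with a stricter alignment than the source is ever formed.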
When building on Mac, outside of the Android tree, with ANDROID_HOST=y, this warning
is observed:
label.c:102:9: warning: implicit declaration of function 'fgets_unlocked' is invalid in C99 [-Wimplicit-function-declaration]
while (fgets_unlocked(buf, sizeof(buf) - 1, cfg)) {
Fix it by using the fgets_unlocked define that was introduced for Android, just apply it for mac builds
as well.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Correct the build issues on mac, mostly flags for tools.
libsepol and cil now build completely on Mac with a
simple make command.
Signed-off-by: William Roberts <william.c.roberts@intel.com>
When a non-MLS policy was used with genhomedircon, context_from_record()
in sepol would report an error because an MLS level was present when MLS
is disabled. Based on a patch by Gary Tierney, amended to use
sepol_policydb_mls_enabled rather than semanage_mls_enabled because
we are testing the temporary working policy, not the active policy.
Reported-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
As reported by Gary Tierney, genhomedircon suppresses logging from
libsepol when validating contexts. This can result in an
empty file_contexts.homedirs file without any warning to the user
if policy has been incorrectly configured. Remove the code that
was suppressing the logging so that errors are reported to the user.
Reported-by: Gary Tierney <gary.tierney@gmx.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Treat a user's prefix like a mapping to the role for file context
specifications in users' homedirs. This behavior is only applicable when
the user's prefix is the identifier of a role which is valid for the
given user. If the prefix is not a valid role, then genhomedircon will
write contexts out as normal.
Additionally, this commit enables configuring RBACSEP in policy:
(tunableif enable_rbacsep
(true
(userprefix user_u user_r)
(false
(userprefix user_u object_r))))
Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
The local: * entry should only be in the base entry, not in each of them.
This is part of resolving gold linker build failures reported by
Jason Zaman.
Reported-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The realpath logic in selinux_restorecon() was taken from the
Android libselinux fork. However, bionic dirname() and basename()
do not modify their argument and therefore are safe to call on a
const string. POSIX dirname() and basename() can modify their argument.
There is a GNU basename() that does not modify its argument, but not
for dirname().
For portability, create copies of the original pathname for each call
and keep them around until finished using the result.
Fixes "restorecon -r goes up the tree?" bug reported by Jason Zaman.
Reported-by: Jason Zaman <jason@perfinion.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
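The portable pattern described above, as an added C example that is not libselinux's selinux_restorecon(): each of dirname() and basename() gets its own copy of the path, and both copies stay alive until their results have been duplicated, since POSIX allows the returned pointer to point into the argument. The `split_path()`/`split_matches()` names and the local `dup_str()` helper are assumptions made for the illustration:

```c
#include <libgen.h>
#include <stdlib.h>
#include <string.h>

/* Local strdup() so the example needs only C99 and <libgen.h>. */
static char *dup_str(const char *s)
{
	size_t n = strlen(s) + 1;
	char *p = malloc(n);
	if (p)
		memcpy(p, s, n);
	return p;
}

/* Split `path` into directory and base name. POSIX dirname()/basename()
 * may modify their argument and may return a pointer into it, so each
 * call gets its own copy and both copies stay alive until the results
 * have been duplicated. Returns 0 on success (caller frees *dir and
 * *base), -1 on allocation failure. `path` itself is never written to. */
int split_path(const char *path, char **dir, char **base)
{
	char *dcopy = dup_str(path), *bcopy = dup_str(path);
	char *d = NULL, *b = NULL;

	if (dcopy && bcopy) {
		d = dup_str(dirname(dcopy));
		b = dup_str(basename(bcopy));
	}
	free(dcopy);
	free(bcopy);
	if (!d || !b) {
		free(d);
		free(b);
		return -1;
	}
	*dir = d;
	*base = b;
	return 0;
}

/* Check helper: 1 when the split matches the expected parts and the
 * caller's input string is unchanged afterwards, else 0. */
int split_matches(const char *path, const char *want_dir, const char *want_base)
{
	char input[256];
	char *d, *b;
	int ok;

	if (strlen(path) >= sizeof input)
		return 0;
	strcpy(input, path);
	if (split_path(input, &d, &b) < 0)
		return 0;
	ok = strcmp(d, want_dir) == 0 && strcmp(b, want_base) == 0 &&
	     strcmp(input, path) == 0;
	free(d);
	free(b);
	return ok;
}
```

Calling dirname() on a string that basename() has already shortened (or the reverse) is how a directory walk can end up at the wrong level; giving each call its own copy removes the ordering dependency entirely.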
__cil_fill_expr() initializes 'cil_list *sub_expr' but does not destroy
it when __cil_fill_expr_helper() fails. This list is therefore leaked
when __cil_fill_expr() returns.
This occurs when secilc compiles the following policy:
(class CLASS (PERM))
(classorder (CLASS))
(sid SID)
(sidorder (SID))
(user USER)
(role ROLE)
(type TYPE)
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))
(allow TYPE self (CLASS (PERM)))
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
(categoryset cats (not (range unknown)))
This bug has been found using gcc address sanitizer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When cil_fill_cats() fails to parse an expression and destroys a
category set, it fails to reset *cats to NULL. This makes this object be
destroyed again in cil_destroy_catset().
This bug can be triggered by the following policy:
(class CLASS (PERM))
(classorder (CLASS))
(sid SID)
(sidorder (SID))
(user USER)
(role ROLE)
(type TYPE)
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))
(allow TYPE self (CLASS (PERM)))
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
(categoryset cats (range unknown))
This bug has been found by fuzzing secilc with american fuzzy lop.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
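The two ownership fixes in the preceding messages (free the list built by the caller when the helper fails; reset the caller's pointer to NULL after destroying the object so a later generic cleanup cannot free it twice), as one added C example that is not CIL's own code. The toy `list`/`catset` structures, the allocation counter and the `fill_expr()`/`fill_cats()` names are assumptions made for the illustration:

```c
#include <stdlib.h>
#include <string.h>

/* Toy ownership model (not CIL's own structures): a list that a caller
 * builds for a helper, and a category set whose owner pointer lives in
 * the caller. */
struct list {
	char **items;
	size_t n;
};
struct catset {
	struct list *cats;
};

/* Count of live allocations, so the checks can show nothing leaks. */
static int live = 0;

struct list *list_create(void)
{
	struct list *l = calloc(1, sizeof *l);
	if (l)
		live++;
	return l;
}

/* Destroy through a double pointer and reset it, so a second destroy of
 * the same owner is a no-op instead of a double free. */
void list_destroy(struct list **lp)
{
	struct list *l = *lp;
	if (!l)
		return;
	for (size_t i = 0; i < l->n; i++) {
		free(l->items[i]);
		live--;
	}
	free(l->items);
	free(l);
	live--;
	*lp = NULL;
}

/* Helper that fails on the unresolvable name "unknown". */
static int fill_helper(struct list *l, const char *name)
{
	char **grown;
	char *copy;
	if (strcmp(name, "unknown") == 0)
		return -1;
	copy = malloc(strlen(name) + 1);
	if (!copy)
		return -1;
	strcpy(copy, name);
	grown = realloc(l->items, (l->n + 1) * sizeof *grown);
	if (!grown) {
		free(copy);
		return -1;
	}
	l->items = grown;
	l->items[l->n++] = copy;
	live++;
	return 0;
}

/* Fix 1: the list built here is freed when the helper fails, instead of
 * being leaked on return. */
int fill_expr(const char *name, struct list **out)
{
	struct list *sub = list_create();
	if (!sub)
		return -1;
	if (fill_helper(sub, name) < 0) {
		list_destroy(&sub);
		return -1;
	}
	*out = sub;
	return 0;
}

void catset_destroy(struct catset **cp)
{
	struct catset *c = *cp;
	if (!c)
		return;
	list_destroy(&c->cats);
	free(c);
	live--;
	*cp = NULL;
}

/* Fix 2: on failure the set is destroyed through the caller's pointer,
 * which resets it to NULL, so the caller's later cleanup finds nothing. */
int fill_cats(const char *name, struct catset **cats)
{
	*cats = calloc(1, sizeof **cats);
	if (!*cats)
		return -1;
	live++;
	if (fill_expr(name, &(*cats)->cats) < 0) {
		catset_destroy(cats);
		return -1;
	}
	return 0;
}

int live_allocations(void) { return live; }

/* Constructed scenarios: a parse that fails, and one that succeeds, each
 * followed by the caller's generic cleanup. */
int demo_failure_then_cleanup(void)
{
	struct catset *cs = NULL;
	int rc = fill_cats("unknown", &cs);
	catset_destroy(&cs);
	return rc;
}

int demo_success_then_cleanup(void)
{
	struct catset *cs = NULL;
	int rc = fill_cats("c0", &cs);
	catset_destroy(&cs);
	return rc;
}
```

Running either scenario under AddressSanitizer is the direct check: the leak shows up as a LeakSanitizer report and the double free as a heap-use-after-free at the second destroy.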
This CIL policy makes secilc crash with a NULL pointer dereference:
(class CLASS (PERM))
(classorder (CLASS))
(sid SID)
(sidorder (SID))
(user USER)
(role ROLE)
(type TYPE)
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))
(allow TYPE self (CLASS (PERM)))
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
(allow . self (CLASS (PERM)))
Using "." in the allow statement makes strtok_r() return NULL in
cil_resolve_name() and this result is then used in a call to
cil_symtab_get_datum(), which is thus invalid.
Instead of crashing, make secilc fail with an error message.
This bug has been found by fuzzing secilc with american fuzzy lop.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
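The NULL-token case above, as an added C example that is not CIL's cil_resolve_name(): a name consisting only of delimiters makes the first strtok_r() call return NULL, and the resolver reports that as an error before any symbol-table lookup sees it. The symbol tree, the error codes and the `resolve_name()`/`lookup()` names are assumptions made for the illustration:

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>

/* Constructed symbol tree (not CIL's symtabs): a block "blk" holding a
 * type "t", plus the global name "self". */
struct sym {
	const char *name;
	const struct sym *children;
	size_t nchildren;
};
static const struct sym blk_children[] = { { "t", NULL, 0 } };
static const struct sym root_children[] = {
	{ "blk", blk_children, 1 },
	{ "self", NULL, 0 },
};
static const struct sym root = { "", root_children, 2 };

/* Look `name` up in one scope; refuses NULL rather than dereferencing it,
 * which is the guard the crashing lookup lacked. */
static const struct sym *lookup(const struct sym *scope, const char *name)
{
	if (name == NULL)
		return NULL;
	for (size_t i = 0; i < scope->nchildren; i++)
		if (strcmp(scope->children[i].name, name) == 0)
			return &scope->children[i];
	return NULL;
}

enum { RESOLVED = 0, ERR_EMPTY_NAME = -1, ERR_NOT_FOUND = -2, ERR_TOO_LONG = -3 };

/* Resolve a dotted name such as "blk.t". A name made only of delimiters
 * (".", "..") or the empty string gives no first token, so strtok_r()
 * returns NULL; that is reported as an error instead of being passed on. */
int resolve_name(const char *qualified)
{
	char buf[128];
	char *save = NULL, *tok;
	const struct sym *cur = &root;

	if (strlen(qualified) >= sizeof buf)
		return ERR_TOO_LONG;
	strcpy(buf, qualified);
	tok = strtok_r(buf, ".", &save);
	if (tok == NULL)
		return ERR_EMPTY_NAME;
	while (tok != NULL) {
		cur = lookup(cur, tok);
		if (cur == NULL)
			return ERR_NOT_FOUND;
		tok = strtok_r(NULL, ".", &save);
	}
	return RESOLVED;
}
```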
Checkpolicy has an option to produce CIL output and is dependent on
the policydb-to-CIL conversion in libsepol for that option. Add
support for converting extended permissions to CIL so that checkpolicy
can generate CIL.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Pre-expands the role and user caches used in context validation when
converting a cildb to a binary policydb. This is currently only done
when loading a binary policy and prevents context validation from
working correctly with a newly built policy (i.e., when semanage builds
a new policy and then runs genhomedircon).
Also adds declarations for the hashtable mapping functions used:
policydb_role_cache and policydb_user_cache().
Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
Commit 7a728e46 changed module installation so that a module pp would
be installed using its module name instead of its filename and a warning
would be printed if they were different. With this change, base modules
could no longer be installed because of the way error handling was done.
This change fixes the error handling, so that when a base module is
installed it will be installed using its filename (since it does not
have a module name).
Based on bug report by Jason Zaman
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Gentoo and Arch have pkg-config entries for "ruby-$(RUBYLIBVER)" but not
for "ruby". Check if that exists first then fall back to plain ruby if
it does not.
The ruby install paths were incorrect. Fedora 20 installed to
/usr/lib64/ruby/vendor_ruby/, Arch needs it to be vendor_ruby as well,
site_ruby does not work. Thanks to Nicolas Iooss for the correct way to
query for the path.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Reverse the sense of the -D option, from disabling setting/use of
security.restorecon_last to enabling it, making disabled the default state.
Rationale:
1) Users often use restorecon to fix labels on files whose labels are
wrong even though nothing has changed in file_contexts, e.g. after
copying/moving files to a different location. They won't expect
restorecon to suddenly stop relabeling by default because the hash of
file_contexts hasn't changed.
2) Only processes running with CAP_SYS_ADMIN can set
security.restorecon_last, so this will fail for non-root users anyway.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>