Commit c19395d722 fixed some handling of unknown
classes/permissions, but missed the case where an unknown permission is loaded
and then subsequently logged, either via denial or auditallow. If a permission
set has some valid values mixed with unknown values, say `{ read write foo }`,
a check on `{ read write foo }` would fail to log the entire set.
To fix this, skip over the bad permissions/classes when expanding them to
strings. The unknowns should be logged during `selinux_set_mapping`, so
there is no need for further logging of the actual unknown permissions.
Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
In test_attr_types, the pointer decl is allowed to be NULL in the
beginning, but is dereferenced to produce a helpful message right before
a CU_ASSERT_FATAL. Make this derefence not happen if the pointer is
NULL.
This issue has been found using clang's static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
chcat_add() defines variable cmd twice before calling
subprocess.check_call(cmd, ...). Remove the first definition.
This bug was found using lgtm.com analyzer:
eac5e661ca/files/python/chcat/chcat (L118)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
semodule-utils/semodule_link/semodule_link.c contains:
static sepol_module_package_t *load_module(char *filename)
{
/* ... */
if (sepol_module_package_create(&p)) {
/* ... */
goto bad;
/* ... */
bad:
sepol_module_package_free(p);
When sepol_module_package_create() fails while having successfully
allocated p, it currently frees p without setting it back to NULL. This
causes a use-after-free in load_module().
Prevent this use-after-free by setting sepol_module_package_create's
argument back to NULL when an error happens.
This issue has been found using Infer static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Doing this looks wrong:
len = scope->decl_ids_len;
if (scope == NULL) {
/* ... */
Move the dereferencing of scope after the NULL check.
This issue has been found using Infer static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When strs_stack_init(&stack) fails to allocate memory and stack is still
NULL, it should not be dereferenced with strs_stack_pop(stack).
This issue has been found using Infer static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
As reported by Nicolas Iooss (nicolas.iooss@m4x.org), static analyzers
have problems understanding that the default memory error handler does
not return since it is called through the cil_mem_error_handler()
function pointer. This results in a number of false positive warnings
about null pointer dereferencing.
Since the ability to set the cil_mem_error_handler() is only through
the function cil_set_mem_error_handler() which is never used and whose
definition is not in any header file, remove that function, remove the
use of cil_mem_error_handler() and directly in-line the contents of
the default handler, cil_default_mem_error_handler().
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
This patch is loosely based on a patch by Yuli Khodorkovskiy
<yuli@crunchydata.com> from June 13th, 2019.
Since any permission used in the policy should be defined, CIL
should return an error if it cannot resolve a permission used
in a policy. This was the original behavior of CIL.
The behavior was changed over three commits from July to November
2016 (See commits 46e157b47, da51020d6, and 2eefb20d8). The change
was motivated by Fedora trying to remove permissions from its
policy that were never upstreamed (ex/ process ptrace_child and
capability2 compromise_kernel). Local or third party modules
compiled with those permissions would break policy updates.
After three years it seems unlikely that we need to worry about
those local and third party modules and it is time for CIL to
give an error like it should.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
According to "check_dominance" function:
Range defined as "s15:c0.c1023" does not dominate any other range than
"s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.).
While range defined as "s15-s15:c0.c1023" dominates all of the above.
This is either a bug, or "s15:c0.c1023" should not be used in the
examples.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
This reverts commit fe17b3d2d9.
MLS ranges should be compared based on dominance.
This fixes mlscolor-test on mcstrans examples.
Eg. mlscolor-test using /usr/share/mcstrans/examples/urcsts when executed on mls
machine fails as follows:
\#pushd /usr/share/mcstrans/examples/urcsts
\#cp -f secolor.conf /etc/selinux/mls/secolor.conf
\#cp -f setrans.conf /etc/selinux/mls/setrans.conf
\#systemctl restart mcstransd
\#python3 /usr/share/mcstrans/util/mlscolor-test urcsts.color
For 'system_u:system_r:inetd_t:SystemLow' got
'#000000#000000#000000#000000#000000#000000#000000#000000' expected
'#000000#000000#000000#000000#000000#000000#000000#008000'
...
mlscolor-test done with 19 errors
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Policy developers can set a default_range default to glblub and
computed contexts will be the intersection of the ranges of the
source and target contexts. This can be used by MLS userspace
object managers to find the range of clearances that two contexts
have in common. An example usage is computing a transition between
the network context and the context of a user logging into an MLS
application.
For example, one can add a default with
this cil:
(defaultrange db_table glblub)
or in te (base module only):
default_range db_table glblub;
and then test using the compute_create utility:
$ ./compute_create system_u:system_r:kernel_t:s0:c1,c2,c5-s0:c1.c20 system_u:system_r:kernel_t:s0:c0.c20-s0:c0.c36 db_table
system_u:object_r:kernel_t:s0:c1,c2,c5-s0:c1.c20
Some example range transitions are:
User Permitted Range | Network Device Label | Computed Label
---------------------|----------------------|----------------
s0-s1:c0.c12 | s0 | s0
s0-s1:c0.c12 | s0-s1:c0.c1023 | s0-s1:c0.c12
s0-s4:c0.c512 | s1-s1:c0.c1023 | s1-s1:c0.c512
s0-s15:c0,c2 | s4-s6:c0.c128 | s4-s6:c0,c2
s0-s4 | s2-s6 | s2-s4
s0-s4 | s5-s8 | INVALID
s5-s8 | s0-s4 | INVALID
Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
When functions from libsemanage calls other functions that are exported,
these functions need to be "wrapped" using hidden_proto() macro. This is
done in headers such as "user_internal.h". Several functions in
genhomedircon.c are not doing this, which makes building with -flto
fail with errors such as:
/usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in
function `user_sort_func':
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:758:
undefined reference to `semanage_user_get_name'
/usr/bin/ld:
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:758:
undefined reference to `semanage_user_get_name'
/usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in
function `fcontext_matches':
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:240:
undefined reference to `semanage_fcontext_get_expr'
/usr/bin/ld:
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:248:
undefined reference to `semanage_fcontext_get_type'
/usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in
function `add_user.isra.0':
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:992:
undefined reference to `semanage_user_get_mlslevel'
/usr/bin/ld: /tmp/libsemanage.so.1.KebOLC.ltrans1.ltrans.o: in
function `write_context_file':
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:892:
undefined reference to `semanage_user_key_create'
/usr/bin/ld:
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:764:
undefined reference to `semanage_user_get_name'
/usr/bin/ld:
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:897:
undefined reference to `semanage_user_query'
/usr/bin/ld:
/home/tkloczko/rpmbuild/BUILD/libsemanage-2.9-rc1/src/genhomedircon.c:905:
undefined reference to `semanage_user_get_mlslevel'
Include the missing headers.
Fixes: https://github.com/SELinuxProject/selinux/issues/169
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
In add_xattr_entry(), if selabel_get_digests_all_partial_matches()
returns with digest_len = 0, the code gets executed as:
sha1_buf = malloc(digest_len * 2 + 1); /* Allocate 1 byte */
/* ... */
for (i = 0; i < digest_len; i++) /* Do not do anything */
sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]);
/* ... */
new_entry->digest = strdup(sha1_buf); /* use of uninitiliazed content */
This is reported by some static code analyzers, even though in practise
digest_len should never be zero, and the call to sprintf() ensures that
the content of sha1_buf is initialized and terminated by '\0'.
Make sure to never call strdup() on an uninitialized string by verifying
that digest_len != 0.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Remove legacy local boolean and user code, and to preserve API/ABI
compatibility the following functions int values should be set to '0'
as they are no longer used:
selinux_mkload_policy(int preservebools)
security_set_boolean_list(.... int permanent)
and the following are now no-op and return '-1':
security_load_booleans()
sepol_genusers()
sepol_set_delusers()
sepol_genbools()
sepol_genbools_array()
and these still return their paths for compatibility, however they are
marked as deprecated:
selinux_booleans_path()
selinux_users_path()
These have been removed as they are local functions only:
sepol_genusers_policydb()
sepol_genbools_policydb()
Also "SETLOCALDEFS" removed from SELinux config file and code.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Update restorecon_xattr and man pages for new digest scheme
managed by selinux_restorecon(3).
Note that the Russian man pages require updating.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
We used to hash the file_context and skip the restorecon on the top
level directory if the hash doesn't change. But the file_context
might change after an OTA update; and some users experienced long
restorecon time as they have lots of files under directories like
/data/media.
This CL tries to hash all the partial match entries in the
file_context for each directory; and skips the restorecon if that
digest stays the same, regardless of the changes to the other parts
of file_context.
This is a version ported from Android that was originally written by:
xunchang <xunchang@google.com>
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
This is a follow up fix to the restorecon change in
commit 6ab5fbaabc84f7093b37c1afae855292e918090f This change has been
tested in android for a while.
The stem is a list of top level directory (without regex metachar)
covered in the file context. And it constructs from finding the
second '/' in the regex_string; and aims to speed up the lookup by
skipping unnecessary regex matches. More contexts in
https://lore.kernel.org/selinux/200309231522.25749.russell@coker.com.au/
However, this caused some issue when we try to find all the partial
matches for a root directory. For example, the path "/data" doesn't
have a stem while the regex "/data/misc/(/.*)?" has "/data" as the
stem. As a result, all the regex for the subdirs of /data will not
considered as a match for "/data". And the restorecon will wrongly
skip on top level "/data" when there's a context change to one of
subdir.
This CL always includes the stem when compiling the regex in all
circumstances. Also, it ignores the stem id check in the "match all"
case, while the behavior for the single match stays unchanged. I will
collect more data to find out if stem id check is still necessary at
all with the new restorecon logic.
Test: run restorecon on "/data"; change the context of one subdir and
run again, and the context is restored on that subdir; search the caller
of regex_match
Signed-off-by: Tianjie Xu <xunchang@google.com>
We used to hash the file_context and skip the restorecon on the top
level directory if the hash doesn't change. But the file_context might
change after an update; and some users experienced long restorecon
time as they have lots of files under directories like /data/media.
Therefore, we try to skip unnecessary restores if the file context
relates to the given directory doesn't change.
This CL is the first step that factors out a lookup helper function
and returns an array of matched pointers instead of a single one.
The old loopup_common function is then modified to take the first
element in the array.
This change has already been submitted in android selinux branch. And
porting it upstream will make these two branches more consistent and
save some work for the future merges.
Signed-off-by: Tianjie Xu <xunchang@google.com>
Follow officially documented way how to build C extension modules using
distutils - https://docs.python.org/3.8/extending/building.html#building
Fixes:
- selinux python module fails to load when it's built using SWIG-4.0:
>>> import selinux
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in <module>
from . import _selinux
ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py)
SWIG-4.0 changed (again?) its behavior so that it uses: from . import _selinux
which looks for _selinux module in the same directory as where __init__.py is -
$(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into
$(PYLIBDIR)/site-packages/ since a9604c30a5 ("libselinux: Change the location
of _selinux.so").
- audit2why python module fails to build with Python 3.8
cc -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -DOVERRIDE_GETTID=0 -I../include -D_GNU_SOURCE -DDISABLE_RPM -DNO_ANDROID_BACKEND -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L. -shared -o python-3.8audit2why.so python-3.8audit2why.lo -lselinux -l:libsepol.a -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
/usr/bin/ld: python-3.8audit2why.lo: in function `finish':
/builddir/build/BUILD/libselinux-2.9/src/audit2why.c:166: undefined reference to `PyArg_ParseTuple'
/usr/bin/ld: python-3.8audit2why.lo: in function `_Py_INCREF':
/usr/include/python3.8/object.h:449: undefined reference to `_Py_NoneStruct'
/usr/bin/ld: /usr/include/python3.8/object.h:449: undefined reference to `_Py_NoneStruct'
/usr/bin/ld: python-3.8audit2why.lo: in function `check_booleans':
/builddir/build/BUILD/libselinux-2.9/src/audit2why.c:84: undefined reference to `PyExc_RuntimeError'
...
It's related to the following Python change
https://docs.python.org/dev/whatsnew/3.8.html#debug-build-uses-the-same-abi-as-release-build
Python distutils adds correct link options automatically.
- selinux python module doesn't provide any Python metadata
When selinux python module was built manually, it didn't provide any metadata.
distutils takes care about that so that selinux Python module is visible for
pip:
$ pip3 list | grep selinux
selinux 2.9
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
When running 'make' from libselinux on Fedora 30 (gcc 9.1.1) the
following error is reported:
bute=const -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -Wstrict-overflow=5
-I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND -c -o booleans.o
booleans.c
booleans.c: In function ‘security_get_boolean_names’:
booleans.c:39:5: error: assuming signed overflow does not occur when
changing X +- C1 cmp C2 to X cmp C2 -+ C1 [-Werror=strict-overflow]
39 | int security_get_boolean_names(char ***names, int *len)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:171: booleans.o] Error 1
This is caused by the '--i' in the: 'for (--i; i >= 0; --i)' loop.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Move setrans.conf manpage to section 5 as it describes the documentation
for "File formats and conventions"
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
In module_to_cil.c, sepol_ppfile_to_module_package() calls functions
from module.c without including the internal header. This makes building
libsepol with "gcc -flto -fuse-ld=gold" fails when linking libsepol.so:
/tmp/ccHYAKVZ.ltrans21.ltrans.o:<artificial>:function
sepol_ppfile_to_module_package: error: undefined reference to
'sepol_module_package_free'
/tmp/ccHYAKVZ.ltrans21.ltrans.o:<artificial>:function
sepol_ppfile_to_module_package: error: undefined reference to
'sepol_module_package_create'
/tmp/ccHYAKVZ.ltrans21.ltrans.o:<artificial>:function
sepol_ppfile_to_module_package: error: undefined reference to
'sepol_module_package_create'
collect2: error: ld returned 1 exit status
Fixes: https://github.com/SELinuxProject/selinux/issues/165
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Add the command-line option 'O' to checkpolicy to cause kernel policies
to be optimized by calling policydb_optimize() before being written out.
This option can be used on conf files and binary kernel policies, but
not when converting a conf file to CIL.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
[omosnace: make commit desc more consistent with the other patches]
[omosnace: fix a typo in the commit message]
[omosnace: directly use policydb_optimize() as also the rest of code already uses
other policydb_*() functions...]
[omosnace: update man page]
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Add a command-line option -O/--optimize to optimize the final policydb
using sepol_policydb_optimize() before writing it out.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
When building binary policy, optionally run it through
sepol_policydb_optimize() just before writing it out.
Add an optimize-policy variable to semanage.conf(5) that controls
whether optimization will be applied during libsemanage operations.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Add sepol_policydb_optimize(), which checks a kernel policy for
redundant rules (i.e. those that are covered by an existing more general
rule) and removes them.
Results on Fedora 29 policy:
WITHOUT OPTIMIZATION:
# time semodule -B
real 0m21,280s
user 0m18,636s
sys 0m2,525s
$ wc -c /sys/fs/selinux/policy
8692158 /sys/fs/selinux/policy
$ seinfo (edited)
Allow: 113159
Dontaudit: 10297
Total: 123156
WITH OPTIMIZATION ENABLED:
# time semodule -B
real 0m22,825s
user 0m20,178s
sys 0m2,520s
$ wc -c /sys/fs/selinux/policy
8096158 /sys/fs/selinux/policy
$ seinfo (edited)
Allow: 66334
Dontaudit: 7480
Total: 73814
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Add new test suite for semanage_user_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_port_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_node_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_ibendport_* functions. The test suite aims for
line coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_iface_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_fcontext_* functions. The test suite aims for
line coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_bool_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Add new test suite for semanage_handle_* functions. The test suite aims for line
coverage and covers expected usage of functions. The test suite uses custom
semanage store and policy written in CIL, it does not require running on SELinux
enabled system.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
- Add functions for creating and destroying test semanage store.
- Add functions for writing SELinux policy to the test store.
- Add functions for creating semanage handle, connecting to the store and for
beginning a transaction.
- Update Makefile to compile test policies from CIL source.
Signed-off-by: Jan Zarsky <jzarsky@redhat.com>
Installing a cil module with invalid mlsconstrain syntax currently
results in a segfault. In the following module, the right-hand side of
the second operand of the OR is a list (mlstrustedobject):
$ cat test.cil
(class test (foo) )
(classorder (unordered test))
(mlsconstrain (test (foo))
(or
(dom h1 h2)
(eq t2 (mlstrustedobject))
)
)
$ sudo semodule -i test.cil
zsh: segmentation fault sudo semodule -i test.cil
This syntax is invalid and should error accordingly, rather than
segfaulting. This patch provides this syntax error for the same module:
$ sudo semodule -i test.cil
t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side
Bad expression tree for constraint
Bad constrain declaration at /var/lib/selinux/mls/tmp/modules/400/test/cil:4
semodule: Failed!
Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
