Merge commit 'a3abb2c05301b24ad2f8307d07734d89ddf808d8' into merge

libsepol/cil/include/cil/cil.h

@@ -58,6 +58,10 @@ enum cil_log_level {
 };
 extern void cil_set_log_level(enum cil_log_level lvl);
 extern void cil_set_log_handler(void (*handler)(int lvl, char *msg));
+
+#ifdef __GNUC__
+__attribute__ ((format(printf, 2, 3)))
+#endif
 extern void cil_log(enum cil_log_level lvl, const char *msg, ...);
 
 extern void cil_set_malloc_error_handler(void (*handler)(void));

libsepol/cil/src/cil.c

@@ -1326,7 +1326,7 @@ int cil_filecons_to_string(struct cil_db *db, sepol_policydb_t *sepol_db, char *
 	for (i = 0; i < filecons->count; i++) {
 		struct cil_filecon *filecon = filecons->array[i];
 		struct cil_context *ctx = filecon->context;
-		char *str_type = NULL; 
+		const char *str_type = NULL;
 
 		buf_pos = sprintf(str_tmp, "%s", filecon->path_str);
 		str_tmp += buf_pos;

libsepol/cil/src/cil_build_ast.c

@@ -2271,7 +2271,7 @@ static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor
 	if (current->cl_head == NULL) {
 		enum cil_flavor op = __cil_get_expr_operator_flavor(current->data);
 		if (op != CIL_NONE) {
-			cil_log(CIL_ERR,"Operator (%s) not in an expression\n", current->data);
+			cil_log(CIL_ERR, "Operator (%s) not in an expression\n", (char*)current->data);
 			goto exit;
 		}
 		cil_list_append(expr, CIL_STRING, current->data);
@@ -2378,7 +2378,7 @@ static int __cil_fill_constraint_leaf_expr(struct cil_tree_node *current, enum c
 		leaf_expr_flavor = CIL_LEVEL;
 		break;
 	default:
-		cil_log(CIL_ERR,"Invalid left operand (%s)\n",current->next->data);
+		cil_log(CIL_ERR, "Invalid left operand (%s)\n", (char*)current->next->data);
 		goto exit;
 	}
 
@@ -2705,7 +2705,7 @@ int cil_gen_condblock(struct cil_db *db, struct cil_tree_node *parse_current, st
 
 exit:
 	cil_log(CIL_ERR, "Bad %s condition declaration at line %d of %s\n",
-		parse_current->data, parse_current->line, parse_current->path);
+		(char*)parse_current->data, parse_current->line, parse_current->path);
 	cil_destroy_condblock(cb);
 	return rc;
 }
@@ -2765,7 +2765,8 @@ int cil_gen_alias(struct cil_db *db, struct cil_tree_node *parse_current, struct
 	return SEPOL_OK;
 
 exit:
-	cil_log(CIL_ERR, "Bad %s declaration at line %d of %s\n", parse_current->data, parse_current->line, parse_current->path);
+	cil_log(CIL_ERR, "Bad %s declaration at line %d of %s\n",
+		(char*)parse_current->data, parse_current->line, parse_current->path);
 	cil_destroy_alias(alias);
 	cil_clear_node(ast_node);
 	return rc;

libsepol/cil/src/cil_log.h

@@ -34,8 +34,6 @@
 
 #define MAX_LOG_SIZE 512
 
-
-
-void cil_log(enum cil_log_level lvl, const char *msg, ...);
+__attribute__ ((format(printf, 2, 3))) void cil_log(enum cil_log_level lvl, const char *msg, ...);
 
 #endif // CIL_LOG_H_

libsepol/cil/src/cil_mem.c

@@ -83,7 +83,7 @@ void *cil_realloc(void *ptr, size_t size)
 }
 
 
-char *cil_strdup(char *str)
+char *cil_strdup(const char *str)
 {
 	char *mem = NULL;
 

libsepol/cil/src/cil_mem.h

@@ -34,7 +34,7 @@
 void *cil_malloc(size_t size);
 void *cil_calloc(size_t num_elements, size_t element_size);
 void *cil_realloc(void *ptr, size_t size);
-char *cil_strdup(char *str);
+char *cil_strdup(const char *str);
 void (*cil_mem_error_handler)(void);
 
 #endif /* CIL_MEM_H_ */

libsepol/cil/src/cil_policy.c

@@ -542,7 +542,7 @@ void cil_constrain_to_policy(FILE **file_arr, __attribute__((unused)) uint32_t f
 	cil_constrain_to_policy_helper(file_arr, kind, cons->classperms, cons->datum_expr);
 }
 
-void cil_avrule_to_policy_helper(FILE **file_arr, uint32_t file_index, char *kind, char *src, char *tgt, struct cil_list *classperms)
+void cil_avrule_to_policy_helper(FILE **file_arr, uint32_t file_index, const char *kind, const char *src, const char *tgt, struct cil_list *classperms)
 {
 	struct cil_list_item *i;
 
@@ -573,9 +573,9 @@ void cil_avrule_to_policy_helper(FILE **file_arr, uint32_t file_index, char *kin
 
 int cil_avrule_to_policy(FILE **file_arr, uint32_t file_index, struct cil_avrule *rule)
 {
-	char *kind_str = NULL;
-	char *src_str = DATUM(rule->src)->name;
-	char *tgt_str = DATUM(rule->tgt)->name;
+	const char *kind_str = NULL;
+	const char *src_str = DATUM(rule->src)->name;
+	const char *tgt_str = DATUM(rule->tgt)->name;
 
 
 	switch (rule->rule_kind) {
@@ -974,7 +974,7 @@ int cil_name_to_policy(FILE **file_arr, struct cil_tree_node *current)
 		fprintf(file_arr[TYPEATTRTYPES], "role %s;\n", ((struct cil_symtab_datum*)current->data)->name);
 		break;
 	case CIL_BOOL: {
-		char *boolean = ((struct cil_bool*)current->data)->value ? "true" : "false";
+		const char *boolean = ((struct cil_bool*)current->data)->value ? "true" : "false";
 		fprintf(file_arr[TYPEATTRTYPES], "bool %s %s;\n", ((struct cil_symtab_datum*)current->data)->name, boolean);
 		break;
 	}

libsepol/cil/src/cil_reset_ast.c

@@ -27,7 +27,7 @@ static void cil_reset_class(struct cil_class *class)
 		/* during a re-resolve, we need to reset the common, so a classcommon
 		 * statement isn't seen as a duplicate */
 		class->num_perms -= common->num_perms;
-		class->common = NULL;
+		class->common = NULL; /* Must make this NULL or there will be an error when re-resolving */
 	}
 	class->ordered = CIL_FALSE;
 }
@@ -43,19 +43,9 @@ static inline void cil_reset_classperms(struct cil_classperms *cp)
 		return;
 	}
 
-	cp->class = NULL;
 	cil_list_destroy(&cp->perms, CIL_FALSE);
 }
 
-static inline void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
-{
-	if (cp_set == NULL) {
-		return;
-	}
-
-	cp_set->set = NULL;
-}
-
 static inline void cil_reset_classperms_list(struct cil_list *cp_list)
 {
 	struct cil_list_item *curr;
@@ -65,10 +55,8 @@ static inline void cil_reset_classperms_list(struct cil_list *cp_list)
 	}
 
 	cil_list_for_each(curr, cp_list) {
-		if (curr->flavor == CIL_CLASSPERMS) { /* KERNEL or MAP */
+		if (curr->flavor == CIL_CLASSPERMS) { /* KERNEL or MAP, but not SET */
 			cil_reset_classperms(curr->data);
-		} else { /* SET */
-			cil_reset_classperms_set(curr->data);
 		}
 	}
 }
@@ -98,14 +86,16 @@ static void cil_reset_user(struct cil_user *user)
 {
 	/* reset the bounds to NULL during a re-resolve */
 	user->bounds = NULL;
+	user->dftlevel = NULL;
+	user->range = NULL;
 	cil_list_destroy(&user->roles, CIL_FALSE);
-	cil_reset_level(user->dftlevel);
-	cil_reset_levelrange(user->range);
 }
 
 static void cil_reset_selinuxuser(struct cil_selinuxuser *selinuxuser)
 {
-	cil_reset_levelrange(selinuxuser->range);
+	if (selinuxuser->range_str == NULL) {
+		cil_reset_levelrange(selinuxuser->range);
+	}
 }
 
 static void cil_reset_role(struct cil_role *role)
@@ -174,7 +164,9 @@ static void cil_reset_avrule(struct cil_avrule *rule)
 
 static void cil_reset_rangetransition(struct cil_rangetransition *rangetrans)
 {
-	cil_reset_levelrange(rangetrans->range);
+	if (rangetrans->range_str == NULL) {
+		cil_reset_levelrange(rangetrans->range);
+	}
 }
 
 static void cil_reset_sens(struct cil_sens *sens)
@@ -211,77 +203,120 @@ static void cil_reset_catset(struct cil_catset *catset)
 
 static inline void cil_reset_level(struct cil_level *level)
 {
-	level->sens = NULL;
 	cil_reset_cats(level->cats);
 }
 
 static inline void cil_reset_levelrange(struct cil_levelrange *levelrange)
 {
-	cil_reset_level(levelrange->low);
-	cil_reset_level(levelrange->high);
+	if (levelrange->low_str == NULL) {
+		cil_reset_level(levelrange->low);
+	}
+
+	if (levelrange->high_str == NULL) {
+		cil_reset_level(levelrange->high);
+	}
+}
+
+static inline void cil_reset_userlevel(struct cil_userlevel *userlevel)
+{
+	if (userlevel->level_str == NULL) {
+		cil_reset_level(userlevel->level);
+	}
+}
+
+static inline void cil_reset_userrange(struct cil_userrange *userrange)
+{
+	if (userrange->range_str == NULL) {
+		cil_reset_levelrange(userrange->range);
+	}
 }
 
 static inline void cil_reset_context(struct cil_context *context)
 {
-	cil_reset_levelrange(context->range);
+	if (context->range_str == NULL) {
+		cil_reset_levelrange(context->range);
+	}
 }
 
 static void cil_reset_sidcontext(struct cil_sidcontext *sidcontext)
 {
-	cil_reset_context(sidcontext->context);
+	if (sidcontext->context_str == NULL) {
+		cil_reset_context(sidcontext->context);
+	}
 }
 
 static void cil_reset_filecon(struct cil_filecon *filecon)
 {
-	if (filecon->context != NULL) {
+	if (filecon->context_str == NULL && filecon->context != NULL) {
 		cil_reset_context(filecon->context);
 	}
 }
 
 static void cil_reset_portcon(struct cil_portcon *portcon)
 {
-	cil_reset_context(portcon->context);
+	if (portcon->context_str == NULL) {
+		cil_reset_context(portcon->context);
+	}
 }
 
 static void cil_reset_nodecon(struct cil_nodecon *nodecon)
 {
-	cil_reset_context(nodecon->context);
+	if (nodecon->context_str == NULL) {
+		cil_reset_context(nodecon->context);
+	}
 }
 
 static void cil_reset_genfscon(struct cil_genfscon *genfscon)
 {
-	cil_reset_context(genfscon->context);
+	if (genfscon->context_str == NULL) {
+		cil_reset_context(genfscon->context);
+	}
 }
 
 static void cil_reset_netifcon(struct cil_netifcon *netifcon)
 {
-	cil_reset_context(netifcon->if_context);
-	cil_reset_context(netifcon->packet_context);
+	if (netifcon->if_context_str == NULL) {
+		cil_reset_context(netifcon->if_context);
+	}
+
+	if (netifcon->packet_context_str == NULL) {
+		cil_reset_context(netifcon->packet_context);
+	}
 }
 
 static void cil_reset_pirqcon(struct cil_pirqcon *pirqcon)
 {
-	cil_reset_context(pirqcon->context);
+	if (pirqcon->context_str == NULL) {
+		cil_reset_context(pirqcon->context);
+	}
 }
 
 static void cil_reset_iomemcon(struct cil_iomemcon *iomemcon)
 {
-	cil_reset_context(iomemcon->context);
+	if (iomemcon->context_str == NULL) {
+		cil_reset_context(iomemcon->context);
+	}
 }
 
 static void cil_reset_ioportcon(struct cil_ioportcon *ioportcon)
 {
-	cil_reset_context(ioportcon->context);
+	if (ioportcon->context_str == NULL) {
+		cil_reset_context(ioportcon->context);
+	}
 }
 
 static void cil_reset_pcidevicecon(struct cil_pcidevicecon *pcidevicecon)
 {
-	cil_reset_context(pcidevicecon->context);
+	if (pcidevicecon->context_str == NULL) {
+		cil_reset_context(pcidevicecon->context);
+	}
 }
 
 static void cil_reset_fsuse(struct cil_fsuse *fsuse)
 {
-	cil_reset_context(fsuse->context);
+	if (fsuse->context_str == NULL) {
+		cil_reset_context(fsuse->context);
+	}
 }
 
 static void cil_reset_sid(struct cil_sid *sid)
@@ -341,6 +376,12 @@ int __cil_reset_node(struct cil_tree_node *node,  __attribute__((unused)) uint32
 	case CIL_CATALIAS:
 		cil_reset_alias(node->data);
 		break;
+	case CIL_USERRANGE:
+		cil_reset_userrange(node->data);
+		break;
+	case CIL_USERLEVEL:
+		cil_reset_userlevel(node->data);
+		break;
 	case CIL_USER:
 		cil_reset_user(node->data);
 		break;

libsepol/cil/src/cil_resolve_ast.c

@@ -128,7 +128,7 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
 				}
 			}
 			if (rc != SEPOL_OK) {
-				cil_log(CIL_ERR, "Failed to resolve permission %s\n", curr->data);
+				cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data);
 				goto exit;
 			}
 			cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
@@ -2210,7 +2210,7 @@ int cil_resolve_bounds(struct cil_tree_node *current, void *extra_args, enum cil
 
 		if (user->bounds != NULL) {
 			struct cil_tree_node *node = user->bounds->datum.nodes->head->data;
-			cil_log(CIL_ERR, "User %s already bound by parent at line %n of %s\n", bounds->child_str, node->line, node->path);
+			cil_log(CIL_ERR, "User %s already bound by parent at line %u of %s\n", bounds->child_str, node->line, node->path);
 			rc = SEPOL_ERR;
 			goto exit;
 		}
@@ -2223,7 +2223,7 @@ int cil_resolve_bounds(struct cil_tree_node *current, void *extra_args, enum cil
 
 		if (role->bounds != NULL) {
 			struct cil_tree_node *node = role->bounds->datum.nodes->head->data;
-			cil_log(CIL_ERR, "Role %s already bound by parent at line %n of %s\n", bounds->child_str, node->line, node->path);
+			cil_log(CIL_ERR, "Role %s already bound by parent at line %u of %s\n", bounds->child_str, node->line, node->path);
 			rc = SEPOL_ERR;
 			goto exit;
 		}
@@ -2237,8 +2237,8 @@ int cil_resolve_bounds(struct cil_tree_node *current, void *extra_args, enum cil
 
 		if (type->bounds != NULL) {
 			node = ((struct cil_symtab_datum *)type->bounds)->nodes->head->data;
-			cil_log(CIL_ERR, "Type %s already bound by parent at line %n of %s\n", bounds->child_str, node->line, node->path);
-			cil_log(CIL_ERR, "Now being bound to parent %s at line %n of %s\n", bounds->parent_str, current->line, current->path);
+			cil_log(CIL_ERR, "Type %s already bound by parent at line %u of %s\n", bounds->child_str, node->line, node->path);
+			cil_log(CIL_ERR, "Now being bound to parent %s at line %u of %s\n", bounds->parent_str, current->line, current->path);
 			rc = SEPOL_ERR;
 			goto exit;
 		}
@@ -2267,7 +2267,7 @@ int cil_resolve_bounds(struct cil_tree_node *current, void *extra_args, enum cil
 	return SEPOL_OK;
 
 exit:
-	cil_log(CIL_ERR, "Bad bounds statement at line %n of %s\n", current->line, current->path);
+	cil_log(CIL_ERR, "Bad bounds statement at line %u of %s\n", current->line, current->path);
 	return rc;
 }
 

libsepol/cil/src/cil_strpool.c

@@ -64,7 +64,7 @@ static int cil_strpool_compare(hashtab_t h __attribute__ ((unused)), hashtab_key
 	return strcmp(keyp1, keyp2);
 }
 
-char *cil_strpool_add(char *str)
+char *cil_strpool_add(const char *str)
 {
 	struct cil_strpool_entry *strpool_ref = NULL;
 

libsepol/cil/src/cil_strpool.h

@@ -32,7 +32,7 @@
 
 #include <sepol/policydb/hashtab.h>
 
-char *cil_strpool_add(char *str);
+char *cil_strpool_add(const char *str);
 void cil_strpool_init(void);
 void cil_strpool_destroy(void);
 #endif /* CIL_STRPOOL_H_ */

libsepol/cil/src/cil_verify.c

@@ -166,13 +166,13 @@ int cil_verify_expr_syntax(struct cil_tree_node *current, enum cil_flavor op, en
 	case CIL_EQ:
 	case CIL_NEQ:
 		if (expr_flavor != CIL_BOOL && expr_flavor != CIL_TUNABLE ) {
-			cil_log(CIL_ERR,"Invalid operator (%s) for set expression\n", current->data);
+			cil_log(CIL_ERR,"Invalid operator (%s) for set expression\n", (char*)current->data);
 			goto exit;
 		}
 		break;
 	case CIL_ALL:
 		if (expr_flavor == CIL_BOOL || expr_flavor == CIL_TUNABLE) {
-			cil_log(CIL_ERR,"Invalid operator (%s) for boolean or tunable expression\n", current->data);
+			cil_log(CIL_ERR,"Invalid operator (%s) for boolean or tunable expression\n", (char*)current->data);
 			goto exit;
 		}
 		syntax[1] = CIL_SYN_END;
@@ -180,7 +180,7 @@ int cil_verify_expr_syntax(struct cil_tree_node *current, enum cil_flavor op, en
 		break;
 	case CIL_RANGE:
 		if (expr_flavor != CIL_CAT) {
-			cil_log(CIL_ERR,"Operator (%s) only valid for catset expression\n", current->data);
+			cil_log(CIL_ERR,"Operator (%s) only valid for catset expression\n", (char*)current->data);
 			goto exit;
 		}
 		syntax[1] = CIL_SYN_STRING;
@@ -192,7 +192,7 @@ int cil_verify_expr_syntax(struct cil_tree_node *current, enum cil_flavor op, en
 		syntax_len = 2;
 		break;
 	default:
-		cil_log(CIL_ERR,"Unexpected value (%s) for expression operator\n", current->data);
+		cil_log(CIL_ERR,"Unexpected value (%s) for expression operator\n", (char*)current->data);
 		goto exit;
 	}
 
@@ -298,7 +298,7 @@ int cil_verify_constraint_expr_syntax(struct cil_tree_node *current, enum cil_fl
 		syntax[2] = CIL_SYN_STRING;
 		break;
 	default:
-		cil_log(CIL_ERR,"Invalid operator (%s) for constraint expression\n",current->data);
+		cil_log(CIL_ERR, "Invalid operator (%s) for constraint expression\n", (char*)current->data);
 		goto exit;
 	}