Commit Graph

1957 Commits

Author SHA1 Message Date
Nicolas Iooss
055d14a99a libselinux/utils: do not create an empty /sbin directory
When building libselinux package, "make install" creates /sbin directory
without putting anything in it. Remove this from the Makefile.

While at it, rename USRBINDIR variable USRSBINDIR (with an S) as it
refers to /usr/sbin.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 16:20:47 -05:00
Nicolas Iooss
920ee9ee18 libsemanage: remove ustr library from Makefiles, README and pkg-config
This library is no longer used by libsemanage.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Nicolas Iooss
300b8ad423 libsemanage: genhomedircon: drop ustr dependency
ustr library uses old (pre-C99) "extern inline" semantic. This makes it
incompatible with recent versions of gcc and clang, which default to
C99 standard. Distributions have shipped patched versions of this
library to fix issues (e.g. Gentoo package uses this patch:
https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-libs/ustr/files/ustr-1.0.4-gcc_5-check.patch?id=7dea6f8820f36bf389e6315044bea7507553bed0
) but there is no upstream solution to make ustr compatible with C99
standard.

The git tree of ustr (http://www.and.org/ustr/ustr.git) has not been
updated since 2008 and the developer of this project did not reply to
emails.

Therefore update genhomedircon implementation in order to no longer
rely on ustr library.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Nicolas Iooss
57a3b1b4b0 libsemanage: add semanage_str_replace() utility function
This function will be used in the next commit.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Nicolas Iooss
a228bb3736 libsemanage: simplify string utilities functions
Use string functions from C standard library instead of ustr. This makes
the code simpler and make utilities.c no longer depend on ustr library.

This changes how semanage_split() behaves when delim is not empty (NULL
or "") and the input string contains several successive delimiters:
semanage_split("foo::::bar", ":") returned "bar" and now returns ":bar".
This would not have any impact in the current code as semanage_split()
is only called with delim="=" (through semanage_findval(), in
libsemanage/src/genhomedircon.c), in order to split a "key=value"
statement.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Nicolas Iooss
fd6bc593b8 libsemanage/tests: test more cases of semanage_split*()
Before modifying semanage_split_on_space() and semanage_split(), test in
test_utilities.c how these functions behave for example when several
delimiter tokens are concatenated in the input string.

While at it, fix the memory leaks which were present in libsemanage
tests.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Nicolas Iooss
9e0cf6ec8a libsemanage/tests: make tests standalone
In order to run libsemanage tests, libsepol and libselinux source
directories need to exist next to libsemanage source directory. This
prevents tests to be run when using the released package.

As libsemanage tests only use public API of libselinux and libsepol,
link with the shared objects which are likely to be installed on the
system (or at least present in $DESTDIR).

While at it, drop TESTSRC variable as it was used to find libsemanage
internal headers but not the tested library (libsemanage.a). Moreover
add ../src/libsemanage.a to the target dependencies of the test
executable in order to rebuild it after libsemanage.a has been updated.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Nicolas Iooss
e51b233831 libsemanage/tests: make "make test" fail when a CUnit test fails
When modifications to libsemanage functions break the test cases tested
with the CUnit framework, "make test" currently succeeds, even though it
prints an output similar to:

    Suite: semanage_store
      Test: semanage_store_access_check ...passed
      Test: semanage_get_lock ...passed
      Test: semanage_nc_sort ...passed
    Suite: semanage_utilities
      Test: semanage_is_prefix ...passed
      Test: semanage_split_on_space ...FAILED
        1. test_utilities.c:150  - CU_ASSERT_STRING_EQUAL(temp,"baz")
      Test: semanage_split ...passed
      Test: semanage_list ...passed
      Test: semanage_str_count ...passed
      Test: semanage_rtrim ...passed
      Test: semanage_str_replace ...passed
      Test: semanage_findval ...passed
      Test: slurp_file_filter ...passed

Like commit 2489b50a91 ("libsepol: make "make test" fails when a CUnit
test fails") did for libsepol tests, modify the logic of function
do_tests() to return an error value when there has been at least one
failure. This makes "make test" fail as expected.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-12-21 13:40:11 -05:00
Vit Mojzis
bec41c4ff6 policycoreutils/setfiles: Mention customizable types in restorecon man page
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-21 09:36:22 -05:00
Gary Tierney
af18b86e0b libsepol/cil: remove avrules with no affected types
Adds a check for avrules with type attributes that have a bitmap cardinality
of 0 (i.e., no types in their set) before adding them to the libsepol policy in
__cil_avrule_to_avtab().  Also adds an exception for neverallow rules to
prevent breaking anything from AOSP mentioned in
f9927d9370.

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
2016-12-13 10:56:59 -05:00
Mike Frysinger
7179fd8738 man: standardize spacing with pointers in prototypes
The majority of prototypes don't put a space between the "*" and the
parameter name.  i.e. this style is incorrect:
	char * foo;
Instead, we want:
	char *foo;

Fix a bunch of references that use this uncommon style.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2016-12-12 14:44:26 -05:00
Mike Frysinger
fc3d8ceafc selinux(8): fix display of man page references
The section number shouldn't be bolded.  Fix a few references in
selinux(8) to match all the other man pages.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
2016-12-12 14:44:22 -05:00
Vit Mojzis
8fe1b0ca27 python/sepolicy/sepolicy: optimise sepolicy gui loading
Significantly speed up sepolicy gui loading by aggregating setools
queries.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-09 12:16:45 -05:00
Vit Mojzis
ef387e88bd python/sepolicy/sepolicy: Cleanup of gui code
Based on 77589dd354218f1f56d1c83747799606fa1b4899 by Dan Walsh.
Speed up gui loading.
Some minor bug fixes.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-09 12:16:45 -05:00
Stephen Smalley
d479baa82d libsepol: Define extended_socket_class policy capability
Define the extended_socket_class policy capability used to enable
the use of separate socket security classes for all network address
families rather than the generic socket class. This also enables
separate security classes for ICMP and SCTP sockets, which were previously
mapped to the rawip_socket class.

The legacy redhat1 policy capability that was only ever used in testing
within Fedora for ptrace_child is reclaimed for this purpose; as far as
I can tell, this policy capability is not enabled in any supported distro
policy.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-12-08 09:17:17 -05:00
Vit Mojzis
31fcd66d39 python/sepolicy/sepolicy/gui: Reflect sepolicy changes into gui
sepolicy.get_init_entrypoint() now returns list of Type objects
instead of single string, which caused sepolicy gui to crash.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-06 12:31:37 -05:00
Vit Mojzis
4791a99d67 python: Fix some typos
Aside from typos, change the way markup is applied to a tooltip
in sepolicy/gui so that the text can be translated.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-12-05 15:11:08 -05:00
Kyle Walker
468a0dbac8 seobject: Handle python error returns correctly
After 9406ace8 ("libsemanage: throw exceptions in python rather than
return NULL"), calls to libsemanage functions return Python exceptions
instead of returning negative error return codes. For systems that did not
have the applicable headers installed prior to build, the difference was
not seen. Following commit 9792099f ("Properly build the swig exception
file even if the headers are missing"), that issue has been resolved and
the underlying semanage_fcontext_query_local and semanage_fcontext_query
calls now result in an OSError return. This results in the following error
when attempting to modify a fcontext defined in the systems base policy.

    libsemanage.dbase_llist_query: could not query record value (No such file or directory).
    OSError: No such file or directory

To resolve the error, handle the OSError exception, but retain the
previous query operation.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1398427

Signed-off-by: Kyle Walker <kwalker@redhat.com>
2016-11-30 11:00:51 -05:00
James Carter
9e81e611c7 libsepol: Fix neverallow checking to also check the other types when
self is included in a target type set.

When neverallow checking was refactored in commit 9e6840e, self
was not handled correctly. The assumption was made that self only
appeared by itself as a target type, when it may appear in a list of
types. Because of this, if self appears in a target type set of a
neverallow, the other types in the type set are not checked.

Example:

allow TYPE1 TYPE2:CLASS1 { PERM1 };
neverallow TYPE1 {TYPE2 self}:CLASS1 { PERM1 };

The old assertion checking would not find a violation in the rules
above because the target type TYPE2 would be ignored.

This fix will cause all of the types in a target list that includes
self to be checked.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-11-30 10:19:02 -05:00
James Carter
93e677d830 secilc: Add secil2conf which creates a policy.conf from CIL policy
The program secil2conf uses the libsepol function
cil_write_policy_conf() to create a policy.conf file from CIL policy.

By default a file called "policy.conf" will be created, but the "-o"
option can be used to write to a different file. The "-M" option can
be used to override the mls statement in CIL. The "-P" option will
cause tunables to be treated as booleans.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-11-30 10:18:19 -05:00
James Carter
3fe4499f7d libsepol/cil: Add ability to write policy.conf file from CIL AST
The ability to create a policy.conf file from the CIL AST has been
a desire from the beginning to assist in debugging and for general
flexibility. Some work towards this end was started early in CIL's
history, but cil_policy.c has not been remotely functional in a long
time. Until now.

The function cil_write_policy_conf() will write a policy.conf file
from a CIL AST after cil_build_ast(), cil_resolve_ast(),
cil_fqn_qualify(), and cil_post_process() have been called.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-11-30 10:18:12 -05:00
Vit Mojzis
86e568c27b python/semanage/semanage: Unify argument handling
Missing argument checks for "fcontext" and "boolean" were performed
outside of "argparse", resulting in shortened help message (without
argument details) and no error description.
Fix: perform these checks using "argparse" as is the case with other
semanage options.

Some "required argument" check were performed outside of "handle_opts"
obscuring the code.
Fix: Add required arguments to {fcontext boolean}_args and remove the
checks from handle{Fcontext Boolean}.

Remove unpaired parentheses from "semanage fcontext" usage message.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-11-30 09:33:58 -05:00
Vit Mojzis
041e00106f python/sepolicy/sepolicy/gui: Fix getting python lib path
Python code is not platform specific and resides always in
lib (as opposed to lib64 on x64 architectures).

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-11-30 08:49:26 -05:00
Stephen Smalley
7e09f584e1 libsepol,libselinux,audit2allow: teach audit2why about type bounds failures
Teach audit2why to recognize type bounds failures.  This required
updating libsepol sepol_compute_av_reason() to identify bounds
failures, and updating libsepol context_struct_compute_av() to
include the type bounds logic from the kernel.

This could potentially be further augmented to provide more detailed
reporting via the reason buffer to include information similar to
what security_dump_masked_av() reports in the kernel.  However, it
is unclear if this is needed.  It is already possible to get type
bounds checking at policy build time by enabling expand-check=1
in /etc/selinux/semanage.conf (or by default when compiling
monolithic policy).

Before:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0

	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

After:
type=AVC msg=audit(1480451925.038:3225): avc:  denied  { getattr } for  pid=7118 comm="chmod" path="/home/sds/selinux-testsuite/tests/bounds/bounds_file_blue" dev="dm-2" ino=23337697 scontext=unconfined_u:unconfined_r:test_bounds_child_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:test_bounds_file_blue_t:s0 tclass=file permissive=0
        Was caused by:
                Typebounds violation.

                Add an allow rule for the parent type.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-29 15:53:59 -05:00
Stephen Smalley
fff90bd22b libsepol: sepol_av_to_string: clear static buffer
chenxiaolong reported this via
https://github.com/SELinuxProject/selinux/issues/23

A nicer fix would be to rework the interface to be more
like security_av_string() in libselinux, but that requires
updating all callers.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-29 11:20:43 -05:00
Stephen Smalley
dd8d5671e2 libselinux: avcstat: Clean up redundant condition
dcb314 reported this via https://github.com/SELinuxProject/selinux/issues/20

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-29 11:11:26 -05:00
Stephen Smalley
cf8625be58 libsepol: do not #include <sys/cdefs.h>
ratbert90 submitted this patch via
https://github.com/SELinuxProject/selinux/issues/19.
Apparently musl does not provide sys/cdefs.h, see
http://wiki.musl-libc.org/wiki/FAQ#Q:_I.27m_trying_to_compile_something_against_musl_and_I_get_error_messages_about_sys.2Fcdefs.h.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-29 11:03:17 -05:00
Vit Mojzis
c034875c14 policycoreutils/sepolicy/gui: fix current selinux state radiobutton
Radiobutton was always set to "Permissive" and couldn't be switched.
Update radiobutton together with status text in bottom left corner.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2016-11-29 08:49:48 -05:00
Nicolas Iooss
ab27085099 libsepol,libsemanage: write file name in flex output
Tools like lcov (for code coverage) does not like files named
"<stdout>". For example it reports errors like:

    genhtml: ERROR: cannot read
    /usr/src/selinux/libsemanage/src/<stdout>

When using flex -o option, the output file name gets written in the
generated C code, which solves this issue.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-29 08:47:36 -05:00
Nicolas Iooss
1c187d797f checkpolicy: remove -lfl from LDLIBS
When building checkpolicy/test, the linker reports the following error:

    cc   dispol.o  -lfl /usr/src/selinux/DESTDIR/usr/lib/libsepol.a
    -L/usr/src/selinux/DESTDIR/usr/lib -o dispol

    /usr/lib/gcc/x86_64-pc-linux-gnu/6.2.1/../../../../lib/libfl.so:
    undefined reference to `yylex'

    collect2: error: ld returned 1 exit status

According to flex documentation
(https://github.com/westes/flex/blob/master/doc/flex.texi), -lfl is used
to provide an implementation for yywrap(). However every flex file now
uses "%option noyywrap", which makes -lfl no longer mandatory. Remove
this option from checkpolicy Makefiles.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-29 08:46:43 -05:00
Nicolas Iooss
527380a193 libsepol/tests: use LDFLAGS when linking
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-29 08:45:26 -05:00
Nicolas Iooss
a206297ece mcstrans/utils: make "make all" use $DESTDIR
When running "make all" in the root directory on a system where SELinux
is not installed and where $DESTDIR targets a directory where the
libraries have been installed, the build fails in mcstrans/utils with
the following error:

    transcon.c:7:10: fatal error: 'selinux/selinux.h' file not found

and then:

    /usr/bin/ld: cannot find -lselinux

Fix this by adding -I$(PREFIX)/include to CFLAGS and -L$(LIBDIR) to
LDLIBS like other subdirectories do.

While at it, remove the useless -L../src parameter.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-29 08:44:46 -05:00
Nicolas Iooss
fb237459c8 libsepol: detect duplicated symbol IDs
A valid policy would not have two symbols (classes, roles, users...)
sharing the same unique identifier. Make policydb_read() rejects such
policy files.

When ..._val_to_name translation tables were allocated with malloc(),
change to calloc() in order to initialize the tables with NULLs.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-29 08:43:41 -05:00
Nicolas Iooss
9872b04a80 libsepol: check decl_id bounds before using it
When loading an invalid module which uses a declaration ID 0,
semodule_package crashes in policydb_index_decls():

    p->decl_val_to_struct[decl->decl_id - 1] = decl;

gdb shows the following stack trace:

    #0  0x00007ffff7aa1bbd in policydb_index_decls (p=p@entry=0x605360)
    at policydb.c:1034
    #1  0x00007ffff7aaa9fc in policydb_read (p=<optimized out>,
    fp=fp@entry=0x605090, verbose=verbose@entry=0) at policydb.c:3958
    #2  0x00007ffff7ab4764 in sepol_policydb_read (p=<optimized out>,
    pf=pf@entry=0x605090) at policydb_public.c:174
    #3  0x0000000000401d33 in main (argc=<optimized out>,
    argv=0x7fffffffdc88) at semodule_package.c:220

Change policydb_index_decls() to report an error instead:

    libsepol.policydb_index_decls: invalid decl ID 0

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-29 08:41:23 -05:00
Stephen Smalley
8fdb225521 libsepol,checkpolicy: convert rangetrans and filenametrans to hashtabs
range transition and name-based type transition rules were originally
simple unordered lists.  They were converted to hashtabs in the kernel
by commit 2f3e82d694d3d7a2db019db1bb63385fbc1066f3 ("selinux: convert range
transition list to a hashtab") and by commit
2463c26d50adc282d19317013ba0ff473823ca47 ("SELinux: put name based
create rules in a hashtable"), but left unchanged in libsepol and
checkpolicy. Convert libsepol and checkpolicy to use the same hashtabs
as the kernel for the range transitions and name-based type transitions.

With this change and the preceding one, it is possible to directly compare
a policy file generated by libsepol/checkpolicy and the kernel-generated
/sys/fs/selinux/policy pseudo file after normalizing them both through
checkpolicy.  To do so, you can run the following sequence of commands:

checkpolicy -M -b /etc/selinux/targeted/policy/policy.30 -o policy.1
checkpolicy -M -b /sys/fs/selinux/policy -o policy.2
cmp policy.1 policy.2

Normalizing the two files via checkpolicy is still necessary to ensure
consistent ordering of the avtab entries.  There may still be potential
for other areas of difference, e.g. xperms entries may lack a well-defined
order.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-28 13:10:59 -05:00
Stephen Smalley
2e47b69c53 libsepol: do not write object_r types to policy file
Originally object_r's types bitmap was empty since we exempt
object_r from the normal user-role and role-type checks.  CIL
however sets object_r's types to all types to avoid special case
logic.  However, the kernel does not load object_r types from the
policy file; it predefines object_r and merely validates that the
object_r definition in the policy has the expected value.  Thus,
the actual policy file and the /sys/fs/selinux/policy file were
differing in their object_r entry.  Fix this by not writing object_r's
types to the policy file, since they are ignored by the kernel
anyway.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-28 09:44:30 -05:00
stephensmalley
6f32d87a2a Merge pull request #35 from cgzones/semanage_fcontext_description
fix semanage fcontext help message
2016-11-28 09:39:10 -05:00
Nick Kralevich
044f6ef104 procattr.c: Use __ANDROID__ instead of ANDROID
When code is compiled within the Android tree, the resulting binaries
are intended to run either on the "host" (the machine doing the
building) or the "target" (the machine running the Android operating
system).

"ANDROID" is defined if the code is being compiled for the host or the
target, whereas "__ANDROID__" is only defined for code being compiled for
the target. (yes, I agree, this is not obvious).

gettid() is only declared in the target environment, not the host
environment, so adjust the #ifdef to properly emit the gettid()
definition for binaries targeting the host.

Signed-off-by: Nick Kralevich <nnk@google.com>
2016-11-28 09:32:21 -05:00
Nick Kralevich
bb96e1305d enabled.c: Remove stdio_ext.h header
This appears to be unused.

Signed-off-by: Nick Kralevich <nnk@google.com>
2016-11-28 09:29:41 -05:00
Nicolas Iooss
75b14a5de1 libsepol: ebitmap: reject loading bitmaps with incorrect high bit
Currently ebitmap_load() accepts loading a bitmap with highbit=192 and
one node {startbit=0, map=0x2}. When iterating over the bitmap,
ebitmap_for_each_bit() is expected to only yield "1" but it gives the
following bits: 1, 65, 129.

This is due to two facts in ebitmap_for_each_bit() implementation:
* ebitmap_next() stays on the first (and only) node of the bitmap
  instead of stopping the iteration.
* the end condition of the for loop consists in comparing the bit with
  ebitmap_length() (ie. the bitmap highbit), which is above the limit of
  the last node here.

These are not bugs when the bitmap highbit is equals to
l->startbit+MAPSIZE, where l is the last node (this is how
ebitmap_set_bit() sets it). So a simple fix consists in making
ebitmap_load() reject bitmaps which are loaded with an invalid highbit
value.

This issue has been found while fuzzing semodule_package with the
American Fuzzy Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-28 09:06:50 -05:00
Nicolas Iooss
73313a7528 libsepol: do not check decl->symtab[i].nprim
Commit 02a7d77ef2 ("libsepol: make parsing symbol table headers more
robust") broke refpolicy build, because checkmodule generates avrule
decl blocks with "decl->symtab[i].nprim = 0" for all possible i, even
when decl->symtab[SYM_ROLES] and decl->symtab[SYM_TYPES] are not
empty.

More precisely, decl->symtab[i].nprim seems to be only updated in
libsepol/src/link.c (in *_copy_callback() functions).

Revert the buggy part of commit 02a7d77ef2 to fix this regression.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-28 09:04:44 -05:00
Nicolas Iooss
86bad3dbf9 libsepol: do not modify p->p_roles.nprim in role_set_expand
There is no reason to modify the number of roles defined in a policy
when no role is being inserted.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-28 09:04:19 -05:00
cgzones
1e605e9905 fix semanage fcontext help message
the ftype options were incorrect
2016-11-24 20:01:26 +01:00
Nicolas Iooss
2907caa33c libsepol: fix unknown magic section number error message
When running hll/pp on some invalid policy module, it can output:

    libsepol.sepol_module_package_read: unknown magic number at section
    1, offset: 251, number: 0x

The last number looks funny and was caused by using "%ux". "u" is not a
prefix like "l", "h", "z"... and "%x" already expects an unsigned
integer (cf. http://man7.org/linux/man-pages/man3/printf.3.html).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-23 12:31:55 -05:00
Nicolas Iooss
d10725649e libsepol: make scope_index_destroy() more robust
When scope_index_read() fails while attempting to allocate memory for
scope_index->class_perms_map, scope_index_destroy() gets called with
scope->class_perms_len != 0 and scope->class_perms_map == NULL. This
triggers the following segmentation fault (in semodule_package):

    Program received signal SIGSEGV, Segmentation fault.
    ebitmap_destroy (e=0x10) at ebitmap.c:362
    362     n = e->node;
    => 0x00007ffff79ff7f6 <ebitmap_destroy+134>:    48 8b 3f    mov
    (%rdi),%rdi

    (gdb) bt
    #0  ebitmap_destroy (e=0x10) at ebitmap.c:362
    #1  0x00007ffff79e2c37 in scope_index_destroy (scope=0x608860) at
    avrule_block.c:87
    #2  avrule_decl_destroy (x=0x608830) at avrule_block.c:103
    #3  0x00007ffff7aae99c in avrule_block_read (fp=0x605090,
    num_scope_syms=8, block=0x6054e8, p=0x605360) at policydb.c:3598
    #4  policydb_read (p=0x605360, fp=fp@entry=0x605090,
    verbose=verbose@entry=0) at policydb.c:3946
    #5  0x00007ffff7ab4ab4 in sepol_policydb_read (p=<optimized out>,
    pf=pf@entry=0x605090) at policydb_public.c:174
    #6  0x0000000000401d33 in main (argc=<optimized out>,
    argv=0x7fffffffdc88) at semodule_package.c:220

    (gdb) f 1

    (gdb) p *scope
    $1 = {scope = {{node = 0x0, highbit = 0}, {node = 0x0, highbit = 0},
    {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0,
    highbit = 0}, {node = 0x0, highbit = 0}, {node = 0x0, highbit = 0},
    {node = 0x0, highbit = 0}}, class_perms_map = 0x0, class_perms_len =
    4294934272}

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-23 12:31:55 -05:00
Nicolas Iooss
8d31f8053c libsepol: do not crash when block->branch_list is NULL
When fuzzing hll/pp, the fuzzer created a policy module with a block
which has no declaration. With block->branch_list = NULL,
typealias_list_create() triggered a NULL pointer dereference when
computing max_decl_id.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-23 12:31:55 -05:00
Nicolas Iooss
6675e12cc1 libsepol: do not crash when a symbol does not exist
When hll/pp reads an invalid policy module where some scopes use
required symbols which are not defined, the program crashes with a
segmentation fault in required_scopes_to_cil():

    Program received signal SIGSEGV, Segmentation fault.
    required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780,
    pdb=0x6042e0, indent=0) at module_to_cil.c:3479
    3479                for (j = 0; j < scope_datum->decl_ids_len; j++)
    {
    => 0x00007ffff7a7b1a8 <block_to_cil+5224>:  44 8b 58 10 mov
    0x10(%rax),%r11d

    (gdb) bt
    #0  required_scopes_to_cil (decl_stack=0x6040b0, block=0x607780,
    pdb=0x6042e0, indent=0) at module_to_cil.c:3479
    #1  block_to_cil (pdb=pdb@entry=0x6042e0,
    block=block@entry=0x607780, stack=stack@entry=0x6040b0,
    indent=indent@entry=0) at module_to_cil.c:3622
    #2  0x00007ffff7a85a18 in global_block_to_cil (stack=0x6040b0,
    block=0x607780, pdb=0x6042e0) at module_to_cil.c:3738
    #3  blocks_to_cil (pdb=0x6042e0) at module_to_cil.c:3764
    #4  sepol_module_policydb_to_cil (fp=fp@entry=0x7ffff79d05e0
    <_IO_2_1_stdout_>, pdb=0x6042e0, linked=linked@entry=0) at
    module_to_cil.c:4051
    #5  0x00007ffff7a86b55 in sepol_module_package_to_cil
    (fp=fp@entry=0x7ffff79d05e0 <_IO_2_1_stdout_>, mod_pkg=0x604280) at
    module_to_cil.c:4080
    #6  0x0000000000401acc in main (argc=<optimized out>,
    argv=<optimized out>) at pp.c:150

    (gdb) p scope_datum
    $1 = (struct scope_datum *) 0x0

Detect such errors and exit with an error return value.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-23 12:31:55 -05:00
Nicolas Iooss
52b3b625b6 libsepol: do not call a NULL function in additive_scopes_to_cil()
When hll/pp operates on an invalid policy module which defines blocks
with non-empty decl->symtab[SYM_COMMONS], additive_scopes_to_cil_map()
calls func_to_cil[SYM_COMMONS], which is NULL.

In additive_scopes_to_cil(), filter out NULL elements of func_to_cil
before calling additive_scopes_to_cil_map().

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-23 12:31:55 -05:00
Nick Kralevich
8f9057c2ea label_file.h: actually use the results of compat_validate
process_line called compat_validate, but never actually looked at the
return value. When an invalid entry is found, a warning is printed, but
since the upper layers of the code don't see the error, validation
appears to succeed.

Steps to reproduce on Android:

1) Edit system/sepolicy/private/file_contexts and create an entry with
an invalid label.
2) Recompile Android, which executes out/host/linux-x86/bin/checkfc to
check if file_contexts is valid.

Expected: Compile failure.
Actual: Compile succeeds with warnings.

Change-Id: I20fa18c7b11b5ffdd243c3274bedc4518431e1fb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-21 09:24:31 -05:00
Stephen Smalley
49bfee8562 checkpolicy: treat -self as an error
checkpolicy wrongly handles "-self". At the least, it should handle it as
an error. At best, it should support it correctly (which would involve
libsepol support as well). At present, it looks like it will end up
negating (-) the next type/attribute in the list after self, or if
there are no entries after self, ignoring it entirely.

This originally was raised by the Android team, which wanted to support
something like the following:
neverallow domain { domain -self }:dir search;
to prohibit cross domain access to some resource but allow access within
the same domain.

This change just makes it a fatal error during compilation.
Implementing real support for -self is left as future work.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-18 11:09:38 -05:00