Commit Graph

283 Commits

Author SHA1 Message Date
James Carter
dbc6d6d596 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-17 10:10:40 -04:00
William Roberts
8673854fb8 libsepol: fix overflow and 0 length allocations
Throughout libsepol, values taken from sepolicy are used in
places where length == 0 or length == <saturated> matter,
find and fix these.

Also, correct any type mismatches noticed along the way.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:58:19 -04:00
William Roberts
02081779f3 libsepol: fix unitialized jmp and invalid dereference
When initializing role_datum_t array, initialize the array.
This corrects this issue:

==25766== Conditional jump or move depends on uninitialised value(s)
==25766==    at 0x40ABFE: context_is_valid (context.c:59)
==25766==    by 0x40AAED: policydb_context_isvalid (context.c:19)
==25766==    by 0x43CBF4: context_read_and_validate (policydb.c:1881)
==25766==    by 0x43E7B3: ocontext_read_selinux (policydb.c:2631)
==25766==    by 0x43EC4D: ocontext_read (policydb.c:2729)
==25766==    by 0x442019: policydb_read (policydb.c:3937)
==25766==    by 0x442F15: sepol_policydb_read (policydb_public.c:174)
==25766==    by 0x407ED4: init (check_seapp.c:885)
==25766==    by 0x408D83: main (check_seapp.c:1230)

Also, check for NULL when determining if a role can be associated
with a type.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:45 -04:00
William Roberts
d13bff623b libsepol: bound attr_type_map access by nprim
Correct an invalid memory access when attr_type_map array
indexing is outside of bounds.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:25 -04:00
William Roberts
305986f58c genfs_read: fix use heap-use-after-free
The newc variable is calloc'd and assigned to a new
owner during a loop. After the first assignment of newc
to newgenfs->head, the subsequent iteration could fail
before the newc is reseated with a new heap allocation
pointer. When the subsequent iteration fails, the
newc variable is freed. Later, an attempt it made to
free the same pointer assigned to newgenfs->head.

To correct this, clear newc after every loop iteration.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:56:12 -04:00
William Roberts
33de30a284 ebitmap: detect invalid bitmap
When count is 0 and the highbit is not zero, the ebitmap is not
valid and the internal node is not allocated. This causes issues
when routines, like mls_context_isvalid() attempt to use the
ebitmap_for_each_bit() and ebitmap_node_get_bit() as they assume
a highbit > 0 will have a node allocated.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:55:57 -04:00
William Roberts
b612314bf3 libsepol: ensure key is valid before doing search
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:55:44 -04:00
William Roberts
8b4ad4fde5 libsepol: fix invalid access of NULL on type_val_to_struct
In type_set_expand:
When nprim, the table index counter, is greater than the value of initizalized
entries in the type_val_to_struct[] array, detect this as invalid
and return an error.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-17 09:55:31 -04:00
James Carter
50d8a181e8 Updated libsepol and policycoreutils ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-08-09 16:16:58 -04:00
William Roberts
8e8a648e92 libsepol: fix memory leak in expand.c
ebitmap_set_bit() can possible allocate nodes, however, the bail early
style of type_set_expand() could leave internal ebitmaps allocated
but not free'd.

Modify type_set_expand() so that it free's all allocated ebitmaps
before returning the error code to the calling routine.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-09 15:55:22 -04:00
William Roberts
6e7d04ac0b libsepol: fix invalid read when policy file is corrupt
AFL Found this bug:
==6523== Invalid read of size 8
==6523==    at 0x4166B4: type_set_expand (expand.c:2508)
==6523==    by 0x43A0B8: policydb_role_cache (policydb.c:790)
==6523==    by 0x41CD70: hashtab_map (hashtab.c:235)
==6523==    by 0x43AC9E: policydb_index_others (policydb.c:1103)
==6523==    by 0x441B14: policydb_read (policydb.c:3888)
==6523==    by 0x442A1F: sepol_policydb_read (policydb_public.c:174)
==6523==    by 0x407ED4: init (check_seapp.c:885)
==6523==    by 0x408D97: main (check_seapp.c:1231)

This occurs when the type_val_to_struct[] mapping array
doesn't contain the type indicated in the ebitmap.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-09 15:55:15 -04:00
Steve Lawrence
4209c00afe Update libsepol ChangeLog
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-08-05 07:37:08 -04:00
William Roberts
ca3ec93ad0 module_to_cil: fix possible use of uninitialized value
Correct errors like these reported by gcc:

module_to_cil.c: In function ‘block_to_cil’:
module_to_cil.c:229:20: error: ‘attr_list’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  struct list_node *curr = (*attr_list)->head;

Usages of attr_list_destroy() were called when list_init()
fails.

stack_init() and stack_destroy() also suffered from the
aforementioned issue.

To correct the issue, initialize stack and list variables to
NULL.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-08-05 07:36:24 -04:00
Stephen Smalley
a736d9d070 Updated libsepol ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-07-28 10:52:34 -04:00
James Carter
46e157b470 libsepol/cil: Warn instead of fail if permission is not resolve
If a policy module package has been created with a policy that contains
a permission and then is used on a system without that permission CIL
will fail with an error when it cannot resolve the permission.

This will prevent the installation on policy and the user will not
know that the policy has not been installed.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-07-28 10:51:38 -04:00
James Carter
d5396d8312 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-07-26 13:43:18 -04:00
Steve Lawrence
7a137eb75f libsepol/cil: Ignore object_r in userrole mappings when creating policy binary
Commit 77779d2ca, which added support for userattributes in CIL,
accidentally removed code that ignored object_r when adding userrole
mappings to the policydb. This meant that running commands like
`semanage user -l` would incorrectly show object_r. This patch adds that
code back in. Note that CIL requires that these mappings exist to
properly validate file contexts, so pp2cil's behavior of creating these
mappings is not modified.

Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2016-07-26 13:41:43 -04:00
James Carter
77e86c0b8c Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-07-12 14:27:57 -04:00
Petr Lautrbach
747a440fdd libsepol: Add missing return to sepol_node_query()
Due to the missing return in sepol_node_query(), the function always
set *response to NULL whenever a protocol was SEPOL_PROTO_IP6

Fixes:
sudo semanage node -a -M ::1 -p ipv6 -t node_t ::1
sudo semanage node -m -M ::1 -p ipv6 -t node_t ::1
[1]    12968 segmentation fault (core dumped)  semanage node -m -M ::1 -p ipv6 -t node_t ::1

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2016-07-12 13:48:05 -04:00
Stephen Smalley
144b74905c Updated libsepol ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-07-01 13:04:15 -04:00
Thomas Petazzoni
0635cd495b Add missing <stdarg.h> include
Add missing <stdarg.h> include

This is needed to fix the build on uClibc, due to the usage of
va_list.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-07-01 13:02:15 -04:00
Stephen Smalley
28e92c5325 libsepol: rewrite sepol_string_to_security_class to use hashtab_search
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-20 16:28:45 -04:00
Stephen Smalley
69da2076e5 Updated libselinux and libsepol ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-06-20 16:24:35 -04:00
Joshua Brindle
94df3f7d24 Correctly detect unknown classes in sepol_string_to_security_class
Bail before running off the end of the class index

Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
2016-06-20 16:10:32 -04:00
James Carter
999747aa57 Updated libselinux, libsemanage, libsepol, and policycoreutils ChangeLogs.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-06-06 13:08:17 -04:00
Laurent Bigonville
fb85e5cc95 Sort object files for deterministic linking order
This patch is part of the Debian effort to make the build reproducible

Thank to Reiner Herrmann <reiner@reiner-h.de> for the patches

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-06-06 12:52:55 -04:00
Stephen Smalley
3749315847 Updated ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-19 14:22:55 -04:00
Jeff Vander Stoep
44c359aa05 Fix neverallowxperm checking on attributes
The following test incorrectly asserts a neverallowxperm failure.

	attribute test1_attr1;
	attribute test1_attr2;
	type test1_type1, test1_attr1, test1_attr2;

	allow test1_type1 test1_attr1:socket ioctl;
	allowxperm test1_type1 test1_attr2:socket ioctl { 1 };
	neverallowxperm test1_attr1 test1_attr1:socket ioctl { 0 }

To handle attributes correctly, the neverallowxperm checking has been
modified. Now when the ioctl permission is granted on an avtab entry
that matches an avrule neverallowxperm entry, the assertion checking
first determines the matching source/target/class sets between the
avtab entry and the neverallowxperm entry. Only the matching sets are
enumerated over to determine if the neverallowed extended permissions
exist and if they are granted. This is similar to how
report_assertion_avtab_matches() reports neverallow failures.

Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2016-05-19 14:22:07 -04:00
Stephen Smalley
77475b2228 Updated libsepol and sepolgen ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-09 08:19:30 -04:00
Nicolas Iooss
2c2c81dcdc libsepol: remove libsepol.map when cleaning
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-05-09 08:16:05 -04:00
Nicolas Iooss
8e30f76c6d Update .gitignore files
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-05-09 08:14:54 -04:00
James Carter
65bf9ae14a Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-06 09:43:42 -04:00
James Carter
175aba387b libsepol: When generating CIL use HLL line mark for neverallows
When converting pp files to CIL or generating CIL using checkpolicy
or checkmodule use CIL's HLL line mark annotations to record the
original file and line numbers for neverallow rules so that CIL can
produce more informative error messages. (Unfortunately, the original
line number information is not saved in pp files, so there is no benefit
for policy modules.)

This is only done for neverallow rules currently.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:33:29 -04:00
James Carter
67560cc7ac libsepol/cil: Remove path field from cil_tree_node struct
Remove path field from cil_tree_node struct and all references
to it in CIL. This will reduce memory usage by 5%.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:32:07 -04:00
James Carter
46b3a55598 libsepol/cil: Replace cil_log() calls with cil_tree_log()
Replace all calls to cil_log() that print path information with a
call to cil_tree_log() which will also print information about any
high-level sources.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:23:36 -04:00
James Carter
73aac8fc1e libsepol/cil: Add cil_tree_log() and supporting functions
Provide more detailed log messages containing all relevant CIL and
high-level language source file information through cil_tree_log().

cil_tree_log() uses two new functions: cil_tree_get_next_path() and
cil_tree_get_cil_path().

cil_tree_get_next_path() traverses up the parse tree or AST until
it finds the next CIL or high-level language source information nodes.
It will return the path and whether or not the path is for a CIL file.

cil_tree_get_cil_path() uses cil_tree_get_next_path() to return
the CIL path.

Example cil_tree_log() message:
    Problem at policy.cil:21 from foo.hll:11 from bar.hll:2

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:19:45 -04:00
James Carter
681341f2f4 libsepol/cil: Store CIL filename in parse tree and AST
Use some of the functionality recently added to support high-level
language line marking to track the CIL filename.

The goal is to eventually remove the path field from the tree node
struct and offset the addtion of the hll_line field.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:15:23 -04:00
James Carter
875a6bcbe8 libsepol/cil: Add high-level language line marking support
Adds support for tracking original file and line numbers for
better error reporting when a high-level language is translated
into CIL.

This adds a field called "hll_line" to struct cil_tree_node which
increases memory usage by 5%.

Syntax:

;;* lm(s|x) LINENO FILENAME
(CIL STATEMENTS)
;;* lme

lms is used when each of the following CIL statements corresponds
to a line in the original file.

lmx is used when the following CIL statements are all expanded
from a single high-level language line.

lme ends a line mark block.

Example:

;;* lms 1 foo.hll
(CIL-1)
(CIL-2)
;;* lme
;;* lmx 10 bar.hll
(CIL-3)
(CIL-4)
;;* lms 100 baz.hll
(CIL-5)
(CIL-6)
;;* lme
(CIL-7)
;;* lme

CIL-1 is from line   1 of foo.hll
CIL-2 is from line   2 of foo.hll
CIL-3 is from line  10 of bar.hll
CIL-4 is from line  10 of bar.hll
CIL-5 is from line 100 of baz.hll
CIL-6 is from line 101 of baz.hll
CIL-7 is from line  10 of bar.hll

Based on work originally done by Yuli Khodorkovskiy of Tresys.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-05 16:13:49 -04:00
James Carter
aff78ca3da Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-04 13:32:03 -04:00
James Carter
5cd5ffcc50 libsepol: Change logic of bounds checking
Change logic of bounds checking to match kernel's bound checking.

The following explanation is taken from Stephen Smalley's kernel
patch.

Under the new logic, if the source type and target types are both
bounded, then the parent of the source type must be allowed the same
permissions to the parent of the target type.  If only the source
type is bounded, then the parent of the source type must be allowed
the same permissions to the target type.

Examples of the new logic and comparisons with the old logic:
1. If we have:
	typebounds A B;
then:
	allow B self:process <permissions>;
will satisfy the bounds constraint iff:
	allow A self:process <permissions>;
is also allowed in policy.

Under the old logic, the allow rule on B satisfies the
bounds constraint if any of the following three are allowed:
	allow A B:process <permissions>; or
	allow B A:process <permissions>; or
	allow A self:process <permissions>;
However, either of the first two ultimately require the third to satisfy
the bounds constraint under the old logic, and therefore this degenerates
to the same result (but is more efficient - we only need to perform
one compute_av call).

2. If we have:
	typebounds A B;
	typebounds A_exec B_exec;
then:
	allow B B_exec:file <permissions>;
will satisfy the bounds constraint iff:
	allow A A_exec:file <permissions>;
is also allowed in policy.

This is essentially the same as #1; it is merely included as
an example of dealing with object types related to a bounded domain
in a manner that satisfies the bounds relationship.  Note that
this approach is preferable to leaving B_exec unbounded and having:
	allow A B_exec:file <permissions>;
in policy because that would allow B's entrypoints to be used to
enter A.  Similarly for _tmp or other related types.

3. If we have:
	typebounds A B;
and an unbounded type T, then:
	allow B T:file <permissions>;
will satisfy the bounds constraint iff:
	allow A T:file <permissions>;
is allowed in policy.

The old logic would have been identical for this example.

4. If we have:
	typebounds A B;
and an unbounded domain D, then:
	allow D B:unix_stream_socket <permissions>;
is not subject to any bounds constraints under the new logic
because D is not bounded.  This is desirable so that we can
allow a domain to e.g. connectto a child domain without having
to allow it to do the same to its parent.

The old logic would have required:
	allow D A:unix_stream_socket <permissions>;
to also be allowed in policy.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-05-04 13:29:56 -04:00
Stephen Smalley
bedef7d124 libsepol,checkpolicy,secilc: Replace #ifdef DARWIN with __APPLE__.
As per discussion in https://android-review.googlesource.com/#/c/221980,
we should be using #ifdef __APPLE__ rather than our own custom-defined
DARWIN for building on MacOS X.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-03 11:54:20 -04:00
Stephen Smalley
6ad28de149 Updated libselinux, libsemanage, libsepol, and policycoreutils ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-05-02 08:45:45 -04:00
Laurent Bigonville
8586ee56be Fix multiple spelling errors
Thanks to the lintian utility from Debian
2016-05-02 08:45:45 -04:00
James Carter
2acddf0459 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-04-29 15:50:47 -04:00
James Carter
3cf8669135 libsepol: Only apply bounds checking to source types in rules
The current bounds checking of both source and target types
requires allowing any domain that has access to the child domain
to also have the same permissions to the parent, which is undesirable.
Drop the target bounds expansion and checking.

Making this change fully functional requires a corresponding kernel
change; this change only allows one to build policies that would
otherwise violate the bounds checking on target type.  The kernel
change is required to allow the permissions at runtime.

Based on patch by Stephen Smalley.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-04-29 15:49:01 -04:00
James Carter
65fb72cee8 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-04-29 14:31:26 -04:00
James Carter
74bde7fa16 libsepol/cil: Do not add an attribute as a type in the attr_type_map
The attribute to type map is used to get all of the types that are
asociated with an attribute. To make neverallow and bounds checking
easier it was convienent to map a type to itself. However, CIL was
wrongly mapping an attribute to itself in addition to the types
associated with it. This caused type bounds checking to fail if the
parent was granted a permission through one attribute while the child
was granted the permission through another attribute.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-04-29 13:23:07 -04:00
Stephen Smalley
c9ada3e470 Updated checkpolicy and libsepol ChangeLogs.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-04-25 15:34:06 -04:00
Richard Haines
aac9360581 selinux: Build policy on systems not supporting DCCP protocol
Commit 3895fbbe0c ("selinux: Add support
for portcon dccp protocol") added support for the (portcon dccp ..)
statement. This fix will allow policy to be built on platforms
(see [1]) that do not have DCCP support by defining the IANA
assigned IP Protocol Number 33 to IPPROTO_DCCP.

[1] https://android-review.googlesource.com/#/c/219568/

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2016-04-25 15:31:45 -04:00
Stephen Smalley
6327d62fd0 Updated libsepol ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-04-21 13:32:18 -04:00