Commit Graph

2044 Commits

Author SHA1 Message Date
Stephen Smalley
e0882cdbed Updated libsemanage ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-14 13:15:28 -05:00
Nicolas Iooss
b372170058 libsemanage: semanage_seuser_key_create: copy name
When removing a login using semanage with Python 3 the following error
occurs:

    # semanage login -l | grep my_user
    my_user                   user_u

    # semanage login --delete my_user
    ValueError: Login mapping for my_user is not defined

This is due to a use-after-free in the swig-generated code for python3
bindings.

Copy the user name in semanage_seuser_key_create() and free it in
semanage_seuser_key_free(), like commit eac6f1f1b5 ("libsepol:
sepol_{bool|iface|user}_key_create: copy name") did.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-14 13:14:33 -05:00
Stephen Smalley
bfe9360ca5 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-14 13:11:28 -05:00
Stephen Smalley
bbc930c756 libselinux: fix subdir build and usage of cmdline CFLAGS
commit 16c123f4b1 ("libselinux:
support ANDROID_HOST=1 on Mac") broke the ability to run make
in the src subdirectory of libselinux (because OS and COMPILER
were not defined) and also caused some warning flags that could
be overridden via command-line CFLAGS to be mandatory.  Fix it.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-14 13:10:51 -05:00
Stephen Smalley
a0149f6f4f Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-14 12:45:57 -05:00
Stephen Smalley
6201bb5e25 libsepol: fix checkpolicy dontaudit compiler bug
The combining logic for dontaudit rules was wrong, causing
a dontaudit A B:C *; rule to be clobbered by a dontaudit A B:C p;
rule.

Reported-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-14 12:43:32 -05:00
Stephen Smalley
30ef8d0993 Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-08 10:53:42 -05:00
Stephen Smalley
eac6f1f1b5 libsepol: sepol_{bool|iface|user}_key_create: copy name
The sepol_{bool|iface|user}_key_create() functions were not
copying the name.  This produces a use-after-free in the
swig-generated code for python3 bindings.  Copy the name
in these functions, and free it upon sepol_{bool|iface|user}_key_free().

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-08 10:46:14 -05:00
Stephen Smalley
5e911ee825 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-08 10:34:47 -05:00
Laurent Bigonville
2d7ca0b862 policycoreutils: Make sepolicy work with python3
Add python3 support for sepolicy

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-11-08 10:34:08 -05:00
Stephen Smalley
71ee7217d7 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-08 10:07:45 -05:00
Laurent Bigonville
eed0e4259f Sandbox: Use next() over the sepolicy.info() result
sepolicy.info() now returns a generator, use next() to get the results.

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-11-08 10:05:39 -05:00
Stephen Smalley
b42a293978 Updated libselinux and libsemanage ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-07 16:02:42 -05:00
Nicolas Iooss
70b986539e libselinux, libsemanage: remove *swig_python_exception.i if its creation failed
When compiling libselinux with CC=clang, "make pywrap" reports the
following message:

    bash exception.sh > selinuxswig_python_exception.i
    clang-3.9: error: no such file or directory: 'temp.aux'
    awk: fatal: cannot open file `temp.aux' for reading (No such file or
    directory)

This does not make the build fail as exception.sh returns an "OK"
status. Use "bash -e" with this script to make it return an error value.

In order not to keep an empty selinuxswig_python_exception.i file after
a build fails (which would make a second run of "make pywrap" incorrectly
succeed), remove the file when exception.sh fails.

As libsemanage uses the same code to build
semanageswig_python_exception.i, modify its Makefile too.

By the way, on Linux clang does not seem to currently support -aux-info
so it cannot be used to craft selinuxswig_python_exception.i.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-07 15:58:05 -05:00
Nicolas Iooss
5c620ead20 libsemanage: remove ruby_semanage.so with "make clean"
The Python wrapper is already removed in the clean target (with
$(SWIGSO)) so remove the Ruby wrapper too.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-07 15:56:53 -05:00
Nicolas Iooss
581dde735a libselinux: remove rpm_execcon from SWIG wrappers
The Python wrapper of rpm_execcon() has several flaws:
* An invalid call like selinux.rpm_execcon() triggers a segmentation
  fault.
* The size of the buffer which is allocated to copy argv and envp is
  too small to hold all the values.
* This allocated memory is leaked if one argument of rpm_execon() is not
  a sequence of bytes.

The Ruby wrapper has no such flaws but can not be used as it is because
it misses some glue code to convert argv and envp arguments to char
*const [] values (even though the destructor is present!).

As it is not possible to remove rpm_execcon() without changing
libselinux soname (it would be an ABI break) like b67fefd991
("libselinux: set DISABLE_RPM default to y.") tried to do, disable this
interface locally in the SWIG wrappers.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-11-07 15:55:08 -05:00
Stephen Smalley
1ce3e23b89 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-04 15:41:20 -04:00
Laurent Bigonville
b8711e2eaf Revert "libselinux: support new python3 functions"
With the reverted commit applied, some functions were returning arrays
of bytes instead of python strings under python3 this was causing issues
with string manipulation functions like split().

Swig (checked with 3.0.7) is adding compatibility macros that take care
of the differences between python2 and python3.

This reverts commit 63df0f7ef1.

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-11-04 15:41:20 -04:00
James Carter
9a834cf877 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-11-02 12:28:58 -04:00
James Carter
2eefb20d8f libsepol/cil: Exit with an error for an unknown map permission
Nicholas Iooss discovered that using an unknown permission with a
map class will cause a segfault.

CIL will only give a warning when it fails to resolve an unknown
permission to support the use of policy module packages that use
permissions that don't exit on the current system. When resolving
the unknown map class permission an empty list is used to represent
the unknown permission. When it is evaluated later the list is
assumed to be a permission and a segfault occurs.

There is no reason to allow unknown class map permissions because
the class maps and permissions are defined by the policy.

Exit with an error when failing to resolve a class map permission.

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-11-02 12:14:21 -04:00
Stephen Smalley
ff413bb55e Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-02 09:13:14 -04:00
Laurent Bigonville
22e8b70867 policycoreutils: Use "new" sepolicy icon in .desktop file for sepolicy gui
New hires icons have been added to the repository end 2013 but the
sepolicy .desktop file is not using it, let's fix that.
2016-11-02 09:12:32 -04:00
Stephen Smalley
6ff9318af9 Updated ChangeLogs
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-02 09:01:38 -04:00
Stephen Smalley
a0bd296a0d libsemanage: fix kernel pathname in semanage_verify_kernel()
Building with CC=clang, we get the following errors:

semanage_store.c:2177:20: error: implicit conversion from enumeration type 'enum semanage_final_defs' to different enumeration type 'enum semanage_store_defs' [-Werror,-Wenum-conversion]
            semanage_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
            ~~~~~~~~~~~~~ ^~~~~~~~~~~~~~~~~~
semanage_store.c:2177:40: error: implicit conversion from enumeration type 'enum semanage_final_path_defs' to different enumeration type 'enum semanage_sandbox_defs' [-Werror,-Wenum-conversion]
            semanage_path(SEMANAGE_FINAL_TMP, SEMANAGE_KERNEL);
            ~~~~~~~~~~~~~                     ^~~~~~~~~~~~~~~

This is an actual bug; semanage_verify_kernel() was never updated to
use semanage_final_path() when the rest were converted.  Fix it.
This pathname is only used if a kernel policy verifier is specified
in semanage.conf, so this is not used by default.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-02 08:54:19 -04:00
Stephen Smalley
9dcbc12e1f Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-01 17:31:11 -04:00
William Roberts
e4f2bcce24 libselinux/utils: fix all the noreturn errors
When building with clang, multiple noreturn issues arise,
for instance:

selabel_partial_match.c:11:1: error: function 'usage' could be declared with attribute 'noreturn' [-Werror,-Wmissing-noreturn]

Fix these.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-11-01 17:29:49 -04:00
Stephen Smalley
4c519cd730 libselinux: avc_internal.c: allow building with clang
Resolves the following errors from clang:
avc_internal.c:105:25: error: cast from 'char *' to 'struct nlmsghdr *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
        struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
                               ^~~~~~~~~~~~~~~~~~~~~~
avc_internal.c:161:25: error: cast from 'char *' to 'struct nlmsghdr *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
        struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
                               ^~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-01 16:59:47 -04:00
Stephen Smalley
6e6134cb7e Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-01 16:31:27 -04:00
William Roberts
8fee76a538 libselinux: fix compiler flags for linux + clang
As reported by Nicolas Iooss, the clang + linux build seems
broken:

 clang-3.9: warning: argument unused during compilation: '-undefined
dynamic_lookup'
  /usr/bin/ld: unrecognised option: -install_name
  clang-3.9: error: linker command failed with exit code 1 (use -v to
see invocation)

We already have those options set for Darwin, just drop them from the
clang side.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-11-01 16:30:51 -04:00
Stephen Smalley
9f6c6324c2 Updated libsepol ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-31 12:51:11 -04:00
Jason Zaman
2d1380f811 libsepol: Add symver with explicit version to build with ld.gold
The blank default symver fails to compile with ld.gold. This updates the
symver from blank to LIBSEPOL_1.0. The dynamic linker will first look
for the symbol with the explicit version specified. If there is none, it
will pick the first listed symbol so there is no breakage.
This also matches how symvers are defined in libsemanage.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2016-10-31 12:50:24 -04:00
Stephen Smalley
3a8f55efc0 Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-31 12:50:08 -04:00
Nicolas Iooss
266c16ff53 policycoreutils: semodule_package: do not fail with an empty fc file
When running sepolgen tests on a Linux 4.7 kernel, one test fails with
the following message:

    /usr/bin/semodule_package:  Failed to mmap
    tmp/module_compile_test.mod.fc:  Invalid argument

The .fc file is empty, which is why it cannot be used with mmap().
Anyway the current code supports empty files (with if() conditions in
main()) so do not try to mmap an empty file in file_to_data().

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-10-31 12:46:54 -04:00
Nicolas Iooss
cb68b534e3 policycoreutils: restorecond: use pkg-config to find dbus-glib-1 files
On Ubuntu some header files are located in /usr/lib/x86_64-linux-gnu/,
not /usr/lib64/:

    $ pkg-config --cflags dbus-glib-1
    -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include
    -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include

Use pkg-config instead of hard-coded paths to find glib and dbus-glib
headers and libraries.

This is needed in order to use environments provided for example by
https://travis-ci.org/.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-10-31 12:44:10 -04:00
Stephen Smalley
5917a96f39 Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-27 10:42:04 -04:00
vmojzis
0776dca575 libselinux: fix pointer handling in realpath_not_final
Loop designed for stripping leading "//" was changing
the only pointer referencing block of memory allocated
by "strdup", resulting in "free()" failure. The loop
had no effect because "realpath" is used later on.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1376598

Signed-off-by: vmojzis <vmojzis@redhat.com>
2016-10-27 10:40:36 -04:00
Stephen Smalley
7a4cd7f8ff Updated libselinux ChangeLog.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-27 10:40:19 -04:00
Laurent Bigonville
14d7064348 libselinux: Allow overriding libsepol.a location during build
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-10-27 10:38:04 -04:00
Stephen Smalley
f6f58732aa Updated libselinux ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-27 10:37:12 -04:00
Laurent Bigonville
640edd601b libselinux: Add clean-pywrap and clean-rubywrap targets
Add clean targets to just clean the python and ruby wrapper objects

Also clean $(SWIGRUBYSO) and $(AUDIT2WHYLOBJ) objects

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
2016-10-27 10:35:37 -04:00
Stephen Smalley
a610f08d2e Updated policycoreutils ChangeLog
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-10-21 12:59:37 -04:00
Vit Mojzis
530904eaaa policycoreutils/gui: fix system-config-selinux editing features
Return column definitions to portsPage (gui fails to load otherwise).

fcontextPage:
  "ftype" dropdown was filled from 2 sources (system-config-selinux.glade
  and fcontextPage - from seobject module) which resulted in duplicate
  and invalid options. When given to "semanage fcontext -f", ftype has to be
  converted to 1 letter argument mode.

TreeView.get_selection().get_selected() can return "None" if no item is selected
(the list can be empty). Test if correct iterator was acquired.

Fixes:
  https://bugzilla.redhat.com/show_bug.cgi?id=1344842

Signed-off-by: vmojzis <vmojzis@redhat.com>
2016-10-21 12:58:41 -04:00
James Carter
58f892399b Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:46:42 -04:00
dcashman
d7cb38ff87 libsepol: cil: cil_strpool: Allow multiple strpool users.
cil_strpool currently provides an interface to a statically stored
global data structure.  This interface does not accomodate multiple
consumers, however, as two calls to cil_strpool_init() will lead to a
memory leak and a call to cil_strpool_destroy() by one consumer will
remove data from use by others, and subsequently lead to a segfault on
the next cil_strpool_destroy() invocation.

Add a reference counter so that the strpool is only initialized once and
protect the exported interface with a mutex.

Tested by calling cil_db_init() on two cil_dbs and then calling
cil_db_destroy() on each.

Signed-off-by: Daniel Cashman <dcashman@android.com>
2016-10-19 10:17:03 -04:00
James Carter
ff47e2d921 Updated libsepol ChangeLog.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:10:07 -04:00
James Carter
410634d650 libsepol/cil: Verify neither child nor parent in a bounds is an attribute
Nicolas Iooss found while fuzzing secilc with AFL that using an attribute
as a child in a typebounds statement will cause a segfault.

This happens because the child datum is assumed to be part of a cil_type
struct when it is really part of a cil_typeattribute struct. The check to
verify that it is a type and not an attribute comes after it is used.

This bug effects user and role bounds as well because they do not check
whether a datum refers to an attribute or not.

Add checks to verify that neither the child nor the parent datum refer
to an attribute before using them in user, role, and type bounds.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:08:15 -04:00
James Carter
0fcc430add libsepol/cil: Verify alias in aliasactual statement is really an alias
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(sensitivityaliasactual SENS SENS)" will cause a segfault.

The segfault occurs because when the aliasactual is resolved the first
identifier is assumed to refer to an alias structure, but it is not.

Add a check to verify that the datum retrieved is actually an alias
and exit with an error if it is not.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:08:09 -04:00
James Carter
166b260d75 libsepol/cil: Check that permission is not an empty list
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(class C (()))" will cause a segfault.

CIL expects a list of permissions in the class declaration and "(())"
is a valid list. Each item of the list is expected to be an identifier
and as the list is processed each item is checked to see if it is a
list. An error is given if it is a list, otherwise the item is assumed
to be an identifier. Unfortunately, the check only works if the list
is not empty. In this case, the item passes the check and is assumed
to be an identifier and a NULL is passed as the string for name
verification. If name verification assumes that a non-NULL value will
be passed in, a segfault will occur.

Add a check for an empty list when processing a permission list and
improve the error handling for permissions when building the AST.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:08:02 -04:00
James Carter
3aa292620c libsepol/cil: Check if identifier is NULL when verifying name
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(class C (()))" will cause a segfault.

When CIL checks the syntax of the class statement it sees "(())" as a
valid permission list, but since "()" is not an identifier a NULL is
passed as the string for name verification. A segfault occurs because
name verification assumes that the string being checked is non-NULL.

Check if identifier is NULL when verifying name.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:07:51 -04:00
James Carter
da51020d6f libsepol/cil: Use an empty list to represent an unknown permission
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(classpermissionset CPERM (CLASS (and unknow PERM)))" will cause a
segfault.

In order to support a policy module package using a permission that
does not exist on the system it is loaded on, CIL will only give a
warning when it fails to resolve an unknown permission. CIL itself will
just ignore the unknown permission. This means that an expression like
"(and UNKNOWN p1)" will look like "(and p1)" to CIL, but, since syntax
checking has already been done, CIL won't know that the expression is not
well-formed. When the expression is evaluated a segfault will occur
because all expressions are assumed to be well-formed at evaluation time.

Use an empty list to represent an unknown permission so that expressions
will continue to be well-formed and expression evaluation will work but
the unknown permission will still be ignored.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2016-10-19 10:07:43 -04:00