Hello community, here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2012-12-14 09:40:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsepol (Old) and /work/SRC/openSUSE:Factory/.libsepol.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsepol", Maintainer is "[email protected]"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes 2012-10-27 13:23:45.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libsepol.new/libsepol.changes 2012-12-14 09:40:24.000000000 +0100
@@ -1,0 +2,10 @@
+Mon Dec 10 17:34:14 UTC 2012 - [email protected]
+
+- Update to 2.1.8 version:
+ * fix neverallow checking on attributes
+ * Move context_copy() after switch block in ocontext_copy_*().
+ * check for missing initial SID labeling statement.
+ * Add always_check_network policy capability
+ * role_fix_callback skips out-of-scope roles during expansion.
+
+-------------------------------------------------------------------
Old:
----
libsepol-2.1.4.tar.gz
New:
----
libsepol-2.1.8.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libsepol.spec ++++++
--- /var/tmp/diff_new_pack.vtlUj9/_old 2012-12-14 09:40:26.000000000 +0100
+++ /var/tmp/diff_new_pack.vtlUj9/_new 2012-12-14 09:40:26.000000000 +0100
@@ -17,13 +17,13 @@
 Name: libsepol
-Version: 2.1.4
+Version: 2.1.8
 Release: 0
 Url: http://www.nsa.gov/selinux/
 Summary: SELinux binary policy manipulation library
 License: LGPL-2.1+
 Group: System/Libraries
-Source: http://userspace.selinuxproject.org/releases/20120216/%{name}-%{version}.tar.gz
+Source: http://userspace.selinuxproject.org/releases/20120924/%{name}-%{version}.tar.gz
 Source2: baselibs.conf
 Patch: libsepol-2.1.4-role_fix_callback.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
++++++ libsepol-2.1.4.tar.gz -> libsepol-2.1.8.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/Android.mk new/libsepol-2.1.8/Android.mk
--- old/libsepol-2.1.4/Android.mk 1970-01-01 01:00:00.000000000 +0100
+++ new/libsepol-2.1.8/Android.mk 2012-09-14 19:41:22.000000000 +0200
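Review bot: `Patch: libsepol-2.1.4-role_fix_callback.patch` is still carried as context in the spec hunk, while the 2.1.8 tarball's ChangeLog lists "role_fix_callback skips out-of-scope roles during expansion" and src/expand.c now contains the `is_id_enabled(id, state->base, SYM_ROLES)` guard in role_fix_callback, so the local patch appears to duplicate an upstream change. Check whether it still applies against 2.1.8; if it is the same change, drop the Patch line together with its %patch application, otherwise refresh and rename it for the new version. The %prep section that applies it is outside this hunk.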
@@ -0,0 +1,97 @@
+LOCAL_PATH:= $(call my-dir)
+
+common_src_files := \
+ src/assertion.c \
+ src/avrule_block.c \
+ src/avtab.c \
+ src/boolean_record.c \
+ src/booleans.c \
+ src/conditional.c \
+ src/constraint.c \
+ src/context.c \
+ src/context_record.c \
+ src/debug.c \
+ src/ebitmap.c \
+ src/expand.c \
+ src/genbools.c \
+ src/genusers.c \
+ src/handle.c \
+ src/hashtab.c \
+ src/hierarchy.c \
+ src/iface_record.c \
+ src/interfaces.c \
+ src/link.c \
+ src/mls.c \
+ src/module.c \
+ src/node_record.c \
+ src/nodes.c \
+ src/polcaps.c \
+ src/policydb.c \
+ src/policydb_convert.c \
+ src/policydb_public.c \
+ src/port_record.c \
+ src/ports.c \
+ src/roles.c \
+ src/services.c \
+ src/sidtab.c \
+ src/symtab.c \
+ src/user_record.c \
+ src/users.c \
+ src/util.c \
+ src/write.c
+
+common_cflags := \
+ -Wall -W -Wundef \
+ -Wshadow -Wmissing-noreturn \
+ -Wmissing-format-attribute
+
+ifeq ($(HOST_OS), darwin)
+common_cflags += -DDARWIN
+endif
+
+common_includes := \
+ $(LOCAL_PATH)/include/ \
+ $(LOCAL_PATH)/src/
+
+##
+# libsepol.so
+#
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := libsepol
+LOCAL_MODULE_TAGS := optional
+LOCAL_C_INCLUDES := $(common_includes)
+LOCAL_CFLAGS := $(common_cflags)
+LOCAL_SRC_FILES := $(common_src_files)
+LOCAL_MODULE_CLASS := SHARED_LIBRARIES
+
+include $(BUILD_HOST_SHARED_LIBRARY)
+
+##
+# libsepol.a
+#
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := libsepol
+LOCAL_MODULE_TAGS := optional
+LOCAL_C_INCLUDES := $(common_includes)
+LOCAL_CFLAGS := $(common_cflags)
+LOCAL_SRC_FILES := $(common_src_files)
+LOCAL_MODULE_CLASS := STATIC_LIBRARIES
+
+include $(BUILD_HOST_STATIC_LIBRARY)
+
+##
+# chkcon
+#
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := chkcon
+LOCAL_MODULE_TAGS := optional
+LOCAL_C_INCLUDES := $(common_includes)
+LOCAL_CFLAGS := $(common_cflags)
+LOCAL_SRC_FILES := utils/chkcon.c
+LOCAL_SHARED_LIBRARIES := libsepol
+LOCAL_MODULE_CLASS := EXECUTABLES
+
+include $(BUILD_HOST_EXECUTABLE)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/ChangeLog new/libsepol-2.1.8/ChangeLog
--- old/libsepol-2.1.4/ChangeLog 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/ChangeLog 2012-09-14 19:41:22.000000000 +0200
@@ -1,3 +1,22 @@
+2.1.8 2011-09-13
+ * fix neverallow checking on attributes
+ * Move context_copy() after switch block in ocontext_copy_*().
+ * check for missing initial SID labeling statement.
+ * Add always_check_network policy capability
+ * role_fix_callback skips out-of-scope roles during expansion.
+
+2.1.7 2011-06-28
+ * reserve policycapability for redhat testing of ptrace child
+ * cosmetic changes to make the source easier to read
+ * prepend instead of append to filename_trans list
+ * Android/MacOS X build support
+
+2.1.6 2011-04-23
+ * allocate enough space to hold filename in trans rules
+
+2.1.5 2011-03-28
+ * checkpolicy: implement new default labeling behaviors
+
 2.1.4 2011-10-03
 * regenerate .pc on VERSION change
 * Move ebitmap_* functions from mcstrans to libsepol
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/VERSION new/libsepol-2.1.8/VERSION
--- old/libsepol-2.1.4/VERSION 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/VERSION 2012-09-14 19:41:22.000000000 +0200
@@ -1 +1 @@
-2.1.4
+2.1.8
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/include/sepol/policydb/polcaps.h new/libsepol-2.1.8/include/sepol/policydb/polcaps.h
--- old/libsepol-2.1.4/include/sepol/policydb/polcaps.h 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/include/sepol/policydb/polcaps.h 2012-09-14 19:41:22.000000000 +0200
@@ -5,6 +5,8 @@
 enum {
 POLICYDB_CAPABILITY_NETPEER,
 POLICYDB_CAPABILITY_OPENPERM,
+ POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */
+ POLICYDB_CAPABILITY_ALWAYSNETWORK,
 __POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/include/sepol/policydb/policydb.h new/libsepol-2.1.8/include/sepol/policydb/policydb.h
--- old/libsepol-2.1.4/include/sepol/policydb/policydb.h 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/include/sepol/policydb/policydb.h 2012-09-14 19:41:22.000000000 +0200
@@ -111,6 +111,19 @@
 symtab_t permissions; /* class-specific permission symbol table */
 constraint_node_t *constraints; /* constraints on class permissions */
 constraint_node_t *validatetrans; /* special transition rules */
+/* Options how a new object user and role should be decided */
+#define DEFAULT_SOURCE 1
+#define DEFAULT_TARGET 2
+ char default_user;
+ char default_role;
+/* Options how a new object range should be decided */
+#define DEFAULT_SOURCE_LOW 1
+#define DEFAULT_SOURCE_HIGH 2
+#define DEFAULT_SOURCE_LOW_HIGH 3
+#define DEFAULT_TARGET_LOW 4
+#define DEFAULT_TARGET_HIGH 5
+#define DEFAULT_TARGET_LOW_HIGH 6
+ char default_range;
 } class_datum_t;
 
 /* Role attributes */
@@ -667,10 +680,11 @@
 #define POLICYDB_VERSION_BOUNDARY 24
 #define POLICYDB_VERSION_FILENAME_TRANS 25
 #define POLICYDB_VERSION_ROLETRANS 26
+#define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27
 
 /* Range of policy versions we understand*/
 #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_ROLETRANS
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NEW_OBJECT_DEFAULTS
 
 /* Module versions and specific changes*/
 #define MOD_POLICYDB_VERSION_BASE 4
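Review bot: The new `DEFAULT_*` constants in the policydb.h `@@ -111` hunk are `#define`s placed inside the body of `class_datum_t`, while the fields they describe are `char` and the policydb.c/write.c hunks serialize them as `uint32_t`. A file-scope `enum { DEFAULT_SOURCE = 1, DEFAULT_TARGET = 2 };` (and one for the range values) would keep the valid set visible to readers and debuggers and document that 0 means "unset", which the `if (olddatum->default_user)` tests in expand.c and link.c rely on. `DEFAULT_SOURCE` and `DEFAULT_SOURCE_LOW` both equal 1 but belong to different fields; a one-line comment that the two sets are not interchangeable would avoid confusion.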
@@ -686,9 +700,10 @@
 #define MOD_POLICYDB_VERSION_ROLETRANS 12
 #define MOD_POLICYDB_VERSION_ROLEATTRIB 13
 #define MOD_POLICYDB_VERSION_TUNABLE_SEP 14
+#define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 15
 
 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE
-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_TUNABLE_SEP
+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS
 
 #define POLICYDB_CONFIG_MLS 1
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/src/expand.c new/libsepol-2.1.8/src/expand.c
--- old/libsepol-2.1.4/src/expand.c 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/src/expand.c 2012-09-14 19:41:22.000000000 +0200
@@ -358,6 +358,35 @@
 return -1;
 }
 
+static int class_copy_default_new_object(expand_state_t *state,
+ class_datum_t *olddatum,
+ class_datum_t *newdatum)
+{
+ if (olddatum->default_user) {
+ if (newdatum->default_user && olddatum->default_user != newdatum->default_user) {
+ ERR(state->handle, "Found conflicting default user definitions");
+ return SEPOL_ENOTSUP;
+ }
+ newdatum->default_user = olddatum->default_user;
+
+ }
+ if (olddatum->default_role) {
+ if (newdatum->default_role && olddatum->default_role != newdatum->default_role) {
+ ERR(state->handle, "Found conflicting default role definitions");
+ return SEPOL_ENOTSUP;
+ }
+ newdatum->default_role = olddatum->default_role;
+ }
+ if (olddatum->default_range) {
+ if (newdatum->default_range && olddatum->default_range != newdatum->default_range) {
+ ERR(state->handle, "Found conflicting default range definitions");
+ return SEPOL_ENOTSUP;
+ }
+ newdatum->default_range = olddatum->default_range;
+ }
+ return 0;
+}
+
 static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 void *data)
 {
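Review bot: `class_copy_default_new_object` in the expand.c `@@ -358` hunk is duplicated verbatim in src/link.c's `@@ -205,6 +205,34 @@` hunk, differing only in the `expand_state_t *` versus `link_state_t *` parameter, and the state is used solely to reach `state->handle` for `ERR()`. A single shared helper taking the handle directly would keep the three conflict rules from drifting between link and expand; the state argument carries nothing else the function needs. The expand.c copy also has a stray blank line before the closing brace of the `default_user` branch that the link.c copy does not, which is the kind of drift a shared helper avoids.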
@@ -393,6 +422,12 @@
 new_class->s.value = class->s.value;
 state->out->p_classes.nprim++;
 
+ ret = class_copy_default_new_object(state, class, new_class);
+ if (ret) {
+ free(new_class);
+ return ret;
+ }
+
 new_id = strdup(id);
 if (!new_id) {
 ERR(state->handle, "Out of memory!");
@@ -688,6 +723,11 @@
 return 0;
 }
 
+ if (!is_id_enabled(id, state->base, SYM_ROLES)) {
+ /* identifier's scope is not enabled */
+ return 0;
+ }
+
 if (role->flavor != ROLE_ATTRIB)
 return 0;
 
@@ -1317,16 +1357,11 @@
 static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules)
 {
 unsigned int i, j;
- filename_trans_t *new_trans, *tail, *cur_trans;
+ filename_trans_t *new_trans, *cur_trans;
 filename_trans_rule_t *cur_rule;
 ebitmap_t stypes, ttypes;
 ebitmap_node_t *snode, *tnode;
 
- /* start at the end of the list */
- tail = state->out->filename_trans;
- while (tail && tail->next)
- tail = tail->next;
-
 cur_rule = rules;
 while (cur_rule) {
 uint32_t mapped_otype;
@@ -1387,11 +1422,8 @@
 return -1;
 }
 memset(new_trans, 0, sizeof(*new_trans));
- if (tail)
- tail->next = new_trans;
- else
- state->out->filename_trans = new_trans;
- tail = new_trans;
+ new_trans->next = state->out->filename_trans;
+ state->out->filename_trans = new_trans;
 
 new_trans->name = strdup(cur_rule->name);
 if (!new_trans->name) {
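Review bot: In the `@@ -393` hunk `state->out->p_classes.nprim++` has already executed when `class_copy_default_new_object` fails, so `new_class` is freed but the class count stays one higher than the classes actually inserted; this mirrors the existing `strdup` failure path just below it and is harmless only if every caller discards `state->out` on error. Moving the new call above the increment, or adding `state->out->p_classes.nprim--;` beside `free(new_class);`, keeps the count consistent without changing the callback's contract. `class_copy_callback` begins and ends outside this hunk.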
@@ -1791,58 +1823,36 @@
 continue;
 if (source_rule->flags & RULE_SELF) {
 if (source_rule->specified & AVRULE_AV) {
- if ((retval =
- expand_avrule_helper(handle,
- source_rule->
- specified, cond, i, i,
- source_rule->perms,
- dest_avtab,
- enabled)) !=
- EXPAND_RULE_SUCCESS) {
+ retval = expand_avrule_helper(handle, source_rule->specified,
+ cond, i, i, source_rule->perms,
+ dest_avtab, enabled);
+ if (retval != EXPAND_RULE_SUCCESS)
 return retval;
- }
 } else {
- if ((retval =
- expand_terule_helper(handle, p,
- typemap,
- source_rule->
- specified, cond,
- other, i, i,
- source_rule->perms,
- dest_avtab,
- enabled)) !=
- EXPAND_RULE_SUCCESS) {
+ retval = expand_terule_helper(handle, p, typemap,
+ source_rule->specified, cond,
+ other, i, i, source_rule->perms,
+ dest_avtab, enabled);
+ if (retval != EXPAND_RULE_SUCCESS)
 return retval;
- }
 }
 }
 ebitmap_for_each_bit(ttypes, tnode, j) {
 if (!ebitmap_node_get_bit(tnode, j))
 continue;
 if (source_rule->specified & AVRULE_AV) {
- if ((retval =
- expand_avrule_helper(handle,
- source_rule->
- specified, cond, i, j,
- source_rule->perms,
- dest_avtab,
- enabled)) !=
- EXPAND_RULE_SUCCESS) {
+ retval = expand_avrule_helper(handle, source_rule->specified,
+ cond, i, j, source_rule->perms,
+ dest_avtab, enabled);
+ if (retval != EXPAND_RULE_SUCCESS)
 return retval;
- }
 } else {
- if ((retval =
- expand_terule_helper(handle, p,
- typemap,
- source_rule->
- specified, cond,
- other, i, j,
- source_rule->perms,
- dest_avtab,
- enabled)) !=
- EXPAND_RULE_SUCCESS) {
+ retval = expand_terule_helper(handle, p, typemap,
+ source_rule->specified, cond,
+ other, i, j, source_rule->perms,
+ dest_avtab, enabled);
+ if (retval != EXPAND_RULE_SUCCESS)
 return retval;
- }
 }
 }
 }
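Review bot: The rewritten error checks drop the braces the old code had around each single-statement body, leaving `if (retval != EXPAND_RULE_SUCCESS)` followed by an unbraced `return retval;` in all four places in this hunk. Keeping `if (retval != EXPAND_RULE_SUCCESS) { return retval; }` costs nothing and prevents a later edit from silently attaching a second statement outside the condition, which is the classic braceless-if trap in C. The enclosing function begins and ends outside the hunk.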
@@ -2027,13 +2037,14 @@
 else
 state->out->ocontexts[i] = n;
 l = n;
- if (context_copy(&n->context[0], &c->context[0],
- state)) {
- ERR(state->handle, "Out of memory!");
- return -1;
- }
 switch (i) {
 case OCON_XEN_ISID:
+ if (c->context[0].user == 0) {
+ ERR(state->handle,
+ "Missing context for %s initial sid",
+ c->u.name);
+ return -1;
+ }
 n->sid[0] = c->sid[0];
 break;
 case OCON_XEN_PIRQ:
@@ -2056,6 +2067,11 @@
 ERR(state->handle, "Unknown ocontext");
 return -1;
 }
+ if (context_copy(&n->context[0], &c->context[0],
+ state)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
 }
 }
 return 0;
@@ -2080,12 +2096,14 @@
 else
 state->out->ocontexts[i] = n;
 l = n;
- if (context_copy(&n->context[0], &c->context[0], state)) {
- ERR(state->handle, "Out of memory!");
- return -1;
- }
 switch (i) {
 case OCON_ISID:
+ if (c->context[0].user == 0) {
+ ERR(state->handle,
+ "Missing context for %s initial sid",
+ c->u.name);
+ return -1;
+ }
 n->sid[0] = c->sid[0];
 break;
 case OCON_FS: /* FALLTHROUGH */
@@ -2129,6 +2147,10 @@
 ERR(state->handle, "Unknown ocontext");
 return -1;
 }
+ if (context_copy(&n->context[0], &c->context[0], state)) {
+ ERR(state->handle, "Out of memory!");
+ return -1;
+ }
 }
 }
 return 0;
@@ -3101,12 +3123,12 @@
 newkey.target_class = k->target_class;
 newkey.specified = k->specified;
 
- if (stype && ttype) {
+ if (stype->flavor != TYPE_ATTRIB && ttype->flavor != TYPE_ATTRIB) {
 /* Both are individual types, no expansion required. */
 return expand_avtab_insert(expa, k, d);
 }
 
- if (stype) {
+ if (stype->flavor != TYPE_ATTRIB) {
 /* Source is an individual type, target is an attribute. */
 newkey.source_type = k->source_type;
 ebitmap_for_each_bit(tattr, tnode, j) {
@@ -3120,7 +3142,7 @@
 return 0;
 }
 
- if (ttype) {
+ if (ttype->flavor != TYPE_ATTRIB) {
 /* Target is an individual type, source is an attribute. */
 newkey.target_type = k->target_type;
 ebitmap_for_each_bit(sattr, snode, i) {
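Review bot: In the `@@ -2027` and `@@ -2080` hunks the `c->context[0].user == 0` check lives only in the `OCON_XEN_ISID` and `OCON_ISID` arms, so every other ocontext kind whose context was never filled in still reaches the `context_copy()` that now follows the switch and is copied as an empty context. If the other kinds cannot legitimately arrive here without a context (their parsers are outside this diff), a one-line comment on the ISID arm such as `/* initial SIDs may be declared without a labeling statement; reject that here */` would record why only this arm checks. Both enclosing ocontext copy functions begin outside their hunks.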
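Review bot: `if (stype->flavor != TYPE_ATTRIB && ttype->flavor != TYPE_ATTRIB)` in the `@@ -3101` hunk dereferences both pointers unconditionally, whereas the line it replaces tested `stype && ttype`, i.e. it treated NULL as the attribute case; if the lookups these two pointers come from (outside the hunk) can still yield NULL for any type value, the new test is a NULL dereference rather than an attribute expansion. The same replacement is made in the `@@ -3120` hunk and in the `@@ -3231` and `@@ -3250` hunks on the next line. Either add `if (!stype || !ttype) return -1;` ahead of the first test, or state the invariant in a comment, e.g. `/* every type value, attribute or not, has a datum here */`.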
@@ -3231,12 +3253,12 @@
 newkey.target_class = k->target_class;
 newkey.specified = k->specified;
 
- if (stype && ttype) {
+ if (stype->flavor != TYPE_ATTRIB && ttype->flavor != TYPE_ATTRIB) {
 /* Both are individual types, no expansion required. */
 return expand_cond_insert(newl, expa, k, d);
 }
 
- if (stype) {
+ if (stype->flavor != TYPE_ATTRIB) {
 /* Source is an individual type, target is an attribute. */
 newkey.source_type = k->source_type;
 ebitmap_for_each_bit(tattr, tnode, j) {
@@ -3250,7 +3272,7 @@
 return 0;
 }
 
- if (ttype) {
+ if (ttype->flavor != TYPE_ATTRIB) {
 /* Target is an individual type, source is an attribute. */
 newkey.target_type = k->target_type;
 ebitmap_for_each_bit(sattr, snode, i) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/src/genbools.c new/libsepol-2.1.8/src/genbools.c
--- old/libsepol-2.1.4/src/genbools.c 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/src/genbools.c 2012-09-14 19:41:22.000000000 +0200
@@ -79,7 +79,16 @@
 if (boolf == NULL)
 goto localbool;
 
+#ifdef DARWIN
+ if ((buffer = (char *)malloc(255 * sizeof(char))) == NULL) {
+ ERR(NULL, "out of memory");
+ return -1;
+ }
+
+ while(fgets(buffer, 255, boolf) != NULL) {
+#else
 while (getline(&buffer, &size, boolf) > 0) {
+#endif
 int ret = process_boolean(buffer, name, sizeof(name), &val);
 if (ret == -1)
 errors++;
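Review bot: On DARWIN the `goto localbool;` at the top of the genbools.c `@@ -79` hunk bypasses the `malloc(255 * sizeof(char))` that now initialises `buffer`, yet the `.local` loop in the `@@ -101` hunk on the next line calls `fgets(buffer, 255, boolf)` on that same pointer; if `buffer` starts out NULL, as the `getline` branch requires (its declaration is outside the hunk), a missing main booleans file plus a present `.local` file turns into a write through NULL. Allocating once before the first `fopen`, or just after the `localbool:` label, closes that path. Separately, a fixed 255-byte `fgets` returns a long line in pieces, each of which is handed to `process_boolean` as if it were a line of its own, whereas `getline` always returns the whole line; either treat a returned chunk without a trailing `'\n'` as an error or grow the buffer. The cast in `(char *)malloc(255 * sizeof(char))` and the repeated literal 255 would also read better as `malloc(BUF_LEN)` with one named constant shared by both `fgets` calls.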
@@ -101,7 +110,14 @@
 snprintf(localbools, sizeof(localbools), "%s.local", path);
 boolf = fopen(localbools, "r");
 if (boolf != NULL) {
- while (getline(&buffer, &size, boolf) > 0) {
+
+#ifdef DARWIN
+
+ while(fgets(buffer, 255, boolf) != NULL) {
+#else
+
+ while (getline(&buffer, &size, boolf) > 0) {
+#endif
 int ret = process_boolean(buffer, name, sizeof(name), &val);
 if (ret == -1)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/src/genusers.c new/libsepol-2.1.8/src/genusers.c
--- old/libsepol-2.1.4/src/genusers.c 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/src/genusers.c 2012-09-14 19:41:22.000000000 +0200
@@ -1,11 +1,16 @@
 #include <stdio.h>
-#include <stdio_ext.h>
+
 #include <stdlib.h>
 #include <ctype.h>
 #include <errno.h>
 #include <limits.h>
 #include <sepol/policydb/policydb.h>
 
+
+#ifndef DARWIN
+#include <stdio_ext.h>
+#endif
+
 #include <stdarg.h>
 
 #include "debug.h"
@@ -41,9 +46,19 @@
 fp = fopen(path, "r");
 if (fp == NULL)
 return -1;
- __fsetlocking(fp, FSETLOCKING_BYCAL LER);
+#ifdef DARWIN
+ if ((buffer = (char *)malloc(255 * sizeof(char))) == NULL) {
+ ERR(NULL, "out of memory");
+ return -1;
+ }
+
+ while(fgets(buffer, 255, fp) != NULL) {
+#else
+ __fsetlocking(fp, FSETLOCKING_BYCALLER);
 while ((nread = getline(&buffer, &len, fp)) > 0) {
+#endif
+
 lineno++;
 if (buffer[nread - 1] == '\n')
 buffer[nread - 1] = 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/src/link.c new/libsepol-2.1.8/src/link.c
--- old/libsepol-2.1.4/src/link.c 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/src/link.c 2012-09-14 19:41:22.000000000 +0200
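Review bot: In the genusers.c `@@ -41` hunk the DARWIN branch never assigns `nread`: it is only set by `getline` in the `#else` branch, but `if (buffer[nread - 1] == '\n')` after the `#endif` runs on both platforms, so on DARWIN it indexes with whatever `nread` held before (declared outside the hunk) and reads `buffer[-1]` if that is 0. Add `nread = strlen(buffer);` as the first statement of the DARWIN `while` body, before the `#endif`, and guard the newline strip with `nread > 0` so an empty read cannot index before the buffer. As in genbools.c, a fixed 255-byte `fgets` also splits a long line into several iterations, each of which bumps `lineno` and is parsed as a separate user line, which `getline` never does.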
@@ -205,6 +205,34 @@
 return ret;
 }
 
+static int class_copy_default_new_object(link_state_t *state,
+ class_datum_t *olddatum,
+ class_datum_t *newdatum)
+{
+ if (olddatum->default_user) {
+ if (newdatum->default_user && olddatum->default_user != newdatum->default_user) {
+ ERR(state->handle, "Found conflicting default user definitions");
+ return SEPOL_ENOTSUP;
+ }
+ newdatum->default_user = olddatum->default_user;
+ }
+ if (olddatum->default_role) {
+ if (newdatum->default_role && olddatum->default_role != newdatum->default_role) {
+ ERR(state->handle, "Found conflicting default role definitions");
+ return SEPOL_ENOTSUP;
+ }
+ newdatum->default_role = olddatum->default_role;
+ }
+ if (olddatum->default_range) {
+ if (newdatum->default_range && olddatum->default_range != newdatum->default_range) {
+ ERR(state->handle, "Found conflicting default range definitions");
+ return SEPOL_ENOTSUP;
+ }
+ newdatum->default_range = olddatum->default_range;
+ }
+ return 0;
+}
+
 static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 void *data)
 {
@@ -287,6 +315,11 @@
 state->dest_class = new_class;
 state->dest_class_name = (char *)key;
 
+ /* copy default new object rules */
+ ret = class_copy_default_new_object(state, cladatum, new_class);
+ if (ret)
+ return ret;
+
 ret = hashtab_map(cladatum->permissions.table, permission_copy_callback, state);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/src/node_record.c new/libsepol-2.1.8/src/node_record.c
--- old/libsepol-2.1.4/src/node_record.c 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/src/node_record.c 2012-09-14 19:41:22.000000000 +0200
@@ -70,7 +70,11 @@
 return STATUS_ERR;
 }
 
+#ifdef DARWIN
+ memcpy(addr_bytes, in_addr.s6_addr, 16);
+#else
 memcpy(addr_bytes, in_addr.s6_addr32, 16);
+#endif
 break;
 }
 default:
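Review bot: The `#ifdef DARWIN` split in the node_record.c `@@ -70` hunk is unnecessary: `s6_addr` is the member of `struct in6_addr` that POSIX defines, so `memcpy(addr_bytes, in_addr.s6_addr, 16);` works on glibc and Darwin alike, while `s6_addr32` is a glibc/Linux extension. Using the portable member unconditionally removes the `#ifdef`/`#else`/`#endif` here and in the `@@ -158` hunk on the next line, and `sizeof in_addr.s6_addr` would replace the literal 16 with the array's own size.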
@@ -158,8 +162,11 @@
 {
 struct in6_addr addr;
 memset(&addr, 0, sizeof(struct in6_addr));
+#ifdef DARWIN
+ memcpy(&addr.s6_addr[0], addr_bytes, 16);
+#else
 memcpy(&addr.s6_addr32[0], addr_bytes, 16);
-
+#endif
 if (inet_ntop(AF_INET6, &addr, addr_str, INET6_ADDRSTRLEN) == NULL) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/src/polcaps.c new/libsepol-2.1.8/src/polcaps.c
--- old/libsepol-2.1.4/src/polcaps.c 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/src/polcaps.c 2012-09-14 19:41:22.000000000 +0200
@@ -8,6 +8,8 @@
 static const char *polcap_names[] = {
 "network_peer_controls", /* POLICYDB_CAPABILITY_NETPEER */
 "open_perms", /* POLICYDB_CAPABILITY_OPENPERM */
+ "redhat1", /* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */
+ "always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */
 NULL
 };
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/src/policydb.c new/libsepol-2.1.8/src/policydb.c
--- old/libsepol-2.1.4/src/policydb.c 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/src/policydb.c 2012-09-14 19:41:22.000000000 +0200
@@ -151,6 +151,13 @@
 .target_platform = SEPOL_TARGET_SELINUX,
 },
 {
+ .type = POLICY_KERN,
+ .version = POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
 .type = POLICY_BASE,
 .version = MOD_POLICYDB_VERSION_BASE,
 .sym_num = SYM_NUM,
@@ -228,6 +235,13 @@
 .target_platform = SEPOL_TARGET_SELINUX,
 },
 {
+ .type = POLICY_BASE,
+ .version = MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
+ .sym_num = SYM_NUM,
+ .ocon_num = OCON_NODE6 + 1,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
+ {
 .type = POLICY_MOD,
 .version = MOD_POLICYDB_VERSION_BASE,
 .sym_num = SYM_NUM,
@@ -304,6 +318,13 @@
 .ocon_num = 0,
 .target_platform = SEPOL_TARGET_SELINUX,
 },
+ {
+ .type = POLICY_MOD,
+ .version = MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS,
+ .sym_num = SYM_NUM,
+ .ocon_num = 0,
+ .target_platform = SEPOL_TARGET_SELINUX,
+ },
 };
 
 #if 0
@@ -2064,6 +2085,18 @@
 goto bad;
 }
 
+ if ((p->policy_type == POLICY_KERN &&
+ p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) ||
+ (p->policy_type == POLICY_BASE &&
+ p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
+ rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
+ if (rc < 0)
+ goto bad;
+ cladatum->default_user = le32_to_cpu(buf[0]);
+ cladatum->default_role = le32_to_cpu(buf[1]);
+ cladatum->default_range = le32_to_cpu(buf[2]);
+ }
+
 if (hashtab_insert(h, key, cladatum))
 goto bad;
 
@@ -2347,7 +2380,7 @@
 return -1;
 len = le32_to_cpu(buf[0]);
 
- name = calloc(len, sizeof(*name));
+ name = calloc(len + 1, sizeof(*name));
 if (!name)
 return -1;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/src/private.h new/libsepol-2.1.8/src/private.h
--- old/libsepol-2.1.4/src/private.h 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/src/private.h 2012-09-14 19:41:22.000000000 +0200
@@ -4,11 +4,23 @@
 #include <sepol/policydb/policydb.h>
 
 
+
+#ifdef DARWIN
+#include <sys/types.h>
+#include <machine/endian.h>
+#else
 #include <byteswap.h>
 #include <endian.h>
+#endif
+
 #include <errno.h>
 #include <dso.h>
 
+#ifdef DARWIN
+#define __BYTE_ORDER BYTE_ORDER
+#define __LITTLE_ENDIAN LITTLE_ENDIAN
+#endif
+
 #if __BYTE_ORDER == __LITTLE_ENDIAN
 #define cpu_to_le16(x) (x)
 #define le16_to_cpu(x) (x)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/src/write.c new/libsepol-2.1.8/src/write.c
--- old/libsepol-2.1.4/src/write.c 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/src/write.c 2012-09-14 19:41:22.000000000 +0200
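Review bot: The three values read in the policydb.c `@@ -2064` hunk go straight from `le32_to_cpu(buf[...])` into the `char` fields `default_user`, `default_role` and `default_range` with no range check, so any 32-bit value in the policy file is silently truncated and then accepted; the encodings defined in policydb.h are 1–2 for user and role, 1–6 for range, with 0 meaning unset. A binary policy is external input to this reader, so validate before storing, e.g. `if (le32_to_cpu(buf[0]) > DEFAULT_TARGET || le32_to_cpu(buf[1]) > DEFAULT_TARGET || le32_to_cpu(buf[2]) > DEFAULT_TARGET_LOW_HIGH) goto bad;`. The enclosing class-read function, and the `buf` array that must hold at least three `uint32_t` for `buf[2]`, are outside the hunk.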
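Review bot: `calloc(len + 1, sizeof(*name))` in the `@@ -2347` hunk supplies the terminator the old call lacked, but `len` comes straight from the file via `le32_to_cpu(buf[0])`; if it is a 32-bit unsigned (its declaration is outside the hunk), `len + 1` wraps to 0 for `0xffffffff`, `calloc(0, 1)` may return a non-NULL pointer, and the following read of `len` bytes into it (also outside the hunk) would overrun. Reject implausible lengths before allocating, e.g. `if (len == 0 || len == UINT32_MAX) return -1;` or, better, a tighter project-chosen bound on filename length.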
@@ -976,6 +976,18 @@
 return POLICYDB_ERROR;
 }
 
+ if ((p->policy_type == POLICY_KERN &&
+ p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) ||
+ (p->policy_type == POLICY_BASE &&
+ p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) {
+ buf[0] = cpu_to_le32(cladatum->default_user);
+ buf[1] = cpu_to_le32(cladatum->default_role);
+ buf[2] = cpu_to_le32(cladatum->default_range);
+ items = put_entry(buf, sizeof(uint32_t), 3, fp);
+ if (items != 3)
+ return POLICYDB_ERROR;
+ }
+
 return POLICYDB_SUCCESS;
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.1.4/utils/chkcon.c new/libsepol-2.1.8/utils/chkcon.c
--- old/libsepol-2.1.4/utils/chkcon.c 2011-12-21 18:46:04.000000000 +0100
+++ new/libsepol-2.1.8/utils/chkcon.c 2012-09-14 19:41:22.000000000 +0200
@@ -6,6 +6,8 @@
 #include <string.h>
 #include <errno.h>
 
+void usage(char*) __attribute__((noreturn));
+
 void usage(char *progname)
 {
 printf("usage: %s policy context\n", progname);
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
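Review bot: The write.c `@@ -976` hunk indexes `buf[2]`, which requires the local `buf` array (declared outside the hunk) to hold at least three `uint32_t`; the read side in policydb.c uses the same `sizeof(uint32_t) * 3`, so the format is symmetric, but the array bound should be confirmed since nothing in the hunk establishes it. A short comment tying the two sides together, e.g. `/* must match the three-word read in the policydb.c class reader */`, would help the next person who changes the on-disk layout.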
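Review bot: `void usage(char*) __attribute__((noreturn));` in the chkcon.c hunk drops the parameter name and the `char *` spacing used by the definition two lines below; `void usage(char *progname) __attribute__((noreturn));` matches the definition and the file's style. Only the first line of `usage` is visible here, so confirm it really never returns: `noreturn` is a promise the compiler optimises on, and a `usage` that falls off the end after printing would be undefined behaviour rather than a warning.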
