Hello community,

here is the log from the commit of package checkpolicy for openSUSE:Factory 
checked in at 2013-07-02 06:44:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/checkpolicy (Old)
 and      /work/SRC/openSUSE:Factory/.checkpolicy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "checkpolicy"

Changes:
--------
--- /work/SRC/openSUSE:Factory/checkpolicy/checkpolicy.changes  2013-03-08 
09:08:16.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.checkpolicy.new/checkpolicy.changes     
2013-07-02 06:44:41.000000000 +0200
@@ -1,0 +2,16 @@
+Thu Jun 27 14:29:19 UTC 2013 - [email protected]
+
+- change the source url to the official 2.1.12 release tarball
+
+-------------------------------------------------------------------
+Fri Mar 29 13:10:16 UTC 2013 - [email protected]
+
+- update to 2.1.12
+       * Fix errors found by coverity
+       * implement default type policy syntax
+       * Free allocated memory when clean up / exit.
+- changes in checkpolicy-rhat.patch:
+        * original hunk was merged upstream
+       * space should be allowed for file trans names
+
+-------------------------------------------------------------------

Old:
----
  checkpolicy-2.1.11.tar.gz

New:
----
  checkpolicy-2.1.12.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ checkpolicy.spec ++++++
--- /var/tmp/diff_new_pack.rjEEty/_old  2013-07-02 06:44:42.000000000 +0200
+++ /var/tmp/diff_new_pack.rjEEty/_new  2013-07-02 06:44:42.000000000 +0200
@@ -16,20 +16,20 @@
 #
 
 
-%define libsepol_ver 2.1.8
+%define libsepol_ver 2.1.9
 BuildRequires:  bison
 BuildRequires:  flex-old
 BuildRequires:  libselinux-devel
 BuildRequires:  libsepol-devel-static >= %{libsepol_ver}
 
 Name:           checkpolicy
-Version:        2.1.11
+Version:        2.1.12
 Release:        0
 Url:            http://userspace.selinuxproject.org/
 Summary:        SELinux policy compiler
 License:        GPL-2.0+
 Group:          Productivity/Security
-Source:         
http://userspace.selinuxproject.org/releases/20120216/%{name}-%{version}.tar.gz
+Source:         
http://userspace.selinuxproject.org/releases/20130423/%{name}-%{version}.tar.gz
 Patch0:         %{name}-rhat.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
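Review bot: The updated `Source:` line still points at a plain `http://` URL, and the visible part of the spec lists no detached signature or checksum for the tarball. As far as this hunk shows, nothing ties checkpolicy-2.1.12.tar.gz to what upstream published. If the upstream host serves releases over HTTPS or publishes a checksum or signature, referencing it here would make the source verifiable. The rest of the spec is outside the hunk, so such a check may already exist elsewhere.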

++++++ checkpolicy-2.1.11.tar.gz -> checkpolicy-2.1.12.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/checkpolicy-2.1.11/ChangeLog 
new/checkpolicy-2.1.12/ChangeLog
--- old/checkpolicy-2.1.11/ChangeLog    2012-09-14 19:41:22.000000000 +0200
+++ new/checkpolicy-2.1.12/ChangeLog    2013-02-06 02:43:22.000000000 +0100
@@ -1,3 +1,8 @@
+2.1.12 2013-02-01
+       * Fix errors found by coverity
+       * implement default type policy syntax
+       * Free allocated memory when clean up / exit.
+
 2.1.11 2012-09-13
        * fd leak reading policy
        * check return code on ebitmap_set_bit
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/checkpolicy-2.1.11/VERSION 
new/checkpolicy-2.1.12/VERSION
--- old/checkpolicy-2.1.11/VERSION      2012-09-14 19:41:22.000000000 +0200
+++ new/checkpolicy-2.1.12/VERSION      2013-02-06 02:43:22.000000000 +0100
@@ -1 +1 @@
-2.1.11
+2.1.12
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/checkpolicy-2.1.11/policy_define.c 
new/checkpolicy-2.1.12/policy_define.c
--- old/checkpolicy-2.1.11/policy_define.c      2012-09-14 19:41:22.000000000 
+0200
+++ new/checkpolicy-2.1.12/policy_define.c      2013-02-06 02:43:22.000000000 
+0100
@@ -415,6 +415,38 @@
        return 0;
 }
 
+int define_default_type(int which)
+{
+       char *id;
+       class_datum_t *cladatum;
+
+       if (pass == 1) {
+               while ((id = queue_remove(id_queue)))
+                       free(id);
+               return 0;
+       }
+
+       while ((id = queue_remove(id_queue))) {
+               if (!is_id_in_scope(SYM_CLASSES, id)) {
+                       yyerror2("class %s is not within scope", id);
+                       return -1;
+               }
+               cladatum = hashtab_search(policydbp->p_classes.table, id);
+               if (!cladatum) {
+                       yyerror2("unknown class %s", id);
+                       return -1;
+               }
+               if (cladatum->default_type && cladatum->default_type != which) {
+                       yyerror2("conflicting default type information for 
class %s", id);
+                       return -1;
+               }
+               cladatum->default_type = which;
+               free(id);
+       }
+
+       return 0;
+}
+
 int define_default_range(int which)
 {
        char *id;
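Review bot: All three `return -1` paths in the second loop of define_default_type exit without freeing `id`, which queue_remove() handed over and which the success path releases with `free(id)` at the bottom of the loop. Adding `free(id);` after each yyerror2() call (which still reads `id`) and before the `return -1;` closes the leak. Any names still queued at that point also stay in `id_queue`; whether that matters depends on how the parser tears down after an error, which is not visible here. The hunk ends inside define_default_range, whose body is outside the hunk and not reviewed.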
@@ -1497,12 +1529,12 @@
 
        while ((id = queue_remove(id_queue))) {
                if (set_types(&avrule->stypes, id, &add, 0))
-                       return -1;
+                       goto bad;
        }
        add = 1;
        while ((id = queue_remove(id_queue))) {
                if (set_types(&avrule->ttypes, id, &add, 0))
-                       return -1;
+                       goto bad;
        }
 
        ebitmap_init(&tclasses);
@@ -1531,7 +1563,7 @@
                        perm = malloc(sizeof(class_perm_node_t));
                        if (!perm) {
                                yyerror("out of memory");
-                               return -1;
+                               goto bad;
                        }
                        class_perm_node_init(perm);
                        perm->class = i + 1;
@@ -2050,10 +2082,12 @@
        new->s.value = 0;               /* temporary role */
        if (ebitmap_or(&new->dominates, &r1->dominates, &r2->dominates)) {
                yyerror("out of memory");
+               free(new);
                return NULL;
        }
        if (ebitmap_or(&new->types.types, &r1->types.types, &r2->types.types)) {
                yyerror("out of memory");
+               free(new);
                return NULL;
        }
        if (!r1->s.value) {
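Review bot: In the second `ebitmap_or` failure branch, `free(new)` releases only the role structure, while `new->dominates` was filled by the first, successful `ebitmap_or` just above, so its bitmap nodes are presumably still leaked. Calling `ebitmap_destroy(&new->dominates);` before `free(new);` would release them. The hunk at -2458 has the same shape: `free(ra)` after a failed `set_roles()` does not release whatever earlier loop iterations stored in `ra->roles` or `ra->new_roles`, and a destroy call for the rule (libsepol provides `role_allow_rule_destroy()`) should precede the free. The `range_trans_rule_destroy(rule); free(rule);` pair in the last policy_define.c hunk is the pattern to follow. The enclosing functions start and end outside both hunks.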
@@ -2458,13 +2492,17 @@
        role_allow_rule_init(ra);
 
        while ((id = queue_remove(id_queue))) {
-               if (set_roles(&ra->roles, id))
+               if (set_roles(&ra->roles, id)) {
+                       free(ra);
                        return -1;
+               }
        }
 
        while ((id = queue_remove(id_queue))) {
-               if (set_roles(&ra->new_roles, id))
+               if (set_roles(&ra->new_roles, id)) {
+                       free(ra);
                        return -1;
+               }
        }
 
        append_role_allow(ra);
@@ -2766,6 +2804,7 @@
                node = malloc(sizeof(struct constraint_node));
                if (!node) {
                        yyerror("out of memory");
+                       free(node);
                        return -1;
                }
                memset(node, 0, sizeof(constraint_node_t));
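Review bot: The added `free(node);` sits inside the `if (!node)` branch, so it is always `free(NULL)` and releases nothing. If the intent was to release memory on this out-of-memory path, the objects to free are whatever the function allocated before this `malloc`, none of which is visible in the hunk. Otherwise the line can simply be dropped so the error path does not suggest cleanup that is not happening. The enclosing function starts and ends outside the hunk.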
@@ -2777,6 +2816,7 @@
                }
                if (!node->expr) {
                        yyerror("out of memory");
+                       free(node);
                        return -1;
                }
                node->permissions = 0;
@@ -3068,13 +3108,11 @@
                ebitmap_destroy(&negset);
                return (uintptr_t) expr;
        default:
-               yyerror("invalid constraint expression");
-               constraint_expr_destroy(expr);
-               return 0;
+               break;
        }
 
        yyerror("invalid constraint expression");
-       free(expr);
+       constraint_expr_destroy(expr);
        return 0;
 }
 
@@ -3281,6 +3319,7 @@
                return expr;
        default:
                yyerror("illegal conditional expression");
+               free(expr);
                return NULL;
        }
 }
@@ -3582,6 +3621,12 @@
                return 0;
        }
 
+       /* check context c to make sure ok to dereference c later */
+       if (c == NULL) {
+               yyerror("null context pointer!");
+               return -1;
+       }
+
        context_init(c);
 
        /* extract the user */
@@ -4627,7 +4672,10 @@
                        goto out;
                }
 
-               ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
+               if (ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, 
TRUE)) {
+                       yyerror("out of memory");
+                       goto out;
+               }
        }
 
        id = (char *)queue_remove(id_queue);
@@ -4673,6 +4721,7 @@
 
 out:
        range_trans_rule_destroy(rule);
+       free(rule);
        return -1;
 }
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/checkpolicy-2.1.11/policy_define.h 
new/checkpolicy-2.1.12/policy_define.h
--- old/checkpolicy-2.1.11/policy_define.h      2012-09-14 19:41:22.000000000 
+0200
+++ new/checkpolicy-2.1.12/policy_define.h      2013-02-06 02:43:22.000000000 
+0100
@@ -26,6 +26,7 @@
 int define_class(void);
 int define_default_user(int which);
 int define_default_role(int which);
+int define_default_type(int which);
 int define_default_range(int which);
 int define_common_perms(void);
 int define_compute_type(int which);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/checkpolicy-2.1.11/policy_parse.y 
new/checkpolicy-2.1.12/policy_parse.y
--- old/checkpolicy-2.1.11/policy_parse.y       2012-09-14 19:41:22.000000000 
+0200
+++ new/checkpolicy-2.1.12/policy_parse.y       2013-02-06 02:43:22.000000000 
+0100
@@ -143,7 +143,7 @@
 %token POLICYCAP
 %token PERMISSIVE
 %token FILESYSTEM
-%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
 %token LOW_HIGH LOW HIGH
 
 %left OR
@@ -202,9 +202,11 @@
                        ;
 default_rules          : default_user_def
                        | default_role_def
+                       | default_type_def
                        | default_range_def
                        | default_rules default_user_def
                        | default_rules default_role_def
+                       | default_rules default_type_def
                        | default_rules default_range_def
                        ;
 default_user_def       : DEFAULT_USER names SOURCE ';'
@@ -217,6 +219,11 @@
                        | DEFAULT_ROLE names TARGET ';'
                        {if (define_default_role(DEFAULT_TARGET)) return -1; }
                        ;
+default_type_def       : DEFAULT_TYPE names SOURCE ';'
+                       {if (define_default_type(DEFAULT_SOURCE)) return -1; }
+                       | DEFAULT_TYPE names TARGET ';'
+                       {if (define_default_type(DEFAULT_TARGET)) return -1; }
+                       ;
 default_range_def      : DEFAULT_RANGE names SOURCE LOW ';'
                        {if (define_default_range(DEFAULT_SOURCE_LOW)) return 
-1; }
                        | DEFAULT_RANGE names SOURCE HIGH ';'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/checkpolicy-2.1.11/policy_scan.l 
new/checkpolicy-2.1.12/policy_scan.l
--- old/checkpolicy-2.1.11/policy_scan.l        2012-09-14 19:41:22.000000000 
+0200
+++ new/checkpolicy-2.1.12/policy_scan.l        2013-02-06 02:43:22.000000000 
+0100
@@ -229,6 +229,8 @@
 DEFAULT_USER                   { return(DEFAULT_USER); }
 default_role |
 DEFAULT_ROLE                   { return(DEFAULT_ROLE); }
+default_type |
+DEFAULT_TYPE                   { return(DEFAULT_TYPE); }
 default_range |
 DEFAULT_RANGE                  { return(DEFAULT_RANGE); }
 low-high |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/checkpolicy-2.1.11/test/dismod.c 
new/checkpolicy-2.1.12/test/dismod.c
--- old/checkpolicy-2.1.11/test/dismod.c        2012-09-14 19:41:22.000000000 
+0200
+++ new/checkpolicy-2.1.12/test/dismod.c        2013-02-06 02:43:22.000000000 
+0100
@@ -844,7 +844,10 @@
 
        /* read the binary policy */
        fprintf(out_fp, "Reading policy...\n");
-       policydb_init(&policydb);
+       if (policydb_init(&policydb)) {
+               fprintf(stderr, "%s:  Out of memory!\n", __FUNCTION__);
+               exit(1);
+       }
        if (read_policy(argv[1], &policydb)) {
                fprintf(stderr,
                        "%s:  error(s) encountered while loading policy\n",
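Review bot: The new error message uses `__FUNCTION__`, a GNU extension, and reports every non-zero return from policydb_init() as out of memory. `__func__` is the standard C99 spelling. If the neighbouring "error(s) encountered while loading policy" message prints the program name (its argument is outside the hunk), passing the same value here would keep the tool's diagnostics consistent, e.g. `fprintf(stderr, "%s:  policydb_init failed\n", argv[0]);`.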

++++++ checkpolicy-rhat.patch ++++++
--- /var/tmp/diff_new_pack.rjEEty/_old  2013-07-02 06:44:42.000000000 +0200
+++ /var/tmp/diff_new_pack.rjEEty/_new  2013-07-02 06:44:42.000000000 +0200
@@ -1,13 +1,11 @@
-diff --exclude-from=exclude -N -u -r nsacheckpolicy/module_compiler.c 
checkpolicy-2.0.18/module_compiler.c
---- nsacheckpolicy/module_compiler.c   2008-10-14 13:57:54.000000000 -0400
-+++ checkpolicy-2.0.18/module_compiler.c       2008-10-28 10:10:03.000000000 
-0400
-@@ -904,8 +904,7 @@
-                       return -1;
-               }
-       case -2:{
--                      yyerror("duplicate declaration of type/attribute");
--                      return -1;
-+                      return 0;
-               }
-       case -1:{
-                       yyerror("could not require type/attribute here");
+--- checkpolicy/policy_scan.l
++++ checkpolicy/policy_scan.l
+@@ -240,7 +240,7 @@ HIGH                               { return(HIGH); }
+ low |
+ LOW                           { return(LOW); }
+ "/"({alnum}|[_\.\-/])*                { return(PATH); }
+-\"({alnum}|[_\.\-\+\~])+\"    { return(FILENAME); }
++\"({alnum}|[_\.\-\+\~ ])+\"   { return(FILENAME); }
+ {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*       { return(IDENTIFIER); }
+ {alnum}*{letter}{alnum}*        { return(FILESYSTEM); }
+ {digit}+|0x{hexval}+            { return(NUMBER); }
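Review bot: The rewritten patch has no header explaining why the FILENAME rule differs from upstream. The new character class `[_\.\-\+\~ ]` accepts a space in any position, so a quoted name that begins or ends with spaces, or consists only of spaces, now lexes as FILENAME. If only interior spaces are meant to be allowed, that restriction belongs in the pattern. Either way, a short description at the top of the patch (purpose and upstream status) would let the next packager judge when it can be dropped, as happened with the module_compiler.c hunk removed here.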
