Hello community,

here is the log from the commit of package libsepol for openSUSE:Factory 
checked in at 2014-05-22 20:38:35
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
 and      /work/SRC/openSUSE:Factory/.libsepol.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libsepol"

Changes:
--------
--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes        2013-11-07 
14:44:55.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.libsepol.new/libsepol.changes   2014-05-22 
20:38:57.000000000 +0200
@@ -1,0 +2,11 @@
+Fri May 16 13:06:12 UTC 2014 - [email protected]
+
+- update to 2.3
+  * Improve error message for name-based transition conflicts.
+  * Revert libsepol: filename_trans: use some better sorting to compare and 
merge.
+  * Report source file and line information for neverallow failures.
+  * Fix valgrind errors in constraint_expr_eval_reason from Richard Haines.
+  * Add sepol_validate_transition_reason_buffer function from Richard Haines.
+- dropped libsepol-2.1.4-role_fix_callback.patch (upstream)
+
+-------------------------------------------------------------------

Old:
----
  libsepol-2.1.4-role_fix_callback.patch
  libsepol-2.2.tar.gz

New:
----
  libsepol-2.3.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libsepol.spec ++++++
--- /var/tmp/diff_new_pack.g9Kg9n/_old  2014-05-22 20:38:58.000000000 +0200
+++ /var/tmp/diff_new_pack.g9Kg9n/_new  2014-05-22 20:38:58.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libsepol
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,15 +17,14 @@
 
 
 Name:           libsepol
-Version:        2.2
+Version:        2.3
 Release:        0
 Url:            http://www.nsa.gov/selinux/
 Summary:        SELinux binary policy manipulation library
 License:        LGPL-2.1+
 Group:          System/Libraries
-Source:         
http://userspace.selinuxproject.org/releases/20131030/%{name}-%{version}.tar.gz
+Source:         
http://userspace.selinuxproject.org/releases/20140506/%{name}-%{version}.tar.gz
 Source2:        baselibs.conf
-Patch:          libsepol-2.1.4-role_fix_callback.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  pkg-config
 
@@ -99,7 +98,6 @@
 
 %prep
 %setup -q
-%patch -p1
 
 %build
 make %{?_smp_mflags} CC="%{__cc}" CFLAGS="$RPM_OPT_FLAGS $(getconf LFS_CFLAGS)"

++++++ libsepol-2.2.tar.gz -> libsepol-2.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libsepol-2.2/ChangeLog new/libsepol-2.3/ChangeLog
--- old/libsepol-2.2/ChangeLog  2013-10-30 17:51:19.000000000 +0100
+++ new/libsepol-2.3/ChangeLog  2014-05-06 19:30:27.000000000 +0200
@@ -1,3 +1,10 @@
+2.3 2014-05-06
+       * Improve error message for name-based transition conflicts.
+       * Revert libsepol: filename_trans: use some better sorting to compare 
and merge.
+       * Report source file and line information for neverallow failures.
+       * Fix valgrind errors in constraint_expr_eval_reason from Richard 
Haines.
+       * Add sepol_validate_transition_reason_buffer function from Richard 
Haines.
+
 2.2 2013-10-30
        * Allow constraint denial cause to be determined from Richard Haines.
          - Add kernel policy version 29.
@@ -12,23 +19,23 @@
        * implement default type policy syntax
        * Fix memory leak issues found by Klocwork
 
-2.1.8 2011-09-13
+2.1.8 2012-09-13
        * fix neverallow checking on attributes
        * Move context_copy() after switch block in ocontext_copy_*().
        * check for missing initial SID labeling statement.
        * Add always_check_network policy capability
        * role_fix_callback skips out-of-scope roles during expansion.
 
-2.1.7 2011-06-28
+2.1.7 2012-06-28
        * reserve policycapability for redhat testing of ptrace child
        * cosmetic changes to make the source easier to read
        * prepend instead of append to filename_trans list
        * Android/MacOS X build support
 
-2.1.6 2011-04-23
+2.1.6 2012-04-23
        * allocate enough space to hold filename in trans rules
 
-2.1.5 2011-03-28
+2.1.5 2012-03-28
        * checkpolicy: implement new default labeling behaviors
 
 2.1.4 2011-10-03
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libsepol-2.2/VERSION new/libsepol-2.3/VERSION
--- old/libsepol-2.2/VERSION    2013-10-30 17:51:19.000000000 +0100
+++ new/libsepol-2.3/VERSION    2014-05-06 19:30:27.000000000 +0200
@@ -1 +1 @@
-2.2
+2.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libsepol-2.2/include/sepol/policydb/policydb.h 
new/libsepol-2.3/include/sepol/policydb/policydb.h
--- old/libsepol-2.2/include/sepol/policydb/policydb.h  2013-10-30 
17:51:19.000000000 +0100
+++ new/libsepol-2.3/include/sepol/policydb/policydb.h  2014-05-06 
19:30:27.000000000 +0200
@@ -260,6 +260,9 @@
        class_perm_node_t *perms;
        unsigned long line;     /* line number from policy.conf where
                                 * this rule originated  */
+       /* source file name and line number (e.g. .te file) */
+       char *source_filename;
+       unsigned long source_line;
        struct avrule *next;
 } avrule_t;
 
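Review bot: The comment on the two new avrule_t fields says what they hold but not who owns `source_filename`, although the rest of this patch duplicates it with strdup (expand.c, link.c) and frees it next to the stypes/ttypes teardown in policydb.c, so anyone adding a new copy or destroy path needs that contract. I'd extend the comment to `/* source file name and line number (e.g. .te file); source_filename is heap-allocated, owned by this rule and released with it, or NULL when unknown */`. The struct definition begins before this hunk.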
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libsepol-2.2/include/sepol/policydb/services.h 
new/libsepol-2.3/include/sepol/policydb/services.h
--- old/libsepol-2.2/include/sepol/policydb/services.h  2013-10-30 
17:51:19.000000000 +0100
+++ new/libsepol-2.3/include/sepol/policydb/services.h  2014-05-06 
19:30:27.000000000 +0200
@@ -75,6 +75,20 @@
                                   unsigned int *reason,
                                   char **reason_buf,
                                   unsigned int flags);
+
+/*
+ * Returns the mls/validatetrans constraint expression calculations in
+ * a buffer that must be free'd by the caller using free(3).
+ * If the SHOW_GRANTED flag is set it will show granted and denied
+ * mls/validatetrans (the default is to show only those denied).
+ */
+extern int sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
+                                       sepol_security_id_t newsid,
+                                       sepol_security_id_t tasksid,
+                                       sepol_security_class_t tclass,
+                                       char **reason_buf,
+                                       unsigned int flags);
+
 /*
  * Return a class ID associated with the class string representation
  * specified by `class_name'.
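Review bot: The contract comment above the new `sepol_validate_transition_reason_buffer` prototype describes the buffer but not the return values or when `*reason_buf` is assigned; from the services.c implementation in this same patch, the function returns 0 when every validatetrans constraint passes, -EPERM when one is denied, and -EINVAL for an unknown class or SID, and on the -EINVAL paths it returns before `*reason_buf` is touched. I'd add ` * Returns 0 if all validatetrans constraints pass, -EPERM if one is denied, -EINVAL for an unrecognized class or SID; reason_buf is only assigned once the class and SIDs have been resolved, and may still be NULL on success.` so callers know when free(3) is applicable.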
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libsepol-2.2/src/assertion.c 
new/libsepol-2.3/src/assertion.c
--- old/libsepol-2.2/src/assertion.c    2013-10-30 17:51:19.000000000 +0100
+++ new/libsepol-2.3/src/assertion.c    2014-05-06 19:30:27.000000000 +0200
@@ -31,13 +31,13 @@
                                  policydb_t * p,
                                  avtab_t * te_avtab, avtab_t * te_cond_avtab,
                                  unsigned int stype, unsigned int ttype,
-                                 class_perm_node_t * perm, unsigned long line)
+                                 avrule_t * avrule)
 {
        avtab_key_t avkey;
        avtab_ptr_t node;
        class_perm_node_t *curperm;
 
-       for (curperm = perm; curperm != NULL; curperm = curperm->next) {
+       for (curperm = avrule->perms; curperm != NULL; curperm = curperm->next) 
{
                avkey.source_type = stype + 1;
                avkey.target_type = ttype + 1;
                avkey.target_class = curperm->class;
@@ -59,9 +59,17 @@
        return 0;
 
       err:
-       if (line) {
+       if (avrule->source_filename) {
+               ERR(handle, "neverallow on line %lu of %s (or line %lu of 
policy.conf) violated by allow %s %s:%s {%s };",
+                   avrule->source_line, avrule->source_filename, avrule->line,
+                   p->p_type_val_to_name[stype],
+                   p->p_type_val_to_name[ttype],
+                   p->p_class_val_to_name[curperm->class - 1],
+                   sepol_av_to_string(p, curperm->class,
+                                      node->datum.data & curperm->data));
+       } else if (avrule->line) {
                ERR(handle, "neverallow on line %lu violated by allow %s %s:%s 
{%s };",
-                   line, p->p_type_val_to_name[stype], 
+                   avrule->line, p->p_type_val_to_name[stype],
                    p->p_type_val_to_name[ttype],
                    p->p_class_val_to_name[curperm->class - 1],
                    sepol_av_to_string(p, curperm->class,
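Review bot: The two ERR branches under the err label repeat the same trailing arguments (both type names, the class name and the `sepol_av_to_string` call) and differ only in the prefix, so any later change to the message must be made twice. Computing the permission string once before the branch, `const char *perms = sepol_av_to_string(p, curperm->class, node->datum.data & curperm->data);`, and passing `perms` to both calls keeps the two format strings in step; whether `sepol_av_to_string` returns a static buffer or allocates is not visible here, so ownership of the string stays as it is now. check_assertion_helper's name is above the hunk and its body continues past it.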
@@ -121,7 +129,7 @@
                        if (a->flags & RULE_SELF) {
                                if (check_assertion_helper
                                    (handle, p, &te_avtab, &te_cond_avtab, i, i,
-                                    a->perms, a->line)) {
+                                    a)) {
                                        rc = -1;
                                        goto out;
                                }
@@ -131,7 +139,7 @@
                                        continue;
                                if (check_assertion_helper
                                    (handle, p, &te_avtab, &te_cond_avtab, i, j,
-                                    a->perms, a->line)) {
+                                    a)) {
                                        rc = -1;
                                        goto out;
                                }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libsepol-2.2/src/expand.c 
new/libsepol-2.3/src/expand.c
--- old/libsepol-2.2/src/expand.c       2013-10-30 17:51:19.000000000 +0100
+++ new/libsepol-2.3/src/expand.c       2014-05-06 19:30:27.000000000 +0200
@@ -49,82 +49,6 @@
        int expand_neverallow;
 } expand_state_t;
 
-struct linear_probe {
-       filename_trans_t **table;       /* filename_trans chunks with same 
stype */
-       filename_trans_t **ends;        /* pointers to ends of **table chunks */
-       uint32_t length;                /* length of the table */
-};
-
-static int linear_probe_create(struct linear_probe *probe, uint32_t length)
-{
-       probe->table = calloc(length, sizeof(*probe->table));
-       if (probe->table == NULL)
-               return -1;
-
-       probe->ends = calloc(length, sizeof(*probe->ends));
-       if (probe->ends == NULL)
-               return -1;
-
-       probe->length = length;
-
-       return 0;
-}
-
-static void linear_probe_destroy(struct linear_probe *probe)
-{
-       if (probe->length == 0)
-               return;
-
-       free(probe->table);
-       free(probe->ends);
-       memset(probe, 0, sizeof(*probe));
-}
-
-static void linear_probe_insert(struct linear_probe *probe, uint32_t key,
-                               filename_trans_t *data)
-{
-       assert(probe->length > key);
-
-       if (probe->table[key] != NULL) {
-               data->next = probe->table[key];
-               probe->table[key] = data;
-       } else {
-               probe->table[key] = probe->ends[key] = data;
-       }
-}
-
-static filename_trans_t *linear_probe_find(struct linear_probe *probe, 
uint32_t key)
-{
-       assert(probe->length > key);
-
-       return probe->table[key];
-}
-
-/* Returns all chunks stored in the *probe as single-linked list */
-static filename_trans_t *linear_probe_dump(struct linear_probe *probe,
-                                          filename_trans_t **endp)
-{
-       uint32_t i;
-       filename_trans_t *result = NULL;
-       filename_trans_t *end = NULL;
-
-       for (i = 0; i < probe->length; i++) {
-               if (probe->table[i] != NULL) {
-                       if (end == NULL)
-                               end = probe->ends[i];
-                       probe->ends[i]->next = result;
-                       result = probe->table[i];
-                       probe->table[i] = probe->ends[i] = NULL;
-               }
-       }
-
-       /* Incoherent result and end pointers indicates bug */
-       assert((result != NULL && end != NULL) || (result == NULL && end == 
NULL));
-
-       *endp = end;
-       return result;
-}
-
 static void expand_state_init(expand_state_t * state)
 {
        memset(state, 0, sizeof(expand_state_t));
@@ -1459,20 +1383,10 @@
 static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t 
*rules)
 {
        unsigned int i, j;
-       filename_trans_t *new_trans, *cur_trans, *end;
+       filename_trans_t *new_trans, *cur_trans;
        filename_trans_rule_t *cur_rule;
        ebitmap_t stypes, ttypes;
        ebitmap_node_t *snode, *tnode;
-       struct linear_probe probe;
-
-       /*
-        * Linear probing speeds-up finding filename_trans rules with certain
-        * "stype" value.
-        */
-       if (linear_probe_create(&probe, 4096)) { /* Assume 4096 is enough for 
most cases */
-               ERR(state->handle, "Out of memory!");
-               return -1;
-       }
 
        cur_rule = rules;
        while (cur_rule) {
@@ -1495,14 +1409,6 @@
 
                mapped_otype = state->typemap[cur_rule->otype - 1];
 
-               if (ebitmap_length(&stypes) > probe.length) {
-                       linear_probe_destroy(&probe);
-                       if (linear_probe_create(&probe, 
ebitmap_length(&stypes))) {
-                               ERR(state->handle, "Out of memory!");
-                               return -1;
-                       }
-               }
-
                ebitmap_for_each_bit(&stypes, snode, i) {
                        if (!ebitmap_node_get_bit(snode, i))
                                continue;
@@ -1510,19 +1416,21 @@
                                if (!ebitmap_node_get_bit(tnode, j))
                                        continue;
 
-                               cur_trans = linear_probe_find(&probe, i);
-                               while (cur_trans != NULL) {
-                                       if ((cur_trans->ttype == j + 1) &&
+                               cur_trans = state->out->filename_trans;
+                               while (cur_trans) {
+                                       if ((cur_trans->stype == i + 1) &&
+                                           (cur_trans->ttype == j + 1) &&
                                            (cur_trans->tclass == 
cur_rule->tclass) &&
                                            (!strcmp(cur_trans->name, 
cur_rule->name))) {
                                                /* duplicate rule, who cares */
                                                if (cur_trans->otype == 
mapped_otype)
                                                        break;
-                                               ERR(state->handle, "Conflicting 
filename trans rules %s %s %s : %s otype1:%s otype2:%s",
-                                                   cur_trans->name,
+
+                                               ERR(state->handle, "Conflicting 
name-based type_transition %s %s:%s \"%s\":  %s vs %s",
                                                    
state->out->p_type_val_to_name[i],
                                                    
state->out->p_type_val_to_name[j],
                                                    
state->out->p_class_val_to_name[cur_trans->tclass - 1],
+                                                   cur_trans->name,
                                                    
state->out->p_type_val_to_name[cur_trans->otype - 1],
                                                    
state->out->p_type_val_to_name[mapped_otype - 1]);
 
@@ -1540,6 +1448,8 @@
                                        return -1;
                                }
                                memset(new_trans, 0, sizeof(*new_trans));
+                               new_trans->next = state->out->filename_trans;
+                               state->out->filename_trans = new_trans;
 
                                new_trans->name = strdup(cur_rule->name);
                                if (!new_trans->name) {
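Review bot: `new_trans` is linked into `state->out->filename_trans` right after the memset, before `name`, `stype`, `ttype`, `tclass` and `otype` are set, whereas the removed `linear_probe_insert` (next hunk) only published the node once every field was filled in. If the `strdup` on the following line fails, the list head is a node with a NULL name and zeroed types, and if the error path frees `new_trans` without unlinking it (the 2.2 code had no reason to unlink) the head dangles; that path is outside the hunk, so please confirm. Moving the two lines `new_trans->next = state->out->filename_trans; state->out->filename_trans = new_trans;` to where `linear_probe_insert` used to be, after `new_trans->otype = mapped_otype;`, keeps half-initialized entries out of the list. expand_filename_trans starts and ends outside this hunk.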
@@ -1550,16 +1460,9 @@
                                new_trans->ttype = j + 1;
                                new_trans->tclass = cur_rule->tclass;
                                new_trans->otype = mapped_otype;
-                               linear_probe_insert(&probe, i, new_trans);
                        }
                }
 
-               cur_trans = linear_probe_dump(&probe, &end);
-               if (cur_trans != NULL) {
-                       end->next = state->out->filename_trans;
-                       state->out->filename_trans = cur_trans;
-               }
-
                ebitmap_destroy(&stypes);
                ebitmap_destroy(&ttypes);
 
@@ -2650,6 +2553,12 @@
        avrule->specified = AVRULE_NEVERALLOW;
        avrule->line = source_rule->line;
        avrule->flags = source_rule->flags;
+       avrule->source_line = source_rule->source_line;
+       if (source_rule->source_filename) {
+               avrule->source_filename = strdup(source_rule->source_filename);
+               if (!avrule->source_filename)
+                       goto err;
+       }
 
        if (ebitmap_cpy(&avrule->stypes.types, &stypes))
                goto err;
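Review bot: `avrule->source_filename` is assigned only when `source_rule->source_filename` is non-NULL, so if `avrule` is not zero-initialized before this point the field is indeterminate, and the `free(x->source_filename)` this patch adds in policydb.c would then free a garbage pointer; the allocation is outside the hunk, so this only matters if it is a plain malloc. An explicit `avrule->source_filename = NULL;` ahead of the `if`, or an `else` branch, makes the invariant visible here rather than depending on the allocator. The link.c hunk copies `cur->source_filename` into `new_rule` with the same shape and has the same question.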
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libsepol-2.2/src/link.c new/libsepol-2.3/src/link.c
--- old/libsepol-2.2/src/link.c 2013-10-30 17:51:19.000000000 +0100
+++ new/libsepol-2.3/src/link.c 2014-05-06 19:30:27.000000000 +0200
@@ -1325,6 +1325,12 @@
                        cur_perm = cur_perm->next;
                }
                new_rule->line = cur->line;
+               new_rule->source_line = cur->source_line;
+               if (cur->source_filename) {
+                       new_rule->source_filename = 
strdup(cur->source_filename);
+                       if (!new_rule->source_filename)
+                               goto cleanup;
+               }
 
                cur = cur->next;
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libsepol-2.2/src/policydb.c 
new/libsepol-2.3/src/policydb.c
--- old/libsepol-2.2/src/policydb.c     2013-10-30 17:51:19.000000000 +0100
+++ new/libsepol-2.3/src/policydb.c     2014-05-06 19:30:27.000000000 +0200
@@ -535,6 +535,8 @@
        type_set_destroy(&x->stypes);
        type_set_destroy(&x->ttypes);
 
+       free(x->source_filename);
+
        next = x->perms;
        while (next) {
                cur = next;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/libsepol-2.2/src/services.c 
new/libsepol-2.3/src/services.c
--- old/libsepol-2.2/src/services.c     2013-10-30 17:51:19.000000000 +0100
+++ new/libsepol-2.3/src/services.c     2014-05-06 19:30:27.000000000 +0200
@@ -344,11 +344,16 @@
                if (len < 0 || len >= class_buf_len - buf_used)
                        continue;
 
-               /* Add permission entries */
+               /* Add permission entries (validatetrans does not have perms) */
                p += len;
                buf_used += len;
-               len = snprintf(p, class_buf_len - buf_used, "{%s } (",
-                               sepol_av_to_string(policydb, tclass, 
constraint->permissions));
+               if (state_num < 2) {
+                       len = snprintf(p, class_buf_len - buf_used, "{%s } (",
+                       sepol_av_to_string(policydb, tclass,
+                               constraint->permissions));
+               } else {
+                       len = snprintf(p, class_buf_len - buf_used, "(");
+               }
                if (len < 0 || len >= class_buf_len - buf_used)
                        continue;
                break;
@@ -723,6 +728,7 @@
                        push(answer_list[answer_counter++]);
                        free(a);
                        free(b);
+                       free(expr_list[x]);
                } else if (strncmp(expr_list[x], "not", 3) == 0) {
                        b = pop();
                        b_len = strlen(b);
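Review bot: After `free(expr_list[x])` the slot still holds the freed pointer, and a later hunk of this function walks the same array (`for (x = 0; expr_list[x] != NULL; x++) free(expr_list[x]);`), so if that loop can run after this evaluation loop the entries freed here, and in the `not` branch of the next hunk, are freed twice; the condition guarding that loop is not in view, so please confirm it is only reached on the early-error path. If both are reachable, writing `expr_list[x] = NULL` here is not enough because the cleanup loop stops at the first NULL; it would have to iterate to the element count instead. The enclosing function starts and ends outside this hunk.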
@@ -743,6 +749,7 @@
                                                expr_list[x], b);
                        push(answer_list[answer_counter++]);
                        free(b);
+                       free(expr_list[x]);
                } else {
                        push(expr_list[x]);
                }
@@ -750,8 +757,11 @@
        /* Get the final answer from tos and build constraint text */
        a = pop();
 
-       /* Constraint calculation: rc = 0 is denied, rc = 1 is granted */
-       sprintf(tmp_buf, "Constraint %s\n", s[0] ? "GRANTED" : "DENIED");
+       /* validatetrans / constraint calculation:
+                               rc = 0 is denied, rc = 1 is granted */
+       sprintf(tmp_buf, "%s %s\n",
+                       xcontext ? "Validatetrans" : "Constraint",
+                       s[0] ? "GRANTED" : "DENIED");
 
        int len, new_buf_len;
        char *p, **new_buf = r_buf;
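Review bot: `sprintf(tmp_buf, "%s %s\n", …)` writes without a bound; the operands are fixed literals, so the longest output is `"Validatetrans GRANTED\n"` (23 bytes with the terminator), but tmp_buf's declaration is outside the hunk and its size cannot be checked here. If `tmp_buf` is an array, `snprintf(tmp_buf, sizeof tmp_buf, "%s %s\n", xcontext ? "Validatetrans" : "Constraint", s[0] ? "GRANTED" : "DENIED");` keeps the bound next to the write at no cost; if it is a pointer, the length has to be passed explicitly. The second line of the new comment is pushed far right by run-on tabs; aligning it under the `/*` would match the file's other comments.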
@@ -807,6 +817,8 @@
                for (x = 0; expr_list[x] != NULL; x++)
                        free(expr_list[x]);
        }
+       free(answer_list);
+       free(expr_list);
        return rc;
 }
 
@@ -982,6 +994,68 @@
        return 0;
 }
 
+/*
+ * sepol_validate_transition_reason_buffer - the reason buffer is realloc'd
+ * in the constraint_expr_eval_reason() function.
+ */
+int hidden sepol_validate_transition_reason_buffer(sepol_security_id_t oldsid,
+                                    sepol_security_id_t newsid,
+                                    sepol_security_id_t tasksid,
+                                    sepol_security_class_t tclass,
+                                    char **reason_buf,
+                                    unsigned int flags)
+{
+       context_struct_t *ocontext;
+       context_struct_t *ncontext;
+       context_struct_t *tcontext;
+       class_datum_t *tclass_datum;
+       constraint_node_t *constraint;
+
+       if (!tclass || tclass > policydb->p_classes.nprim) {
+               ERR(NULL, "unrecognized class %d", tclass);
+               return -EINVAL;
+       }
+       tclass_datum = policydb->class_val_to_struct[tclass - 1];
+
+       ocontext = sepol_sidtab_search(sidtab, oldsid);
+       if (!ocontext) {
+               ERR(NULL, "unrecognized SID %d", oldsid);
+               return -EINVAL;
+       }
+
+       ncontext = sepol_sidtab_search(sidtab, newsid);
+       if (!ncontext) {
+               ERR(NULL, "unrecognized SID %d", newsid);
+               return -EINVAL;
+       }
+
+       tcontext = sepol_sidtab_search(sidtab, tasksid);
+       if (!tcontext) {
+               ERR(NULL, "unrecognized SID %d", tasksid);
+               return -EINVAL;
+       }
+
+       /*
+        * Set the buffer to NULL as mls/validatetrans may not be processed.
+        * If a buffer is required, then the routines in
+        * constraint_expr_eval_reason will realloc in REASON_BUF_SIZE
+        * chunks (as it gets called for each mls/validatetrans processed).
+        * We just make sure these start from zero.
+        */
+       *reason_buf = NULL;
+       reason_buf_used = 0;
+       reason_buf_len = 0;
+       constraint = tclass_datum->validatetrans;
+       while (constraint) {
+               if (!constraint_expr_eval_reason(ocontext, ncontext, tcontext,
+                               tclass, constraint, reason_buf, flags)) {
+                       return -EPERM;
+               }
+               constraint = constraint->next;
+       }
+       return 0;
+}
+
 int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
                                   sepol_security_id_t tsid,
                                   sepol_security_class_t tclass,
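Review bot: In `sepol_validate_transition_reason_buffer`, `*reason_buf = NULL` is executed only after the class lookup and the three `sepol_sidtab_search` calls succeed, so on each -EINVAL return above it the caller's pointer is left untouched, and a caller following the header's instruction to free the buffer then frees whatever that variable held. Making `*reason_buf = NULL;` the first statement of the function closes that gap. Separately, `tclass`, `oldsid`, `newsid` and `tasksid` are printed with `%d`; the typedefs are not in the hunk, so if sepol_security_id_t is an unsigned 32-bit type, `%u` is the matching conversion.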
