Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package checkpolicy for openSUSE:Factory checked in at 2021-11-15 15:26:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/checkpolicy (Old) and /work/SRC/openSUSE:Factory/.checkpolicy.new.1890 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "checkpolicy" Mon Nov 15 15:26:06 2021 rev:33 rq:930942 version:3.3 Changes: -------- --- /work/SRC/openSUSE:Factory/checkpolicy/checkpolicy.changes 2021-03-24 16:09:03.819694156 +0100 +++ /work/SRC/openSUSE:Factory/.checkpolicy.new.1890/checkpolicy.changes 2021-11-15 15:27:41.065845075 +0100 @@ -1,0 +2,10 @@ +Thu Nov 11 13:23:59 UTC 2021 - Johannes Segitz <[email protected]> + +- Update to version 3.3 + * When reading a binary policy by checkpolicy, do not automatically change the version + to the max policy version supported by libsepol or, if specified, the value given + using the "-c" flag. + * Updated documentation + * Prints the reason why opening a source policy file failed + +------------------------------------------------------------------- Old: ---- checkpolicy-3.2.tar.gz New: ---- checkpolicy-3.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ checkpolicy.spec ++++++ --- /var/tmp/diff_new_pack.ZSCwlC/_old 2021-11-15 15:27:41.453845183 +0100 +++ /var/tmp/diff_new_pack.ZSCwlC/_new 2021-11-15 15:27:41.453845183 +0100 @@ -16,9 +16,9 @@ # -%define libsepol_ver 3.2 +%define libsepol_ver 3.3 Name: checkpolicy -Version: 3.2 +Version: 3.3 Release: 0 Summary: SELinux policy compiler License: GPL-2.0-or-later ++++++ checkpolicy-3.2.tar.gz -> checkpolicy-3.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/Makefile new/checkpolicy-3.3/Makefile --- old/checkpolicy-3.2/Makefile 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/Makefile 2021-10-21 16:31:23.000000000 +0200 @@ -10,7 +10,7 @@ LEX = flex YACC = bison -y -CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing +CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -fno-strict-aliasing # If no specific libsepol.a is specified, fall back on LDFLAGS search path # Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there 
@@ -30,10 +30,10 @@ $(MAKE) -C test checkpolicy: $(CHECKPOLOBJS) $(LIBSEPOLA) - $(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA) + $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA) checkmodule: $(CHECKMODOBJS) $(LIBSEPOLA) - $(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA) + $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA) %.o: %.c $(CC) $(CFLAGS) -o $@ -c $< diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/VERSION new/checkpolicy-3.3/VERSION --- old/checkpolicy-3.2/VERSION 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/VERSION 2021-10-21 16:31:23.000000000 +0200 @@ -1 +1 @@ -3.2 +3.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/checkmodule.8 new/checkpolicy-3.3/checkmodule.8 --- old/checkpolicy-3.2/checkmodule.8 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/checkmodule.8 2021-10-21 16:31:23.000000000 +0200 @@ -3,7 +3,7 @@ checkmodule \- SELinux policy module compiler .SH SYNOPSIS .B checkmodule -.I "[\-h] [\-b] [\-C] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]" +.I "[\-h] [\-b] [\-c policy_version] [\-C] [\-E] [\-m] [\-M] [\-U handle_unknown] [\-V] [\-o output_file] [input_file]" .SH "DESCRIPTION" This manual page describes the .BR checkmodule 
@@ -15,9 +15,12 @@ module (default) or a non-base policy module (\-m option); typically, you would build a non-base policy module to add to an existing module store that already has a base module provided by the base policy. Use -semodule_package to combine this module with its optional file -contexts to create a policy package, and then use semodule to install -the module package into the module store and load the resulting policy. +.B semodule_package(8) +to combine this module with its optional file +contexts to create a policy package, and then use +.B semodule(8) +to install the module package into the module store and load the resulting +policy. .SH OPTIONS .TP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/checkmodule.c new/checkpolicy-3.3/checkmodule.c --- old/checkpolicy-3.2/checkmodule.c 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/checkmodule.c 2021-10-21 16:31:23.000000000 +0200 @@ -34,9 +34,6 @@ #include "checkpolicy.h" #include "parse_util.h" -extern char *optarg; -extern int optind; - static sidtab_t sidtab; extern int mlspol; @@ -126,7 +123,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname) { - printf("usage: %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname); + printf("usage: %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-o FILE] [-c VERSION] [INPUT]\n", progname); printf("Build base and policy modules.\n"); printf("Options:\n"); printf(" INPUT build module from INPUT (else read from \"%s\")\n", @@ -155,7 +152,7 @@ int ch; int show_version = 0; policydb_t modpolicydb; - struct option long_options[] = { + const struct option long_options[] = { {"help", no_argument, NULL, 'h'}, {"output", required_argument, NULL, 'o'}, {"binary", no_argument, NULL, 'b'}, 
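Review bot: The checkmodule.c usage line now advertises `[-c VERSION]`, but no matching option description is visible in the hunk next to the other `printf("  ...` lines, so `--help` may list a flag it never explains; the rest of `usage()` is outside the hunk, so this may already be handled there. If it is not, add a line alongside the other option descriptions, for example `printf("  -c VERSION          set the policy version of the module to VERSION\n");` (wording constructed here; align it with the man page text).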
@@ -271,7 +268,7 @@ } else { if (policydb_init(&modpolicydb)) { fprintf(stderr, "%s: out of memory!\n", argv[0]); - return -1; + exit(1); } modpolicydb.policy_type = policy_type; @@ -283,19 +280,21 @@ } if (hierarchy_check_constraints(NULL, &modpolicydb)) { - return -1; + exit(1); } } if (policy_type != POLICY_BASE && outfile) { + char *out_name; + char *separator; char *mod_name = modpolicydb.name; char *out_path = strdup(outfile); if (out_path == NULL) { fprintf(stderr, "%s: out of memory\n", argv[0]); exit(1); } - char *out_name = basename(out_path); - char *separator = strrchr(out_name, '.'); + out_name = basename(out_path); + separator = strrchr(out_name, '.'); if (separator) { *separator = '\0'; } @@ -334,7 +333,7 @@ FILE *outfp = fopen(outfile, "w"); if (!outfp) { - perror(outfile); + fprintf(stderr, "%s: error opening %s: %s\n", argv[0], outfile, strerror(errno)); exit(1); } @@ -350,7 +349,10 @@ } } - fclose(outfp); + if (fclose(outfp)) { + fprintf(stderr, "%s: error closing %s: %s\n", argv[0], outfile, strerror(errno)); + exit(1); + } } else if (cil) { fprintf(stderr, "%s: No file to write CIL was specified\n", argv[0]); exit(1); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/checkpolicy.8 new/checkpolicy-3.3/checkpolicy.8 --- old/checkpolicy-3.2/checkpolicy.8 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/checkpolicy.8 2021-10-21 16:31:23.000000000 +0200 @@ -3,7 +3,7 @@ checkpolicy \- SELinux policy compiler .SH SYNOPSIS .B checkpolicy -.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]" +.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-O] [\-E] [\-V] [input_file]" .br .SH "DESCRIPTION" This manual page describes the 
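Review bot: The new `fclose()` failure branch in checkmodule.c exits without removing `outfile`, so a deferred write error surfacing at close time (ENOSPC, I/O error) leaves a truncated module at the output path that later tooling could pick up as if it were complete; consider `unlink(outfile);` before the `exit(1)`. The same applies to the matching `fclose` check added to checkpolicy.c later in this diff (the `@@ -693` hunk). Reporting the close error at all is an improvement over the silent `fclose(outfp)` it replaces.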
@@ -13,8 +13,10 @@ .B checkpolicy is a program that checks and compiles a SELinux security policy configuration into a binary representation that can be loaded into the kernel. If no -input file name is specified, checkpolicy will attempt to read from -policy.conf or policy, depending on whether the \-b flag is specified. +input file name is specified, +.B checkpolicy +will attempt to read from policy.conf or policy, depending on whether the \-b +flag is specified. .SH OPTIONS .TP diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/checkpolicy.c new/checkpolicy-3.3/checkpolicy.c --- old/checkpolicy-3.2/checkpolicy.c 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/checkpolicy.c 2021-10-21 16:31:23.000000000 +0200 @@ -92,9 +92,6 @@ #include "checkpolicy.h" #include "parse_util.h" -extern char *optarg; -extern int optind; - static policydb_t policydb; static sidtab_t sidtab; @@ -106,24 +103,27 @@ static const char *txtfile = "policy.conf"; static const char *binfile = "policy"; -unsigned int policyvers = POLICYDB_VERSION_MAX; +unsigned int policyvers = 0; static __attribute__((__noreturn__)) void usage(const char *progname) { printf ("usage: %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] " - "[-c policyvers (%d-%d)] [-o output_file|-] [-S] " + "[-c policyvers (%d-%d)] [-o output_file|-] [-S] [-O] " "[-t target_platform (selinux,xen)] [-E] [-V] [input_file]\n", progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX); exit(1); } #define FGETS(out, size, in) \ -if (fgets(out,size,in)==NULL) { \ - fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,\ - strerror(errno)); \ - exit(1);\ -} +do { \ + if (fgets(out,size,in)==NULL) { \ + fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__, \ + strerror(errno)); \ + exit(1);\ + } \ +} while (0) + static int print_sid(sepol_security_id_t sid, context_struct_t * context __attribute__ ((unused)), void *data 
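Review bot: The reworked `FGETS` macro in checkpolicy.c still reports every NULL return of `fgets` as `fgets failed at line %d: %s` with `strerror(errno)`, but `fgets` also returns NULL on plain end-of-file without touching `errno`, so a closed stdin at one of the interactive prompts prints a stale or misleading error string. Distinguish the two inside the macro, e.g. `if (feof(in)) { fprintf(stderr, "unexpected end of input at line %d\n", __LINE__); exit(1); }` ahead of the existing errno message. Wrapping the body in `do { ... } while (0)` is the right fix for the dangling-statement hazard of the old form.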
@@ -294,9 +294,7 @@ } #endif -extern char *av_to_string(uint32_t tclass, sepol_access_vector_t av); - -int display_bools(void) +static int display_bools(void) { uint32_t i; @@ -307,10 +305,10 @@ return 0; } -void display_expr(cond_expr_t * exp) +static void display_expr(const cond_expr_t * exp) { - cond_expr_t *cur; + const cond_expr_t *cur; for (cur = exp; cur != NULL; cur = cur->next) { switch (cur->expr_type) { case COND_BOOL: @@ -342,9 +340,9 @@ } } -int display_cond_expressions(void) +static int display_cond_expressions(void) { - cond_node_t *cur; + const cond_node_t *cur; for (cur = policydbp->cond_list; cur != NULL; cur = cur->next) { printf("expression: "); @@ -354,7 +352,7 @@ return 0; } -int change_bool(char *name, int state) +static int change_bool(const char *name, int state) { cond_bool_datum_t *bool; @@ -409,7 +407,7 @@ unsigned int reason; int flags; struct policy_file pf; - struct option long_options[] = { + const struct option long_options[] = { {"output", required_argument, NULL, 'o'}, {"target", required_argument, NULL, 't'}, {"binary", no_argument, NULL, 'b'}, @@ -501,8 +499,7 @@ usage(argv[0]); exit(1); } - if (policyvers != n) - policyvers = n; + policyvers = n; break; } case 'E': @@ -515,7 +512,8 @@ } if (show_version) { - printf("%d (compatibility range %d-%d)\n", policyvers, + printf("%d (compatibility range %d-%d)\n", + policyvers ? policyvers : POLICYDB_VERSION_MAX , POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN); exit(0); } @@ -588,6 +586,16 @@ exit(1); } } + + if (policydbp->policyvers <= POLICYDB_VERSION_PERMISSIVE) { + if (policyvers > policydbp->policyvers) { + fprintf(stderr, "Binary policies with version <= %u cannot be upgraded\n", POLICYDB_VERSION_PERMISSIVE); + } else if (policyvers) { + policydbp->policyvers = policyvers; + } + } else { + policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; + } } else { if (conf) { fprintf(stderr, "Can only generate policy.conf from binary policy\n"); 
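Review bot: In the new binary-policy version block in checkpolicy.c, refusing to upgrade a policy whose version is `<= POLICYDB_VERSION_PERMISSIVE` only prints the message and then falls through, so the requested `-c` value is dropped while the program still writes its output and exits 0; a caller scripting this cannot tell the request was ignored. Either `exit(1);` right after that `fprintf`, or state in the message that the original version is kept. Separately, the `show_version` printf in the earlier hunk formats `policyvers`, declared `unsigned int` in this same file, with `%d`; `%u` would match the type.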
@@ -629,6 +637,8 @@ policydb_destroy(policydbp); policydbp = &policydb; } + + policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; } if (policydb_load_isids(&policydb, &sidtab)) @@ -654,8 +664,6 @@ } } - policydb.policyvers = policyvers; - if (!cil) { if (!conf) { policydb.policy_type = POLICY_KERN; @@ -693,7 +701,10 @@ } if (outfp != stdout) { - fclose(outfp); + if(fclose(outfp)) { + fprintf(stderr, "%s: error closing %s: %s\n", argv[0], outfile, strerror(errno)); + exit(1); + } } } else if (cil) { fprintf(stderr, "%s: No file to write CIL was specified\n", argv[0]); @@ -783,7 +794,7 @@ case 0: printf("\nallowed {"); for (i = 1; i <= sizeof(avd.allowed) * 8; i++) { - if (avd.allowed & (1 << (i - 1))) { + if (avd.allowed & (UINT32_C(1) << (i - 1))) { v.val = i; ret = hashtab_map(cladatum-> @@ -957,8 +968,12 @@ printf("fs kdevname? "); FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; - sepol_fs_sid(ans, &ssid, &tsid); - printf("fs_sid %d default_file_sid %d\n", ssid, tsid); + ret = sepol_fs_sid(ans, &ssid, &tsid); + if (ret) { + printf("unknown fs kdevname\n"); + } else { + printf("fs_sid %d default_file_sid %d\n", ssid, tsid); + } break; case '9': printf("protocol? "); @@ -986,8 +1001,12 @@ printf("netif name? "); FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; - sepol_netif_sid(ans, &ssid, &tsid); - printf("if_sid %d default_msg_sid %d\n", ssid, tsid); + ret = sepol_netif_sid(ans, &ssid, &tsid); + if (ret) { + printf("unknown name\n"); + } else { + printf("if_sid %d default_msg_sid %d\n", ssid, tsid); + } break; case 'b':{ char *p; @@ -1166,8 +1185,6 @@ printf("\nNo such class.\n"); break; } - cladatum = - policydb.class_val_to_struct[tclass - 1]; } else { ans[strlen(ans) - 1] = 0; cladatum = 
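Review bot: The new close check in checkpolicy.c is written `if(fclose(outfp))` with no space after `if`, unlike every other conditional in the surrounding hunks (`if (ret)`, `if (!outfp)`, `if (outfp != stdout)`); change it to `if (fclose(outfp)) {` so the file stays consistent. The added `ret` checks around `sepol_fs_sid` and `sepol_netif_sid` are a clear improvement, since the old code printed whatever happened to be in `ssid`/`tsid` on failure.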
@@ -1219,8 +1236,6 @@ printf("\nNo such class.\n"); break; } - cladatum = - policydb.class_val_to_struct[tclass - 1]; } else { ans[strlen(ans) - 1] = 0; cladatum = diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/module_compiler.c new/checkpolicy-3.3/module_compiler.c --- old/checkpolicy-3.2/module_compiler.c 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/module_compiler.c 2021-10-21 16:31:23.000000000 +0200 @@ -165,7 +165,7 @@ decl->decl_id, dest_value); if (ret == 1 && dest_value) { - symtab_datum_t *s = + hashtab_datum_t s = hashtab_search(policydbp->symtab[symbol_type].table, key); assert(s != NULL); @@ -173,7 +173,7 @@ if (symbol_type == SYM_LEVELS) { *dest_value = ((level_datum_t *)s)->level->sens; } else { - *dest_value = s->value; + *dest_value = ((symtab_datum_t *)s)->value; } } else if (ret == -2) { return -2; @@ -999,7 +999,7 @@ if (is_tunable) booldatum->flags |= COND_BOOL_FLAGS_TUNABLE; retval = - require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum, + require_symbol(SYM_BOOLS, id, booldatum, &booldatum->s.value, &booldatum->s.value); if (retval != 0) { cond_destroy_bool(id, booldatum, NULL); @@ -1051,7 +1051,7 @@ return -1; } mls_level_init(level->level); - retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level, + retval = require_symbol(SYM_LEVELS, id, level, &level->level->sens, &level->level->sens); if (retval != 0) { free(id); @@ -1089,7 +1089,7 @@ } cat_datum_init(cat); - retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat, + retval = require_symbol(SYM_CATS, id, cat, &cat->s.value, &cat->s.value); if (retval != 0) { free(id); 
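Review bot: In module_compiler.c the lookup result now stored in `hashtab_datum_t s` is still guarded only by `assert(s != NULL)`, which compiles away under `NDEBUG`, so in a release build a symbol missing from `policydbp->symtab[symbol_type]` would be dereferenced through `((symtab_datum_t *)s)->value`. A real check that returns the error code the function's other failure paths use, e.g. `if (s == NULL) return -1;`, keeps the failure reportable; the enclosing function starts outside the hunk, so pick the code to match it. Dropping the `(hashtab_datum_t *)` casts at the `require_symbol` call sites is fine, since the parameter appears to be a `void *`-style datum.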
@@ -1104,14 +1104,14 @@ return 0; } -static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack) +static int is_scope_in_stack(const scope_datum_t * scope, const scope_stack_t * stack) { uint32_t i; if (stack == NULL) { return 0; /* no matching scope found */ } if (stack->type == 1) { - avrule_decl_t *decl = stack->decl; + const avrule_decl_t *decl = stack->decl; for (i = 0; i < scope->decl_ids_len; i++) { if (scope->decl_ids[i] == decl->decl_id) { return 1; @@ -1126,9 +1126,9 @@ return is_scope_in_stack(scope, stack->parent); } -int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id) +int is_id_in_scope(uint32_t symbol_type, const_hashtab_key_t id) { - scope_datum_t *scope = + const scope_datum_t *scope = (scope_datum_t *) hashtab_search(policydbp->scope[symbol_type]. table, id); if (scope == NULL) { @@ -1138,7 +1138,7 @@ } static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value, - scope_index_t * scope) + const scope_index_t * scope) { if (class_value > scope->class_perms_len) { return 1; @@ -1151,7 +1151,7 @@ } static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value, - scope_stack_t * stack) + const scope_stack_t * stack) { if (stack == NULL) { return 0; /* no matching scope found */ @@ -1173,12 +1173,12 @@ return is_perm_in_stack(perm_value, class_value, stack->parent); } -int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id) +int is_perm_in_scope(const_hashtab_key_t perm_id, const_hashtab_key_t class_id) { - class_datum_t *cladatum = + const class_datum_t *cladatum = (class_datum_t *) hashtab_search(policydbp->p_classes.table, class_id); - perm_datum_t *perdatum; + const perm_datum_t *perdatum; if (cladatum == NULL) { return 1; } 
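Review bot: `is_id_in_scope` and `is_perm_in_scope` now declare their lookup results `const`, but keep the old non-const casts `(scope_datum_t *) hashtab_search(...)` and `(class_datum_t *) hashtab_search(...)`, which contradict the qualifier just added and would hide a future type mismatch. Since `hashtab_search` appears to return a `void *`-compatible datum (the earlier hunk assigns it straight to `hashtab_datum_t`), drop the casts or cast to the const type, e.g. `const scope_datum_t *scope = hashtab_search(policydbp->scope[symbol_type].table, id);`.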
@@ -1361,17 +1361,17 @@ return 0; } -static int copy_requirements(avrule_decl_t * dest, scope_stack_t * stack) +static int copy_requirements(avrule_decl_t * dest, const scope_stack_t * stack) { uint32_t i; if (stack == NULL) { return 0; } if (stack->type == 1) { - scope_index_t *src_scope = &stack->decl->required; + const scope_index_t *src_scope = &stack->decl->required; scope_index_t *dest_scope = &dest->required; for (i = 0; i < SYM_NUM; i++) { - ebitmap_t *src_bitmap = &src_scope->scope[i]; + const ebitmap_t *src_bitmap = &src_scope->scope[i]; ebitmap_t *dest_bitmap = &dest_scope->scope[i]; if (ebitmap_union(dest_bitmap, src_bitmap)) { yyerror("Out of memory!"); @@ -1397,7 +1397,7 @@ src_scope->class_perms_len; } for (i = 0; i < src_scope->class_perms_len; i++) { - ebitmap_t *src_bitmap = &src_scope->class_perms_map[i]; + const ebitmap_t *src_bitmap = &src_scope->class_perms_map[i]; ebitmap_t *dest_bitmap = &dest_scope->class_perms_map[i]; if (ebitmap_union(dest_bitmap, src_bitmap)) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/module_compiler.h new/checkpolicy-3.3/module_compiler.h --- old/checkpolicy-3.2/module_compiler.h 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/module_compiler.h 2021-10-21 16:31:23.000000000 +0200 
@@ -65,12 +65,12 @@ /* Check if an identifier is within the scope of the current * declaration or any of its parents. Return 1 if it is, 0 if not. * If the identifier is not known at all then return 1 (truth). */ -int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id); +int is_id_in_scope(uint32_t symbol_type, const_hashtab_key_t id); /* Check if a particular permission is within the scope of the current * declaration or any of its parents. Return 1 if it is, 0 if not. * If the identifier is not known at all then return 1 (truth). */ -int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id); +int is_perm_in_scope(const_hashtab_key_t perm_id, const_hashtab_key_t class_id); /* Search the current avrules block for a conditional with the same * expression as 'cond'. If the conditional does not exist then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/parse_util.c new/checkpolicy-3.3/parse_util.c --- old/checkpolicy-3.2/parse_util.c 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/parse_util.c 2021-10-21 16:31:23.000000000 +0200 @@ -28,7 +28,6 @@ extern void yyrestart(FILE *); extern queue_t id_queue; extern unsigned int policydb_errors; -extern unsigned long policydb_lineno; extern policydb_t *policydbp; extern int mlspol; extern void set_source_file(const char *name); @@ -37,7 +36,7 @@ { yyin = fopen(file, "r"); if (!yyin) { - fprintf(stderr, "%s: unable to open %s\n", progname, file); + fprintf(stderr, "%s: unable to open %s: %s\n", progname, file, strerror(errno)); return -1; } set_source_file(file); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/policy_define.c new/checkpolicy-3.3/policy_define.c --- old/checkpolicy-3.2/policy_define.c 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/policy_define.c 2021-10-21 16:31:23.000000000 +0200 
@@ -60,10 +60,13 @@ #include "module_compiler.h" #include "policy_define.h" +extern void init_parser(int pass_number); +__attribute__ ((format(printf, 1, 2))) +extern void yyerror2(const char *fmt, ...); + policydb_t *policydbp; queue_t id_queue = 0; unsigned int pass; -char *curfile = 0; int mlspol = 0; extern unsigned long policydb_lineno; @@ -74,12 +77,6 @@ extern int yywarn(const char *msg); extern int yyerror(const char *msg); -#define ERRORMSG_LEN 255 -static char errormsg[ERRORMSG_LEN + 1] = {0}; - -static int id_has_dot(char *id); -static int parse_security_context(context_struct_t *c); - /* initialize all of the state variables for the scanner/parser */ void init_parser(int pass_number) { @@ -89,12 +86,12 @@ pass = pass_number; } -__attribute__ ((format(printf, 1, 2))) void yyerror2(const char *fmt, ...) { + char errormsg[256]; va_list ap; va_start(ap, fmt); - vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap); + vsnprintf(errormsg, sizeof(errormsg), fmt, ap); yyerror(errormsg); va_end(ap); } @@ -141,7 +138,7 @@ /* If the identifier has a dot within it and that its first character is not a dot then return 1, else return 0. */ -static int id_has_dot(char *id) +static int id_has_dot(const char *id) { if (strchr(id, '.') >= id + 1) { return 1; @@ -1168,11 +1165,6 @@ ebitmap_init(&attrs); while ((id = queue_remove(id_queue))) { - if (!id) { - yyerror("No attribute name for expandattribute statement?"); - goto exit; - } - if (!is_id_in_scope(SYM_TYPES, id)) { yyerror2("attribute %s is not within scope", id); goto exit; @@ -1610,7 +1602,7 @@ return -1; } -int define_compute_type_helper(int which, avrule_t ** rule) +static int define_compute_type_helper(int which, avrule_t ** rule) { char *id; type_datum_t *datum; @@ -1801,7 +1793,7 @@ return -1; } - datum->state = (int)(bool_value[0] == 'T') ? 1 : 0; + datum->state = (bool_value[0] == 'T') ? 1 : 0; free(bool_value); return 0; cleanup: 
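Review bot: `id_has_dot` in policy_define.c gains a `const` parameter but keeps `strchr(id, '.') >= id + 1`, which, when no dot is present, orders a NULL pointer against `id + 1`; a relational comparison between pointers that do not point into the same object is undefined in C even where it happens to work on flat address spaces. A plain form avoids it: `const char *dot = strchr(id, '.'); return dot != NULL && dot != id;`. Moving `errormsg` from a file-scope static to a 256-byte local in `yyerror2`, sized with `sizeof(errormsg)`, is a good change.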
@@ -1837,7 +1829,7 @@ struct av_ioctl_range_list *next; }; -int avrule_sort_ioctls(struct av_ioctl_range_list **rangehead) +static int avrule_sort_ioctls(struct av_ioctl_range_list **rangehead) { struct av_ioctl_range_list *r, *r2, *sorted, *sortedhead = NULL; @@ -1885,7 +1877,7 @@ return -1; } -int avrule_merge_ioctls(struct av_ioctl_range_list **rangehead) +static int avrule_merge_ioctls(struct av_ioctl_range_list **rangehead) { struct av_ioctl_range_list *r, *tmp; r = *rangehead; @@ -1905,13 +1897,14 @@ return 0; } -int avrule_read_ioctls(struct av_ioctl_range_list **rangehead) +static int avrule_read_ioctls(struct av_ioctl_range_list **rangehead) { char *id; struct av_ioctl_range_list *rnew, *r = NULL; - *rangehead = NULL; uint8_t omit = 0; + *rangehead = NULL; + /* read in all the ioctl commands */ while ((id = queue_remove(id_queue))) { if (strcmp(id,"~") == 0) { @@ -1947,7 +1940,9 @@ } } r = *rangehead; - r->omit = omit; + if (r) { + r->omit = omit; + } return 0; error: yyerror("out of memory"); @@ -1955,7 +1950,7 @@ } /* flip to included ranges */ -int avrule_omit_ioctls(struct av_ioctl_range_list **rangehead) +static int avrule_omit_ioctls(struct av_ioctl_range_list **rangehead) { struct av_ioctl_range_list *rnew, *r, *newhead, *r2; @@ -2003,7 +1998,7 @@ return -1; } -int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist) +static int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist) { struct av_ioctl_range_list *rangehead; uint8_t omit; @@ -2031,7 +2026,7 @@ return 0; } -int define_te_avtab_xperms_helper(int which, avrule_t ** rule) +static int define_te_avtab_xperms_helper(int which, avrule_t ** rule) { char *id; class_perm_node_t *perms, *tail = NULL, *cur_perms = NULL; @@ -2131,7 +2126,7 @@ policydbp->p_class_val_to_name[i]); continue; } else { - cur_perms->data |= 1U << (perdatum->s.value - 1); + cur_perms->data |= UINT32_C(1) << (perdatum->s.value - 1); } } 
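Review bot: The new `if (r) { r->omit = omit; }` guard in `avrule_read_ioctls` removes the NULL dereference, but when `~` was the only token (so `omit` is set while `*rangehead` stays NULL) the negation is now silently discarded and the function returns 0 as if no ranges had been written. If an empty negated list is not a valid statement, report it rather than drop it: `if (!r && omit) { yyerror("ioctl negation without ranges"); return -1; }`. Whether `avrule_ioctl_ranges` treats an empty list specially is outside the hunk, so confirm which behaviour is intended before choosing.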
@@ -2145,14 +2140,14 @@ } /* index of the u32 containing the permission */ -#define XPERM_IDX(x) (x >> 5) +#define XPERM_IDX(x) ((x) >> 5) /* set bits 0 through x-1 within the u32 */ -#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1) +#define XPERM_SETBITS(x) ((UINT32_C(1) << ((x) & 0x1f)) - 1) /* low value for this u32 */ -#define XPERM_LOW(x) (x << 5) +#define XPERM_LOW(x) ((x) << 5) /* high value for this u32 */ -#define XPERM_HIGH(x) (((x + 1) << 5) - 1) -void avrule_xperm_setrangebits(uint16_t low, uint16_t high, +#define XPERM_HIGH(x) ((((x) + 1) << 5) - 1) +static void avrule_xperm_setrangebits(uint16_t low, uint16_t high, av_extended_perms_t *xperms) { unsigned int i; @@ -2174,7 +2169,7 @@ } } -int avrule_xperms_used(av_extended_perms_t *xperms) +static int avrule_xperms_used(const av_extended_perms_t *xperms) { unsigned int i; @@ -2191,10 +2186,10 @@ * dir, size, driver, and function. Only the driver and function fields * are considered here */ -#define IOC_DRIV(x) (x >> 8) -#define IOC_FUNC(x) (x & 0xff) -#define IOC_CMD(driver, func) ((driver << 8) + func) -int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist, +#define IOC_DRIV(x) ((x) >> 8) +#define IOC_FUNC(x) ((x) & 0xff) +#define IOC_CMD(driver, func) (((driver) << 8) + (func)) +static int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist, av_extended_perms_t *complete_driver, av_extended_perms_t **extended_perms) { @@ -2233,7 +2228,7 @@ } -int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist, +static int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist, av_extended_perms_t **extended_perms) { struct av_ioctl_range_list *r; @@ -2275,7 +2270,7 @@ return 0; } -int avrule_ioctl_func(struct av_ioctl_range_list *rangelist, +static int avrule_ioctl_func(struct av_ioctl_range_list *rangelist, av_extended_perms_t **extended_perms, unsigned int driver) { struct av_ioctl_range_list *r; 
@@ -2325,18 +2320,7 @@ return 0; } -void avrule_ioctl_freeranges(struct av_ioctl_range_list *rangelist) -{ - struct av_ioctl_range_list *r, *tmp; - r = rangelist; - while (r) { - tmp = r; - r = r->next; - free(tmp); - } -} - -unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms) +static unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms) { unsigned int i; for (i = *bit; i < sizeof(xperms->perms)*8; i++) { @@ -2349,7 +2333,7 @@ return 0; } -int avrule_cpy(avrule_t *dest, avrule_t *src) +static int avrule_cpy(avrule_t *dest, const avrule_t *src) { class_perm_node_t *src_perms; class_perm_node_t *dest_perms, *dest_tail; @@ -2397,10 +2381,10 @@ return 0; } -int define_te_avtab_ioctl(avrule_t *avrule_template) +static int define_te_avtab_ioctl(const avrule_t *avrule_template) { avrule_t *avrule; - struct av_ioctl_range_list *rangelist; + struct av_ioctl_range_list *rangelist, *r; av_extended_perms_t *complete_driver, *partial_driver, *xperms; unsigned int i; @@ -2458,6 +2442,12 @@ if (partial_driver) free(partial_driver); + while (rangelist != NULL) { + r = rangelist; + rangelist = rangelist->next; + free(r); + } + return 0; } @@ -2466,6 +2456,7 @@ char *id; unsigned int i; avrule_t *avrule_template; + int rc = 0; if (pass == 1) { for (i = 0; i < 4; i++) { @@ -2481,18 +2472,20 @@ id = queue_remove(id_queue); if (strcmp(id,"ioctl") == 0) { - free(id); - if (define_te_avtab_ioctl(avrule_template)) - return -1; + rc = define_te_avtab_ioctl(avrule_template); } else { yyerror("only ioctl extended permissions are supported"); - free(id); - return -1; + rc = -1; } - return 0; + + free(id); + avrule_destroy(avrule_template); + free(avrule_template); + + return rc; } -int define_te_avtab_helper(int which, avrule_t ** rule) +static int define_te_avtab_helper(int which, avrule_t ** rule) { char *id; class_datum_t *cladatum; 
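Review bot: `define_te_avtab_ioctl` now frees `rangelist` immediately before `return 0`, but that loop sits only on the success path; the body between `avrule_ioctl_ranges` and this point is outside the hunk, and any `return -1` there would still leak the list now that `avrule_ioctl_freeranges` has been removed. A cleanup label at the end holding the free loop (together with the existing `free(complete_driver)`/`free(partial_driver)`) would let every exit path release the memory; the exact error paths need checking against the unseen middle of the function.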
@@ -2619,7 +2612,7 @@ } continue; } else { - cur_perms->data |= 1U << (perdatum->s.value - 1); + cur_perms->data |= UINT32_C(1) << (perdatum->s.value - 1); } next: cur_perms = cur_perms->next; @@ -3446,9 +3439,10 @@ return -1; } -static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr) +static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr) { - constraint_expr_t *h = NULL, *l = NULL, *e, *newe; + constraint_expr_t *h = NULL, *l = NULL, *newe; + const constraint_expr_t *e; for (e = expr; e; e = e->next) { newe = malloc(sizeof(*newe)); if (!newe) @@ -3621,7 +3615,7 @@ return -1; } } - node->permissions |= (1 << (perdatum->s.value - 1)); + node->permissions |= (UINT32_C(1) << (perdatum->s.value - 1)); } free(id); } @@ -4088,8 +4082,6 @@ static int set_user_roles(role_set_t * set, char *id) { role_datum_t *r; - unsigned int i; - ebitmap_node_t *node; if (strcmp(id, "*") == 0) { free(id); @@ -4115,12 +4107,9 @@ return -1; } - /* set the role and every role it dominates */ - ebitmap_for_each_positive_bit(&r->dominates, node, i) { - if (ebitmap_set_bit(&set->roles, i, TRUE)) - goto oom; - } free(id); + if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE)) + goto oom; return 0; oom: yyerror("out of memory"); @@ -5476,7 +5465,7 @@ return 0; } -int define_genfs_context_helper(char *fstype, int has_type) +static int define_genfs_context_helper(char *fstype, int has_type) { struct genfs *genfs_p, *genfs, *newgenfs; ocontext_t *newc, *c, *head, *p; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/policy_parse.y new/checkpolicy-3.3/policy_parse.y --- old/checkpolicy-3.2/policy_parse.y 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/policy_parse.y 2021-10-21 16:31:23.000000000 +0200 
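Review bot: `set_user_roles` now sets only `r->s.value - 1`, and the comment "set the role and every role it dominates" disappears together with the `ebitmap_for_each_positive_bit` loop over `r->dominates`, but nothing in the new code records why the dominance expansion was dropped; a reader cannot tell whether this is a deliberate change to how user-role sets are built or an accidental simplification. Add a one-line comment above the `ebitmap_set_bit` call stating the reason (for instance, if dominance is resolved elsewhere, say where), and mention the behaviour change in the package changelog entry.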
@@ -890,10 +890,26 @@ { yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; } ; number : NUMBER - { $$ = strtoul(yytext,NULL,0); } + { unsigned long x; + errno = 0; + x = strtoul(yytext, NULL, 0); + if (errno) + return -1; +#if ULONG_MAX > UINT_MAX + if (x > UINT_MAX) + return -1; +#endif + $$ = (unsigned int) x; + } ; number64 : NUMBER - { $$ = strtoull(yytext,NULL,0); } + { unsigned long long x; + errno = 0; + x = strtoull(yytext, NULL, 0); + if (errno) + return -1; + $$ = (uint64_t) x; + } ; ipv6_addr : IPV6_ADDR { if (insert_id(yytext,0)) return -1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/policy_scan.l new/checkpolicy-3.3/policy_scan.l --- old/checkpolicy-3.2/policy_scan.l 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/policy_scan.l 2021-10-21 16:31:23.000000000 +0200 @@ -59,12 +59,17 @@ hexval [0-9A-Fa-f] %% -\n.* { strncpy(linebuf[lno], yytext+1, 255); - linebuf[lno][254] = 0; - lno = 1 - lno; - policydb_lineno++; - source_lineno++; - yyless(1); } +\n.* { + strncpy(linebuf[lno], yytext+1, 255); + linebuf[lno][254] = 0; + lno = 1 - lno; + policydb_lineno++; + if (source_lineno == ULONG_MAX) + yywarn("source line number overflow"); + else + source_lineno++; + yyless(1); + } CLONE | clone { return(CLONE); } COMMON | 
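Review bot: The new `number` and `number64` actions in policy_parse.y bail out with `return -1` on `errno` or on `x > UINT_MAX`, but print nothing, so an out-of-range literal aborts the parse without telling the user which token was at fault; the neighbouring `insert_id` failures at least come with their own diagnostics. Call `yyerror2("number %s is out of range", yytext);` (or `yyerror` with a fixed string, if `yyerror2` is not visible from the grammar) before each `return -1;`. Checking `errno` after `strtoul`/`strtoull` and narrowing under the `ULONG_MAX > UINT_MAX` guard is the right shape for the conversion itself.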
@@ -270,7 +275,13 @@ {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])* { return(IPV6_ADDR); } {digit}+(\.({alnum}|[_.])*)? { return(VERSION_IDENTIFIER); } #line[ ]1[ ]\"[^\n]*\" { set_source_file(yytext+9); } -#line[ ]{digit}+ { source_lineno = atoi(yytext+6)-1; } +#line[ ]{digit}+ { + errno = 0; + source_lineno = strtoul(yytext+6, NULL, 10) - 1; + if (errno) { + yywarn("source line number too big"); + } + } #[^\n]* { /* delete comments */ } [ \t\f]+ { /* delete whitespace */ } "==" { return(EQUALS); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/test/Makefile new/checkpolicy-3.3/test/Makefile --- old/checkpolicy-3.2/test/Makefile 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/test/Makefile 2021-10-21 16:31:23.000000000 +0200 @@ -1,7 +1,7 @@ # # Makefile for building the dispol program # -CFLAGS ?= -g -Wall -W -Werror -O2 -pipe +CFLAGS ?= -g -Wall -W -Werror -O2 # If no specific libsepol.a is specified, fall back on LDFLAGS search path # Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there @@ -13,10 +13,10 @@ all: dispol dismod dispol: dispol.o $(LIBSEPOLA) - $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA) dismod: dismod.o $(LIBSEPOLA) - $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA) clean: -rm -f dispol dismod *.o diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/test/dismod.c new/checkpolicy-3.3/test/dismod.c --- old/checkpolicy-3.2/test/dismod.c 2021-03-04 16:42:59.000000000 +0100 +++ new/checkpolicy-3.3/test/dismod.c 2021-10-21 16:31:23.000000000 +0200 
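Review bot: The new `#line` action in policy_scan.l computes `strtoul(yytext+6, NULL, 10) - 1`, so `#line 0` wraps `source_lineno` to `ULONG_MAX`, after which the `\n.*` rule's new `source_lineno == ULONG_MAX` check emits a spurious "source line number overflow" warning on the very next newline. Parse into a temporary and reject zero together with ERANGE, e.g. `unsigned long n = strtoul(yytext+6, NULL, 10); if (errno || n == 0) yywarn("invalid source line number"); else source_lineno = n - 1;`. On ERANGE the current code also stores `ULONG_MAX - 1` before warning, which the temporary avoids.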
@@ -89,7 +89,7 @@
 fprintf(fp, "{");
 for (i = ebitmap_startbit(map); i < ebitmap_length(map); i++) {
 if (ebitmap_get_bit(map, i)) {
- perm = sepol_av_to_string(p, class, 1 << i);
+ perm = sepol_av_to_string(p, class, UINT32_C(1) << i);
 if (perm)
 fprintf(fp, " %s", perm);
 }
@@ -111,7 +111,7 @@
 }
 }
-int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
+static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
 FILE * fp)
 {
 unsigned int i, num_types;
@@ -175,7 +175,7 @@
 return 0;
 }
-int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
+static int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
 {
 unsigned int i, num = 0;
@@ -210,7 +210,7 @@
 }
-int display_avrule(avrule_t * avrule, policydb_t * policy,
+static int display_avrule(avrule_t * avrule, policydb_t * policy,
 FILE * fp)
 {
 class_perm_node_t *cur;
@@ -313,7 +313,7 @@
 return 0;
 }
-int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
+static int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
 {
 type_datum_t *type;
 FILE *fp;
@@ -355,14 +355,14 @@
 return 0;
 }
-int display_types(policydb_t * p, FILE * fp)
+static int display_types(policydb_t * p, FILE * fp)
 {
 if (hashtab_map(p->p_types.table, display_type_callback, fp))
 return -1;
 return 0;
 }
-int display_users(policydb_t * p, FILE * fp)
+static int display_users(policydb_t * p, FILE * fp)
 {
 unsigned int i, j;
 ebitmap_t *bitmap;
@@ -381,7 +381,7 @@
 return 0;
 }
-int display_bools(policydb_t * p, FILE * fp)
+static int display_bools(policydb_t * p, FILE * fp)
 {
 unsigned int i;
@@ -392,7 +392,7 @@
 return 0;
 }
-void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
 {
 cond_expr_t *cur;
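Review bot: `UINT32_C(1) << i` removes the signed-overflow case at i == 31, but the shift is still undefined for i >= 32, and the loop runs to `ebitmap_length(map)` rather than to 32, so if a malformed module has a permission bit set above 31 the display tool still hits undefined behaviour on the new line. Guarding with `if (i >= 32) break;` before the shift, or bounding the loop at 32, would close that; the enclosing function starts outside the hunk, so I cannot tell whether the caller already limits the bitmap. The remaining hunks on this line only add `static` linkage and need no review.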
@@ -427,14 +427,14 @@
 }
 }
-void display_policycon(FILE * fp)
+static void display_policycon(FILE * fp)
 {
 /* There was an attempt to implement this at one time. Look through
 * git history to find it. */
 fprintf(fp, "Sorry, not implemented\n");
 }
-void display_initial_sids(policydb_t * p, FILE * fp)
+static void display_initial_sids(policydb_t * p, FILE * fp)
 {
 ocontext_t *cur;
 char *user, *role, *type;
@@ -459,7 +459,7 @@
 #endif
 }
-void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
+static void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
 {
 unsigned int i, num = 0;
@@ -482,7 +482,7 @@
 fprintf(fp, " }");
 }
-void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
+static void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
 {
 for (; tr; tr = tr->next) {
 fprintf(fp, "role transition ");
@@ -495,7 +495,7 @@
 }
 }
-void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
+static void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
 {
 for (; ra; ra = ra->next) {
 fprintf(fp, "role allow ");
@@ -517,7 +517,7 @@
 }
 }
-int role_display_callback(hashtab_key_t key __attribute__((unused)),
+static int role_display_callback(hashtab_key_t key __attribute__((unused)),
 hashtab_datum_t datum, void *data)
 {
 role_datum_t *role;
@@ -611,7 +611,7 @@
 }
 #endif
-int display_avdecl(avrule_decl_t * decl, int field,
+static int display_avdecl(avrule_decl_t * decl, int field,
 policydb_t * policy, FILE * out_fp)
 {
 fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
@@ -692,13 +692,13 @@
 return 0; /* should never get here */
 }
-int display_avblock(int field, policydb_t * policy,
+static int display_avblock(int field, policydb_t * policy,
 FILE * out_fp)
 {
 avrule_block_t *block = policydb.global;
 while (block != NULL) {
- fprintf(out_fp, "--- begin avrule block ---\n");
 avrule_decl_t *decl = block->branch_list;
+ fprintf(out_fp, "--- begin avrule block ---\n");
 while (decl != NULL) {
 if (display_avdecl(decl, field, policy, out_fp)) {
 return -1;
@@ -710,7 +710,7 @@
 return 0;
 }
-int display_handle_unknown(policydb_t * p, FILE * out_fp)
+static int display_handle_unknown(policydb_t * p, FILE * out_fp)
 {
 if (p->handle_unknown == ALLOW_UNKNOWN)
 fprintf(out_fp, "Allow unknown classes and perms\n");
@@ -751,12 +751,14 @@
 fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
 exit(1);
 }
+ sepol_policydb_free(package->policy);
 package->policy = (sepol_policydb_t *) policy;
 package->file_contexts = NULL;
 retval = sepol_module_package_read(package, (sepol_policy_file_t *) & f, 1);
- free(package->file_contexts);
+ package->policy = NULL;
+ sepol_module_package_free(package);
 } else {
 if (policydb_init(policy)) {
 fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
@@ -827,14 +829,14 @@
 ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
 capname = sepol_polcap_getname(i);
 if (capname == NULL) {
- snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ snprintf(buf, sizeof(buf), "unknown (%u)", i);
 capname = buf;
 }
 fprintf(fp, "\t%s\n", capname);
 }
 }
-int menu(void)
+static int menu(void)
 {
 printf("\nSelect a command:\n");
 printf("1) display unconditional AVTAB\n");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.2/test/dispol.c new/checkpolicy-3.3/test/dispol.c
--- old/checkpolicy-3.2/test/dispol.c 2021-03-04 16:42:59.000000000 +0100
+++ new/checkpolicy-3.3/test/dispol.c 2021-10-21 16:31:23.000000000 +0200
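Review bot: In the third hunk on this line, `package->policy = NULL;` before `sepol_module_package_free(package);` is load-bearing — the policy object the package was pointed at appears to belong to the caller (the else branch initialises it itself) and must not be released with the package — yet nothing says so, and a later cleanup could easily drop the line and introduce a double free. A comment such as `/* policy is caller-owned: detach it so freeing the package does not release it */` on that line would pin the intent, and the new `sepol_policydb_free(package->policy);` deserves a similar one-liner explaining that it releases the policy the package presumably allocated on creation. Whether `package` is touched again after the free I cannot tell, since the function continues outside the hunk; if it is, it should be set to NULL as well.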
@@ -42,7 +42,7 @@
 exit(1);
 }
-int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
+static int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
 FILE * fp)
 {
 char *perm;
@@ -54,13 +54,13 @@
 return 0;
 }
-int render_type(uint32_t type, policydb_t * p, FILE * fp)
+static int render_type(uint32_t type, policydb_t * p, FILE * fp)
 {
 fprintf(fp, "%s", p->p_type_val_to_name[type - 1]);
 return 0;
 }
-int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
+static int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
 {
 char *stype, *ttype, *tclass;
 stype = p->p_type_val_to_name[key->source_type - 1];
@@ -84,7 +84,7 @@
 #define RENDER_DISABLED 0x0004
 #define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED)
-int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
+static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
 policydb_t * p, FILE * fp)
 {
 if (!(what & RENDER_UNCONDITIONAL)) {
@@ -163,7 +163,7 @@
 return 0;
 }
-int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
+static int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
 {
 unsigned int i;
 avtab_ptr_t cur;
@@ -178,7 +178,7 @@
 return 0;
 }
-int display_bools(policydb_t * p, FILE * fp)
+static int display_bools(policydb_t * p, FILE * fp)
 {
 unsigned int i;
@@ -189,7 +189,7 @@
 return 0;
 }
-void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
 {
 cond_expr_t *cur;
@@ -224,7 +224,7 @@
 }
 }
-int display_cond_expressions(policydb_t * p, FILE * fp)
+static int display_cond_expressions(policydb_t * p, FILE * fp)
 {
 cond_node_t *cur;
 cond_av_list_t *av_cur;
@@ -249,7 +249,7 @@
 return 0;
 }
-int display_handle_unknown(policydb_t * p, FILE * out_fp)
+static int display_handle_unknown(policydb_t * p, FILE * out_fp)
 {
 if (p->handle_unknown == ALLOW_UNKNOWN)
 fprintf(out_fp, "Allow unknown classes and permissions\n");
@@ -260,7 +260,7 @@
 return 0;
 }
-int change_bool(char *name, int state, policydb_t * p, FILE * fp)
+static int change_bool(char *name, int state, policydb_t * p, FILE * fp)
 {
 cond_bool_datum_t *bool;
@@ -285,7 +285,7 @@
 ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
 capname = sepol_polcap_getname(i);
 if (capname == NULL) {
- snprintf(buf, sizeof(buf), "unknown (%d)", i);
+ snprintf(buf, sizeof(buf), "unknown (%u)", i);
 capname = buf;
 }
 fprintf(fp, "\t%s\n", capname);
@@ -368,7 +368,7 @@
 hashtab_map(p->filename_trans, filenametr_display, &args);
 }
-int menu(void)
+static int menu(void)
 {
 printf("\nSelect a command:\n");
 printf("1) display unconditional AVTAB\n");
