Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package checkpolicy for openSUSE:Factory checked in at 2022-06-20 15:36:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/checkpolicy (Old) and /work/SRC/openSUSE:Factory/.checkpolicy.new.1548 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "checkpolicy" Mon Jun 20 15:36:50 2022 rev:34 rq:978305 version:3.4 Changes: --------
--- /work/SRC/openSUSE:Factory/checkpolicy/checkpolicy.changes 2021-11-15 15:27:41.065845075 +0100
+++ /work/SRC/openSUSE:Factory/.checkpolicy.new.1548/checkpolicy.changes 2022-06-20 15:36:57.714831985 +0200
@@ -1,0 +2,8 @@
+Mon May 9 10:09:06 UTC 2022 - Johannes Segitz <jseg...@suse.com>
+
+- Update to version 3.4
+ * warn on bogus IP address or netmask in nodecon statement
+ * allow wildcard permissions in constraints
+ * mention class name on invalid permission
+
+-------------------------------------------------------------------
Old: ---- checkpolicy-3.3.tar.gz New: ---- checkpolicy-3.4.tar.gz checkpolicy-3.4.tar.gz.asc checkpolicy.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ checkpolicy.spec ++++++
--- /var/tmp/diff_new_pack.VpCpzd/_old 2022-06-20 15:36:58.266832792 +0200
+++ /var/tmp/diff_new_pack.VpCpzd/_new 2022-06-20 15:36:58.270832798 +0200
@@ -1,7 +1,7 @@
#
# spec file for package checkpolicy
#
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,16 +16,18 @@
#
-%define libsepol_ver 3.3
+%define libsepol_ver 3.4
Name: checkpolicy
-Version: 3.3
+Version: 3.4
Release: 0
Summary: SELinux policy compiler
License: GPL-2.0-or-later
Group: Productivity/Security
URL: https://github.com/SELinuxProject/selinux
Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
-Source1: checkpolicy-tests.tar.gz
+Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+Source2: checkpolicy.keyring
+Source3: checkpolicy-tests.tar.gz
BuildRequires: bison
BuildRequires: flex
BuildRequires: libselinux-devel
++++++ checkpolicy-3.3.tar.gz -> checkpolicy-3.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.3/VERSION new/checkpolicy-3.4/VERSION
--- old/checkpolicy-3.3/VERSION 2021-10-21 16:31:23.000000000 +0200
+++ new/checkpolicy-3.4/VERSION 2022-05-18 16:51:03.000000000 +0200
@@ -1 +1 @@
-3.3
+3.4
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.3/module_compiler.c new/checkpolicy-3.4/module_compiler.c
--- old/checkpolicy-3.3/module_compiler.c 2021-10-21 16:31:23.000000000 +0200
+++ new/checkpolicy-3.4/module_compiler.c 2022-05-18 16:51:03.000000000 +0200
@@ -99,6 +99,7 @@
yyerror("no module name");
return -1;
}
+ free(policydbp->name);
policydbp->name = id;
if ((policydbp->version = queue_remove(id_queue)) == NULL) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.3/parse_util.c new/checkpolicy-3.4/parse_util.c
--- old/checkpolicy-3.3/parse_util.c 2021-10-21 16:31:23.000000000 +0200
+++ new/checkpolicy-3.4/parse_util.c 2022-05-18 16:51:03.000000000 +0200
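Review bot: The new `Source2: checkpolicy.keyring` line records nothing about which key the keyring holds, so a reviewer of this hunk cannot tell whether the `.asc` named in `Source1` will be checked against the upstream SELinux release-signing key or against whatever key happened to be exported; the keyring is otherwise only listed by name under "New:". A comment above the line would pin that down, e.g. `# Upstream SELinux release-signing key; compare its fingerprint with the one published on the project's release page before refreshing`, with the verified fingerprint written into the comment once checked, which cannot be done from the diff alone. Whether the signature is actually verified at build time depends on the build service's source validation picking up the `.keyring`/`.asc` pair, which is outside this hunk; if it does not, the two new sources add no protection.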
@@ -47,6 +47,7 @@
}
policydbp = p;
+ policydbp->name = strdup(file);
mlspol = p->mls;
init_parser(1);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.3/policy_define.c new/checkpolicy-3.4/policy_define.c
--- old/checkpolicy-3.3/policy_define.c 2021-10-21 16:31:23.000000000 +0200
+++ new/checkpolicy-3.4/policy_define.c 2022-05-18 16:51:03.000000000 +0200
@@ -1634,6 +1634,15 @@
}
add = 1;
while ((id = queue_remove(id_queue))) {
+ if (strcmp(id, "self") == 0) {
+ free(id);
+ if (add == 0) {
+ yyerror("-self is not supported");
+ goto bad;
+ }
+ avrule->flags |= RULE_SELF;
+ continue;
+ }
if (set_types(&avrule->ttypes, id, &add, 0))
goto bad;
}
@@ -3300,7 +3309,7 @@
type_datum_t *typdatum;
uint32_t otype;
unsigned int c, s, t;
- int add, rc;
+ int add, self, rc;
if (pass == 1) {
/* stype */
@@ -3333,8 +3342,18 @@
goto bad;
}
- add =1;
+ self = 0;
+ add = 1;
while ((id = queue_remove(id_queue))) {
+ if (strcmp(id, "self") == 0) {
+ free(id);
+ if (add == 0) {
+ yyerror("-self is not supported");
+ goto bad;
+ }
+ self = 1;
+ continue;
+ }
if (set_types(&ttypes, id, &add, 0))
goto bad;
}
@@ -3396,6 +3415,24 @@
goto bad;
}
}
+ if (self) {
+ rc = policydb_filetrans_insert(
+ policydbp, s+1, s+1, c+1, name,
+ NULL, otype, NULL
+ );
+ if (rc != SEPOL_OK) {
+ if (rc == SEPOL_EEXIST) {
+ yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s",
+ name,
+ policydbp->p_type_val_to_name[s],
+ policydbp->p_type_val_to_name[s],
+ policydbp->p_class_val_to_name[c]);
+ goto bad;
+ }
+ yyerror("out of memory");
+ goto bad;
+ }
+ }
}
/* Now add the real rule since we didn't find any duplicates */
@@ -3418,6 +3455,7 @@
}
ftr->tclass = c + 1;
ftr->otype = otype;
+ ftr->flags = self ? RULE_SELF : 0;
}
free(name);
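Review bot: `policydbp->name = strdup(file);` is unchecked, so on allocation failure the policy name is silently NULL; the module_compiler.c hunk that later does `free(policydbp->name)` copes with that, but any diagnostic that prints the name with `%s` would not. The function's other failure paths lie outside the hunk, so using their reporting convention, a guard right after the call closes the gap: `if (!policydbp->name) { fprintf(stderr, "out of memory\n"); return -1; }`. The change also presumes the policydb owns the string and releases it on destruction, otherwise each parse now leaks one copy of the file name; that ownership is not visible here and is worth confirming against libsepol. The enclosing function starts and ends outside the hunk.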
@@ -3477,6 +3515,8 @@
return NULL;
}
+#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1))
+
int define_constraint(constraint_expr_t * expr)
{
struct constraint_node *node;
@@ -3590,6 +3630,22 @@
cladatum = policydbp->class_val_to_struct[i];
node = cladatum->constraints;
+ if (strcmp(id, "*") == 0) {
+ node->permissions = PERMISSION_MASK(cladatum->permissions.nprim);
+ continue;
+ }
+
+ if (strcmp(id, "~") == 0) {
+ node->permissions = ~node->permissions & PERMISSION_MASK(cladatum->permissions.nprim);
+ if (node->permissions == 0) {
+ yywarn("omitting constraint with no permission set");
+ cladatum->constraints = node->next;
+ constraint_expr_destroy(node->expr);
+ free(node);
+ }
+ continue;
+ }
+
perdatum = (perm_datum_t *) hashtab_search(cladatum-> permissions.
@@ -3609,7 +3665,7 @@
}
if (!perdatum) {
yyerror2("permission %s is not"
- " defined", id);
+ " defined for class %s", id, policydbp->p_class_val_to_name[i]);
free(id);
ebitmap_destroy(&classmap);
return -1;
@@ -5290,6 +5346,14 @@
goto out;
}
+ if (mask.s_addr != 0 && ((~mask.s_addr + 1) & ~mask.s_addr) != 0) {
+ yywarn("ipv4 mask is not contiguous");
+ }
+
+ if ((~mask.s_addr & addr.s_addr) != 0) {
+ yywarn("host bits in ipv4 address set");
+ }
+
newc = malloc(sizeof(ocontext_t));
if (!newc) {
yyerror("out of memory");
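Review bot: `PERMISSION_MASK`, used by both new branches here, is only well-defined while `cladatum->permissions.nprim` is at most `PERM_SYMTAB_SIZE`; a larger count would shift `UINT32_C(1)` by the type width or more, which is undefined, and neither the macro nor these call sites say where that bound is enforced (presumably at permission declaration, outside the hunk). A one-line comment on the macro stating the invariant is enough: `/* nprim <= PERM_SYMTAB_SIZE is enforced when permissions are declared; a shift by 32 would be UB */`. The `~` branch also deserves a comment saying that an empty result is deliberately downgraded to a warning and the node dropped rather than rejected, e.g. `/* ~{ * } leaves nothing to constrain: drop the node with a warning, not an error */`, since a reader may otherwise wonder whether a constraint silently vanishing is intended. define_constraint's body continues outside the hunk.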
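Review bot: The contiguity test `if (mask.s_addr != 0 && ((~mask.s_addr + 1) & ~mask.s_addr) != 0)` operates on `s_addr` as stored, which is network byte order if it was filled by `inet_pton` as the rest of this function presumably does (outside the hunk), so on little-endian hosts the `+ 1` carry crosses the wrong byte boundaries: 255.255.255.0 is held as 0x00ffffff, `(~m + 1) & ~m` is 0xff000000 and the warning fires for the most common mask, while 0.255.255.255 is held as 0xffffff00 and passes silently. Converting to host order first fixes both directions: `uint32_t m = ntohl(mask.s_addr);` followed by `if (m != 0 && ((~m + 1) & ~m) != 0) {`. The host-bits check below is a per-bit AND and is byte-order independent, so it needs no change; `ntohl` comes from <arpa/inet.h>, which `inet_pton` already requires.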
@@ -5325,6 +5389,40 @@
return rc;
}
+static int ipv6_is_mask_contiguous(const struct in6_addr *mask)
+{
+ int filled = 1;
+ unsigned i;
+
+ for (i = 0; i < 16; i++) {
+ if ((((~mask->s6_addr[i] & 0xFF) + 1) & (~mask->s6_addr[i] & 0xFF)) != 0) {
+ return 0;
+ }
+ if (!filled && mask->s6_addr[i] != 0) {
+ return 0;
+ }
+
+ if (filled && mask->s6_addr[i] != 0xFF) {
+ filled = 0;
+ }
+ }
+
+ return 1;
+}
+
+static int ipv6_has_host_bits_set(const struct in6_addr *addr, const struct in6_addr *mask)
+{
+ unsigned i;
+
+ for (i = 0; i < 16; i++) {
+ if ((addr->s6_addr[i] & ~mask->s6_addr[i]) != 0) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
int define_ipv6_node_context(void)
{
char *id;
@@ -5376,6 +5474,14 @@
goto out;
}
+ if (!ipv6_is_mask_contiguous(&mask)) {
+ yywarn("ipv6 mask is not contiguous");
+ }
+
+ if (ipv6_has_host_bits_set(&addr, &mask)) {
+ yywarn("host bits in ipv6 address set");
+ }
+
newc = malloc(sizeof(ocontext_t));
if (!newc) {
yyerror("out of memory");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/checkpolicy-3.3/policy_scan.l new/checkpolicy-3.4/policy_scan.l
--- old/checkpolicy-3.3/policy_scan.l 2021-10-21 16:31:23.000000000 +0200
+++ new/checkpolicy-3.4/policy_scan.l 2022-05-18 16:51:03.000000000 +0200
@@ -60,7 +60,14 @@
%%
\n.* {
+#if defined(__GNUC__) && __GNUC__ >= 8
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wstringop-truncation"
+#endif
strncpy(linebuf[lno], yytext+1, 255);
+#if defined(__GNUC__) && __GNUC__ >= 8
+#pragma GCC diagnostic pop
+#endif
linebuf[lno][254] = 0;
lno = 1 - lno;
policydb_lineno++;
@@ -308,11 +315,11 @@
int yyerror(const char *msg)
{
if (source_file[0])
- fprintf(stderr, "%s:%ld:",
+ fprintf(stderr, "%s:%lu:",
source_file, source_lineno);
else
fprintf(stderr, "(unknown source)::");
- fprintf(stderr, "ERROR '%s' at token '%s' on line %ld:\n%s\n%s\n",
+ fprintf(stderr, "ERROR '%s' at token '%s' on line %lu:\n%s\n%s\n",
msg,
yytext,
policydb_lineno,
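Review bot: The pragma pair in the `\n.*` action only silences -Wstringop-truncation around `strncpy(linebuf[lno], yytext+1, 255);`; the warning is correct that strncpy does not terminate, and the code relies on the separate `linebuf[lno][254] = 0;` to do so. A bounded formatted copy states that intent without compiler-version checks and lets both the pragmas and the manual terminator go: `snprintf(linebuf[lno], sizeof linebuf[lno], "%s", yytext + 1);`. This assumes each row of linebuf is 255 bytes, as the 255/254 constants suggest; linebuf is declared outside the hunk, so confirm its size before switching. The only observable difference is that the unused tail is no longer zero-filled, which matters only if something reads past the terminator.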
@@ -327,11 +334,11 @@
return yyerror(msg);
if (source_file[0])
- fprintf(stderr, "%s:%ld:",
+ fprintf(stderr, "%s:%lu:",
source_file, source_lineno);
else
fprintf(stderr, "(unknown source)::");
- fprintf(stderr, "WARNING '%s' at token '%s' on line %ld:\n%s\n%s\n",
+ fprintf(stderr, "WARNING '%s' at token '%s' on line %lu:\n%s\n%s\n",
msg,
yytext,
policydb_lineno,