Hello community, here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2019-03-24 14:55:21 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libsepol (Old) and /work/SRC/openSUSE:Factory/.libsepol.new.25356 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsepol" Sun Mar 24 14:55:21 2019 rev:41 rq:687216 version:2.9 Changes: -------- --- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes 2018-12-19 13:23:01.953409994 +0100 +++ /work/SRC/openSUSE:Factory/.libsepol.new.25356/libsepol.changes 2019-03-24 14:55:25.735212029 +0100 @@ -1,0 +2,18 @@ +Wed Mar 20 15:12:34 UTC 2019 - [email protected] + +- Update to version 2.9 + * Add two new Xen initial SIDs + * Check that initial sid indexes are within the valid range + * Create policydb_sort_ocontexts() + * Eliminate initial sid string definitions in module_to_cil.c + * Rename kernel_to_common.c stack functions + * add missing ibendport port validity check + * destroy the copied va_list + * do not call malloc with 0 byte + * do not leak memory if list_prepend fails + * do not use uninitialized value for low_value + * fix endianity in ibpkey range checks + * ibpkeys.c: fix printf format string specifiers for subnet_prefix + * mark permissive types when loading a binary policy + +------------------------------------------------------------------- Old: ---- libsepol-2.8.tar.gz New: ---- libsepol-2.9.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libsepol.spec ++++++ --- /var/tmp/diff_new_pack.hePbmG/_old 2019-03-24 14:55:26.199211980 +0100 +++ /var/tmp/diff_new_pack.hePbmG/_new 2019-03-24 14:55:26.199211980 +0100 @@ -1,7 +1,7 @@ # # spec file for package libsepol # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,13 +17,13 @@ Name: libsepol -Version: 2.8 +Version: 2.9 Release: 0 Summary: SELinux binary policy manipulation library License: LGPL-2.1-or-later Group: Development/Libraries/C and C++ Url: https://github.com/SELinuxProject/selinux/wiki/Releases -Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/%{name}-%{version}.tar.gz +Source: https://github.com/SELinuxProject/selinux/releases/download/20190315/%{name}-%{version}.tar.gz Source2: baselibs.conf BuildRequires: flex BuildRequires: pkgconfig @@ -101,6 +101,7 @@ %defattr(-,root,root) %{_bindir}/chkcon %{_mandir}/man8/*.8%{ext_man} +%{_mandir}/ru/man8/*.8%{ext_man} %files -n libsepol1 %defattr(-,root,root) ++++++ libsepol-2.8.tar.gz -> libsepol-2.9.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/VERSION new/libsepol-2.9/VERSION --- old/libsepol-2.8/VERSION 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/VERSION 2019-03-15 11:32:30.000000000 +0100 @@ -1 +1 @@ -2.8 +2.9 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/cil/src/cil_binary.c new/libsepol-2.9/cil/src/cil_binary.c --- old/libsepol-2.8/cil/src/cil_binary.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/cil/src/cil_binary.c 2019-03-15 11:32:30.000000000 +0100 @@ -54,6 +54,7 @@ #include "cil_binary.h" #include "cil_symtab.h" #include "cil_find.h" +#include "cil_build_ast.h" /* There are 44000 filename_trans in current fedora policy. 1.33 times this is the recommended * size of a hashtable. The next power of 2 of this is 2 ** 16. @@ -930,7 +931,7 @@ exit: level_datum_destroy(sepol_alias); - free(sepol_level); + free(sepol_alias); free(key); return rc; } 
@@ -1763,11 +1764,13 @@ hashtab_xperms = cil_malloc(sizeof(*hashtab_xperms)); rc = ebitmap_cpy(hashtab_xperms, xperms); if (rc != SEPOL_OK) { + free(hashtab_xperms); free(avtab_key); goto exit; } rc = hashtab_insert(h, (hashtab_key_t)avtab_key, hashtab_xperms); if (rc != SEPOL_OK) { + free(hashtab_xperms); free(avtab_key); goto exit; } @@ -2072,6 +2075,7 @@ char *c2 = NULL; __cil_expr_to_string_helper(curr, flavor, &c1); for (curr = curr->next; curr; curr = curr->next) { + s1 = NULL; __cil_expr_to_string_helper(curr, flavor, &s1); cil_asprintf(&c2, "%s %s", c1, s1); free(c1); @@ -2157,6 +2161,7 @@ op->expr_type = COND_NEQ; break; default: + free(op); goto exit; } @@ -2283,6 +2288,7 @@ cond_expr_destroy(tmp_cond->expr); free(tmp_cond); + tmp_cond = NULL; for (cb_node = node->cl_head; cb_node != NULL; cb_node = cb_node->next) { if (cb_node->flavor == CIL_CONDBLOCK) { @@ -2327,6 +2333,11 @@ return SEPOL_OK; exit: + if (tmp_cond) { + if (tmp_cond->expr) + cond_expr_destroy(tmp_cond->expr); + free(tmp_cond); + } return rc; } @@ -4797,6 +4808,7 @@ return cp_list; exit: + cil_destroy_classperms(cp); cil_log(CIL_ERR,"Failed to create CIL class-permissions from sepol values\n"); return NULL; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/cil/src/cil_resolve_ast.c new/libsepol-2.9/cil/src/cil_resolve_ast.c --- old/libsepol-2.8/cil/src/cil_resolve_ast.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/cil/src/cil_resolve_ast.c 2019-03-15 11:32:30.000000000 +0100 @@ -1535,6 +1535,7 @@ return SEPOL_OK; exit: + cil_list_destroy(&new, CIL_FALSE); return rc; } @@ -1591,6 +1592,7 @@ return SEPOL_OK; exit: + cil_list_destroy(&new, CIL_FALSE); return rc; } @@ -1624,6 +1626,7 @@ return SEPOL_OK; exit: + cil_list_destroy(&new, CIL_FALSE); return rc; } 
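Review bot: In the @@ -1763 hunk the second error path frees hashtab_xperms after ebitmap_cpy() has already succeeded, so the bitmap nodes that copy allocated are not released when hashtab_insert() fails; that path needs `ebitmap_destroy(hashtab_xperms); free(hashtab_xperms);`. The first path, where ebitmap_cpy() itself failed, is only leak-free if ebitmap_cpy() tears down its partial copy before returning, which the hunk does not show. In the @@ -2327 exit cleanup the inner `if (tmp_cond->expr)` is unbraced while everything around it is braced; `if (tmp_cond->expr) { cond_expr_destroy(tmp_cond->expr); }` matches the surrounding style. The enclosing functions start outside these hunks.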
@@ -2853,6 +2856,7 @@ rc = cil_fill_cats(pc, &catset->cats); if (rc != SEPOL_OK) { cil_destroy_catset(catset); + cil_destroy_args(new_arg); goto exit; } cil_tree_node_init(&cat_node); @@ -2877,6 +2881,7 @@ if (rc != SEPOL_OK) { cil_log(CIL_ERR, "Failed to create anonymous level, rc: %d\n", rc); cil_destroy_level(level); + cil_destroy_args(new_arg); goto exit; } cil_tree_node_init(&lvl_node); @@ -2901,6 +2906,7 @@ if (rc != SEPOL_OK) { cil_log(CIL_ERR, "Failed to create anonymous levelrange, rc: %d\n", rc); cil_destroy_levelrange(range); + cil_destroy_args(new_arg); goto exit; } cil_tree_node_init(&range_node); @@ -2923,8 +2929,9 @@ rc = cil_fill_ipaddr(pc->cl_head, ipaddr); if (rc != SEPOL_OK) { - cil_log(CIL_ERR, "Failed to create anonymous ip address, rc; %d\n", rc); + cil_log(CIL_ERR, "Failed to create anonymous ip address, rc: %d\n", rc); cil_destroy_ipaddr(ipaddr); + cil_destroy_args(new_arg); goto exit; } cil_tree_node_init(&addr_node); @@ -2955,6 +2962,7 @@ if (rc != SEPOL_OK) { cil_log(CIL_ERR, "Failed to create anonymous classpermission\n"); cil_destroy_classpermission(cp); + cil_destroy_args(new_arg); goto exit; } cil_tree_node_init(&cp_node); @@ -2970,6 +2978,7 @@ default: cil_log(CIL_ERR, "Unexpected flavor: %d\n", (((struct cil_param*)item->data)->flavor)); + cil_destroy_args(new_arg); rc = SEPOL_ERR; goto exit; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/cil/src/cil_symtab.c new/libsepol-2.9/cil/src/cil_symtab.c --- old/libsepol-2.8/cil/src/cil_symtab.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/cil/src/cil_symtab.c 2019-03-15 11:32:30.000000000 +0100 
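Review bot: The same `cil_destroy_args(new_arg);` line is now repeated in six error branches of this function (the hunks at @@ -2853, -2877, -2901, -2923, -2955 and -2970), so any branch added later that forgets it reintroduces the leak. Since every branch ends in `goto exit`, destroying new_arg once under the `exit:` label when rc != SEPOL_OK would keep the release in one place, provided new_arg has not already been attached to the tree before any of these failures; the label itself is outside the hunks, so its current contents are not visible here. The corrected `rc: %d` log text in the ipaddr branch is fine as is.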
@@ -185,6 +185,7 @@ ckey->key2 == curr->ckey->key2 && ckey->key3 == curr->ckey->key3 && ckey->key4 == curr->ckey->key4) { + free(node); return SEPOL_EEXIST; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/cil/src/cil_tree.c new/libsepol-2.9/cil/src/cil_tree.c --- old/libsepol-2.8/cil/src/cil_tree.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/cil/src/cil_tree.c 2019-03-15 11:32:30.000000000 +0100 @@ -512,7 +512,7 @@ } else { rc = cil_expr_to_string(str_expr, &expr_str); } - if (rc < 0) { + if (rc != SEPOL_OK) { cil_log(CIL_INFO, "ERROR)"); return; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/include/sepol/errcodes.h new/libsepol-2.9/include/sepol/errcodes.h --- old/libsepol-2.8/include/sepol/errcodes.h 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/include/sepol/errcodes.h 2019-03-15 11:32:30.000000000 +0100 @@ -12,7 +12,7 @@ #define SEPOL_OK 0 /* These first error codes are defined for compatibility with - * previous version of libsepol. In the future, custome error + * previous version of libsepol. In the future, custom error * codes that don't map to system error codes should be defined * outside of the range of system error codes. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/include/sepol/policydb/policydb.h new/libsepol-2.9/include/sepol/policydb/policydb.h --- old/libsepol-2.8/include/sepol/policydb/policydb.h 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/include/sepol/policydb/policydb.h 2019-03-15 11:32:30.000000000 +0100 
@@ -640,6 +640,8 @@ extern int policydb_load_isids(policydb_t * p, sidtab_t * s); +extern int policydb_sort_ocontexts(policydb_t *p); + /* Deprecated */ extern int policydb_context_isvalid(const policydb_t * p, const context_struct_t * c); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/man/Makefile new/libsepol-2.9/man/Makefile --- old/libsepol-2.8/man/Makefile 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/man/Makefile 2019-03-15 11:32:30.000000000 +0100 @@ -1,7 +1,11 @@ # Installation directories. +LINGUAS ?= ru PREFIX ?= /usr -MAN8DIR ?= $(PREFIX)/share/man/man8 -MAN3DIR ?= $(PREFIX)/share/man/man3 +MANDIR ?= $(PREFIX)/share/man +MAN3SUBDIR ?= man3 +MAN8SUBDIR ?= man8 +MAN3DIR ?= $(MANDIR)/$(MAN3SUBDIR) +MAN8DIR ?= $(MANDIR)/$(MAN8SUBDIR) all: @@ -10,4 +14,13 @@ mkdir -p $(DESTDIR)$(MAN8DIR) install -m 644 man3/*.3 $(DESTDIR)$(MAN3DIR) install -m 644 man8/*.8 $(DESTDIR)$(MAN8DIR) - + for lang in $(LINGUAS) ; do \ + if [ -e $${lang}/man3 ] ; then \ + mkdir -p $(DESTDIR)$(MANDIR)/$${lang}/$(MAN3SUBDIR) ; \ + install -m 644 $${lang}/man3/*.3 $(DESTDIR)$(MANDIR)/$${lang}/$(MAN3SUBDIR) ; \ + fi ; \ + if [ -e $${lang}/man8 ] ; then \ + mkdir -p $(DESTDIR)$(MANDIR)/$${lang}/$(MAN8SUBDIR) ; \ + install -m 644 $${lang}/man8/*.8 $(DESTDIR)$(MANDIR)/$${lang}/$(MAN8SUBDIR) ; \ + fi ; \ + done diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/man/ru/man8/chkcon.8 new/libsepol-2.9/man/ru/man8/chkcon.8 --- old/libsepol-2.8/man/ru/man8/chkcon.8 1970-01-01 01:00:00.000000000 +0100 +++ new/libsepol-2.9/man/ru/man8/chkcon.8 2019-03-15 11:32:30.000000000 +0100 
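Review bot: The per-language install loop in man/Makefile tests the man3 and man8 locations with `[ -e ... ]`, which also succeeds for a plain file of that name, after which `install -m 644 $${lang}/man3/*.3` would run against an unexpanded glob and fail the install; `if [ -d $${lang}/man3 ] ; then \` states what is actually required, and the man8 test two lines below should change the same way. Otherwise the MANDIR/MAN3SUBDIR/MAN8SUBDIR split keeps MAN3DIR and MAN8DIR overridable exactly as before.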
@@ -0,0 +1,39 @@ +.\" Hey, Emacs! This is an -*- nroff -*- source file. +.\" Copyright (c) 1997 Manoj Srivastava <[email protected]> +.\" +.\" This is free documentation; you can redistribute it and/or +.\" modify it under the terms of the GNU General Public License as +.\" published by the Free Software Foundation; either version 2 of +.\" the License, or (at your option) any later version. +.\" +.\" The GNU General Public License's references to "object code" +.\" and "executables" are to be interpreted as the output of any +.\" document formatting or typesetting system, including +.\" intermediate and printed output. +.\" +.\" This manual is distributed in the hope that it will be useful, +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +.\" GNU General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public +.\" License along with this manual; if not, write to the Free +.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, +.\" USA. +.\" +.TH CHKCON 8 "12 марта 2005" "SELinux" "Документация по командной строке SELinux" +.SH ИМЯ +chkcon \- определить, является ли контекст безопасности действительным для конкретной двоичной политики +.SH ОБЗОР +chkcon policy_file context +.SH ОПИСАНИЕ +Эта утилита проверяет контекст безопасности (его строковое представление), заданный аргументом +.I context, +относительно данных конфигурации, прочтённых из файла двоичного представления базы данных политик, заданного аргументом +.I policy_file. +.SH ФАЙЛЫ +policy file +.SH АВТОРЫ +Эта страница руководства (и только она) была написана Manoj +Srivastava <[email protected]>. +Перевод на русский язык выполнила Герасименко Олеся <[email protected]>. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/expand.c new/libsepol-2.9/src/expand.c --- old/libsepol-2.8/src/expand.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/src/expand.c 2019-03-15 11:32:30.000000000 +0100 @@ -1451,6 +1451,7 @@ new_trans->name = strdup(cur_rule->name); if (!new_trans->name) { ERR(state->handle, "Out of memory!"); + free(new_trans); return -1; } new_trans->stype = i + 1; @@ -1460,6 +1461,8 @@ otype = calloc(1, sizeof(*otype)); if (!otype) { ERR(state->handle, "Out of memory!"); + free(new_trans->name); + free(new_trans); return -1; } otype->otype = mapped_otype; @@ -1469,6 +1472,9 @@ otype); if (rc) { ERR(state->handle, "Out of memory!"); + free(otype); + free(new_trans->name); + free(new_trans); return -1; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/ibpkeys.c new/libsepol-2.9/src/ibpkeys.c --- old/libsepol-2.8/src/ibpkeys.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/src/ibpkeys.c 2019-03-15 11:32:30.000000000 +0100 @@ -1,5 +1,6 @@ #include <netinet/in.h> #include <stdlib.h> +#include <inttypes.h> #include "debug.h" #include "context.h" @@ -176,7 +177,7 @@ return STATUS_SUCCESS; err: - ERR(handle, "could not query ibpkey subnet prefix: %#lx range %u - %u exists", + ERR(handle, "could not query ibpkey subnet prefix: %#" PRIx64 " range %u - %u exists", subnet_prefix, low, high); return STATUS_ERR; } 
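Review bot: The three error paths in the expand.c hunks at @@ -1451, -1460 and -1469 now each spell out a growing list of `free()` calls (one, two, then three), so the next allocation added to this sequence must extend all of them again. A single cleanup label that frees otype, new_trans->name and new_trans would keep the release order in one place, relying on free(NULL) being a no-op for whichever of them has not been allocated yet; the function starts and ends outside these hunks, so whether those locals are zero-initialised is not visible here. The `%#" PRIx64 "` change in ibpkeys.c is correct only if subnet_prefix is a uint64_t, which the hunk does not show.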
@@ -203,7 +204,7 @@ return STATUS_SUCCESS; err: - ERR(handle, "could not load ibpkey subnet prefix: %#lx range %u - %u exists", + ERR(handle, "could not load ibpkey subnet prefix: %#" PRIx64 " range %u - %u exists", subnet_prefix, low, high); if (ibpkey) { context_destroy(&ibpkey->context[0]); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/kernel_to_cil.c new/libsepol-2.9/src/kernel_to_cil.c --- old/libsepol-2.8/src/kernel_to_cil.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/src/kernel_to_cil.c 2019-03-15 11:32:30.000000000 +0100 @@ -36,7 +36,7 @@ char *str = NULL; int rc; - rc = stack_init(&stack); + rc = strs_stack_init(&stack); if (rc != 0) { goto exit; } @@ -65,13 +65,13 @@ } if (num_params == 2) { - val2 = stack_pop(stack); + val2 = strs_stack_pop(stack); if (!val2) { sepol_log_err("Invalid conditional expression"); goto exit; } } - val1 = stack_pop(stack); + val1 = strs_stack_pop(stack); if (!val1) { sepol_log_err("Invalid conditional expression"); free(val2); @@ -89,29 +89,29 @@ sepol_log_err("Invalid conditional expression"); goto exit; } - rc = stack_push(stack, new_val); + rc = strs_stack_push(stack, new_val); if (rc != 0) { sepol_log_err("Out of memory"); goto exit; } } - new_val = stack_pop(stack); - if (!new_val || !stack_empty(stack)) { + new_val = strs_stack_pop(stack); + if (!new_val || !strs_stack_empty(stack)) { sepol_log_err("Invalid conditional expression"); goto exit; } str = new_val; - stack_destroy(&stack); + strs_stack_destroy(&stack); return str; exit: - while ((new_val = stack_pop(stack)) != NULL) { + while ((new_val = strs_stack_pop(stack)) != NULL) { free(new_val); } - stack_destroy(&stack); + strs_stack_destroy(&stack); return NULL; } @@ -127,7 +127,7 @@ *use_mls = 0; - rc = stack_init(&stack); + rc = strs_stack_init(&stack); if (rc != 0) { goto exit; } 
@@ -208,13 +208,13 @@ } if (num_params == 2) { - val2 = stack_pop(stack); + val2 = strs_stack_pop(stack); if (!val2) { sepol_log_err("Invalid constraint expression"); goto exit; } } - val1 = stack_pop(stack); + val1 = strs_stack_pop(stack); if (!val1) { sepol_log_err("Invalid constraint expression"); goto exit; @@ -231,30 +231,30 @@ if (!new_val) { goto exit; } - rc = stack_push(stack, new_val); + rc = strs_stack_push(stack, new_val); if (rc != 0) { sepol_log_err("Out of memory"); goto exit; } } - new_val = stack_pop(stack); - if (!new_val || !stack_empty(stack)) { + new_val = strs_stack_pop(stack); + if (!new_val || !strs_stack_empty(stack)) { sepol_log_err("Invalid constraint expression"); goto exit; } str = new_val; - stack_destroy(&stack); + strs_stack_destroy(&stack); return str; exit: - while ((new_val = stack_pop(stack)) != NULL) { + while ((new_val = strs_stack_pop(stack)) != NULL) { free(new_val); } - stack_destroy(&stack); + strs_stack_destroy(&stack); return NULL; } @@ -529,23 +529,31 @@ return rc; } -static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct ocontext *isids) +static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, + unsigned num_sids, struct ocontext *isids) { struct ocontext *isid; struct strs *strs; char *sid; char *prev; + char unknown[18]; unsigned i; int rc; - rc = strs_init(&strs, SECINITSID_NUM+1); + rc = strs_init(&strs, num_sids+1); if (rc != 0) { goto exit; } for (isid = isids; isid != NULL; isid = isid->next) { i = isid->sid[0]; - rc = strs_add_at_index(strs, (char *)sid_to_str[i], i); + if (i < num_sids) { + sid = (char *)sid_to_str[i]; + } else { + snprintf(unknown, 18, "%s%u", "UNKNOWN", i); + sid = strdup(unknown); + } + rc = strs_add_at_index(strs, sid, i); if (rc != 0) { goto exit; } 
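Review bot: In write_sids_to_cil the result of `sid = strdup(unknown);` is not checked, so on allocation failure a NULL name is handed to strs_add_at_index() and later written out; the check should mirror the rc handling two lines below, e.g. `sid = strdup(unknown); if (!sid) { rc = -1; goto exit; }`. The buffer bound is also repeated as a literal: `snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);` ties it to the declaration (18 bytes hold "UNKNOWN", a ten-digit unsigned and the terminator, but nothing records that arithmetic). write_sids_to_conf in kernel_to_conf.c (@@ -428) has the identical pattern. The tail of this function is in the next hunk.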
@@ -577,6 +585,10 @@ sepol_printf(out, "))\n"); exit: + for (i=num_sids; i<strs_num_items(strs); i++) { + sid = strs_read_at_index(strs, i); + free(sid); + } strs_destroy(&strs); if (rc != 0) { sepol_log_err("Error writing sid rules to CIL\n"); @@ -590,9 +602,11 @@ int rc = 0; if (pdb->target_platform == SEPOL_TARGET_SELINUX) { - rc = write_sids_to_cil(out, selinux_sid_to_str, pdb->ocontexts[0]); + rc = write_sids_to_cil(out, selinux_sid_to_str, SELINUX_SID_SZ, + pdb->ocontexts[0]); } else if (pdb->target_platform == SEPOL_TARGET_XEN) { - rc = write_sids_to_cil(out, xen_sid_to_str, pdb->ocontexts[0]); + rc = write_sids_to_cil(out, xen_sid_to_str, XEN_SID_SZ, + pdb->ocontexts[0]); } else { sepol_log_err("Unknown target platform: %i", pdb->target_platform); rc = -1; @@ -1520,9 +1534,9 @@ static int write_type_permissive_rules_to_cil(FILE *out, struct policydb *pdb) { - type_datum_t *type; struct strs *strs; char *name; + struct ebitmap_node *node; unsigned i, num; int rc = 0; @@ -1531,13 +1545,11 @@ goto exit; } - for (i=0; i < pdb->p_types.nprim; i++) { - type = pdb->type_val_to_struct[i]; - if (type->flavor == TYPE_TYPE && (type->flags & TYPE_FLAGS_PERMISSIVE)) { - rc = strs_add(strs, pdb->p_type_val_to_name[i]); - if (rc != 0) { - goto exit; - } + ebitmap_for_each_bit(&pdb->permissive_map, node, i) { + if (!ebitmap_get_bit(&pdb->permissive_map, i)) continue; + rc = strs_add(strs, pdb->p_type_val_to_name[i-1]); + if (rc != 0) { + goto exit; } } @@ -1602,8 +1614,8 @@ if (xperms->specified & AVTAB_XPERMS_IOCTLFUNCTION) { value = xperms->driver<<8 | bit; - low_value = xperms->driver<<8 | low_bit; if (in_range) { + low_value = xperms->driver<<8 | low_bit; len = snprintf(p, remaining, " (range 0x%hx 0x%hx)", low_value, value); in_range = 0; } else { 
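Review bot: The new cleanup loop under `exit:` in write_sids_to_cil calls strs_num_items(strs) on every exit path, including the one taken when strs_init() failed at the top of the function; whether strs is a valid pointer there depends on what strs_init() leaves behind on failure, which is not visible here, so the loop should be guarded with `if (strs) { ... }` or strs_init()'s failure contract confirmed. The same loop appears in write_sids_to_conf (kernel_to_conf.c @@ -458). In write_type_permissive_rules_to_cil the `[i-1]` index presumably reflects 1-based type values in permissive_map against the 0-based name table; a one-line comment such as `/* bit i is type value i; the name table is 0-based */` would save the next reader that inference.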
@@ -1611,8 +1623,8 @@ } } else if (xperms->specified & AVTAB_XPERMS_IOCTLDRIVER) { value = bit << 8; - low_value = low_bit << 8; if (in_range) { + low_value = low_bit << 8; len = snprintf(p, remaining, " (range 0x%hx 0x%hx)", low_value, (uint16_t) (value|0xff)); in_range = 0; } else { @@ -2019,6 +2031,8 @@ return 0; exit: + strs_free_all(strs); + strs_destroy(&strs); return rc; } @@ -2479,11 +2493,12 @@ return ctx; } -static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str) +static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids) { struct ocontext *isid; struct strs *strs; - const char *sid; + char *sid; + char unknown[18]; char *ctx, *rule; unsigned i; int rc = -1; @@ -2495,7 +2510,13 @@ for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { i = isid->sid[0]; - sid = sid_to_str[i]; + if (i < num_sids) { + sid = (char *)sid_to_str[i]; + } else { + snprintf(unknown, 18, "%s%u", "UNKNOWN", i); + sid = unknown; + } + ctx = context_to_str(pdb, &isid->context[0]); if (!ctx) { rc = -1; @@ -2531,7 +2552,8 @@ static int write_selinux_isid_rules_to_cil(FILE *out, struct policydb *pdb) { - return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str); + return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str, + SELINUX_SID_SZ); } static int write_selinux_fsuse_rules_to_cil(FILE *out, struct policydb *pdb) 
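Review bot: write_sid_context_rules_to_cil changes `sid` from `const char *` to `char *` and then casts const away on `sid_to_str[i]`, although the hunk shows sid only being read; keeping `const char *sid;` lets both `sid = sid_to_str[i];` and `sid = unknown;` compile without a cast. The same unnecessary cast appears in write_sid_context_rules_to_conf (kernel_to_conf.c @@ -2339) and in ocontext_isid_to_cil (module_to_cil.c @@ -2537), where strdup() also accepts a const pointer. The `snprintf(unknown, 18, ...)` literal would be better as `sizeof(unknown)` in all three places.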
@@ -2884,7 +2906,7 @@ static int write_xen_isid_rules_to_cil(FILE *out, struct policydb *pdb) { - return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str); + return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str, XEN_SID_SZ); } static int write_xen_pirq_rules_to_cil(FILE *out, struct policydb *pdb) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/kernel_to_common.c new/libsepol-2.9/src/kernel_to_common.c --- old/libsepol-2.8/src/kernel_to_common.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/src/kernel_to_common.c 2019-03-15 11:32:30.000000000 +0100 @@ -80,10 +80,13 @@ goto exit; } + va_end(vargs2); + return str; exit: free(str); + va_end(vargs2); return NULL; } @@ -397,27 +400,27 @@ return str; } -int stack_init(struct strs **stack) +int strs_stack_init(struct strs **stack) { return strs_init(stack, STACK_SIZE); } -void stack_destroy(struct strs **stack) +void strs_stack_destroy(struct strs **stack) { return strs_destroy(stack); } -int stack_push(struct strs *stack, char *s) +int strs_stack_push(struct strs *stack, char *s) { return strs_add(stack, s); } -char *stack_pop(struct strs *stack) +char *strs_stack_pop(struct strs *stack) { return strs_remove_last(stack); } -int stack_empty(struct strs *stack) +int strs_stack_empty(struct strs *stack) { return strs_num_items(stack) == 0; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/kernel_to_common.h new/libsepol-2.9/src/kernel_to_common.h --- old/libsepol-2.8/src/kernel_to_common.h 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/src/kernel_to_common.h 2019-03-15 11:32:30.000000000 +0100 @@ -43,6 +43,8 @@ "devnull", }; +#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0])) + static const char * const xen_sid_to_str[] = { "null", "xen", 
@@ -55,8 +57,12 @@ "iomem", "irq", "device", + "domU", + "domDM", }; +#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0])) + static const uint32_t avtab_flavors[] = { AVTAB_ALLOWED, AVTAB_AUDITALLOW, @@ -105,10 +111,10 @@ int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name); char *ebitmap_to_str(struct ebitmap *map, char **val_to_name, int sort); -int stack_init(struct strs **stack); -void stack_destroy(struct strs **stack); -int stack_push(struct strs *stack, char *s); -char *stack_pop(struct strs *stack); -int stack_empty(struct strs *stack); +int strs_stack_init(struct strs **stack); +void strs_stack_destroy(struct strs **stack); +int strs_stack_push(struct strs *stack, char *s); +char *strs_stack_pop(struct strs *stack); +int strs_stack_empty(struct strs *stack); int sort_ocontexts(struct policydb *pdb); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/kernel_to_conf.c new/libsepol-2.9/src/kernel_to_conf.c --- old/libsepol-2.8/src/kernel_to_conf.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/src/kernel_to_conf.c 2019-03-15 11:32:30.000000000 +0100 @@ -35,7 +35,7 @@ char *str = NULL; int rc; - rc = stack_init(&stack); + rc = strs_stack_init(&stack); if (rc != 0) { goto exit; } @@ -63,13 +63,13 @@ } if (num_params == 2) { - val2 = stack_pop(stack); + val2 = strs_stack_pop(stack); if (!val2) { sepol_log_err("Invalid conditional expression"); goto exit; } } - val1 = stack_pop(stack); + val1 = strs_stack_pop(stack); if (!val1) { sepol_log_err("Invalid conditional expression"); free(val2); 
@@ -87,29 +87,29 @@ sepol_log_err("Invalid conditional expression"); goto exit; } - rc = stack_push(stack, new_val); + rc = strs_stack_push(stack, new_val); if (rc != 0) { sepol_log_err("Out of memory"); goto exit; } } - new_val = stack_pop(stack); - if (!new_val || !stack_empty(stack)) { + new_val = strs_stack_pop(stack); + if (!new_val || !strs_stack_empty(stack)) { sepol_log_err("Invalid conditional expression"); goto exit; } str = new_val; - stack_destroy(&stack); + strs_stack_destroy(&stack); return str; exit: - while ((new_val = stack_pop(stack)) != NULL) { + while ((new_val = strs_stack_pop(stack)) != NULL) { free(new_val); } - stack_destroy(&stack); + strs_stack_destroy(&stack); return NULL; } @@ -125,7 +125,7 @@ *use_mls = 0; - rc = stack_init(&stack); + rc = strs_stack_init(&stack); if (rc != 0) { goto exit; } @@ -204,13 +204,13 @@ } if (num_params == 2) { - val2 = stack_pop(stack); + val2 = strs_stack_pop(stack); if (!val2) { sepol_log_err("Invalid constraint expression"); goto exit; } } - val1 = stack_pop(stack); + val1 = strs_stack_pop(stack); if (!val1) { sepol_log_err("Invalid constraint expression"); goto exit; @@ -227,30 +227,30 @@ if (!new_val) { goto exit; } - rc = stack_push(stack, new_val); + rc = strs_stack_push(stack, new_val); if (rc != 0) { sepol_log_err("Out of memory"); goto exit; } } - new_val = stack_pop(stack); - if (!new_val || !stack_empty(stack)) { + new_val = strs_stack_pop(stack); + if (!new_val || !strs_stack_empty(stack)) { sepol_log_err("Invalid constraint expression"); goto exit; } str = new_val; - stack_destroy(&stack); + strs_stack_destroy(&stack); return str; exit: - while ((new_val = stack_pop(stack)) != NULL) { + while ((new_val = strs_stack_pop(stack)) != NULL) { free(new_val); } - stack_destroy(&stack); + strs_stack_destroy(&stack); return NULL; } 
@@ -428,22 +428,30 @@ return 0; } -static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct ocontext *isids) +static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, + unsigned num_sids, struct ocontext *isids) { struct ocontext *isid; struct strs *strs; char *sid; + char unknown[18]; unsigned i; int rc; - rc = strs_init(&strs, SECINITSID_NUM+1); + rc = strs_init(&strs, num_sids+1); if (rc != 0) { goto exit; } for (isid = isids; isid != NULL; isid = isid->next) { i = isid->sid[0]; - rc = strs_add_at_index(strs, (char *)sid_to_str[i], i); + if (i < num_sids) { + sid = (char *)sid_to_str[i]; + } else { + snprintf(unknown, 18, "%s%u", "UNKNOWN", i); + sid = strdup(unknown); + } + rc = strs_add_at_index(strs, sid, i); if (rc != 0) { goto exit; } @@ -458,6 +466,10 @@ } exit: + for (i=num_sids; i<strs_num_items(strs); i++) { + sid = strs_read_at_index(strs, i); + free(sid); + } strs_destroy(&strs); if (rc != 0) { sepol_log_err("Error writing sid rules to policy.conf\n"); @@ -471,9 +483,11 @@ int rc = 0; if (pdb->target_platform == SEPOL_TARGET_SELINUX) { - rc = write_sids_to_conf(out, selinux_sid_to_str, pdb->ocontexts[0]); + rc = write_sids_to_conf(out, selinux_sid_to_str, SELINUX_SID_SZ, + pdb->ocontexts[0]); } else if (pdb->target_platform == SEPOL_TARGET_XEN) { - rc = write_sids_to_conf(out, xen_sid_to_str, pdb->ocontexts[0]); + rc = write_sids_to_conf(out, xen_sid_to_str, XEN_SID_SZ, + pdb->ocontexts[0]); } else { sepol_log_err("Unknown target platform: %i", pdb->target_platform); rc = -1; @@ -1565,9 +1579,9 @@ static int write_type_permissive_rules_to_conf(FILE *out, struct policydb *pdb) { - type_datum_t *type; struct strs *strs; char *name; + struct ebitmap_node *node; unsigned i, num; int rc = 0; 
@@ -1576,13 +1590,11 @@ goto exit; } - for (i=0; i < pdb->p_types.nprim; i++) { - type = pdb->type_val_to_struct[i]; - if (type->flavor == TYPE_TYPE && (type->flags & TYPE_FLAGS_PERMISSIVE)) { - rc = strs_add(strs, pdb->p_type_val_to_name[i]); - if (rc != 0) { - goto exit; - } + ebitmap_for_each_bit(&pdb->permissive_map, node, i) { + if (!ebitmap_get_bit(&pdb->permissive_map, i)) continue; + rc = strs_add(strs, pdb->p_type_val_to_name[i-1]); + if (rc != 0) { + goto exit; } } @@ -1987,6 +1999,8 @@ return 0; exit: + strs_free_all(strs); + strs_destroy(&strs); return rc; } @@ -2339,11 +2353,12 @@ return ctx; } -static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str) +static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids) { struct ocontext *isid; struct strs *strs; - const char *sid; + char *sid; + char unknown[18]; char *ctx, *rule; unsigned i; int rc; @@ -2355,7 +2370,13 @@ for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { i = isid->sid[0]; - sid = sid_to_str[i]; + if (i < num_sids) { + sid = (char *)sid_to_str[i]; + } else { + snprintf(unknown, 18, "%s%u", "UNKNOWN", i); + sid = unknown; + } + ctx = context_to_str(pdb, &isid->context[0]); if (!ctx) { rc = -1; @@ -2391,7 +2412,8 @@ static int write_selinux_isid_rules_to_conf(FILE *out, struct policydb *pdb) { - return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str); + return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str, + SELINUX_SID_SZ); } static int write_selinux_fsuse_rules_to_conf(FILE *out, struct policydb *pdb) 
@@ -2745,7 +2767,7 @@ static int write_xen_isid_rules_to_conf(FILE *out, struct policydb *pdb) { - return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str); + return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str, XEN_SID_SZ); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/module_to_cil.c new/libsepol-2.9/src/module_to_cil.c --- old/libsepol-2.8/src/module_to_cil.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/src/module_to_cil.c 2019-03-15 11:32:30.000000000 +0100 @@ -52,6 +52,7 @@ #include <sepol/policydb/services.h> #include <sepol/policydb/util.h> +#include "kernel_to_common.h" #include "private.h" #ifdef __GNUC__ @@ -298,6 +299,8 @@ role_node->role = role; rc = list_prepend((struct list *)args, role_node); + if (rc != 0) + free(role_node); return rc; } @@ -344,6 +347,11 @@ goto exit; } } + /* As typealias_lists[scope_id] does not hold the + * ownership of its items (typealias_list_destroy does + * not free the list items), "key" does not need to be + * strdup'ed before it is inserted in the list. + */ list_prepend(typealias_lists[scope_id], key); } } @@ -647,8 +655,8 @@ if (xperms->specified & AVTAB_XPERMS_IOCTLFUNCTION) { value = xperms->driver<<8 | bit; - low_value = xperms->driver<<8 | low_bit; if (in_range) { + low_value = xperms->driver<<8 | low_bit; cil_printf("(range 0x%hx 0x%hx)", low_value, value); in_range = 0; } else { @@ -656,8 +664,8 @@ } } else if (xperms->specified & AVTAB_XPERMS_IOCTLDRIVER) { value = bit << 8; - low_value = low_bit << 8; if (in_range) { + low_value = low_bit << 8; cil_printf("(range 0x%hx 0x%hx)", low_value, (uint16_t) (value|0xff)); in_range = 0; } else { @@ -1002,6 +1010,12 @@ } } + if (!num) { + *names = NULL; + *num_names = 0; + goto exit; + } + name_arr = malloc(sizeof(*name_arr) * num); if (name_arr == NULL) { log_err("Out of memory"); 
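Review bot: The new `if (!num)` block in the module_to_cil.c @@ -1002 hunk leaves through `goto exit` without setting rc, so whether an empty bitmap is reported as success depends on rc's initial value, which is assigned outside the hunk; if this function follows the file's usual `int rc = -1;` pattern the caller now sees a failure for a legitimately empty set. Writing `rc = 0;` before the `goto exit;` makes the intent explicit either way, and callers must accept `*names == NULL` together with `*num_names == 0`. In the @@ -298 hunk `if (rc != 0) free(role_node);` is unbraced unlike the surrounding code; `if (rc != 0) { free(role_node); }` matches the file's style.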
@@ -1092,7 +1106,6 @@ goto exit; } - curr = role_list->head; for (curr = role_list->head; curr != NULL; curr = curr->next) { role_node = curr->data; if (!is_id_in_ancestor_scope(pdb, decl_stack, role_node->role_name, SYM_ROLES)) { @@ -1284,7 +1297,6 @@ rc = -1; goto exit; } - num_params = 0; } else { switch(curr->expr_type) { case COND_NOT: op = "not"; break; @@ -1824,8 +1836,6 @@ free(names); names = NULL; } - - num_params = 0; } else { switch (expr->expr_type) { case CEXPR_NOT: op = "not"; break; @@ -2537,23 +2547,34 @@ return 0; } -static int ocontext_isid_to_cil(struct policydb *pdb, const char **sid_to_string, struct ocontext *isids) +static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string, + unsigned num_sids, struct ocontext *isids) { int rc = -1; struct ocontext *isid; struct sid_item { - const char *sid_key; + char *sid_key; struct sid_item *next; }; struct sid_item *head = NULL; struct sid_item *item = NULL; + char *sid; + char unknown[18]; + unsigned i; for (isid = isids; isid != NULL; isid = isid->next) { - cil_println(0, "(sid %s)", sid_to_string[isid->sid[0]]); - cil_printf("(sidcontext %s ", sid_to_string[isid->sid[0]]); + i = isid->sid[0]; + if (i < num_sids) { + sid = (char*)sid_to_string[i]; + } else { + snprintf(unknown, 18, "%s%u", "UNKNOWN", i); + sid = unknown; + } + cil_println(0, "(sid %s)", sid); + cil_printf("(sidcontext %s ", sid); context_to_cil(pdb, &isid->context[0]); cil_printf(")\n"); @@ -2565,7 +2586,7 @@ rc = -1; goto exit; } - item->sid_key = sid_to_string[isid->sid[0]]; + item->sid_key = strdup(sid); item->next = head; head = item; } @@ -2584,6 +2605,7 @@ while(head) { item = head; head = item->next; + free(item->sid_key); free(item); } return rc; 
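Review bot: In ocontext_isid_to_cil the new `item->sid_key = strdup(sid);` is unchecked, so an allocation failure leaves a NULL key in the list for whatever later compares or prints it outside the hunk; the allocation of item a few lines above already has an error branch, and sid_key needs the same, e.g. `if (!item->sid_key) { free(item); rc = -1; goto exit; }` placed before item is linked into head. The `free(item->sid_key);` added to the exit loop is NULL-safe, so the existing teardown needs no further change. The `snprintf(unknown, 18, ...)` literal would be clearer as `sizeof(unknown)`.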
@@ -2593,41 +2615,7 @@ { int rc = -1; - // initial sid names aren't actually stored in the pp files, need to a have - // a mapping, taken from the linux kernel - static const char *selinux_sid_to_string[] = { - "null", - "kernel", - "security", - "unlabeled", - "fs", - "file", - "file_labels", - "init", - "any_socket", - "port", - "netif", - "netmsg", - "node", - "igmp_packet", - "icmp_socket", - "tcp_socket", - "sysctl_modprobe", - "sysctl", - "sysctl_fs", - "sysctl_kernel", - "sysctl_net", - "sysctl_net_unix", - "sysctl_vm", - "sysctl_dev", - "kmod", - "policy", - "scmp_packet", - "devnull", - NULL - }; - - rc = ocontext_isid_to_cil(pdb, selinux_sid_to_string, isids); + rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, SELINUX_SID_SZ, isids); if (rc != 0) { goto exit; } @@ -2856,24 +2844,7 @@ { int rc = -1; - // initial sid names aren't actually stored in the pp files, need to a have - // a mapping, taken from the xen kernel - static const char *xen_sid_to_string[] = { - "null", - "xen", - "dom0", - "domio", - "domxen", - "unlabeled", - "security", - "ioport", - "iomem", - "irq", - "device", - NULL, - }; - - rc = ocontext_isid_to_cil(pdb, xen_sid_to_string, isids); + rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, XEN_SID_SZ, isids); if (rc != 0) { goto exit; } @@ -4223,7 +4194,6 @@ int sepol_ppfile_to_module_package(FILE *fp, struct sepol_module_package **mod_pkg) { int rc = -1; - FILE *f = NULL; struct sepol_policy_file *pf = NULL; struct sepol_module_package *pkg = NULL; char *data = NULL; @@ -4275,9 +4245,6 @@ free(data); sepol_policy_file_free(pf); - if (f != NULL) { - fclose(f); - } if (rc != 0) { sepol_module_package_free(pkg); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/node_record.c new/libsepol-2.9/src/node_record.c --- old/libsepol-2.8/src/node_record.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/src/node_record.c 2019-03-15 11:32:30.000000000 +0100 
@@ -83,7 +83,7 @@ } /* Allocates a sufficiently large buffer (addr, addr_sz) - * according the the protocol */ + * according to the protocol */ static int node_alloc_addr(sepol_handle_t * handle, int proto, char **addr, size_t * addr_sz) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/policydb.c new/libsepol-2.9/src/policydb.c --- old/libsepol-2.8/src/policydb.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/src/policydb.c 2019-03-15 11:32:30.000000000 +0100 @@ -51,6 +51,7 @@ #include <sepol/policydb/util.h> #include <sepol/policydb/flask.h> +#include "kernel_to_common.h" #include "private.h" #include "debug.h" #include "mls.h" @@ -2827,22 +2828,35 @@ (&c->context[1], p, fp)) return -1; break; - case OCON_IBPKEY: + case OCON_IBPKEY: { + uint32_t pkey_lo, pkey_hi; + rc = next_entry(buf, fp, sizeof(uint32_t) * 4); - if (rc < 0 || buf[2] > 0xffff || buf[3] > 0xffff) + if (rc < 0) return -1; + pkey_lo = le32_to_cpu(buf[2]); + pkey_hi = le32_to_cpu(buf[3]); + + if (pkey_lo > UINT16_MAX || pkey_hi > UINT16_MAX) + return -1; + + c->u.ibpkey.low_pkey = pkey_lo; + c->u.ibpkey.high_pkey = pkey_hi; + + /* we want c->u.ibpkey.subnet_prefix in network + * (big-endian) order, just memcpy it */ memcpy(&c->u.ibpkey.subnet_prefix, buf, sizeof(c->u.ibpkey.subnet_prefix)); - c->u.ibpkey.low_pkey = le32_to_cpu(buf[2]); - c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]); - if (context_read_and_validate (&c->context[0], p, fp)) return -1; break; - case OCON_IBENDPORT: + } + case OCON_IBENDPORT: { + uint32_t port; + rc = next_entry(buf, fp, sizeof(uint32_t) * 2); if (rc < 0) return -1; @@ -2850,6 +2864,10 @@ if (len == 0 || len > IB_DEVICE_NAME_MAX - 1) return -1; + port = le32_to_cpu(buf[1]); + if (port > UINT8_MAX || port == 0) + return -1; + c->u.ibendport.dev_name = malloc(len + 1); if (!c->u.ibendport.dev_name) return -1; 
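Review bot: The added check rejects pkeys above `UINT16_MAX` but still accepts `pkey_lo > pkey_hi`, so an inverted (empty) pkey range read from the binary policy is stored as-is; unless the ordering is validated elsewhere, which this hunk does not show, the condition could read `if (pkey_lo > UINT16_MAX || pkey_hi > UINT16_MAX || pkey_lo > pkey_hi) return -1;`. The endianness fix itself looks right: the comparisons now run on host-order values and the comment makes clear that `subnet_prefix` is deliberately kept in wire order. The new `OCON_IBENDPORT` block opened at the end of this hunk is completed in the following hunks.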
@@ -2857,11 +2875,12 @@ if (rc < 0) return -1; c->u.ibendport.dev_name[len] = 0; - c->u.ibendport.port = le32_to_cpu(buf[1]); + c->u.ibendport.port = port; if (context_read_and_validate (&c->context[0], p, fp)) return -1; break; + } case OCON_PORT: rc = next_entry(buf, fp, sizeof(uint32_t) * 3); if (rc < 0) @@ -4301,3 +4320,7 @@ return 0; } +int policydb_sort_ocontexts(policydb_t *p) +{ + return sort_ocontexts(p); +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/util.c new/libsepol-2.9/src/util.c --- old/libsepol-2.8/src/util.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/src/util.c 2019-03-15 11:32:30.000000000 +0100 @@ -159,16 +159,16 @@ if (xperms->specified & AVTAB_XPERMS_IOCTLFUNCTION) { value = xperms->driver<<8 | bit; - low_value = xperms->driver<<8 | low_bit; if (in_range) { + low_value = xperms->driver<<8 | low_bit; len = snprintf(p, sizeof(xpermsbuf) - xpermslen, "0x%hx-0x%hx ", low_value, value); } else { len = snprintf(p, sizeof(xpermsbuf) - xpermslen, "0x%hx ", value); } } else if (xperms->specified & AVTAB_XPERMS_IOCTLDRIVER) { value = bit << 8; - low_value = low_bit << 8; if (in_range) { + low_value = low_bit << 8; len = snprintf(p, sizeof(xpermsbuf) - xpermslen, "0x%hx-0x%hx ", low_value, (uint16_t) (value|0xff)); } else { len = snprintf(p, sizeof(xpermsbuf) - xpermslen, "0x%hx-0x%hx ", value, (uint16_t) (value|0xff)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/tests/test-downgrade.c new/libsepol-2.9/tests/test-downgrade.c --- old/libsepol-2.8/tests/test-downgrade.c 2018-05-24 20:21:09.000000000 +0200 +++ new/libsepol-2.9/tests/test-downgrade.c 2019-03-15 11:32:30.000000000 +0100 @@ -210,7 +210,6 @@ if ((in_fp = fopen(path, "rb")) == NULL) { fprintf(stderr, "Unable to open %s: %s\n", path, strerror(errno)); - sepol_handle_destroy(f.handle); return -1; } 
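Review bot: `policydb_sort_ocontexts()` is a new externally visible entry point but carries no comment on what it sorts or on its return convention; it only forwards to `sort_ocontexts()`, whose definition is outside this diff. A short header comment such as `/* Sort the ocontext lists of p in place; returns the result of sort_ocontexts() (0 on success, by this file's convention -- confirm). */` would tell callers what to expect. Its prototype also has to be declared in the public policydb header for callers to reach it, which this hunk does not show.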
@@ -220,7 +219,6 @@ f.fp = in_fp; rc = policydb_read(p, &f, 0); - sepol_handle_destroy(f.handle); fclose(in_fp); return rc; } @@ -256,7 +254,7 @@ if ((out_fp = fopen(path, "w" )) == NULL) { fprintf(stderr, "Unable to open %s: %s\n", path, strerror(errno)); - sepol_handle_destroy(f.handle); + sepol_handle_destroy(handle); return -1; }
