[PATCH 3/3] libselinux: makes android label back ends configurable

[Janis Danisevskis]

Android label back ends are not configurable by NO_ANDROID_BACKEND,
which is set if on ANDROID_HOST != y.

Signed-off-by: Janis Danisevskis <jda...@android.com>
---
 libselinux/src/Makefile |  3 +++
 libselinux/src/label.c  | 10 --
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index cba8383..7169230 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -87,6 +87,9 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND 
-DNO_X_BACKEND \
 SRCS= callbacks.c freecon.c label.c label_file.c \
label_backends_android.c regex.c label_support.c \
matchpathcon.c setrans_client.c sha1.c
+else
+DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+SRCS:= $(filter-out label_backends_android.c, $(SRCS))
 endif
 
 SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS)
diff --git a/libselinux/src/label.c b/libselinux/src/label.c
index eb0e766..60639cf 100644
--- a/libselinux/src/label.c
+++ b/libselinux/src/label.c
@@ -35,6 +35,12 @@
 #define CONFIG_DB_BACKEND(fnptr) 
 #endif
 
+#ifdef NO_ANDROID_BACKEND
+#define CONFIG_ANDROID_BACKEND(fnptr) NULL
+#else
+#define CONFIG_ANDROID_BACKEND(fnptr) (&(fnptr))
+#endif
+
 typedef int (*selabel_initfunc)(struct selabel_handle *rec,
const struct selinux_opt *opts,
unsigned nopts);
@@ -44,8 +50,8 @@ static selabel_initfunc initfuncs[] = {
CONFIG_MEDIA_BACKEND(selabel_media_init),
CONFIG_X_BACKEND(selabel_x_init),
CONFIG_DB_BACKEND(selabel_db_init),
-   _property_init,
-   _service_init,
+   CONFIG_ANDROID_BACKEND(selabel_property_init),
+   CONFIG_ANDROID_BACKEND(selabel_service_init),
 };
 
 static void selabel_subs_fini(struct selabel_sub *ptr)
-- 
1.9.1

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Re: [PATCH] libselinux: android: fix lax service context lookup

[Janis Danisevskis]

On Wed, Sep 28, 2016 at 5:17 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:

> On 09/28/2016 12:04 PM, Janis Danisevskis wrote:
> > We use the same lookup function for service contexts
> > that we use for property contexts. However, property
> > contexts are namespace based and only compare the
> > prefix. This may lead to service associations with
> > a wrong label.
> >
> > This patch introduces a stricter lookup function for
> > services contexts. Now the service name must match
> > the key of the service label exactly.
> >
> > Signed-off-by: Janis Danisevskis <jda...@android.com>
> > ---
> >  libselinux/include/selinux/label.h  |  2 ++
> >  libselinux/src/label.c  |  1 +
> >  libselinux/src/label_android_property.c | 50
> +
> >  libselinux/src/label_internal.h |  3 ++
> >  4 files changed, 56 insertions(+)
>
> Normally each backend would go into its own file, so service would get
> its own.  Alternatively, since we are unlikely to ever support one
> without the other, perhaps label_android_property.c should be renamed to
> label_android.c and contain all of the Android-unique backends.
>
> I was thinking along the same lines, was just eager to get home... I'll
send
a refactored patch by tomorrow.


> >
> > diff --git a/libselinux/include/selinux/label.h
> b/libselinux/include/selinux/label.h
> > index f0b1e10..277287e 100644
> > --- a/libselinux/include/selinux/label.h
> > +++ b/libselinux/include/selinux/label.h
> > @@ -34,6 +34,8 @@ struct selabel_handle;
> >  #define SELABEL_CTX_DB   3
> >  /* Android property service contexts */
> >  #define SELABEL_CTX_ANDROID_PROP 4
> > +/* Android service contexts */
> > +#define SELABEL_CTX_ANDROID_SERVICE 5
> >
> >  /*
> >   * Available options
> > diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> > index 96a4ff1..eb0e766 100644
> > --- a/libselinux/src/label.c
> > +++ b/libselinux/src/label.c
> > @@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = {
> >   CONFIG_X_BACKEND(selabel_x_init),
> >   CONFIG_DB_BACKEND(selabel_db_init),
> >   _property_init,
> > + _service_init,
>
> Wondering if we should support selective enablement of the property and
> service backends too, similar to what William introduced for media, x,
> and db so that he could disable them on Android (in our case, so we can
> disable property and service backends on Linux distributions).
>

Oh, that is what these wrappers are for :-) . Sure.


>
> >  };
> >
> >  static void selabel_subs_fini(struct selabel_sub *ptr)
> > diff --git a/libselinux/src/label_android_property.c
> b/libselinux/src/label_android_property.c
> > index 290b438..69d6afd 100644
> > --- a/libselinux/src/label_android_property.c
> > +++ b/libselinux/src/label_android_property.c
> > @@ -279,6 +279,38 @@ finish:
> >   return ret;
> >  }
> >
> > +static struct selabel_lookup_rec *service_lookup(struct selabel_handle
> *rec,
> > + const char *key, int __attribute__((unused)) type)
> > +{
> > + struct saved_data *data = (struct saved_data *)rec->data;
> > + spec_t *spec_arr = data->spec_arr;
> > + unsigned int i;
> > + struct selabel_lookup_rec *ret = NULL;
> > +
> > + if (!data->nspec) {
> > + errno = ENOENT;
> > + goto finish;
> > + }
> > +
> > + for (i = 0; i < data->nspec; i++) {
> > + if (strcmp(spec_arr[i].property_key, key) == 0)
> > + break;
> > + if (strcmp(spec_arr[i].property_key, "*") == 0)
> > + break;
> > + }
> > +
> > + if (i >= data->nspec) {
> > + /* No matching specification. */
> > + errno = ENOENT;
> > + goto finish;
> > + }
> > +
> > + ret = _arr[i].lr;
> > +
> > +finish:
> > + return ret;
> > +}
> > +
> >  static void stats(struct selabel_handle __attribute__((unused)) *rec)
> >  {
> >   selinux_log(SELINUX_WARNING, "'stats' functionality not
> implemented.\n");
> > @@ -302,3 +334,21 @@ int selabel_property_init(struct selabel_handle
> *rec,
> >
> >   return init(rec, opts, nopts);
> >  }
> > +
> > +int selabel_service_init(struct selabel_handle *rec,
> > + const struct selinux_opt *opts, unsigned nopts)
> > +{
> >

[PATCH] libselinux: android: fix lax service context lookup

[Janis Danisevskis]

We use the same lookup function for service contexts
that we use for property contexts. However, property
contexts are namespace based and only compare the
prefix. This may lead to service associations with
a wrong label.

This patch introduces a stricter lookup function for
services contexts. Now the service name must match
the key of the service label exactly.

Signed-off-by: Janis Danisevskis <jda...@android.com>
---
 libselinux/include/selinux/label.h  |  2 ++
 libselinux/src/label.c  |  1 +
 libselinux/src/label_android_property.c | 50 +
 libselinux/src/label_internal.h |  3 ++
 4 files changed, 56 insertions(+)

diff --git a/libselinux/include/selinux/label.h 
b/libselinux/include/selinux/label.h
index f0b1e10..277287e 100644
--- a/libselinux/include/selinux/label.h
+++ b/libselinux/include/selinux/label.h
@@ -34,6 +34,8 @@ struct selabel_handle;
 #define SELABEL_CTX_DB 3
 /* Android property service contexts */
 #define SELABEL_CTX_ANDROID_PROP 4
+/* Android service contexts */
+#define SELABEL_CTX_ANDROID_SERVICE 5
 
 /*
  * Available options
diff --git a/libselinux/src/label.c b/libselinux/src/label.c
index 96a4ff1..eb0e766 100644
--- a/libselinux/src/label.c
+++ b/libselinux/src/label.c
@@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = {
CONFIG_X_BACKEND(selabel_x_init),
CONFIG_DB_BACKEND(selabel_db_init),
_property_init,
+   _service_init,
 };
 
 static void selabel_subs_fini(struct selabel_sub *ptr)
diff --git a/libselinux/src/label_android_property.c 
b/libselinux/src/label_android_property.c
index 290b438..69d6afd 100644
--- a/libselinux/src/label_android_property.c
+++ b/libselinux/src/label_android_property.c
@@ -279,6 +279,38 @@ finish:
return ret;
 }
 
+static struct selabel_lookup_rec *service_lookup(struct selabel_handle *rec,
+   const char *key, int __attribute__((unused)) type)
+{
+   struct saved_data *data = (struct saved_data *)rec->data;
+   spec_t *spec_arr = data->spec_arr;
+   unsigned int i;
+   struct selabel_lookup_rec *ret = NULL;
+
+   if (!data->nspec) {
+   errno = ENOENT;
+   goto finish;
+   }
+
+   for (i = 0; i < data->nspec; i++) {
+   if (strcmp(spec_arr[i].property_key, key) == 0)
+   break;
+   if (strcmp(spec_arr[i].property_key, "*") == 0)
+   break;
+   }
+
+   if (i >= data->nspec) {
+   /* No matching specification. */
+   errno = ENOENT;
+   goto finish;
+   }
+
+   ret = _arr[i].lr;
+
+finish:
+   return ret;
+}
+
 static void stats(struct selabel_handle __attribute__((unused)) *rec)
 {
selinux_log(SELINUX_WARNING, "'stats' functionality not 
implemented.\n");
@@ -302,3 +334,21 @@ int selabel_property_init(struct selabel_handle *rec,
 
return init(rec, opts, nopts);
 }
+
+int selabel_service_init(struct selabel_handle *rec,
+   const struct selinux_opt *opts, unsigned nopts)
+{
+   struct saved_data *data;
+
+   data = (struct saved_data *)malloc(sizeof(*data));
+   if (!data)
+   return -1;
+   memset(data, 0, sizeof(*data));
+
+   rec->data = data;
+   rec->func_close = 
+   rec->func_stats = 
+   rec->func_lookup = _lookup;
+
+   return init(rec, opts, nopts);
+}
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 7c55531..6a9481a 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -39,6 +39,9 @@ int selabel_db_init(struct selabel_handle *rec,
 int selabel_property_init(struct selabel_handle *rec,
const struct selinux_opt *opts,
unsigned nopts) hidden;
+int selabel_service_init(struct selabel_handle *rec,
+   const struct selinux_opt *opts,
+   unsigned nopts) hidden;
 
 /*
  * Labeling internal structures
-- 
2.8.0.rc3.226.g39d4020

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

[PATCH 3/3] libselinux: sefcontext_compile invert semantics of "-r" flag

[Janis Danisevskis]

The "-r" flag of sefcontext_compile now causes it to omit the
precompiled regular expressions from the output.

Signed-off-by: Janis Danisevskis <jda...@android.com>
---
 libselinux/utils/sefcontext_compile.c | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libselinux/utils/sefcontext_compile.c 
b/libselinux/utils/sefcontext_compile.c
index 8c48d32..b2746c7 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -276,10 +276,12 @@ static void usage(const char *progname)
" will be fc_file with the .bin suffix appended.\n\t"
"-p   Optional binary policy file that will be used to\n\t"
" validate contexts defined in the fc_file.\n\t"
-   "-r   Include precompiled regular expressions in the 
output.\n\t"
+   "-r   Omit precompiled regular expressions from the output.\n\t"
" (PCRE2 only. Compiled PCRE2 regular expressions are\n\t"
-   " not portable across architectures. When linked 
against\n\t"
-   " PCRE this flag is ignored)\n\t"
+   " not portable across architectures. Use this flag\n\t"
+   " if you know that you build for an incompatible\n\t"
+   " architecture to save space. When linked against\n\t"
+   " PCRE1 this flag is ignored.)\n\t"
"-i   Print regular expression info end exit. That is, back\n\t"
" end version and architecture identifier.\n\t"
" Arch identifier format (PCRE2):\n\t"
@@ -294,7 +296,7 @@ int main(int argc, char *argv[])
 {
const char *path = NULL;
const char *out_file = NULL;
-   int do_write_precompregex = 0;
+   int do_write_precompregex = 1;
char stack_path[PATH_MAX + 1];
char *tmp = NULL;
int fd, rc, opt;
@@ -315,7 +317,7 @@ int main(int argc, char *argv[])
policy_file = optarg;
break;
case 'r':
-   do_write_precompregex = 1;
+   do_write_precompregex = 0;
break;
case 'i':
printf("%s (%s)\n", regex_version(),
-- 
2.8.0.rc3.226.g39d4020

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

[PATCH 1/3] libselinux: Add architecture string to file_context.bin

[Janis Danisevskis]

Serialized precompiled regular expressins are architecture
dependent when using PCRE2. This patch
- bumps the SELINUX_COMPILED_FCONTEXT version to 5 and
- adds a field to the output indicating the architecture
  compatibility.

libselinux can cope with an architecture mismatch by
ignoring the precompiled data in the input file and recompiling
the regular expressions at runtime. It can also load older
versions of file_contexts.bin if they where built with
sefcontext_compile using the exact same version of the
pcre1/2 as selinux.

Signed-off-by: Janis Danisevskis <jda...@android.com>
---
 libselinux/src/label_file.c   | 43 +-
 libselinux/src/label_file.h   |  4 ++-
 libselinux/src/regex.c| 50 ---
 libselinux/src/regex.h| 15 ++-
 libselinux/utils/sefcontext_compile.c | 13 +
 5 files changed, 119 insertions(+), 6 deletions(-)

diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 7156825..13e05c1 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -126,6 +126,8 @@ static int load_mmap(FILE *fp, size_t len, struct 
selabel_handle *rec,
uint32_t i, magic, version;
uint32_t entry_len, stem_map_len, regex_array_len;
const char *reg_version;
+   const char *reg_arch;
+   char reg_arch_matches = 0;
 
mmap_area = malloc(sizeof(*mmap_area));
if (!mmap_area) {
@@ -159,6 +161,10 @@ static int load_mmap(FILE *fp, size_t len, struct 
selabel_handle *rec,
if (!reg_version)
return -1;
 
+   reg_arch = regex_arch_string();
+   if (!reg_arch)
+   return -1;
+
if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) {
 
len = strlen(reg_version);
@@ -188,7 +194,42 @@ static int load_mmap(FILE *fp, size_t len, struct 
selabel_handle *rec,
return -1;
}
free(str_buf);
+
+   if (version >= SELINUX_COMPILED_FCONTEXT_REGEX_ARCH) {
+   len = strlen(reg_arch);
+
+   rc = next_entry(_len, mmap_area,
+   sizeof(uint32_t));
+   if (rc < 0)
+   return -1;
+
+   /* Check arch string lengths */
+   if (len != entry_len) {
+   /*
+* Skip the entry and conclude that we have
+* a mismatch, which is not fatal.
+*/
+   next_entry(NULL, mmap_area, entry_len);
+   goto end_arch_check;
+   }
+
+   /* Check if arch string mismatch */
+   str_buf = malloc(entry_len + 1);
+   if (!str_buf)
+   return -1;
+
+   rc = next_entry(str_buf, mmap_area, entry_len);
+   if (rc < 0) {
+   free(str_buf);
+   return -1;
+   }
+
+   str_buf[entry_len] = '\0';
+   reg_arch_matches = strcmp(str_buf, reg_arch) == 0;
+   free(str_buf);
+   }
}
+end_arch_check:
 
/* allocate the stems_data array */
rc = next_entry(_map_len, mmap_area, sizeof(uint32_t));
@@ -349,7 +390,7 @@ static int load_mmap(FILE *fp, size_t len, struct 
selabel_handle *rec,
spec->prefix_len = prefix_len;
}
 
-   rc = regex_load_mmap(mmap_area, >regex);
+   rc = regex_load_mmap(mmap_area, >regex, reg_arch_matches);
if (rc < 0)
goto out;
 
diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
index 88f4294..00c0a5c 100644
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@@ -24,8 +24,10 @@
 #define SELINUX_COMPILED_FCONTEXT_PCRE_VERS2
 #define SELINUX_COMPILED_FCONTEXT_MODE 3
 #define SELINUX_COMPILED_FCONTEXT_PREFIX_LEN   4
+#define SELINUX_COMPILED_FCONTEXT_REGEX_ARCH   5
 
-#define SELINUX_COMPILED_FCONTEXT_MAX_VERS 
SELINUX_COMPILED_FCONTEXT_PREFIX_LEN
+#define SELINUX_COMPILED_FCONTEXT_MAX_VERS \
+   SELINUX_COMPILED_FCONTEXT_REGEX_ARCH
 
 /* A file security context specification. */
 struct spec {
diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c
index 750088e..a3b427b 100644
--- a/libselinux/src/regex.c
+++ b/libselinux/src/regex.c
@@ -7,6 +7,44 @@
 #include "label_file.h"
 
 #ifdef USE_PCRE2
+#define REGEX_ARCH_SIZE_T PCRE2_SIZE
+#else
+#define REGEX_ARCH_SIZE_T size_t
+#endif
+
+#ifndef __BYTE_ORDER__
+#error __BYTE_ORDER__ not defined. Unable to determine endianness.
+#endif
+
+#ifdef 

[PATCH 2/3] libselinux: sefcontext_compile: Add "-i" flag

[Janis Danisevskis]

Adds the "-i" flag, which prints the version and
architecture identifier of the regular expression back end.

Signed-off-by: Janis Danisevskis <jda...@android.com>
---
 libselinux/utils/sefcontext_compile.c | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/libselinux/utils/sefcontext_compile.c 
b/libselinux/utils/sefcontext_compile.c
index d91db9a..8c48d32 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -280,6 +280,11 @@ static void usage(const char *progname)
" (PCRE2 only. Compiled PCRE2 regular expressions are\n\t"
" not portable across architectures. When linked 
against\n\t"
" PCRE this flag is ignored)\n\t"
+   "-i   Print regular expression info end exit. That is, back\n\t"
+   " end version and architecture identifier.\n\t"
+   " Arch identifier format (PCRE2):\n\t"
+   " --, e.g.,\n\t"
+   " \"8-8-el\" for x86_64.\n\t"
"fc_file  The text based file contexts file to be processed.\n",
progname);
exit(EXIT_FAILURE);
@@ -301,7 +306,7 @@ int main(int argc, char *argv[])
if (argc < 2)
usage(argv[0]);
 
-   while ((opt = getopt(argc, argv, "o:p:r")) > 0) {
+   while ((opt = getopt(argc, argv, "io:p:r")) > 0) {
switch (opt) {
case 'o':
out_file = optarg;
@@ -312,6 +317,10 @@ int main(int argc, char *argv[])
case 'r':
do_write_precompregex = 1;
break;
+   case 'i':
+   printf("%s (%s)\n", regex_version(),
+   regex_arch_string());
+   return 0;
default:
usage(argv[0]);
}
-- 
2.8.0.rc3.226.g39d4020

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

[PATCH 2/3] libselinux: sefcontext_compile: Add "-i" flag

[Janis Danisevskis]

Adds the "-i" flag, which prints the version and
architecture identifier of the regular expression back end.

Signed-off-by: Janis Danisevskis <jda...@android.com>
---
 libselinux/utils/sefcontext_compile.c | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/libselinux/utils/sefcontext_compile.c 
b/libselinux/utils/sefcontext_compile.c
index d91db9a..8c48d32 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -280,6 +280,11 @@ static void usage(const char *progname)
" (PCRE2 only. Compiled PCRE2 regular expressions are\n\t"
" not portable across architectures. When linked 
against\n\t"
" PCRE this flag is ignored)\n\t"
+   "-i   Print regular expression info end exit. That is, back\n\t"
+   " end version and architecture identifier.\n\t"
+   " Arch identifier format (PCRE2):\n\t"
+   " --, e.g.,\n\t"
+   " \"8-8-el\" for x86_64.\n\t"
"fc_file  The text based file contexts file to be processed.\n",
progname);
exit(EXIT_FAILURE);
@@ -301,7 +306,7 @@ int main(int argc, char *argv[])
if (argc < 2)
usage(argv[0]);
 
-   while ((opt = getopt(argc, argv, "o:p:r")) > 0) {
+   while ((opt = getopt(argc, argv, "io:p:r")) > 0) {
switch (opt) {
case 'o':
out_file = optarg;
@@ -312,6 +317,10 @@ int main(int argc, char *argv[])
case 'r':
do_write_precompregex = 1;
break;
+   case 'i':
+   printf("%s (%s)\n", regex_version(),
+   regex_arch_string());
+   return 0;
default:
usage(argv[0]);
}
-- 
2.8.0.rc3.226.g39d4020

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

[PATCH 3/3] libselinux: sefcontext_compile invert semantics of "-r" flag

[Janis Danisevskis]

The "-r" flag of sefcontext_compile now causes it to omit the
precompiled regular expressions from the output.

Signed-off-by: Janis Danisevskis <jda...@android.com>
---
 libselinux/utils/sefcontext_compile.c | 12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/libselinux/utils/sefcontext_compile.c 
b/libselinux/utils/sefcontext_compile.c
index 8c48d32..b2746c7 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -276,10 +276,12 @@ static void usage(const char *progname)
" will be fc_file with the .bin suffix appended.\n\t"
"-p   Optional binary policy file that will be used to\n\t"
" validate contexts defined in the fc_file.\n\t"
-   "-r   Include precompiled regular expressions in the 
output.\n\t"
+   "-r   Omit precompiled regular expressions from the output.\n\t"
" (PCRE2 only. Compiled PCRE2 regular expressions are\n\t"
-   " not portable across architectures. When linked 
against\n\t"
-   " PCRE this flag is ignored)\n\t"
+   " not portable across architectures. Use this flag\n\t"
+   " if you know that you build for an incompatible\n\t"
+   " architecture to save space. When linked against\n\t"
+   " PCRE1 this flag is ignored.)\n\t"
"-i   Print regular expression info end exit. That is, back\n\t"
" end version and architecture identifier.\n\t"
" Arch identifier format (PCRE2):\n\t"
@@ -294,7 +296,7 @@ int main(int argc, char *argv[])
 {
const char *path = NULL;
const char *out_file = NULL;
-   int do_write_precompregex = 0;
+   int do_write_precompregex = 1;
char stack_path[PATH_MAX + 1];
char *tmp = NULL;
int fd, rc, opt;
@@ -315,7 +317,7 @@ int main(int argc, char *argv[])
policy_file = optarg;
break;
case 'r':
-   do_write_precompregex = 1;
+   do_write_precompregex = 0;
break;
case 'i':
printf("%s (%s)\n", regex_version(),
-- 
2.8.0.rc3.226.g39d4020

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Re: [PATCH] libselinux: add support for pcre2

[Janis Danisevskis]

On Fri, Sep 16, 2016 at 8:06 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:

> On 09/16/2016 02:57 PM, Janis Danisevskis wrote:
> > I have started implementing an arch string patch. Unfortunately, i did
> > not manage to finish it before I had to leave the office today.
> > In essence I did this:
> > The regex_arch_string has three components: the pointer width determined
> > by sizeof(void*), PCRE2_SIZE width determined by sizeof(), and
> > endianess determined by
> > __BYTE_ORDER__==__ORDER_BIG/LITTEL_ENDIAN__
> >
> > For example, the resulting string for x86_64 and aarch64el should look
> like
> > this: "8-8-el".
> >
> > I bumped the compiled context version number and added the string
> > right after the version in the output.
> > Comments?
>
> What's the error handling when the versions do not match?  Just ignore
> the compiled regexes in file_contexts.bin?
>
>
> Yes, If the version and arch match attempt to load the compiled regexes
from the file. Otherwise, skip the corresponding regions of the file and
leave the regex field NULL, so that they will be compiled on first use.
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Re: [PATCH] libselinux: add support for pcre2

[Janis Danisevskis]

I have started implementing an arch string patch. Unfortunately, i did
not manage to finish it before I had to leave the office today.
In essence I did this:
The regex_arch_string has three components: the pointer width determined
by sizeof(void*), PCRE2_SIZE width determined by sizeof(), and
endianess determined by
__BYTE_ORDER__==__ORDER_BIG/LITTEL_ENDIAN__

For example, the resulting string for x86_64 and aarch64el should look like
this: "8-8-el".

I bumped the compiled context version number and added the string
right after the version in the output.
Comments?


On Fri, Sep 16, 2016 at 3:52 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote:

> On 09/16/2016 09:31 AM, Jason Zaman wrote:
> > On Fri, Sep 16, 2016 at 06:15:01AM -0700, William Roberts wrote:
> >> On Fri, Sep 16, 2016 at 6:09 AM, Janis Danisevskis <jda...@google.com>
> wrote:
> >>> I don't mind. Then before sefcontext_compile -r gets widely adapted we
> >>> should change the semantic quickly. I'll prepare a patch.
> >>
> >> Did I miss something and this was merged? Iv'e been out recovering
> >> from a surgery so I haven't been
> >> following this as well as I normally would have,
> >>
> >> If its merged, just leave it.
> >
> > Its the very latest thing in master yeah, but I do also agree with
> changing it.
> >
> > I just wanted to add that from a distro perspective, compiling things by
> > default makes more sense. In gentoo, the package post_install runs
> > sefcontext_compile. Using the fcontext files happens a lot more than any
> > updates to libselinux (and thus potential format changes) so I'm pretty
> > sure most people would prefer to have the speedup.
> >
> > Gentoo does it on the machine itself, I am not sure about redhat or
> > debian but I wouldnt be surprised if they do it per-arch at the very
> > least so cross-arch probably isnt an issue.
>
> In Red Hat, SELinux policy is noarch, and they switched to precompiling
> both policy and file_contexts.bin at build time to minimize the cost at
> package install time.  Otherwise, in small VMs, they had issues with
> running out of memory during semodule -B.  So file_contexts.bin
> presently has to be arch-independent, or we need the arch properties
> detection logic and fallback.  That said, none of this matters unless
> you build with USE_PCRE2=y, and no one outside of Android is doing that
> today.
>
> > Also, I think we should add the arch to the version string stored. I
> > would rather have false negatives than positives especially since we are
> > not 100% sure exactly what part of the arch is important. We can always
> > loosen it up later if that gets locked down.
>
> We don't want the arch string itself, because that would invalidate use
> of file_contexts.bin entirely on typical Android use cases (build on
> x86_64, install to ARM), but only the relevant properties.  And for
> Android, that is fatal - there is no file_contexts text file on which to
> fallback anymore.  They only ship file_contexts.bin.
>
>
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Re: [PATCH] Change semantic of -r in sefcontext_compile

[Janis Danisevskis]

I don't really care much about the behavior of sefcontext_compile. I just
thought making the default behavior the safest would be the best option.
Before android is using it, I will have to sync the (now modified and
improved - thank you) patches back into AOSP, which I intend to do. I have
some benchmarks measuring load and lookup time for file contexts. I am
eager to review and benchmark William's patches and explore a bit myself.
And once all options are on the table I can make a case for the fastest
solution to make it into Android.

Concerning the arch string I respond in the other add support for pcre2
thread.

On Fri, Sep 16, 2016 at 4:20 PM, William Roberts <bill.c.robe...@gmail.com>
wrote:

> On Sep 16, 2016 08:12, "Stephen Smalley" <s...@tycho.nsa.gov> wrote:
> >
> > On 09/16/2016 11:08 AM, William Roberts wrote:
> > > On Fri, Sep 16, 2016 at 7:41 AM, Stephen Smalley <s...@tycho.nsa.gov>
> wrote:
> > >> On 09/16/2016 09:08 AM, Janis Danisevskis wrote:
> > >>> This patch reestablishes the default behavior of sefcontext_compile
> > >>> to include precompiled regular expressions in the output. If linked
> > >>> against PCRE2 the flag "-r" now causes the precompiled regular
> > >>> expressions to be omitted from the output.
> > >>
> > >> I thought your original rationale was more compelling.  If we add
> > >> detection of the relevant arch properties, then we can do this.
> > >> Otherwise, I don't think we should.
> > >
> > > I was assuming based on the thread earlier that those patches would be
> coming.
> > > If we cant detect and compile on the current "undefined behavior"
> > > case, then this
> > > needs to stay as is.
> > >
> > > But I thought someone had a list of PCRE things that can be checked
> for "arch",
> > > so its just a matter of encoding those, assuming that list is correct.
> > >
> > > Binary file_contexts only make sense if you compile in the regex info,
> else
> > > just use the textual representation.
> >
> > That was my thought originally, but Janis did say that it was still
> > faster, and Android presently only ships file_contexts.bin, so we can't
> > just break that.
>
> I'm not saying that we break anything, but I think we should really
> scrutinize the decision to keep binary fc's on Android. The only way it
> could be faster at the moment is mmap and pcre2. We need to get some raw
> numbers of pcre2 textual vs binary load times. If it's within 30% I'll have
> that gap closed soon. It also takes up about 3 times the disk space for
> binary.
>
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

[PATCH] sefcontext_compile: cleanup confusing usage message

[Janis Danisevskis]

From: Janis Danisevskis <jda...@google.com>

Signed-off-by: Janis Danisevskis <jda...@google.com>
---
 libselinux/utils/sefcontext_compile.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/libselinux/utils/sefcontext_compile.c 
b/libselinux/utils/sefcontext_compile.c
index 770ec4c..70853e7 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -267,8 +267,6 @@ static void usage(const char *progname)
" (PCRE2 only. Compiled PCRE2 regular expressions are\n\t"
" not portable across architectures. When linked 
against\n\t"
" PCRE this flag is ignored)\n\t"
-   " Omit precompiled regular expressions (only meaningful\n\t"
-   " when using PCRE2 regular expression back-end).\n\t"
"fc_file  The text based file contexts file to be processed.\n",
progname);
exit(EXIT_FAILURE);
-- 
2.8.0.rc3.226.g39d4020

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

[PATCH] Change semantic of -r in sefcontext_compile

[Janis Danisevskis]

This patch reestablishes the default behavior of sefcontext_compile
to include precompiled regular expressions in the output. If linked
against PCRE2 the flag "-r" now causes the precompiled regular
expressions to be omitted from the output.
---
 libselinux/utils/sefcontext_compile.c | 8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/libselinux/utils/sefcontext_compile.c 
b/libselinux/utils/sefcontext_compile.c
index 770ec4c..c1284d5 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -263,12 +263,10 @@ static void usage(const char *progname)
" will be fc_file with the .bin suffix appended.\n\t"
"-p   Optional binary policy file that will be used to\n\t"
" validate contexts defined in the fc_file.\n\t"
-   "-r   Include precompiled regular expressions in the 
output.\n\t"
+   "-r   Omit precompiled regular expressions in the output.\n\t"
" (PCRE2 only. Compiled PCRE2 regular expressions are\n\t"
" not portable across architectures. When linked 
against\n\t"
" PCRE this flag is ignored)\n\t"
-   " Omit precompiled regular expressions (only meaningful\n\t"
-   " when using PCRE2 regular expression back-end).\n\t"
"fc_file  The text based file contexts file to be processed.\n",
progname);
exit(EXIT_FAILURE);
@@ -278,7 +276,7 @@ int main(int argc, char *argv[])
 {
const char *path = NULL;
const char *out_file = NULL;
-   int do_write_precompregex = 0;
+   int do_write_precompregex = 1;
char stack_path[PATH_MAX + 1];
char *tmp = NULL;
int fd, rc, opt;
@@ -299,7 +297,7 @@ int main(int argc, char *argv[])
policy_file = optarg;
break;
case 'r':
-   do_write_precompregex = 1;
+   do_write_precompregex = 0;
break;
default:
usage(argv[0]);
-- 
2.8.0.rc3.226.g39d4020

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

[PATCH] libselinux: add support for pcre2

[Janis Danisevskis]

From: Janis Danisevskis <jda...@google.com>

This patch moves all pcre1/2 dependencies into the new files regex.h
and regex.c implementing the common denominator of features needed
by libselinux. The compiler flag -DUSE_PCRE2 toggles between the
used implementations.

As of this patch libselinux supports either pcre or pcre2 but not
both at the same time. The persistently stored file contexts
information differs. This means libselinux can only load file
context files generated by sefcontext_compile build with the
same pcre variant.

Also, for pcre2 the persistent format is architecture dependent.
Stored precompiled regular expressions can only be used on the
same architecture they were generated on. If pcre2 is used,
sefcontext_compile now respects the "-r". This flag makes
sefcontext_compile include the precompiled regular expressions
in the output file. The default is to omit them, so that the
output remains portable at the cost of having to recompile
the regular expressions at load time, or rather on first use.

Signed-off-by: Janis Danisevskis <jda...@google.com>
---
 libselinux/Makefile   |   9 +
 libselinux/src/Makefile   |   6 +-
 libselinux/src/label_file.c   |  92 ++-
 libselinux/src/label_file.h   |  72 ++---
 libselinux/src/regex.c| 496 ++
 libselinux/src/regex.h| 149 ++
 libselinux/utils/Makefile |   7 +-
 libselinux/utils/sefcontext_compile.c |  72 ++---
 policycoreutils/restorecond/Makefile  |   9 +-
 9 files changed, 745 insertions(+), 167 deletions(-)
 create mode 100644 libselinux/src/regex.c
 create mode 100644 libselinux/src/regex.h

diff --git a/libselinux/Makefile b/libselinux/Makefile
index 6142b60..5a8d42c 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -24,6 +24,15 @@ ifeq ($(DISABLE_SETRANS),y)
 endif
 export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
 
+USE_PCRE2 ?= n
+ifeq ($(USE_PCRE2),y)
+   PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8
+   PCRE_LDFLAGS := -lpcre2-8
+else
+   PCRE_LDFLAGS := -lpcre
+endif
+export PCRE_CFLAGS PCRE_LDFLAGS
+
 all install relabel clean distclean indent:
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 37d01af..36e42b8 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -74,7 +74,9 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security 
-Winit-self -Wmissi
   -fipa-pure-const -Wno-suggest-attribute=pure 
-Wno-suggest-attribute=const \
   -Werror -Wno-aggregate-return -Wno-redundant-decls
 
-override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS)
+PCRE_LDFLAGS ?= -lpcre
+
+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) 
$(PCRE_CFLAGS)
 
 SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable 
-Wno-unused-parameter \
-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes 
-Wno-missing-declarations
@@ -113,7 +115,7 @@ $(LIBA): $(OBJS)
$(RANLIB) $@
 
 $(LIBSO): $(LOBJS)
-   $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) 
-Wl,-soname,$(LIBSO),-z,defs,-z,relro
+   $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) 
-L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
ln -sf $@ $(TARGET) 
 
 $(LIBPC): $(LIBPC).in ../VERSION
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 9faecdb..9a67aa2 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -15,7 +15,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
@@ -126,6 +125,7 @@ static int load_mmap(FILE *fp, size_t len, struct 
selabel_handle *rec,
struct mmap_area *mmap_area;
uint32_t i, magic, version;
uint32_t entry_len, stem_map_len, regex_array_len;
+   const char *reg_version;
 
mmap_area = malloc(sizeof(*mmap_area));
if (!mmap_area) {
@@ -155,8 +155,13 @@ static int load_mmap(FILE *fp, size_t len, struct 
selabel_handle *rec,
if (rc < 0 || version > SELINUX_COMPILED_FCONTEXT_MAX_VERS)
return -1;
 
+   reg_version = regex_version();
+   if (!reg_version)
+   return -1;
+
if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) {
-   len = strlen(pcre_version());
+
+   len = strlen(reg_version);
 
rc = next_entry(_len, mmap_area, sizeof(uint32_t));
if (rc < 0)
@@ -166,7 +171,7 @@ static int load_mmap(FILE *fp, size_t len, struct 
selabel_handle *rec,
if (len != entry_len)
return -1;
 
-   /* Check if pcre version mismatch */
+   /* Check if regex version mismatch */
str_buf = malloc(en

[PATCH] libselinux: add support for pcre2

[Janis Danisevskis]

From: Janis Danisevskis <jda...@google.com>

This patch moves all pcre1/2 dependencies into the new files regex.h
and regex.c implementing the common denominator of features needed
by libselinux. The compiler flag -DUSE_PCRE2 toggles between the
used implementations.

As of this patch libselinux supports either pcre or pcre2 but not
both at the same time. The persistently stored file contexts
information differs. This means libselinux can only load file
context files generated by sefcontext_compile build with the
same pcre variant.

Also, for pcre2 the persistent format is architecture dependent.
Stored precompiled regular expressions can only be used on the
same architecture they were generated on. If pcre2 is used,
sefcontext_compile now respects the "-r". This flag makes
sefcontext_compile include the precompiled regular expressions
in the output file. The default is to omit them, so that the
output remains portable at the cost of having to recompile
the regular expressions at load time, or rather on first use.

Signed-off-by: Janis Danisevskis <jda...@google.com>
---
 libselinux/Makefile   |   9 +
 libselinux/src/Makefile   |   6 +-
 libselinux/src/label_file.c   |  95 ++-
 libselinux/src/label_file.h   |  64 ++---
 libselinux/src/regex.c| 496 ++
 libselinux/src/regex.h| 149 ++
 libselinux/utils/Makefile |   7 +-
 libselinux/utils/sefcontext_compile.c |  72 ++---
 policycoreutils/restorecond/Makefile  |   9 +-
 9 files changed, 740 insertions(+), 167 deletions(-)
 create mode 100644 libselinux/src/regex.c
 create mode 100644 libselinux/src/regex.h

diff --git a/libselinux/Makefile b/libselinux/Makefile
index 6142b60..5a8d42c 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -24,6 +24,15 @@ ifeq ($(DISABLE_SETRANS),y)
 endif
 export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
 
+USE_PCRE2 ?= n
+ifeq ($(USE_PCRE2),y)
+   PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8
+   PCRE_LDFLAGS := -lpcre2-8
+else
+   PCRE_LDFLAGS := -lpcre
+endif
+export PCRE_CFLAGS PCRE_LDFLAGS
+
 all install relabel clean distclean indent:
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 37d01af..36e42b8 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -74,7 +74,9 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security 
-Winit-self -Wmissi
   -fipa-pure-const -Wno-suggest-attribute=pure 
-Wno-suggest-attribute=const \
   -Werror -Wno-aggregate-return -Wno-redundant-decls
 
-override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS)
+PCRE_LDFLAGS ?= -lpcre
+
+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) 
$(PCRE_CFLAGS)
 
 SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable 
-Wno-unused-parameter \
-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes 
-Wno-missing-declarations
@@ -113,7 +115,7 @@ $(LIBA): $(OBJS)
$(RANLIB) $@
 
 $(LIBSO): $(LOBJS)
-   $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) 
-Wl,-soname,$(LIBSO),-z,defs,-z,relro
+   $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) 
-L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
ln -sf $@ $(TARGET) 
 
 $(LIBPC): $(LIBPC).in ../VERSION
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 9faecdb..e805189 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -15,7 +15,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
@@ -126,6 +125,7 @@ static int load_mmap(FILE *fp, size_t len, struct 
selabel_handle *rec,
struct mmap_area *mmap_area;
uint32_t i, magic, version;
uint32_t entry_len, stem_map_len, regex_array_len;
+   const char *reg_version;
 
mmap_area = malloc(sizeof(*mmap_area));
if (!mmap_area) {
@@ -155,8 +155,13 @@ static int load_mmap(FILE *fp, size_t len, struct 
selabel_handle *rec,
if (rc < 0 || version > SELINUX_COMPILED_FCONTEXT_MAX_VERS)
return -1;
 
+   reg_version = regex_version();
+   if (!reg_version)
+   return -1;
+
if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) {
-   len = strlen(pcre_version());
+
+   len = strlen(reg_version);
 
rc = next_entry(_len, mmap_area, sizeof(uint32_t));
if (rc < 0)
@@ -166,7 +171,7 @@ static int load_mmap(FILE *fp, size_t len, struct 
selabel_handle *rec,
if (len != entry_len)
return -1;
 
-   /* Check if pcre version mismatch */
+   /* Check if regex version mismatch */
str_buf = malloc(en

[PATCH] libselinux: add support for pcre2

[Janis Danisevskis]

From: Janis Danisevskis <jda...@google.com>

This patch moves all pcre1/2 dependencies into the new files regex.h
and regex.c implementing the common denominator of features needed
by libselinux. The compiler flag -DUSE_PCRE2 toggles between the
used implementations.

As of this patch libselinux supports either pcre or pcre2 but not
both at the same time. The persistently stored file contexts
information differs. This means libselinux can only load file
context files generated by sefcontext_compile build with the
same pcre variant.

Also, for pcre2 the persistent format is architecture dependent.
Stored precompiled regular expressions can only be used on the
same architecture they were generated on. If pcre2 is used and
sefcontext_compile shall generate portable output, it and libselinux
must be compiled with -DNO_PERSISTENTLY_STORED_PATTERNS, at the
cost of having to recompile the regular expressions at load time.

Signed-off-by: Janis Danisevskis <jda...@google.com>

This patch includes includes:

libselinux: fix memory leak on pcre2

Introduced a malloc on pcre_version(). Libselinux
expected this to be static, just use a static
internal buffer.

Signed-off-by: William Roberts <william.c.robe...@intel.com>
---
 libselinux/Makefile   |  13 +
 libselinux/src/Makefile   |   4 +-
 libselinux/src/label_file.c   |  93 ++-
 libselinux/src/label_file.h   |  59 ++---
 libselinux/src/regex.c| 461 ++
 libselinux/src/regex.h| 169 +
 libselinux/utils/Makefile |   4 +-
 libselinux/utils/sefcontext_compile.c |  55 +---
 8 files changed, 697 insertions(+), 161 deletions(-)
 create mode 100644 libselinux/src/regex.c
 create mode 100644 libselinux/src/regex.h

diff --git a/libselinux/Makefile b/libselinux/Makefile
index 6142b60..15d051e 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -24,6 +24,19 @@ ifeq ($(DISABLE_SETRANS),y)
 endif
 export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
 
+USE_PCRE2 ?= n
+DISABLE_PERSISTENTLY_STORED_REGEX_PATTERNS ?= n
+ifeq ($(USE_PCRE2),y)
+   PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8
+   ifeq ($(DISABLE_PERSISTENTLY_STORED_REGEX_PATTERNS), y)
+   PCRE_CFLAGS += -DNO_PERSISTENTLY_STORED_PATTERNS
+   endif
+   PCRE_LDFLAGS := -lpcre2-8
+else
+   PCRE_LDFLAGS := -lpcre
+endif
+export PCRE_CFLAGS PCRE_LDFLAGS
+
 all install relabel clean distclean indent:
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 37d01af..66687e6 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -74,7 +74,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security 
-Winit-self -Wmissi
   -fipa-pure-const -Wno-suggest-attribute=pure 
-Wno-suggest-attribute=const \
   -Werror -Wno-aggregate-return -Wno-redundant-decls
 
-override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS)
+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) 
$(PCRE_CFLAGS)
 
 SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable 
-Wno-unused-parameter \
-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes 
-Wno-missing-declarations
@@ -113,7 +113,7 @@ $(LIBA): $(OBJS)
$(RANLIB) $@
 
 $(LIBSO): $(LOBJS)
-   $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) 
-Wl,-soname,$(LIBSO),-z,defs,-z,relro
+   $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) 
-L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
ln -sf $@ $(TARGET) 
 
 $(LIBPC): $(LIBPC).in ../VERSION
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index c89bb35..e41c351 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -15,7 +15,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
@@ -112,6 +111,7 @@ static int load_mmap(struct selabel_handle *rec, const char 
*path,
struct mmap_area *mmap_area;
uint32_t i, magic, version;
uint32_t entry_len, stem_map_len, regex_array_len;
+   const char *reg_version;
 
if (isbinary) {
len = strlen(path);
@@ -175,8 +175,13 @@ static int load_mmap(struct selabel_handle *rec, const 
char *path,
if (rc < 0 || version > SELINUX_COMPILED_FCONTEXT_MAX_VERS)
return -1;
 
+   reg_version = regex_version();
+   if (!reg_version)
+   return -1;
+
if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) {
-   len = strlen(pcre_version());
+
+   len = strlen(reg_version);
 
rc = next_entry(_len, mmap_area, sizeof(uint32_t));
if (rc < 0)
@@ -198,7 +203,7 @@ static int load_mmap(struct 

[PATCH 2/2] libselinux: fix memory leak on pcre2

[Janis Danisevskis]

From: William Roberts 

Introduced a malloc on pcre_version(). Libselinux
expected this to be static, just use a static
internal buffer.

Signed-off-by: William Roberts 
---
 libselinux/src/label_file.c   | 13 -
 libselinux/src/regex.c| 20 +++-
 libselinux/utils/sefcontext_compile.c |  8 +---
 3 files changed, 20 insertions(+), 21 deletions(-)

diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 6698624..110db11 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -111,6 +111,7 @@ static int load_mmap(struct selabel_handle *rec, const char 
*path,
struct mmap_area *mmap_area;
uint32_t i, magic, version;
uint32_t entry_len, stem_map_len, regex_array_len;
+   const char *reg_version;
 
if (isbinary) {
len = strlen(path);
@@ -174,11 +175,13 @@ static int load_mmap(struct selabel_handle *rec, const 
char *path,
if (rc < 0 || version > SELINUX_COMPILED_FCONTEXT_MAX_VERS)
return -1;
 
+   reg_version = regex_version();
+   if (!reg_version)
+   return -1;
+
if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) {
-   if (!regex_version()) {
-   return -1;
-   }
-   len = strlen(regex_version());
+
+   len = strlen(reg_version);
 
rc = next_entry(_len, mmap_area, sizeof(uint32_t));
if (rc < 0)
@@ -200,7 +203,7 @@ static int load_mmap(struct selabel_handle *rec, const char 
*path,
}
 
str_buf[entry_len] = '\0';
-   if ((strcmp(str_buf, regex_version()) != 0)) {
+   if ((strcmp(str_buf, reg_version) != 0)) {
free(str_buf);
return -1;
}
diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c
index 6b92b04..c880bfa 100644
--- a/libselinux/src/regex.c
+++ b/libselinux/src/regex.c
@@ -49,19 +49,13 @@ err:regex_data_free(*regex);
 
 char const * regex_version(void) {
 #ifdef USE_PCRE2
-   static int initialized = 0;
-   static char * version_string = NULL;
-   size_t version_string_len;
-   if (!initialized) {
-   version_string_len = pcre2_config(PCRE2_CONFIG_VERSION, NULL);
-   version_string = (char*) malloc(version_string_len);
-   if (!version_string) {
-   return NULL;
-   }
-   pcre2_config(PCRE2_CONFIG_VERSION, version_string);
-   initialized = 1;
-   }
-   return version_string;
+   static char version_buf[256];
+   size_t len = pcre2_config(PCRE2_CONFIG_VERSION, NULL);
+   if (len <= 0 || len > sizeof(version_buf))
+   return NULL;
+
+   pcre2_config(PCRE2_CONFIG_VERSION, version_buf);
+   return version_buf;
 #else
return pcre_version();
 #endif
diff --git a/libselinux/utils/sefcontext_compile.c 
b/libselinux/utils/sefcontext_compile.c
index 8ff73f4..b6b8d92 100644
--- a/libselinux/utils/sefcontext_compile.c
+++ b/libselinux/utils/sefcontext_compile.c
@@ -101,6 +101,7 @@ static int write_binary_file(struct saved_data *data, int 
fd)
uint32_t section_len;
uint32_t i;
int rc;
+   const char *reg_version;
 
bin_file = fdopen(fd, "w");
if (!bin_file) {
@@ -120,13 +121,14 @@ static int write_binary_file(struct saved_data *data, int 
fd)
goto err;
 
/* write version of the regex back-end */
-   if (!regex_version())
+   reg_version = regex_version();
+   if (!reg_version)
goto err;
-   section_len = strlen(regex_version());
+   section_len = strlen(reg_version);
len = fwrite(_len, sizeof(uint32_t), 1, bin_file);
if (len != 1)
goto err;
-   len = fwrite(regex_version(), sizeof(char), section_len, bin_file);
+   len = fwrite(reg_version, sizeof(char), section_len, bin_file);
if (len != section_len)
goto err;
 
-- 
2.8.0.rc3.226.g39d4020

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

[PATCH 1/2] libselinux: add support for pcre2

[Janis Danisevskis]

From: Janis Danisevskis <jda...@google.com>

This patch moves all pcre1/2 dependencies into the new files regex.h
and regex.c implementing the common denominator of features needed
by libselinux. The compiler flag -DUSE_PCRE2 toggles between the
used implementations.

As of this patch libselinux supports either pcre or pcre2 but not
both at the same time. The persistently stored file contexts
information differs. This means libselinux can only load file
context files generated by sefcontext_compile build with the
same pcre variant.

Also, for pcre2 the persistent format is architecture dependant.
Stored precompiled regular expressions can only be used on the
same architecture they were generated on. If pcre2 is used and
sefcontext_compile shall generate portable output, it and libselinux
must be compiled with -DNO_PERSISTENTLY_STORED_PATTERNS, at the
cost of having to recompile the regular expressions at load time.

Signed-off-by: Janis Danisevskis <jda...@google.com>
---
 libselinux/Makefile   |  13 ++
 libselinux/src/Makefile   |   4 +-
 libselinux/src/label_file.c   |  91 ++--
 libselinux/src/label_file.h   |  54 ++---
 libselinux/src/regex.c| 405 ++
 libselinux/src/regex.h| 168 ++
 libselinux/utils/Makefile |   4 +-
 libselinux/utils/sefcontext_compile.c |  53 +
 8 files changed, 637 insertions(+), 155 deletions(-)
 create mode 100644 libselinux/src/regex.c
 create mode 100644 libselinux/src/regex.h

diff --git a/libselinux/Makefile b/libselinux/Makefile
index 6142b60..15d051e 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -24,6 +24,19 @@ ifeq ($(DISABLE_SETRANS),y)
 endif
 export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
 
+USE_PCRE2 ?= n
+DISABLE_PERSISTENTLY_STORED_REGEX_PATTERNS ?= n
+ifeq ($(USE_PCRE2),y)
+   PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8
+   ifeq ($(DISABLE_PERSISTENTLY_STORED_REGEX_PATTERNS), y)
+   PCRE_CFLAGS += -DNO_PERSISTENTLY_STORED_PATTERNS
+   endif
+   PCRE_LDFLAGS := -lpcre2-8
+else
+   PCRE_LDFLAGS := -lpcre
+endif
+export PCRE_CFLAGS PCRE_LDFLAGS
+
 all install relabel clean distclean indent:
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 37d01af..66687e6 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -74,7 +74,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security 
-Winit-self -Wmissi
   -fipa-pure-const -Wno-suggest-attribute=pure 
-Wno-suggest-attribute=const \
   -Werror -Wno-aggregate-return -Wno-redundant-decls
 
-override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS)
+override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) 
$(PCRE_CFLAGS)
 
 SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable 
-Wno-unused-parameter \
-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes 
-Wno-missing-declarations
@@ -113,7 +113,7 @@ $(LIBA): $(OBJS)
$(RANLIB) $@
 
 $(LIBSO): $(LOBJS)
-   $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) 
-Wl,-soname,$(LIBSO),-z,defs,-z,relro
+   $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) 
-L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
ln -sf $@ $(TARGET) 
 
 $(LIBPC): $(LIBPC).in ../VERSION
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index c89bb35..6698624 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -15,7 +15,6 @@
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
@@ -176,7 +175,10 @@ static int load_mmap(struct selabel_handle *rec, const 
char *path,
return -1;
 
if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) {
-   len = strlen(pcre_version());
+   if (!regex_version()) {
+   return -1;
+   }
+   len = strlen(regex_version());
 
rc = next_entry(_len, mmap_area, sizeof(uint32_t));
if (rc < 0)
@@ -198,7 +200,7 @@ static int load_mmap(struct selabel_handle *rec, const char 
*path,
}
 
str_buf[entry_len] = '\0';
-   if ((strcmp(str_buf, pcre_version()) != 0)) {
+   if ((strcmp(str_buf, regex_version()) != 0)) {
free(str_buf);
return -1;
}
@@ -278,7 +280,11 @@ static int load_mmap(struct selabel_handle *rec, const 
char *path,
 
spec = >spec_arr[data->nspec];
spec->from_mmap = 1;
+#if defined USE_PCRE2 && defined NO_PERSISTENTLY_STORED_PATTERNS
+   spec->regcomp = 0;
+#else
spec->regcomp