[PATCH 3/3] libselinux: makes android label back ends configurable
Android label back ends are not configurable by NO_ANDROID_BACKEND, which is set if on ANDROID_HOST != y. Signed-off-by: Janis Danisevskis <jda...@android.com> --- libselinux/src/Makefile | 3 +++ libselinux/src/label.c | 10 -- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index cba8383..7169230 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -87,6 +87,9 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ SRCS= callbacks.c freecon.c label.c label_file.c \ label_backends_android.c regex.c label_support.c \ matchpathcon.c setrans_client.c sha1.c +else +DISABLE_FLAGS+= -DNO_ANDROID_BACKEND +SRCS:= $(filter-out label_backends_android.c, $(SRCS)) endif SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS) diff --git a/libselinux/src/label.c b/libselinux/src/label.c index eb0e766..60639cf 100644 --- a/libselinux/src/label.c +++ b/libselinux/src/label.c @@ -35,6 +35,12 @@ #define CONFIG_DB_BACKEND(fnptr) #endif +#ifdef NO_ANDROID_BACKEND +#define CONFIG_ANDROID_BACKEND(fnptr) NULL +#else +#define CONFIG_ANDROID_BACKEND(fnptr) (&(fnptr)) +#endif + typedef int (*selabel_initfunc)(struct selabel_handle *rec, const struct selinux_opt *opts, unsigned nopts); @@ -44,8 +50,8 @@ static selabel_initfunc initfuncs[] = { CONFIG_MEDIA_BACKEND(selabel_media_init), CONFIG_X_BACKEND(selabel_x_init), CONFIG_DB_BACKEND(selabel_db_init), - _property_init, - _service_init, + CONFIG_ANDROID_BACKEND(selabel_property_init), + CONFIG_ANDROID_BACKEND(selabel_service_init), }; static void selabel_subs_fini(struct selabel_sub *ptr) -- 1.9.1 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
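Review bot: The new `CONFIG_ANDROID_BACKEND` block in label.c leaves `NULL` slots in `initfuncs` for compiled-out back ends without stating what a consumer of the table has to do with them; if the existing CONFIG_MEDIA/X/DB macros already expand to `NULL` in their `NO_*_BACKEND` variant and the table is indexed by the SELABEL_CTX_* value, this is consistent, but neither the macro nor the two changed array lines say so. Suggest a comment above the new `#ifdef NO_ANDROID_BACKEND` block: `/* NULL entries in initfuncs mark back ends compiled out via -DNO_*_BACKEND; the table position must still match the SELABEL_CTX_* value. */`. In the Makefile hunk the new `else` branch belongs to an `ifeq` whose opening line is outside the hunk, and the `SRCS:=` filter only removes label_backends_android.c from whatever `SRCS` holds at that point, so any later `SRCS +=` of that file in the same Makefile would reintroduce it.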
Re: [PATCH] libselinux: android: fix lax service context lookup
On Wed, Sep 28, 2016 at 5:17 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/28/2016 12:04 PM, Janis Danisevskis wrote: > > We use the same lookup function for service contexts > > that we use for property contexts. However, property > > contexts are namespace based and only compare the > > prefix. This may lead to service associations with > > a wrong label. > > > > This patch introduces a stricter lookup function for > > services contexts. Now the service name must match > > the key of the service label exactly. > > > > Signed-off-by: Janis Danisevskis <jda...@android.com> > > --- > > libselinux/include/selinux/label.h | 2 ++ > > libselinux/src/label.c | 1 + > > libselinux/src/label_android_property.c | 50 > + > > libselinux/src/label_internal.h | 3 ++ > > 4 files changed, 56 insertions(+) > > Normally each backend would go into its own file, so service would get > its own. Alternatively, since we are unlikely to ever support one > without the other, perhaps label_android_property.c should be renamed to > label_android.c and contain all of the Android-unique backends. > > I was thinking along the same lines, was just eager to get home... I'll send a refactored patch by tomorrow. > > > > diff --git a/libselinux/include/selinux/label.h > b/libselinux/include/selinux/label.h > > index f0b1e10..277287e 100644 > > --- a/libselinux/include/selinux/label.h > > +++ b/libselinux/include/selinux/label.h > > @@ -34,6 +34,8 @@ struct selabel_handle; > > #define SELABEL_CTX_DB 3 > > /* Android property service contexts */ > > #define SELABEL_CTX_ANDROID_PROP 4 > > +/* Android service contexts */ > > +#define SELABEL_CTX_ANDROID_SERVICE 5 > > > > /* > > * Available options > > diff --git a/libselinux/src/label.c b/libselinux/src/label.c > > index 96a4ff1..eb0e766 100644 > > --- a/libselinux/src/label.c > > +++ b/libselinux/src/label.c 
> > @@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = { > > CONFIG_X_BACKEND(selabel_x_init), > > CONFIG_DB_BACKEND(selabel_db_init), > > _property_init, > > + _service_init, > > Wondering if we should support selective enablement of the property and > service backends too, similar to what William introduced for media, x, > and db so that he could disable them on Android (in our case, so we can > disable property and service backends on Linux distributions). > Oh, that is what these wrappers are for :-) . Sure. > > > }; > > > > static void selabel_subs_fini(struct selabel_sub *ptr) > > diff --git a/libselinux/src/label_android_property.c > b/libselinux/src/label_android_property.c > > index 290b438..69d6afd 100644 > > --- a/libselinux/src/label_android_property.c > > +++ b/libselinux/src/label_android_property.c > > @@ -279,6 +279,38 @@ finish: > > return ret; > > } > > > > +static struct selabel_lookup_rec *service_lookup(struct selabel_handle > *rec, > > + const char *key, int __attribute__((unused)) type) > > +{ > > + struct saved_data *data = (struct saved_data *)rec->data; > > + spec_t *spec_arr = data->spec_arr; > > + unsigned int i; > > + struct selabel_lookup_rec *ret = NULL; > > + > > + if (!data->nspec) { > > + errno = ENOENT; > > + goto finish; > > + } > > + > > + for (i = 0; i < data->nspec; i++) { > > + if (strcmp(spec_arr[i].property_key, key) == 0) > > + break; > > + if (strcmp(spec_arr[i].property_key, "*") == 0) > > + break; > > + } > > + > > + if (i >= data->nspec) { > > + /* No matching specification. */ > > + errno = ENOENT; > > + goto finish; > > + } > > + > > + ret = _arr[i].lr; > > + > > +finish: > > + return ret; > > +} > > + > > static void stats(struct selabel_handle __attribute__((unused)) *rec) > > { > > selinux_log(SELINUX_WARNING, "'stats' functionality not > implemented.\n"); 
> > @@ -302,3 +334,21 @@ int selabel_property_init(struct selabel_handle > *rec, > > > > return init(rec, opts, nopts); > > } > > + > > +int selabel_service_init(struct selabel_handle *rec, > > + const struct selinux_opt *opts, unsigned nopts) > > +{ > >
[PATCH] libselinux: android: fix lax service context lookup
We use the same lookup function for service contexts that we use for property contexts. However, property contexts are namespace based and only compare the prefix. This may lead to service associations with a wrong label. This patch introduces a stricter lookup function for services contexts. Now the service name must match the key of the service label exactly. Signed-off-by: Janis Danisevskis <jda...@android.com> --- libselinux/include/selinux/label.h | 2 ++ libselinux/src/label.c | 1 + libselinux/src/label_android_property.c | 50 + libselinux/src/label_internal.h | 3 ++ 4 files changed, 56 insertions(+) diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h index f0b1e10..277287e 100644 --- a/libselinux/include/selinux/label.h +++ b/libselinux/include/selinux/label.h @@ -34,6 +34,8 @@ struct selabel_handle; #define SELABEL_CTX_DB 3 /* Android property service contexts */ #define SELABEL_CTX_ANDROID_PROP 4 +/* Android service contexts */ +#define SELABEL_CTX_ANDROID_SERVICE 5 /* * Available options diff --git a/libselinux/src/label.c b/libselinux/src/label.c index 96a4ff1..eb0e766 100644 --- a/libselinux/src/label.c +++ b/libselinux/src/label.c @@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = { CONFIG_X_BACKEND(selabel_x_init), CONFIG_DB_BACKEND(selabel_db_init), _property_init, + _service_init, }; static void selabel_subs_fini(struct selabel_sub *ptr) diff --git a/libselinux/src/label_android_property.c b/libselinux/src/label_android_property.c index 290b438..69d6afd 100644 --- a/libselinux/src/label_android_property.c +++ b/libselinux/src/label_android_property.c 
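Review bot: The label.c hunk appends the service init function at the end of `initfuncs` while the label.h hunk defines `SELABEL_CTX_ANDROID_SERVICE 5`; if selabel_open() picks the init function by indexing this array with the backend value, as the parallel ordering of the SELABEL_CTX_* constants suggests, the two must stay in lockstep and nothing in either hunk records that. Suggest `/* index must equal SELABEL_CTX_ANDROID_SERVICE */` on the new array line and the mirror comment `/* index into initfuncs in label.c */` on the new define. The identifier on the added array line appears truncated in this archive (`_service_init`); the prototype added to label_internal.h in the same patch names it `selabel_service_init`, which is what the line should read.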
@@ -279,6 +279,38 @@ finish: return ret; } +static struct selabel_lookup_rec *service_lookup(struct selabel_handle *rec, + const char *key, int __attribute__((unused)) type) +{ + struct saved_data *data = (struct saved_data *)rec->data; + spec_t *spec_arr = data->spec_arr; + unsigned int i; + struct selabel_lookup_rec *ret = NULL; + + if (!data->nspec) { + errno = ENOENT; + goto finish; + } + + for (i = 0; i < data->nspec; i++) { + if (strcmp(spec_arr[i].property_key, key) == 0) + break; + if (strcmp(spec_arr[i].property_key, "*") == 0) + break; + } + + if (i >= data->nspec) { + /* No matching specification. */ + errno = ENOENT; + goto finish; + } + + ret = _arr[i].lr; + +finish: + return ret; +} + static void stats(struct selabel_handle __attribute__((unused)) *rec) { selinux_log(SELINUX_WARNING, "'stats' functionality not implemented.\n"); @@ -302,3 +334,21 @@ int selabel_property_init(struct selabel_handle *rec, return init(rec, opts, nopts); } + +int selabel_service_init(struct selabel_handle *rec, + const struct selinux_opt *opts, unsigned nopts) +{ + struct saved_data *data; + + data = (struct saved_data *)malloc(sizeof(*data)); + if (!data) + return -1; + memset(data, 0, sizeof(*data)); + + rec->data = data; + rec->func_close = + rec->func_stats = + rec->func_lookup = _lookup; + + return init(rec, opts, nopts); +} diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h index 7c55531..6a9481a 100644 --- a/libselinux/src/label_internal.h +++ b/libselinux/src/label_internal.h 
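Review bot: In `service_lookup` the loop breaks on the first entry that is either an exact key match or the `"*"` wildcard, so a `*` entry listed before a more specific key shadows the exact match, and the commit's stated goal — the service name must match the key exactly — then depends on the ordering of service_contexts rather than on the lookup. If the wildcard is meant as a fallback only, remember its index and prefer an exact match found anywhere in the table; the rewrite below does that with one extra local and keeps the ENOENT paths unchanged. If service_contexts is guaranteed to sort `*` last this is only a robustness point, but the lookup should not rely on that guarantee silently; at minimum the function needs a comment stating the first-match rule it implements.
```c
static struct selabel_lookup_rec *service_lookup(struct selabel_handle *rec,
		const char *key, int __attribute__((unused)) type)
{
	struct saved_data *data = (struct saved_data *)rec->data;
	spec_t *spec_arr = data->spec_arr;
	unsigned int i, wildcard = data->nspec;
	struct selabel_lookup_rec *ret = NULL;

	/* … unchanged: empty-table check … */

	/* An exact key wins regardless of position; "*" is only a fallback. */
	for (i = 0; i < data->nspec; i++) {
		if (strcmp(spec_arr[i].property_key, key) == 0)
			break;
		if (wildcard == data->nspec &&
		    strcmp(spec_arr[i].property_key, "*") == 0)
			wildcard = i;
	}
	if (i >= data->nspec)
		i = wildcard;

	/* … unchanged: no-match check, result, finish label … */
```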
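Review bot: `selabel_service_init` allocates with a cast `malloc` followed by `memset`, which `calloc` does in one checked step: `data = calloc(1, sizeof(*data));` with the `memset` line dropped. The assignment chain for `func_close`/`func_stats`/`func_lookup` is garbled in this archive; from what is visible the only line that should differ from `selabel_property_init` is `rec->func_lookup = &service_lookup;`, so if the two init functions are otherwise identical a static helper taking the lookup pointer would avoid duplicating the allocation and the `init()` call. A one-line comment on the function would also help a reader, e.g. `/* Appears to reuse the property back end's parser and data layout; only the lookup differs. */` — confirm that against init() before wording it as fact.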
@@ -39,6 +39,9 @@ int selabel_db_init(struct selabel_handle *rec, int selabel_property_init(struct selabel_handle *rec, const struct selinux_opt *opts, unsigned nopts) hidden; +int selabel_service_init(struct selabel_handle *rec, + const struct selinux_opt *opts, + unsigned nopts) hidden; /* * Labeling internal structures -- 2.8.0.rc3.226.g39d4020 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH 3/3] libselinux: sefcontext_compile invert semantics of "-r" flag
The "-r" flag of sefcontext_compile now causes it to omit the precompiled regular expressions from the output. Signed-off-by: Janis Danisevskis <jda...@android.com> --- libselinux/utils/sefcontext_compile.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c index 8c48d32..b2746c7 100644 --- a/libselinux/utils/sefcontext_compile.c +++ b/libselinux/utils/sefcontext_compile.c @@ -276,10 +276,12 @@ static void usage(const char *progname) " will be fc_file with the .bin suffix appended.\n\t" "-p Optional binary policy file that will be used to\n\t" " validate contexts defined in the fc_file.\n\t" - "-r Include precompiled regular expressions in the output.\n\t" + "-r Omit precompiled regular expressions from the output.\n\t" " (PCRE2 only. Compiled PCRE2 regular expressions are\n\t" - " not portable across architectures. When linked against\n\t" - " PCRE this flag is ignored)\n\t" + " not portable across architectures. Use this flag\n\t" + " if you know that you build for an incompatible\n\t" + " architecture to save space. When linked against\n\t" + " PCRE1 this flag is ignored.)\n\t" "-i Print regular expression info end exit. That is, back\n\t" " end version and architecture identifier.\n\t" " Arch identifier format (PCRE2):\n\t" @@ -294,7 +296,7 @@ int main(int argc, char *argv[]) { const char *path = NULL; const char *out_file = NULL; - int do_write_precompregex = 0; + int do_write_precompregex = 1; char stack_path[PATH_MAX + 1]; char *tmp = NULL; int fd, rc, opt; 
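Review bot: The inverted default `int do_write_precompregex = 1;` in the main() hunk carries no comment explaining why emitting architecture-specific PCRE2 data is now the default and what `-r` switches off, which matters because the same flag letter used to mean the opposite; suggest `int do_write_precompregex = 1; /* cleared by -r; PCRE2 precompiled data is arch-specific */`. In the usage hunk the new sentence `" if you know that you build for an incompatible\n\t"` reads awkwardly; `" if you know that you are building for a different\n\t"` says the same thing more plainly. The same patch is posted again below (the second copy of PATCH 3/3) and the note applies there as well.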
@@ -315,7 +317,7 @@ int main(int argc, char *argv[]) policy_file = optarg; break; case 'r': - do_write_precompregex = 1; + do_write_precompregex = 0; break; case 'i': printf("%s (%s)\n", regex_version(), -- 2.8.0.rc3.226.g39d4020 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH 1/3] libselinux: Add architecture string to file_context.bin
Serialized precompiled regular expressins are architecture dependent when using PCRE2. This patch - bumps the SELINUX_COMPILED_FCONTEXT version to 5 and - adds a field to the output indicating the architecture compatibility. libselinux can cope with an architecture mismatch by ignoring the precompiled data in the input file and recompiling the regular expressions at runtime. It can also load older versions of file_contexts.bin if they where built with sefcontext_compile using the exact same version of the pcre1/2 as selinux. Signed-off-by: Janis Danisevskis <jda...@android.com> --- libselinux/src/label_file.c | 43 +- libselinux/src/label_file.h | 4 ++- libselinux/src/regex.c| 50 --- libselinux/src/regex.h| 15 ++- libselinux/utils/sefcontext_compile.c | 13 + 5 files changed, 119 insertions(+), 6 deletions(-) diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index 7156825..13e05c1 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c @@ -126,6 +126,8 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec, uint32_t i, magic, version; uint32_t entry_len, stem_map_len, regex_array_len; const char *reg_version; + const char *reg_arch; + char reg_arch_matches = 0; mmap_area = malloc(sizeof(*mmap_area)); if (!mmap_area) { @@ -159,6 +161,10 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec, if (!reg_version) return -1; + reg_arch = regex_arch_string(); + if (!reg_arch) + return -1; + if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) { len = strlen(reg_version); 
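Review bot: In the first label_file.c hunk the new flag `char reg_arch_matches = 0;` is a boolean used as a `char`, which is out of step with the `int rc` style of the surrounding function and hides that it later receives the result of a `strcmp(...) == 0`; `int` (or `bool` if the file already uses stdbool) is clearer. Since the flag stays zero for every file older than the arch-string format version and is what decides whether precompiled regex data is trusted, it deserves a comment at the declaration: `int reg_arch_matches = 0; /* precompiled regex data usable on this build; only set for version >= SELINUX_COMPILED_FCONTEXT_REGEX_ARCH */`. The second hunk's `if (!reg_arch) return -1;` mirrors the existing `reg_version` check, so whatever cleanup contract applies to that early return (mmap_area is allocated earlier in load_mmap, outside this hunk) applies here too and should be confirmed.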
@@ -188,7 +194,42 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec, return -1; } free(str_buf); + + if (version >= SELINUX_COMPILED_FCONTEXT_REGEX_ARCH) { + len = strlen(reg_arch); + + rc = next_entry(_len, mmap_area, + sizeof(uint32_t)); + if (rc < 0) + return -1; + + /* Check arch string lengths */ + if (len != entry_len) { + /* +* Skip the entry and conclude that we have +* a mismatch, which is not fatal. +*/ + next_entry(NULL, mmap_area, entry_len); + goto end_arch_check; + } + + /* Check if arch string mismatch */ + str_buf = malloc(entry_len + 1); + if (!str_buf) + return -1; + + rc = next_entry(str_buf, mmap_area, entry_len); + if (rc < 0) { + free(str_buf); + return -1; + } + + str_buf[entry_len] = '\0'; + reg_arch_matches = strcmp(str_buf, reg_arch) == 0; + free(str_buf); + } } +end_arch_check: /* allocate the stems_data array */ rc = next_entry(_map_len, mmap_area, sizeof(uint32_t)); @@ -349,7 +390,7 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec, spec->prefix_len = prefix_len; } - rc = regex_load_mmap(mmap_area, >regex); + rc = regex_load_mmap(mmap_area, >regex, reg_arch_matches); if (rc < 0) goto out; diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h index 88f4294..00c0a5c 100644 --- a/libselinux/src/label_file.h +++ b/libselinux/src/label_file.h @@ -24,8 +24,10 @@ #define SELINUX_COMPILED_FCONTEXT_PCRE_VERS2 #define SELINUX_COMPILED_FCONTEXT_MODE 3 #define SELINUX_COMPILED_FCONTEXT_PREFIX_LEN 4 +#define SELINUX_COMPILED_FCONTEXT_REGEX_ARCH 5 -#define SELINUX_COMPILED_FCONTEXT_MAX_VERS SELINUX_COMPILED_FCONTEXT_PREFIX_LEN +#define SELINUX_COMPILED_FCONTEXT_MAX_VERS \ + SELINUX_COMPILED_FCONTEXT_REGEX_ARCH /* A file security context specification. */ struct spec { diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c index 750088e..a3b427b 100644 --- a/libselinux/src/regex.c +++ b/libselinux/src/regex.c 
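Review bot: In the arch-string length-mismatch path the return value of `next_entry(NULL, mmap_area, entry_len);` is discarded, while every other `next_entry` call in the hunk is checked; `entry_len` comes from the file, so a truncated or corrupt file_contexts.bin can make the skip fail and the code then continues to the stem map from an undefined position. Make it `if (next_entry(NULL, mmap_area, entry_len) < 0) return -1;`, assuming next_entry accepts NULL as a skip as the call implies. The comment `/* Check if arch string mismatch */` would read better as `/* Compare the stored arch string with this build's; mismatch is not fatal */`, since the block only sets `reg_arch_matches` and never fails. `load_mmap` begins and ends outside this hunk.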
@@ -7,6 +7,44 @@ #include "label_file.h" #ifdef USE_PCRE2 +#define REGEX_ARCH_SIZE_T PCRE2_SIZE +#else +#define REGEX_ARCH_SIZE_T size_t +#endif + +#ifndef __BYTE_ORDER__ +#error __BYTE_ORDER__ not defined. Unable to determine endianness. +#endif + +#ifdef
[PATCH 2/3] libselinux: sefcontext_compile: Add "-i" flag
Adds the "-i" flag, which prints the version and architecture identifier of the regular expression back end. Signed-off-by: Janis Danisevskis <jda...@android.com> --- libselinux/utils/sefcontext_compile.c | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c index d91db9a..8c48d32 100644 --- a/libselinux/utils/sefcontext_compile.c +++ b/libselinux/utils/sefcontext_compile.c @@ -280,6 +280,11 @@ static void usage(const char *progname) " (PCRE2 only. Compiled PCRE2 regular expressions are\n\t" " not portable across architectures. When linked against\n\t" " PCRE this flag is ignored)\n\t" + "-i Print regular expression info end exit. That is, back\n\t" + " end version and architecture identifier.\n\t" + " Arch identifier format (PCRE2):\n\t" + " --, e.g.,\n\t" + " \"8-8-el\" for x86_64.\n\t" "fc_file The text based file contexts file to be processed.\n", progname); exit(EXIT_FAILURE); @@ -301,7 +306,7 @@ int main(int argc, char *argv[]) if (argc < 2) usage(argv[0]); - while ((opt = getopt(argc, argv, "o:p:r")) > 0) { + while ((opt = getopt(argc, argv, "io:p:r")) > 0) { switch (opt) { case 'o': out_file = optarg; @@ -312,6 +317,10 @@ int main(int argc, char *argv[]) case 'r': do_write_precompregex = 1; break; + case 'i': + printf("%s (%s)\n", regex_version(), + regex_arch_string()); + return 0; default: usage(argv[0]); } -- 2.8.0.rc3.226.g39d4020 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
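Review bot: The new `case 'i':` passes `regex_version()` and `regex_arch_string()` straight to `printf("%s (%s)\n", ...)`, but the loader hunks elsewhere on this page treat both as able to return NULL (`if (!reg_version) return -1;`, `if (!reg_arch) return -1;`), and `%s` with a NULL argument is undefined behaviour; guard it: `const char *ver = regex_version(), *arch = regex_arch_string();` / `if (!ver || !arch) return 1;` / `printf("%s (%s)\n", ver, arch);`. In the usage hunk `"-i Print regular expression info end exit."` should read `"-i Print regular expression info and exit."`, and the arch-identifier format line (`" --, e.g.,\n\t"`) looks garbled in this archive, presumably by stripped angle-bracket placeholders, so the applied patch should be checked. The identical patch is posted again below (the second copy of PATCH 2/3) and the same points apply there.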
[PATCH 2/3] libselinux: sefcontext_compile: Add "-i" flag
Adds the "-i" flag, which prints the version and architecture identifier of the regular expression back end. Signed-off-by: Janis Danisevskis <jda...@android.com> --- libselinux/utils/sefcontext_compile.c | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c index d91db9a..8c48d32 100644 --- a/libselinux/utils/sefcontext_compile.c +++ b/libselinux/utils/sefcontext_compile.c @@ -280,6 +280,11 @@ static void usage(const char *progname) " (PCRE2 only. Compiled PCRE2 regular expressions are\n\t" " not portable across architectures. When linked against\n\t" " PCRE this flag is ignored)\n\t" + "-i Print regular expression info end exit. That is, back\n\t" + " end version and architecture identifier.\n\t" + " Arch identifier format (PCRE2):\n\t" + " --, e.g.,\n\t" + " \"8-8-el\" for x86_64.\n\t" "fc_file The text based file contexts file to be processed.\n", progname); exit(EXIT_FAILURE); @@ -301,7 +306,7 @@ int main(int argc, char *argv[]) if (argc < 2) usage(argv[0]); - while ((opt = getopt(argc, argv, "o:p:r")) > 0) { + while ((opt = getopt(argc, argv, "io:p:r")) > 0) { switch (opt) { case 'o': out_file = optarg; @@ -312,6 +317,10 @@ int main(int argc, char *argv[]) case 'r': do_write_precompregex = 1; break; + case 'i': + printf("%s (%s)\n", regex_version(), + regex_arch_string()); + return 0; default: usage(argv[0]); } -- 2.8.0.rc3.226.g39d4020 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH 3/3] libselinux: sefcontext_compile invert semantics of "-r" flag
The "-r" flag of sefcontext_compile now causes it to omit the precompiled regular expressions from the output. Signed-off-by: Janis Danisevskis <jda...@android.com> --- libselinux/utils/sefcontext_compile.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c index 8c48d32..b2746c7 100644 --- a/libselinux/utils/sefcontext_compile.c +++ b/libselinux/utils/sefcontext_compile.c @@ -276,10 +276,12 @@ static void usage(const char *progname) " will be fc_file with the .bin suffix appended.\n\t" "-p Optional binary policy file that will be used to\n\t" " validate contexts defined in the fc_file.\n\t" - "-r Include precompiled regular expressions in the output.\n\t" + "-r Omit precompiled regular expressions from the output.\n\t" " (PCRE2 only. Compiled PCRE2 regular expressions are\n\t" - " not portable across architectures. When linked against\n\t" - " PCRE this flag is ignored)\n\t" + " not portable across architectures. Use this flag\n\t" + " if you know that you build for an incompatible\n\t" + " architecture to save space. When linked against\n\t" + " PCRE1 this flag is ignored.)\n\t" "-i Print regular expression info end exit. That is, back\n\t" " end version and architecture identifier.\n\t" " Arch identifier format (PCRE2):\n\t" @@ -294,7 +296,7 @@ int main(int argc, char *argv[]) { const char *path = NULL; const char *out_file = NULL; - int do_write_precompregex = 0; + int do_write_precompregex = 1; char stack_path[PATH_MAX + 1]; char *tmp = NULL; int fd, rc, opt; 
@@ -315,7 +317,7 @@ int main(int argc, char *argv[]) policy_file = optarg; break; case 'r': - do_write_precompregex = 1; + do_write_precompregex = 0; break; case 'i': printf("%s (%s)\n", regex_version(), -- 2.8.0.rc3.226.g39d4020 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH] libselinux: add support for pcre2
On Fri, Sep 16, 2016 at 8:06 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/16/2016 02:57 PM, Janis Danisevskis wrote: > > I have started implementing an arch string patch. Unfortunately, i did > > not manage to finish it before I had to leave the office today. > > In essence I did this: > > The regex_arch_string has three components: the pointer width determined > > by sizeof(void*), PCRE2_SIZE width determined by sizeof(), and > > endianess determined by > > __BYTE_ORDER__==__ORDER_BIG/LITTEL_ENDIAN__ > > > > For example, the resulting string for x86_64 and aarch64el should look > like > > this: "8-8-el". > > > > I bumped the compiled context version number and added the string > > right after the version in the output. > > Comments? > > What's the error handling when the versions do not match? Just ignore > the compiled regexes in file_contexts.bin? > > > Yes, If the version and arch match attempt to load the compiled regexes from the file. Otherwise, skip the corresponding regions of the file and leave the regex field NULL, so that they will be compiled on first use. ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH] libselinux: add support for pcre2
I have started implementing an arch string patch. Unfortunately, I did not manage to finish it before I had to leave the office today. In essence I did this: The regex_arch_string has three components: the pointer width determined by sizeof(void*), PCRE2_SIZE width determined by sizeof(), and endianness determined by __BYTE_ORDER__==__ORDER_BIG/LITTLE_ENDIAN__. For example, the resulting string for x86_64 and aarch64el should look like this: "8-8-el". I bumped the compiled context version number and added the string right after the version in the output. Comments? On Fri, Sep 16, 2016 at 3:52 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 09/16/2016 09:31 AM, Jason Zaman wrote: > > On Fri, Sep 16, 2016 at 06:15:01AM -0700, William Roberts wrote: > >> On Fri, Sep 16, 2016 at 6:09 AM, Janis Danisevskis <jda...@google.com> > wrote: > >>> I don't mind. Then before sefcontext_compile -r gets widely adopted we > >>> should change the semantic quickly. I'll prepare a patch. > >> > >> Did I miss something and this was merged? I've been out recovering > >> from a surgery so I haven't been > >> following this as well as I normally would have. > >> > >> If it's merged, just leave it. > > > > It's the very latest thing in master yeah, but I do also agree with > changing it. > > > > I just wanted to add that from a distro perspective, compiling things by > > default makes more sense. In gentoo, the package post_install runs > > sefcontext_compile. Using the fcontext files happens a lot more than any > > updates to libselinux (and thus potential format changes) so I'm pretty > > sure most people would prefer to have the speedup. > > > > Gentoo does it on the machine itself, I am not sure about redhat or > > debian but I wouldn't be surprised if they do it per-arch at the very > > least so cross-arch probably isn't an issue. 
> > In Red Hat, SELinux policy is noarch, and they switched to precompiling > both policy and file_contexts.bin at build time to minimize the cost at > package install time. Otherwise, in small VMs, they had issues with > running out of memory during semodule -B. So file_contexts.bin > presently has to be arch-independent, or we need the arch properties > detection logic and fallback. That said, none of this matters unless > you build with USE_PCRE2=y, and no one outside of Android is doing that > today. > > > Also, I think we should add the arch to the version string stored. I > > would rather have false negatives than positives especially since we are > > not 100% sure exactly what part of the arch is important. We can always > > loosen it up later if that gets locked down. > > We don't want the arch string itself, because that would invalidate use > of file_contexts.bin entirely on typical Android use cases (build on > x86_64, install to ARM), but only the relevant properties. And for > Android, that is fatal - there is no file_contexts text file on which to > fallback anymore. They only ship file_contexts.bin. > > ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: [PATCH] Change semantic of -r in sefcontext_compile
I don't really care much about the behavior of sefcontext_compile. I just thought making the default behavior the safest would be the best option. Before android is using it, I will have to sync the (now modified and improved - thank you) patches back into AOSP, which I intend to do. I have some benchmarks measuring load and lookup time for file contexts. I am eager to review and benchmark William's patches and explore a bit myself. And once all options are on the table I can make a case for the fastest solution to make it into Android. Concerning the arch string I respond in the other add support for pcre2 thread. On Fri, Sep 16, 2016 at 4:20 PM, William Roberts <bill.c.robe...@gmail.com> wrote: > On Sep 16, 2016 08:12, "Stephen Smalley" <s...@tycho.nsa.gov> wrote: > > > > On 09/16/2016 11:08 AM, William Roberts wrote: > > > On Fri, Sep 16, 2016 at 7:41 AM, Stephen Smalley <s...@tycho.nsa.gov> > wrote: > > >> On 09/16/2016 09:08 AM, Janis Danisevskis wrote: > > >>> This patch reestablishes the default behavior of sefcontext_compile > > >>> to include precompiled regular expressions in the output. If linked > > >>> against PCRE2 the flag "-r" now causes the precompiled regular > > >>> expressions to be omitted from the output. > > >> > > >> I thought your original rationale was more compelling. If we add > > >> detection of the relevant arch properties, then we can do this. > > >> Otherwise, I don't think we should. > > > > > > I was assuming based on the thread earlier that those patches would be > coming. > > > If we cant detect and compile on the current "undefined behavior" > > > case, then this > > > needs to stay as is. > > > > > > But I thought someone had a list of PCRE things that can be checked > for "arch", > > > so its just a matter of encoding those, assuming that list is correct. > > > > > > Binary file_contexts only make sense if you compile in the regex info, > else > > > just use the textual representation. 
> > > > That was my thought originally, but Janis did say that it was still > > faster, and Android presently only ships file_contexts.bin, so we can't > > just break that. > > I'm not saying that we break anything, but I think we should really > scrutinize the decision to keep binary fc's on Android. The only way it > could be faster at the moment is mmap and pcre2. We need to get some raw > numbers of pcre2 textual vs binary load times. If it's within 30% I'll have > that gap closed soon. It also takes up about 3 times the disk space for > binary. > ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH] sefcontext_compile: cleanup confusing usage message
From: Janis Danisevskis <jda...@google.com> Signed-off-by: Janis Danisevskis <jda...@google.com> --- libselinux/utils/sefcontext_compile.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c index 770ec4c..70853e7 100644 --- a/libselinux/utils/sefcontext_compile.c +++ b/libselinux/utils/sefcontext_compile.c @@ -267,8 +267,6 @@ static void usage(const char *progname) " (PCRE2 only. Compiled PCRE2 regular expressions are\n\t" " not portable across architectures. When linked against\n\t" " PCRE this flag is ignored)\n\t" - " Omit precompiled regular expressions (only meaningful\n\t" - " when using PCRE2 regular expression back-end).\n\t" "fc_file The text based file contexts file to be processed.\n", progname); exit(EXIT_FAILURE); -- 2.8.0.rc3.226.g39d4020 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH] Change semantic of -r in sefcontext_compile
This patch reestablishes the default behavior of sefcontext_compile to include precompiled regular expressions in the output. If linked against PCRE2 the flag "-r" now causes the precompiled regular expressions to be omitted from the output. --- libselinux/utils/sefcontext_compile.c | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c index 770ec4c..c1284d5 100644 --- a/libselinux/utils/sefcontext_compile.c +++ b/libselinux/utils/sefcontext_compile.c @@ -263,12 +263,10 @@ static void usage(const char *progname) " will be fc_file with the .bin suffix appended.\n\t" "-p Optional binary policy file that will be used to\n\t" " validate contexts defined in the fc_file.\n\t" - "-r Include precompiled regular expressions in the output.\n\t" + "-r Omit precompiled regular expressions in the output.\n\t" " (PCRE2 only. Compiled PCRE2 regular expressions are\n\t" " not portable across architectures. When linked against\n\t" " PCRE this flag is ignored)\n\t" - " Omit precompiled regular expressions (only meaningful\n\t" - " when using PCRE2 regular expression back-end).\n\t" "fc_file The text based file contexts file to be processed.\n", progname); exit(EXIT_FAILURE); @@ -278,7 +276,7 @@ int main(int argc, char *argv[]) { const char *path = NULL; const char *out_file = NULL; - int do_write_precompregex = 0; + int do_write_precompregex = 1; char stack_path[PATH_MAX + 1]; char *tmp = NULL; int fd, rc, opt; @@ -299,7 +297,7 @@ int main(int argc, char *argv[]) policy_file = optarg; break; case 'r': - do_write_precompregex = 1; + do_write_precompregex = 0; break; default: usage(argv[0]); -- 2.8.0.rc3.226.g39d4020 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
[PATCH] libselinux: add support for pcre2
From: Janis Danisevskis <jda...@google.com> This patch moves all pcre1/2 dependencies into the new files regex.h and regex.c implementing the common denominator of features needed by libselinux. The compiler flag -DUSE_PCRE2 toggles between the used implementations. As of this patch libselinux supports either pcre or pcre2 but not both at the same time. The persistently stored file contexts information differs. This means libselinux can only load file context files generated by sefcontext_compile build with the same pcre variant. Also, for pcre2 the persistent format is architecture dependent. Stored precompiled regular expressions can only be used on the same architecture they were generated on. If pcre2 is used, sefcontext_compile now respects the "-r". This flag makes sefcontext_compile include the precompiled regular expressions in the output file. The default is to omit them, so that the output remains portable at the cost of having to recompile the regular expressions at load time, or rather on first use. Signed-off-by: Janis Danisevskis <jda...@google.com> --- libselinux/Makefile | 9 + libselinux/src/Makefile | 6 +- libselinux/src/label_file.c | 92 ++- libselinux/src/label_file.h | 72 ++--- libselinux/src/regex.c| 496 ++ libselinux/src/regex.h| 149 ++ libselinux/utils/Makefile | 7 +- libselinux/utils/sefcontext_compile.c | 72 ++--- policycoreutils/restorecond/Makefile | 9 +- 9 files changed, 745 insertions(+), 167 deletions(-) create mode 100644 libselinux/src/regex.c create mode 100644 libselinux/src/regex.h diff --git a/libselinux/Makefile b/libselinux/Makefile index 6142b60..5a8d42c 100644 --- a/libselinux/Makefile +++ b/libselinux/Makefile 
@@ -24,6 +24,15 @@ ifeq ($(DISABLE_SETRANS),y) endif export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS +USE_PCRE2 ?= n +ifeq ($(USE_PCRE2),y) + PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 + PCRE_LDFLAGS := -lpcre2-8 +else + PCRE_LDFLAGS := -lpcre +endif +export PCRE_CFLAGS PCRE_LDFLAGS + all install relabel clean distclean indent: @for subdir in $(SUBDIRS); do \ (cd $$subdir && $(MAKE) $@) || exit 1; \ diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 37d01af..36e42b8 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -74,7 +74,9 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \ -Werror -Wno-aggregate-return -Wno-redundant-decls -override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) +PCRE_LDFLAGS ?= -lpcre + +override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) $(PCRE_CFLAGS) SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \ -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations @@ -113,7 +115,7 @@ $(LIBA): $(OBJS) $(RANLIB) $@ $(LIBSO): $(LOBJS) - $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro + $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index 9faecdb..9a67aa2 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c @@ -15,7 +15,6 @@ #include #include #include -#include #include #include #include 
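Review bot: The new `USE_PCRE2 ?= n` block in the libselinux/Makefile hunk carries no comment, although the choice has a consequence that the commit message spells out and the Makefile does not: a compiled file_contexts produced with one back-end cannot be loaded by a libselinux built with the other, and PCRE2 output is additionally architecture-specific. A short comment above the block, such as `# USE_PCRE2=y links against pcre2 instead of pcre; binary file_contexts written by sefcontext_compile can only be read by a libselinux built with the same back-end.`, keeps that constraint next to the switch that triggers it. The same uncommented block recurs in the libselinux/Makefile hunk of each other revision of this patch further down the page.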
@@ -126,6 +125,7 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec, struct mmap_area *mmap_area; uint32_t i, magic, version; uint32_t entry_len, stem_map_len, regex_array_len; + const char *reg_version; mmap_area = malloc(sizeof(*mmap_area)); if (!mmap_area) { @@ -155,8 +155,13 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec, if (rc < 0 || version > SELINUX_COMPILED_FCONTEXT_MAX_VERS) return -1; + reg_version = regex_version(); + if (!reg_version) + return -1; + if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) { - len = strlen(pcre_version()); + + len = strlen(reg_version); rc = next_entry(_len, mmap_area, sizeof(uint32_t)); if (rc < 0) @@ -166,7 +171,7 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec, if (len != entry_len) return -1; - /* Check if pcre version mismatch */ + /* Check if regex version mismatch */ str_buf = malloc(en
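Review bot: In the second load_mmap hunk the new `reg_version = regex_version();` / `if (!reg_version) return -1;` pair runs before `if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS)`, so a compiled file_contexts older than the PCRE format, which carries no back-end version string, is now rejected whenever regex_version() returns NULL, whereas the replaced code only consulted pcre_version() for the newer format. Moving the two lines inside that block, in place of the empty line the hunk adds directly after the opening brace, preserves the old behaviour and removes the stray blank line. load_mmap starts before the first hunk and continues past the last one. The same placement and stray empty line appear in the corresponding load_mmap hunks of the other revisions of this patch and of the 2/2 memory-leak patch further down the page.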
[PATCH] libselinux: add support for pcre2
From: Janis Danisevskis <jda...@google.com> This patch moves all pcre1/2 dependencies into the new files regex.h and regex.c implementing the common denominator of features needed by libselinux. The compiler flag -DUSE_PCRE2 toggles between the used implementations. As of this patch libselinux supports either pcre or pcre2 but not both at the same time. The persistently stored file contexts information differs. This means libselinux can only load file context files generated by sefcontext_compile built with the same pcre variant. Also, for pcre2 the persistent format is architecture dependent. Stored precompiled regular expressions can only be used on the same architecture they were generated on. If pcre2 is used, sefcontext_compile now respects the "-r". This flag makes sefcontext_compile include the precompiled regular expressions in the output file. The default is to omit them, so that the output remains portable at the cost of having to recompile the regular expressions at load time, or rather on first use. Signed-off-by: Janis Danisevskis <jda...@google.com> --- libselinux/Makefile | 9 + libselinux/src/Makefile | 6 +- libselinux/src/label_file.c | 95 ++- libselinux/src/label_file.h | 64 ++--- libselinux/src/regex.c| 496 ++ libselinux/src/regex.h| 149 ++ libselinux/utils/Makefile | 7 +- libselinux/utils/sefcontext_compile.c | 72 ++--- policycoreutils/restorecond/Makefile | 9 +- 9 files changed, 740 insertions(+), 167 deletions(-) create mode 100644 libselinux/src/regex.c create mode 100644 libselinux/src/regex.h diff --git a/libselinux/Makefile b/libselinux/Makefile index 6142b60..5a8d42c 100644 --- a/libselinux/Makefile +++ b/libselinux/Makefile 
@@ -24,6 +24,15 @@ ifeq ($(DISABLE_SETRANS),y) endif export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS +USE_PCRE2 ?= n +ifeq ($(USE_PCRE2),y) + PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 + PCRE_LDFLAGS := -lpcre2-8 +else + PCRE_LDFLAGS := -lpcre +endif +export PCRE_CFLAGS PCRE_LDFLAGS + all install relabel clean distclean indent: @for subdir in $(SUBDIRS); do \ (cd $$subdir && $(MAKE) $@) || exit 1; \ diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 37d01af..36e42b8 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -74,7 +74,9 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \ -Werror -Wno-aggregate-return -Wno-redundant-decls -override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) +PCRE_LDFLAGS ?= -lpcre + +override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) $(PCRE_CFLAGS) SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \ -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations @@ -113,7 +115,7 @@ $(LIBA): $(OBJS) $(RANLIB) $@ $(LIBSO): $(LOBJS) - $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro + $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index 9faecdb..e805189 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c @@ -15,7 +15,6 @@ #include #include #include -#include #include #include #include 
@@ -126,6 +125,7 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec, struct mmap_area *mmap_area; uint32_t i, magic, version; uint32_t entry_len, stem_map_len, regex_array_len; + const char *reg_version; mmap_area = malloc(sizeof(*mmap_area)); if (!mmap_area) { @@ -155,8 +155,13 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec, if (rc < 0 || version > SELINUX_COMPILED_FCONTEXT_MAX_VERS) return -1; + reg_version = regex_version(); + if (!reg_version) + return -1; + if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) { - len = strlen(pcre_version()); + + len = strlen(reg_version); rc = next_entry(_len, mmap_area, sizeof(uint32_t)); if (rc < 0) @@ -166,7 +171,7 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec, if (len != entry_len) return -1; - /* Check if pcre version mismatch */ + /* Check if regex version mismatch */ str_buf = malloc(en
[PATCH] libselinux: add support for pcre2
From: Janis Danisevskis <jda...@google.com> This patch moves all pcre1/2 dependencies into the new files regex.h and regex.c implementing the common denominator of features needed by libselinux. The compiler flag -DUSE_PCRE2 toggles between the used implementations. As of this patch libselinux supports either pcre or pcre2 but not both at the same time. The persistently stored file contexts information differs. This means libselinux can only load file context files generated by sefcontext_compile built with the same pcre variant. Also, for pcre2 the persistent format is architecture dependent. Stored precompiled regular expressions can only be used on the same architecture they were generated on. If pcre2 is used and sefcontext_compile shall generate portable output, it and libselinux must be compiled with -DNO_PERSISTENTLY_STORED_PATTERNS, at the cost of having to recompile the regular expressions at load time. Signed-off-by: Janis Danisevskis <jda...@google.com> This patch includes: libselinux: fix memory leak on pcre2 Introduced a malloc on pcre_version(). Libselinux expected this to be static, just use a static internal buffer. Signed-off-by: William Roberts <william.c.robe...@intel.com> --- libselinux/Makefile | 13 + libselinux/src/Makefile | 4 +- libselinux/src/label_file.c | 93 ++- libselinux/src/label_file.h | 59 ++--- libselinux/src/regex.c| 461 ++ libselinux/src/regex.h| 169 + libselinux/utils/Makefile | 4 +- libselinux/utils/sefcontext_compile.c | 55 +--- 8 files changed, 697 insertions(+), 161 deletions(-) create mode 100644 libselinux/src/regex.c create mode 100644 libselinux/src/regex.h diff --git a/libselinux/Makefile b/libselinux/Makefile index 6142b60..15d051e 100644 --- a/libselinux/Makefile +++ b/libselinux/Makefile 
@@ -24,6 +24,19 @@ ifeq ($(DISABLE_SETRANS),y) endif export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS +USE_PCRE2 ?= n +DISABLE_PERSISTENTLY_STORED_REGEX_PATTERNS ?= n +ifeq ($(USE_PCRE2),y) + PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 + ifeq ($(DISABLE_PERSISTENTLY_STORED_REGEX_PATTERNS), y) + PCRE_CFLAGS += -DNO_PERSISTENTLY_STORED_PATTERNS + endif + PCRE_LDFLAGS := -lpcre2-8 +else + PCRE_LDFLAGS := -lpcre +endif +export PCRE_CFLAGS PCRE_LDFLAGS + all install relabel clean distclean indent: @for subdir in $(SUBDIRS); do \ (cd $$subdir && $(MAKE) $@) || exit 1; \ diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 37d01af..66687e6 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -74,7 +74,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \ -Werror -Wno-aggregate-return -Wno-redundant-decls -override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) +override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) $(PCRE_CFLAGS) SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \ -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations @@ -113,7 +113,7 @@ $(LIBA): $(OBJS) $(RANLIB) $@ $(LIBSO): $(LOBJS) - $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro + $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index c89bb35..e41c351 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c @@ -15,7 +15,6 @@ #include #include #include -#include #include #include #include 
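Review bot: In the libselinux/src/Makefile hunk, `$(PCRE_LDFLAGS)` replaces the hard-coded `-lpcre` on the `$(LIBSO)` link line, but this Makefile gives the variable no default, so running make directly in libselinux/src without the top-level export links the shared object with `-z,defs` and no PCRE library at all, which would presumably fail on the unresolved regex symbols. Adding `PCRE_LDFLAGS ?= -lpcre` next to the `override CFLAGS` line keeps the standalone build working; the later revision of this patch at the top of the page does exactly that. The same omission is in the libselinux/src/Makefile hunk of the 1/2 patch at the bottom of the page. In the top-level Makefile hunk, `ifeq ($(DISABLE_PERSISTENTLY_STORED_REGEX_PATTERNS), y)` has a space after the comma, which GNU make tolerates, but the line above it writes `ifeq ($(USE_PCRE2),y)`; the two should match.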
@@ -112,6 +111,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, struct mmap_area *mmap_area; uint32_t i, magic, version; uint32_t entry_len, stem_map_len, regex_array_len; + const char *reg_version; if (isbinary) { len = strlen(path); @@ -175,8 +175,13 @@ static int load_mmap(struct selabel_handle *rec, const char *path, if (rc < 0 || version > SELINUX_COMPILED_FCONTEXT_MAX_VERS) return -1; + reg_version = regex_version(); + if (!reg_version) + return -1; + if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) { - len = strlen(pcre_version()); + + len = strlen(reg_version); rc = next_entry(_len, mmap_area, sizeof(uint32_t)); if (rc < 0) @@ -198,7 +203,7 @@ static int load_mmap(struct
[PATCH 2/2] libselinux: fix memory leak on pcre2
From: William RobertsIntroduced a malloc on pcre_version(). Libselinux expected this to be static, just use a static internal buffer. Signed-off-by: William Roberts --- libselinux/src/label_file.c | 13 - libselinux/src/regex.c| 20 +++- libselinux/utils/sefcontext_compile.c | 8 +--- 3 files changed, 20 insertions(+), 21 deletions(-) diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index 6698624..110db11 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c @@ -111,6 +111,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, struct mmap_area *mmap_area; uint32_t i, magic, version; uint32_t entry_len, stem_map_len, regex_array_len; + const char *reg_version; if (isbinary) { len = strlen(path); @@ -174,11 +175,13 @@ static int load_mmap(struct selabel_handle *rec, const char *path, if (rc < 0 || version > SELINUX_COMPILED_FCONTEXT_MAX_VERS) return -1; + reg_version = regex_version(); + if (!reg_version) + return -1; + if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) { - if (!regex_version()) { - return -1; - } - len = strlen(regex_version()); + + len = strlen(reg_version); rc = next_entry(_len, mmap_area, sizeof(uint32_t)); if (rc < 0) @@ -200,7 +203,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, } str_buf[entry_len] = '\0'; - if ((strcmp(str_buf, regex_version()) != 0)) { + if ((strcmp(str_buf, reg_version) != 0)) { free(str_buf); return -1; } diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c index 6b92b04..c880bfa 100644 --- a/libselinux/src/regex.c +++ b/libselinux/src/regex.c 
@@ -49,19 +49,13 @@ err:regex_data_free(*regex); char const * regex_version(void) { #ifdef USE_PCRE2 - static int initialized = 0; - static char * version_string = NULL; - size_t version_string_len; - if (!initialized) { - version_string_len = pcre2_config(PCRE2_CONFIG_VERSION, NULL); - version_string = (char*) malloc(version_string_len); - if (!version_string) { - return NULL; - } - pcre2_config(PCRE2_CONFIG_VERSION, version_string); - initialized = 1; - } - return version_string; + static char version_buf[256]; + size_t len = pcre2_config(PCRE2_CONFIG_VERSION, NULL); + if (len <= 0 || len > sizeof(version_buf)) + return NULL; + + pcre2_config(PCRE2_CONFIG_VERSION, version_buf); + return version_buf; #else return pcre_version(); #endif diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c index 8ff73f4..b6b8d92 100644 --- a/libselinux/utils/sefcontext_compile.c +++ b/libselinux/utils/sefcontext_compile.c @@ -101,6 +101,7 @@ static int write_binary_file(struct saved_data *data, int fd) uint32_t section_len; uint32_t i; int rc; + const char *reg_version; bin_file = fdopen(fd, "w"); if (!bin_file) { @@ -120,13 +121,14 @@ static int write_binary_file(struct saved_data *data, int fd) goto err; /* write version of the regex back-end */ - if (!regex_version()) + reg_version = regex_version(); + if (!reg_version) goto err; - section_len = strlen(regex_version()); + section_len = strlen(reg_version); len = fwrite(_len, sizeof(uint32_t), 1, bin_file); if (len != 1) goto err; - len = fwrite(regex_version(), sizeof(char), section_len, bin_file); + len = fwrite(reg_version, sizeof(char), section_len, bin_file); if (len != section_len) goto err; -- 2.8.0.rc3.226.g39d4020 ___ Selinux mailing list Selinux@tycho.nsa.gov To unsubscribe, send email to selinux-le...@tycho.nsa.gov. To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
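Review bot: In the regex_version() hunk, `size_t len = pcre2_config(PCRE2_CONFIG_VERSION, NULL);` stores pcre2_config's `int` result in an unsigned variable, so a negative error code can never satisfy `len <= 0` and is only rejected as a side effect of the `len > sizeof(version_buf)` comparison; `int len = pcre2_config(PCRE2_CONFIG_VERSION, NULL);` with `if (len <= 0 || (size_t)len > sizeof(version_buf))` expresses the intent directly. The second `pcre2_config(PCRE2_CONFIG_VERSION, version_buf);` call is unchecked, so on failure the static buffer is returned with whatever it previously held. Because the buffer is refilled on every call rather than once, concurrent callers in a multi-threaded process may observe it mid-write; the bytes written are always the same, so this is presumably benign, but filling it once would avoid the question.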
[PATCH 1/2] libselinux: add support for pcre2
From: Janis Danisevskis <jda...@google.com> This patch moves all pcre1/2 dependencies into the new files regex.h and regex.c implementing the common denominator of features needed by libselinux. The compiler flag -DUSE_PCRE2 toggles between the used implementations. As of this patch libselinux supports either pcre or pcre2 but not both at the same time. The persistently stored file contexts information differs. This means libselinux can only load file context files generated by sefcontext_compile built with the same pcre variant. Also, for pcre2 the persistent format is architecture dependent. Stored precompiled regular expressions can only be used on the same architecture they were generated on. If pcre2 is used and sefcontext_compile shall generate portable output, it and libselinux must be compiled with -DNO_PERSISTENTLY_STORED_PATTERNS, at the cost of having to recompile the regular expressions at load time. Signed-off-by: Janis Danisevskis <jda...@google.com> --- libselinux/Makefile | 13 ++ libselinux/src/Makefile | 4 +- libselinux/src/label_file.c | 91 ++-- libselinux/src/label_file.h | 54 ++--- libselinux/src/regex.c| 405 ++ libselinux/src/regex.h| 168 ++ libselinux/utils/Makefile | 4 +- libselinux/utils/sefcontext_compile.c | 53 + 8 files changed, 637 insertions(+), 155 deletions(-) create mode 100644 libselinux/src/regex.c create mode 100644 libselinux/src/regex.h diff --git a/libselinux/Makefile b/libselinux/Makefile index 6142b60..15d051e 100644 --- a/libselinux/Makefile +++ b/libselinux/Makefile 
@@ -24,6 +24,19 @@ ifeq ($(DISABLE_SETRANS),y) endif export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS +USE_PCRE2 ?= n +DISABLE_PERSISTENTLY_STORED_REGEX_PATTERNS ?= n +ifeq ($(USE_PCRE2),y) + PCRE_CFLAGS := -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 + ifeq ($(DISABLE_PERSISTENTLY_STORED_REGEX_PATTERNS), y) + PCRE_CFLAGS += -DNO_PERSISTENTLY_STORED_PATTERNS + endif + PCRE_LDFLAGS := -lpcre2-8 +else + PCRE_LDFLAGS := -lpcre +endif +export PCRE_CFLAGS PCRE_LDFLAGS + all install relabel clean distclean indent: @for subdir in $(SUBDIRS); do \ (cd $$subdir && $(MAKE) $@) || exit 1; \ diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 37d01af..66687e6 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -74,7 +74,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \ -Werror -Wno-aggregate-return -Wno-redundant-decls -override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) +override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE $(EMFLAGS) $(PCRE_CFLAGS) SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \ -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations @@ -113,7 +113,7 @@ $(LIBA): $(OBJS) $(RANLIB) $@ $(LIBSO): $(LOBJS) - $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro + $(CC) $(CFLAGS) -shared -o $@ $^ $(PCRE_LDFLAGS) -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index c89bb35..6698624 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c @@ -15,7 +15,6 @@ #include #include #include -#include #include #include #include 
@@ -176,7 +175,10 @@ static int load_mmap(struct selabel_handle *rec, const char *path, return -1; if (version >= SELINUX_COMPILED_FCONTEXT_PCRE_VERS) { - len = strlen(pcre_version()); + if (!regex_version()) { + return -1; + } + len = strlen(regex_version()); rc = next_entry(_len, mmap_area, sizeof(uint32_t)); if (rc < 0) @@ -198,7 +200,7 @@ static int load_mmap(struct selabel_handle *rec, const char *path, } str_buf[entry_len] = '\0'; - if ((strcmp(str_buf, pcre_version()) != 0)) { + if ((strcmp(str_buf, regex_version()) != 0)) { free(str_buf); return -1; } @@ -278,7 +280,11 @@ static int load_mmap(struct selabel_handle *rec, const char *path, spec = >spec_arr[data->nspec]; spec->from_mmap = 1; +#if defined USE_PCRE2 && defined NO_PERSISTENTLY_STORED_PATTERNS + spec->regcomp = 0; +#else spec->regcomp