- Upgrade to latest from NSA

Eliminate unaligned accesses from policy reading code from Stephen Smalley.
2007-08-28 17:35:57 +00:00 · 2007-08-28 17:35:57 +00:00 · b79588c078
commit b79588c078
parent d7175a2f83
2 changed files with 87 additions and 74 deletions
--- a/libsepol-rhat.patch
+++ b/libsepol-rhat.patch
@ -1,77 +1,88 @@
-diff --exclude-from=exclude -N -u -r nsalibsepol/include/sepol/handle.h libsepol-2.0.5/include/sepol/handle.h
--- nsalibsepol/include/sepol/handle.h	2007-07-16 14:20:40.000000000 -0400
-+++ libsepol-2.0.5/include/sepol/handle.h	2007-08-10 09:42:16.000000000 -0400
-@@ -7,6 +7,10 @@
- /* Create and return a sepol handle. */
- sepol_handle_t *sepol_handle_create(void);
+Index: libsepol/src/module.c
+===================================================================
+--- libsepol/src/module.c	(revision 2538)
+++ libsepol/src/module.c	(working copy)
+@@ -353,21 +353,27 @@
+ 				       struct policy_file *file,
+ 				       size_t ** offsets, uint32_t * sections)
+ {
+-	uint32_t buf[3], nsec;
+	uint32_t *buf = NULL, nsec;
+ 	unsigned i;
+-	size_t *off;
+	size_t *off = NULL;
+ 	int rc;
 
-+/* Set whether or not to disable dontaudits, 0 is default and does 
-+ * not disable dontaudits, 1 disables them */
-+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
+	buf = malloc(sizeof(uint32_t)*3);
+	if (!buf) {
+		ERR(file->handle, "out of memory");
+		goto err;
+	}
+	  
+ 	rc = next_entry(buf, file, sizeof(uint32_t) * 3);
+ 	if (rc < 0) {
+ 		ERR(file->handle, "module package header truncated");
+-		return -1;
+		goto err;
+ 	}
+ 	if (le32_to_cpu(buf[0]) != SEPOL_MODULE_PACKAGE_MAGIC) {
+ 		ERR(file->handle,
+ 		    "wrong magic number for module package:  expected %u, got %u",
+ 		    SEPOL_MODULE_PACKAGE_MAGIC, le32_to_cpu(buf[0]));
+-		return -1;
+		goto err;
+ 	}
+ 
+ 	mod->version = le32_to_cpu(buf[1]);
+@@ -376,23 +382,29 @@
+ 	if (nsec > MAXSECTIONS) {
+ 		ERR(file->handle, "too many sections (%u) in module package",
+ 		    nsec);
+-		return -1;
+		goto err;
+ 	}
+ 
+ 	off = (size_t *) malloc((nsec + 1) * sizeof(size_t));
+ 	if (!off) {
+ 		ERR(file->handle, "out of memory");
+-		return -1;
+		goto err;
+ 	}
+ 
+-	rc = next_entry(off, file, sizeof(uint32_t) * nsec);
+	free(buf);
+	buf = malloc(sizeof(uint32_t) * nsec);
+	if (!buf) {
+		ERR(file->handle, "out of memory");
+		goto err;
+	}
+	rc = next_entry(buf, file, sizeof(uint32_t) * nsec);
+ 	if (rc < 0) {
+ 		ERR(file->handle, "module package offset array truncated");
+-		return -1;
+		goto err;
+ 	}
+ 
+ 	for (i = 0; i < nsec; i++) {
+-		off[i] = le32_to_cpu(off[i]);
+		off[i] = le32_to_cpu(buf[i]);
+ 		if (i && off[i] < off[i - 1]) {
+ 			ERR(file->handle, "offsets are not increasing (at %u, "
+ 			    "offset %zu -> %zu", i, off[i - 1],
+@@ -401,10 +413,15 @@
+ 		}
+ 	}
+ 
+-	
+	free(buf); 	
+ 	off[nsec] = policy_file_length(file);
+ 	*offsets = off;
+ 	return 0;
 +
- /* Destroy a sepol handle. */
- void sepol_handle_destroy(sepol_handle_t *);
- 
-diff --exclude-from=exclude -N -u -r nsalibsepol/src/expand.c libsepol-2.0.5/src/expand.c
--- nsalibsepol/src/expand.c	2007-07-16 14:20:41.000000000 -0400
-+++ libsepol-2.0.5/src/expand.c	2007-08-10 09:42:16.000000000 -0400
-@@ -1367,6 +1367,8 @@
- 	} else if (specified & AVRULE_AUDITDENY) {
- 		spec = AVTAB_AUDITDENY;
- 	} else if (specified & AVRULE_DONTAUDIT) {
-+		if (handle->disable_dontaudit)
-+			return EXPAND_RULE_SUCCESS;
- 		spec = AVTAB_AUDITDENY;
- 	} else if (specified & AVRULE_NEVERALLOW) {
- 		spec = AVTAB_NEVERALLOW;
-diff --exclude-from=exclude -N -u -r nsalibsepol/src/handle.c libsepol-2.0.5/src/handle.c
--- nsalibsepol/src/handle.c	2007-07-16 14:20:41.000000000 -0400
-+++ libsepol-2.0.5/src/handle.c	2007-08-10 09:42:16.000000000 -0400
-@@ -1,4 +1,5 @@
- #include <stdlib.h>
-+#include <assert.h>
- #include "handle.h"
- #include "debug.h"
- 
-@@ -13,9 +14,18 @@
- 	sh->msg_callback = sepol_msg_default_handler;
- 	sh->msg_callback_arg = NULL;
- 
-+	/* by default do not disable dontaudits */
-+	sh->disable_dontaudit = 0;
-+
- 	return sh;
+err:
+	free(buf);
+	free(off);
+	return -1;
 }
 
-+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
-+{
-+	assert(sh !=NULL);
-+	sh->disable_dontaudit = disable_dontaudit;
-+}
-+
- void sepol_handle_destroy(sepol_handle_t * sh)
- {
- 	free(sh);
-diff --exclude-from=exclude -N -u -r nsalibsepol/src/handle.h libsepol-2.0.5/src/handle.h
--- nsalibsepol/src/handle.h	2007-07-16 14:20:40.000000000 -0400
-+++ libsepol-2.0.5/src/handle.h	2007-08-10 09:42:16.000000000 -0400
-@@ -14,6 +14,9 @@
- 	void (*msg_callback) (void *varg,
- 			      sepol_handle_t * handle, const char *fmt, ...);
- 	void *msg_callback_arg;
-+
-+	int disable_dontaudit;
-+
- };
- 
- #endif
-diff --exclude-from=exclude -N -u -r nsalibsepol/src/libsepol.map libsepol-2.0.5/src/libsepol.map
--- nsalibsepol/src/libsepol.map	2007-07-16 14:20:41.000000000 -0400
-+++ libsepol-2.0.5/src/libsepol.map	2007-08-10 09:42:16.000000000 -0400
-@@ -12,5 +12,6 @@
- 	sepol_policydb_*; sepol_set_policydb_from_file; 
- 	sepol_policy_kern_*;
- 	sepol_policy_file_*;
-+	sepol_set_disable_dontaudit;
-   local: *;
- };
+ /* Flags for which sections have been seen during parsing of module package. */
--- a/libsepol.spec
+++ b/libsepol.spec
@ -2,11 +2,12 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsepol
 Version: 2.0.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
 URL:	http://www.selinuxproject.org
+Patch: libsepol-rhat.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Provides: libsepol.so
@ -38,6 +39,7 @@ needed for developing applications that manipulate binary policies.

 %prep
 %setup -q
+%patch -p 1 -b .rhat
 # sparc64 is an -fPIC arch, so we need to fix it here
 %ifarch sparc64
 sed -i 's/fpic/fPIC/g' src/Makefile