libsepol-2.5-5
- Only apply bounds checking to source types in rules - Fix CIL to not add an attribute as a type in the attr_type_map
parent
29e9ab01e1
commit
d88ffa19a4
|
@ -11,10 +11,12 @@ index a43b343..5d2c96b 100644
|
||||||
-Wshadow -Wmissing-noreturn \
|
-Wshadow -Wmissing-noreturn \
|
||||||
-Wmissing-format-attribute
|
-Wmissing-format-attribute
|
||||||
diff --git libsepol-2.5/ChangeLog libsepol-2.5/ChangeLog
|
diff --git libsepol-2.5/ChangeLog libsepol-2.5/ChangeLog
|
||||||
index ace3d54..9348d70 100644
|
index ace3d54..12e2ebc 100644
|
||||||
--- libsepol-2.5/ChangeLog
|
--- libsepol-2.5/ChangeLog
|
||||||
+++ libsepol-2.5/ChangeLog
|
+++ libsepol-2.5/ChangeLog
|
||||||
@@ -1,3 +1,10 @@
|
@@ -1,3 +1,12 @@
|
||||||
|
+ * Only apply bounds checking to source types in rules, from Stephen Smalley.
|
||||||
|
+ * Fix CIL and not add an attribute as a type in the attr_type_map, from James Carter
|
||||||
+ * Build policy on systems not supporting DCCP protocol, from Richard Haines.
|
+ * Build policy on systems not supporting DCCP protocol, from Richard Haines.
|
||||||
+ * Fix extended permissions neverallow checking, from Jeff Vander Stoep.
|
+ * Fix extended permissions neverallow checking, from Jeff Vander Stoep.
|
||||||
+ * Fix CIL neverallow and bounds checking, from James Carter
|
+ * Fix CIL neverallow and bounds checking, from James Carter
|
||||||
|
@ -38,7 +40,7 @@ index afdc240..de7033a 100644
|
||||||
CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif");
|
CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif");
|
||||||
CIL_KEY_ALLOW = cil_strpool_add("allow");
|
CIL_KEY_ALLOW = cil_strpool_add("allow");
|
||||||
diff --git libsepol-2.5/cil/src/cil_binary.c libsepol-2.5/cil/src/cil_binary.c
|
diff --git libsepol-2.5/cil/src/cil_binary.c libsepol-2.5/cil/src/cil_binary.c
|
||||||
index f749e53..b8437c9 100644
|
index f749e53..1cd12d2 100644
|
||||||
--- libsepol-2.5/cil/src/cil_binary.c
|
--- libsepol-2.5/cil/src/cil_binary.c
|
||||||
+++ libsepol-2.5/cil/src/cil_binary.c
|
+++ libsepol-2.5/cil/src/cil_binary.c
|
||||||
@@ -31,6 +31,9 @@
|
@@ -31,6 +31,9 @@
|
||||||
|
@ -51,7 +53,22 @@ index f749e53..b8437c9 100644
|
||||||
|
|
||||||
#include <sepol/policydb/policydb.h>
|
#include <sepol/policydb/policydb.h>
|
||||||
#include <sepol/policydb/polcaps.h>
|
#include <sepol/policydb/polcaps.h>
|
||||||
@@ -3035,6 +3038,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
|
@@ -606,9 +609,11 @@ int __cil_typeattr_bitmap_init(policydb_t *pdb)
|
||||||
|
rc = SEPOL_ERR;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
- if (ebitmap_set_bit(&pdb->attr_type_map[i], i, 1)) {
|
||||||
|
- rc = SEPOL_ERR;
|
||||||
|
- goto exit;
|
||||||
|
+ if (pdb->type_val_to_struct[i] && pdb->type_val_to_struct[i]->flavor != TYPE_ATTRIB) {
|
||||||
|
+ if (ebitmap_set_bit(&pdb->attr_type_map[i], i, 1)) {
|
||||||
|
+ rc = SEPOL_ERR;
|
||||||
|
+ goto exit;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
@@ -3035,6 +3040,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons)
|
||||||
case CIL_PROTOCOL_TCP:
|
case CIL_PROTOCOL_TCP:
|
||||||
new_ocon->u.port.protocol = IPPROTO_TCP;
|
new_ocon->u.port.protocol = IPPROTO_TCP;
|
||||||
break;
|
break;
|
||||||
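Review bot: The new guard added around the ebitmap_set_bit call in __cil_typeattr_bitmap_init silently skips both every attribute and any i whose type_val_to_struct[i] is NULL, and nothing in the hunk explains why either case is correct; a one-line comment would make the intent durable, e.g. `/* An attribute is not a type: attr_type_map[attr] must hold only the types the attribute expands to, never the attribute's own bit. */`. Whether a NULL type_val_to_struct entry can legitimately reach this loop is not visible here — if it cannot, reporting it as an error instead of skipping would be safer, but that cannot be confirmed from these lines. As a matter of style the two lookups of `pdb->type_val_to_struct[i]` could be folded into one local, e.g. `type_datum_t *t = pdb->type_val_to_struct[i];` followed by `if (t && t->flavor != TYPE_ATTRIB) {`. The loop and the function enclosing this block both begin outside the hunk.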
|
@ -61,7 +78,7 @@ index f749e53..b8437c9 100644
|
||||||
default:
|
default:
|
||||||
/* should not get here */
|
/* should not get here */
|
||||||
rc = SEPOL_ERR;
|
rc = SEPOL_ERR;
|
||||||
@@ -4380,10 +4386,9 @@ exit:
|
@@ -4380,10 +4388,9 @@ exit:
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -74,7 +91,7 @@ index f749e53..b8437c9 100644
|
||||||
struct cil_avrule *cil_rule = node->data;
|
struct cil_avrule *cil_rule = node->data;
|
||||||
struct cil_symtab_datum *tgt = cil_rule->tgt;
|
struct cil_symtab_datum *tgt = cil_rule->tgt;
|
||||||
uint32_t kind;
|
uint32_t kind;
|
||||||
@@ -4422,11 +4427,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
|
@@ -4422,11 +4429,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
|
||||||
|
|
||||||
rc = check_assertion(pdb, rule);
|
rc = check_assertion(pdb, rule);
|
||||||
if (rc == CIL_TRUE) {
|
if (rc == CIL_TRUE) {
|
||||||
|
@ -87,7 +104,7 @@ index f749e53..b8437c9 100644
|
||||||
}
|
}
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
@@ -4444,12 +4449,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
|
@@ -4444,12 +4451,11 @@ static int cil_check_neverallow(const struct cil_db *db, policydb_t *pdb, struct
|
||||||
rule->xperms = item->data;
|
rule->xperms = item->data;
|
||||||
rc = check_assertion(pdb, rule);
|
rc = check_assertion(pdb, rule);
|
||||||
if (rc == CIL_TRUE) {
|
if (rc == CIL_TRUE) {
|
||||||
|
@ -101,7 +118,7 @@ index f749e53..b8437c9 100644
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -4466,34 +4470,23 @@ exit:
|
@@ -4466,34 +4472,23 @@ exit:
|
||||||
rule->xperms = NULL;
|
rule->xperms = NULL;
|
||||||
__cil_destroy_sepol_avrules(rule);
|
__cil_destroy_sepol_avrules(rule);
|
||||||
|
|
||||||
|
@ -141,7 +158,7 @@ index f749e53..b8437c9 100644
|
||||||
}
|
}
|
||||||
|
|
||||||
static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t class, uint32_t data, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[])
|
static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t class, uint32_t data, struct cil_class *class_value_to_cil[], struct cil_perm **perm_value_to_cil[])
|
||||||
@@ -4548,7 +4541,7 @@ exit:
|
@@ -4548,7 +4543,7 @@ exit:
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -150,7 +167,7 @@ index f749e53..b8437c9 100644
|
||||||
{
|
{
|
||||||
int rc = SEPOL_OK;
|
int rc = SEPOL_OK;
|
||||||
int i;
|
int i;
|
||||||
@@ -4574,6 +4567,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
|
@@ -4574,6 +4569,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
|
||||||
if (bad) {
|
if (bad) {
|
||||||
avtab_ptr_t cur;
|
avtab_ptr_t cur;
|
||||||
struct cil_avrule target;
|
struct cil_avrule target;
|
||||||
|
@ -160,7 +177,7 @@ index f749e53..b8437c9 100644
|
||||||
|
|
||||||
target.is_extended = 0;
|
target.is_extended = 0;
|
||||||
target.rule_kind = CIL_AVRULE_ALLOWED;
|
target.rule_kind = CIL_AVRULE_ALLOWED;
|
||||||
@@ -4585,7 +4581,6 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
|
@@ -4585,7 +4583,6 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
|
||||||
for (cur = bad; cur; cur = cur->next) {
|
for (cur = bad; cur; cur = cur->next) {
|
||||||
struct cil_list_item *i2;
|
struct cil_list_item *i2;
|
||||||
struct cil_list *matching;
|
struct cil_list *matching;
|
||||||
|
@ -168,7 +185,7 @@ index f749e53..b8437c9 100644
|
||||||
|
|
||||||
rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil);
|
rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil);
|
||||||
if (rc != SEPOL_OK) {
|
if (rc != SEPOL_OK) {
|
||||||
@@ -4594,7 +4589,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
|
@@ -4594,7 +4591,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
|
||||||
}
|
}
|
||||||
__cil_print_rule(" ", "allow", &target);
|
__cil_print_rule(" ", "allow", &target);
|
||||||
cil_list_init(&matching, CIL_NODE);
|
cil_list_init(&matching, CIL_NODE);
|
||||||
|
@ -177,7 +194,7 @@ index f749e53..b8437c9 100644
|
||||||
if (rc) {
|
if (rc) {
|
||||||
cil_log(CIL_ERR, "Error occurred while checking type bounds\n");
|
cil_log(CIL_ERR, "Error occurred while checking type bounds\n");
|
||||||
cil_list_destroy(&matching, CIL_FALSE);
|
cil_list_destroy(&matching, CIL_FALSE);
|
||||||
@@ -4602,14 +4597,17 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
|
@@ -4602,14 +4599,17 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
|
||||||
bounds_destroy_bad(bad);
|
bounds_destroy_bad(bad);
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
@ -201,7 +218,7 @@ index f749e53..b8437c9 100644
|
||||||
cil_list_destroy(&matching, CIL_FALSE);
|
cil_list_destroy(&matching, CIL_FALSE);
|
||||||
cil_list_destroy(&target.perms.classperms, CIL_TRUE);
|
cil_list_destroy(&target.perms.classperms, CIL_TRUE);
|
||||||
}
|
}
|
||||||
@@ -4753,20 +4751,32 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
|
@@ -4753,20 +4753,32 @@ int cil_binary_create_allocated_pdb(const struct cil_db *db, sepol_policydb_t *p
|
||||||
__cil_set_conditional_state_and_flags(pdb);
|
__cil_set_conditional_state_and_flags(pdb);
|
||||||
|
|
||||||
if (db->disable_neverallow != CIL_TRUE) {
|
if (db->disable_neverallow != CIL_TRUE) {
|
||||||
|
@ -479,6 +496,61 @@ index fbf397f..f4429ad 100644
|
||||||
if (rc == 0)
|
if (rc == 0)
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
diff --git libsepol-2.5/src/hierarchy.c libsepol-2.5/src/hierarchy.c
|
||||||
|
index 6f73195..b24b39e 100644
|
||||||
|
--- libsepol-2.5/src/hierarchy.c
|
||||||
|
+++ libsepol-2.5/src/hierarchy.c
|
||||||
|
@@ -121,18 +121,6 @@ static int bounds_expand_rule(sepol_handle_t *handle, policydb_t *p,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], parent - 1)) {
|
||||||
|
- avtab_key.target_type = parent;
|
||||||
|
- ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) {
|
||||||
|
- if (!ebitmap_node_get_bit(tnode, i))
|
||||||
|
- continue;
|
||||||
|
- avtab_key.source_type = i + 1;
|
||||||
|
- rc = bounds_insert_rule(handle, avtab, global, other,
|
||||||
|
- &avtab_key, &datum);
|
||||||
|
- if (rc) goto exit;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
exit:
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
@@ -329,31 +317,6 @@ static int bounds_check_rule(sepol_handle_t *handle, policydb_t *p,
|
||||||
|
if (rc) goto exit;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if (ebitmap_get_bit(&p->attr_type_map[tgt - 1], child - 1)) {
|
||||||
|
- avtab_key.target_type = parent;
|
||||||
|
- ebitmap_for_each_bit(&p->attr_type_map[src - 1], tnode, i) {
|
||||||
|
- if (!ebitmap_node_get_bit(tnode, i))
|
||||||
|
- continue;
|
||||||
|
- avtab_key.source_type = i + 1;
|
||||||
|
- if (avtab_key.source_type == child) {
|
||||||
|
- /* Checked above */
|
||||||
|
- continue;
|
||||||
|
- }
|
||||||
|
- d = bounds_not_covered(global_avtab, cur_avtab,
|
||||||
|
- &avtab_key, data);
|
||||||
|
- if (!d) continue;
|
||||||
|
- td = p->type_val_to_struct[i];
|
||||||
|
- if (td && td->bounds) {
|
||||||
|
- avtab_key.source_type = td->bounds;
|
||||||
|
- d = bounds_not_covered(global_avtab, cur_avtab,
|
||||||
|
- &avtab_key, data);
|
||||||
|
- if (!d) continue;
|
||||||
|
- }
|
||||||
|
- (*numbad)++;
|
||||||
|
- rc = bounds_add_bad(handle, i+1, child, class, d, bad);
|
||||||
|
- if (rc) goto exit;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
|
||||||
|
exit:
|
||||||
|
return rc;
|
||||||
diff --git libsepol-2.5/src/module_to_cil.c libsepol-2.5/src/module_to_cil.c
|
diff --git libsepol-2.5/src/module_to_cil.c libsepol-2.5/src/module_to_cil.c
|
||||||
index 18ec6b9..38f0dc3 100644
|
index 18ec6b9..38f0dc3 100644
|
||||||
--- libsepol-2.5/src/module_to_cil.c
|
--- libsepol-2.5/src/module_to_cil.c
|
||||||
|
|
|
@ -1,14 +1,14 @@
|
||||||
Summary: SELinux binary policy manipulation library
|
Summary: SELinux binary policy manipulation library
|
||||||
Name: libsepol
|
Name: libsepol
|
||||||
Version: 2.5
|
Version: 2.5
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsepol-2.5.tar.gz
|
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/libsepol-2.5.tar.gz
|
||||||
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
|
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
|
||||||
# run:
|
# run:
|
||||||
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh libsepol
|
# $ VERSION=2.5 ./make-fedora-selinux-patch.sh libsepol
|
||||||
# HEAD https://github.com/fedora-selinux/selinux/commit/f900ff37022119de47d516f103ccfd339d52c861
|
# HEAD https://github.com/fedora-selinux/selinux/commit/3d38b0a219c3697546d813b6da9fff4d0da04a1e
|
||||||
Patch1: libsepol-fedora.patch
|
Patch1: libsepol-fedora.patch
|
||||||
URL: https://github.com/SELinuxProject/selinux/wiki
|
URL: https://github.com/SELinuxProject/selinux/wiki
|
||||||
BuildRequires: flex
|
BuildRequires: flex
|
||||||
|
@ -106,6 +106,10 @@ exit 0
|
||||||
%{_libdir}/libsepol.so.1
|
%{_libdir}/libsepol.so.1
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 02 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-5
|
||||||
|
- Only apply bounds checking to source types in rules
|
||||||
|
- Fix CIL and not add an attribute as a type in the attr_type_map
|
||||||
|
|
||||||
* Fri Apr 29 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
|
* Fri Apr 29 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
|
||||||
- Build policy on systems not supporting DCCP protocol
|
- Build policy on systems not supporting DCCP protocol
|
||||||
- Fix extended permissions neverallow checking
|
- Fix extended permissions neverallow checking
|
||||||
|
|