diff --git libsepol-2.7/cil/include/cil/cil.h libsepol-2.7/cil/include/cil/cil.h
index 86117f2..f8cfc3b 100644
--- libsepol-2.7/cil/include/cil/cil.h
+++ libsepol-2.7/cil/include/cil/cil.h
@@ -50,6 +50,7 @@ extern int cil_userprefixes_to_string(cil_db_t *db, char **out, size_t *size);
 extern int cil_selinuxusers_to_string(cil_db_t *db, char **out, size_t *size);
 extern int cil_filecons_to_string(cil_db_t *db, char **out, size_t *size);
 extern void cil_set_disable_dontaudit(cil_db_t *db, int disable_dontaudit);
+extern void cil_set_multiple_decls(cil_db_t *db, int multiple_decls);
 extern void cil_set_disable_neverallow(cil_db_t *db, int disable_neverallow);
 extern void cil_set_preserve_tunables(cil_db_t *db, int preserve_tunables);
 extern int cil_set_handle_unknown(cil_db_t *db, int handle_unknown);
diff --git libsepol-2.7/cil/src/cil.c libsepol-2.7/cil/src/cil.c
index c02a41a..3fe68af 100644
--- libsepol-2.7/cil/src/cil.c
+++ libsepol-2.7/cil/src/cil.c
@@ -1691,6 +1691,11 @@ void cil_set_mls(struct cil_db *db, int mls)
 db->mls = mls;
 }
 
+void cil_set_multiple_decls(struct cil_db *db, int multiple_decls)
+{
+ db->multiple_decls = multiple_decls;
+}
+
 void cil_set_target_platform(struct cil_db *db, int target_platform)
 {
 db->target_platform = target_platform;
diff --git libsepol-2.7/cil/src/cil_build_ast.c libsepol-2.7/cil/src/cil_build_ast.c
index 04492e5..e84336b 100644
--- libsepol-2.7/cil/src/cil_build_ast.c
+++ libsepol-2.7/cil/src/cil_build_ast.c
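Review bot: The new public setter cil_set_multiple_decls in cil.h, and its definition in cil.c, carry no comment saying what a "multiple declaration" is or which statement kinds the switch covers, which matters because enabling it changes what the compiler accepts as valid policy. From the rest of this diff the relaxation applies only to type and typeattribute declarations, so I'd put that above the declaration in cil.h: `/* When non-zero, a type or typeattribute may be declared more than once under the same name; the declarations share one datum. Other re-declarations remain errors. */`. The default value of db->multiple_decls is set outside these hunks and is worth stating in the same comment.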
@@ -82,10 +82,33 @@ exit:
 return rc;
 }
 
-int cil_gen_node(__attribute__((unused)) struct cil_db *db, struct cil_tree_node *ast_node, struct cil_symtab_datum *datum, hashtab_key_t key, enum cil_sym_index sflavor, enum cil_flavor nflavor)
+/*
+ * Determine whether or not multiple declarations of the same key can share a
+ * datum, given the new datum and the one already present in a given symtab.
+ */
+int cil_is_datum_multiple_decl(__attribute__((unused)) struct cil_symtab_datum *cur,
+ __attribute__((unused)) struct cil_symtab_datum *old,
+ enum cil_flavor f)
+{
+ int rc = CIL_FALSE;
+
+ switch (f) {
+ case CIL_TYPE:
+ case CIL_TYPEATTRIBUTE:
+ /* type and typeattribute statements insert empty datums, ret true */
+ rc = CIL_TRUE;
+ break;
+ default:
+ break;
+ }
+ return rc;
+}
+
+int cil_gen_node(struct cil_db *db, struct cil_tree_node *ast_node, struct cil_symtab_datum *datum, hashtab_key_t key, enum cil_sym_index sflavor, enum cil_flavor nflavor)
 {
 int rc = SEPOL_ERR;
 symtab_t *symtab = NULL;
+ struct cil_symtab_datum *prev;
 
 rc = __cil_verify_name((const char*)key);
 if (rc != SEPOL_OK) {
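Review bot: cil_is_datum_multiple_decl ignores both cur and old and decides purely on f, the flavor of the new declaration, so the call site in the next cil_gen_node hunk never checks that the existing entry under that key is of the same kind. Types and typeattributes share one symtab in CIL as far as I recall, so with multiple_decls enabled a `(typeattribute foo)` following a `(type foo)` would be attached to the type's datum, and later passes would read node->data through the wrong struct. I'd compare flavors before the switch, `if (NODE(old)->flavor != f) { return CIL_FALSE; }`, and drop the unused attribute from old; old came out of the symtab and so has at least one node to read. cil_gen_node's body continues past the end of this hunk.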
@@ -103,15 +126,26 @@ int cil_gen_node(__attribute__((unused)) struct cil_db *db, struct cil_tree_node
 if (symtab != NULL) {
 rc = cil_symtab_insert(symtab, (hashtab_key_t)key, datum, ast_node);
 if (rc == SEPOL_EEXIST) {
- cil_log(CIL_ERR, "Re-declaration of %s %s\n",
- cil_node_to_string(ast_node), key);
- if (cil_symtab_get_datum(symtab, key, &datum) == SEPOL_OK) {
- if (sflavor == CIL_SYM_BLOCKS) {
- struct cil_tree_node *node = datum->nodes->head->data;
- cil_tree_log(node, CIL_ERR, "Previous declaration");
+ if (!db->multiple_decls ||
+ cil_symtab_get_datum(symtab, (hashtab_key_t)key, &prev) != SEPOL_OK ||
+ !cil_is_datum_multiple_decl(datum, prev, nflavor)) {
+
+ /* multiple_decls not ok, ret error */
+ cil_log(CIL_ERR, "Re-declaration of %s %s\n",
+ cil_node_to_string(ast_node), key);
+ if (cil_symtab_get_datum(symtab, key, &datum) == SEPOL_OK) {
+ if (sflavor == CIL_SYM_BLOCKS) {
+ struct cil_tree_node *node = datum->nodes->head->data;
+ cil_tree_log(node, CIL_ERR, "Previous declaration");
+ }
 }
+ goto exit;
 }
- goto exit;
+ /* multiple_decls is enabled and works for this datum type, add node */
+ cil_list_append(prev->nodes, CIL_NODE, ast_node);
+ ast_node->data = prev;
+ cil_symtab_datum_destroy(datum);
+ free(datum);
 }
 }
 
diff --git libsepol-2.7/cil/src/cil_internal.h libsepol-2.7/cil/src/cil_internal.h
index 6d6a7d9..136a004 100644
--- libsepol-2.7/cil/src/cil_internal.h
+++ libsepol-2.7/cil/src/cil_internal.h
@@ -316,6 +316,7 @@ struct cil_db {
 int preserve_tunables;
 int handle_unknown;
 int mls;
+ int multiple_decls;
 int target_platform;
 int policy_version;
 };
diff --git libsepol-2.7/cil/src/cil_policy.c libsepol-2.7/cil/src/cil_policy.c
index 729b6e0..6d4987c 100644
--- libsepol-2.7/cil/src/cil_policy.c
+++ libsepol-2.7/cil/src/cil_policy.c
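Review bot: On the new merge path cil_gen_node destroys and frees the datum its caller handed in and points ast_node->data at prev instead, so a successful return no longer guarantees the caller's datum pointer is live, and nothing in the hunk or in the function's header says so. I'd state the new contract above the function: `/* On SEPOL_OK with db->multiple_decls set, datum may have been freed and replaced by the existing entry; use ast_node->data, never datum, after this call. */`. Whether any present caller touches its datum after a successful return, and the function's return path, are both outside this hunk. The free(datum) also relies on the symtab datum being the first member of the caller's enclosing struct; a one-line comment saying so would keep a future struct reordering from silently breaking it.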
@@ -775,7 +775,7 @@ static void cil_classes_to_policy(FILE *out, struct cil_list *classorder)
 }
 }
 
-static void cil_defaults_to_policy(FILE *out, struct cil_list *defaults, char *kind)
+static void cil_defaults_to_policy(FILE *out, struct cil_list *defaults, const char *kind)
 {
 struct cil_list_item *i1, *i2, *i3;
 struct cil_default *def;
diff --git libsepol-2.7/cil/src/cil_post.c libsepol-2.7/cil/src/cil_post.c
index ad073e8..3e013c9 100644
--- libsepol-2.7/cil/src/cil_post.c
+++ libsepol-2.7/cil/src/cil_post.c
@@ -1297,6 +1297,55 @@ static int cil_typeattribute_used(struct cil_typeattribute *attr, struct cil_db
 return CIL_TRUE;
 }
 
+static void __mark_neverallow_attrs(struct cil_list *expr_list)
+{
+ struct cil_list_item *curr;
+
+ cil_list_for_each(curr, expr_list) {
+ if (curr->flavor == CIL_DATUM) {
+ if (NODE(curr->data)->flavor == CIL_TYPEATTRIBUTE) {
+ struct cil_typeattribute *attr = curr->data;
+ if (strstr(DATUM(attr)->name, TYPEATTR_INFIX)) {
+ __mark_neverallow_attrs(attr->expr_list);
+ } else {
+ attr->used |= CIL_ATTR_NEVERALLOW;
+ }
+ }
+ } else if (curr->flavor == CIL_LIST) {
+ __mark_neverallow_attrs(curr->data);
+ }
+ }
+}
+
+static int __cil_post_db_neverallow_attr_helper(struct cil_tree_node *node, uint32_t *finished, __attribute__((unused)) void *extra_args)
+{
+ switch (node->flavor) {
+ case CIL_BLOCK: {
+ struct cil_block *blk = node->data;
+ if (blk->is_abstract == CIL_TRUE) {
+ *finished = CIL_TREE_SKIP_HEAD;
+ }
+ break;
+ }
+ case CIL_MACRO: {
+ *finished = CIL_TREE_SKIP_HEAD;
+ break;
+ }
+ case CIL_TYPEATTRIBUTE: {
+ struct cil_typeattribute *attr = node->data;
+ if ((attr->used & CIL_ATTR_NEVERALLOW) &&
+ strstr(DATUM(attr)->name, TYPEATTR_INFIX)) {
+ __mark_neverallow_attrs(attr->expr_list);
+ }
+ break;
+ }
+ default:
+ break;
+ }
+
+ return SEPOL_OK;
+}
+
 static int __cil_post_db_attr_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args)
 {
 int rc = SEPOL_ERR;
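Review bot: Both new helpers in cil_post.c decide that an attribute is compiler-generated with `strstr(DATUM(attr)->name, TYPEATTR_INFIX)`, which also matches a policy-authored attribute whose name merely contains that infix; in __mark_neverallow_attrs such an attribute is recursed into instead of getting CIL_ATTR_NEVERALLOW set, and I cannot tell from this hunk whether name validation elsewhere rules that out. If generated names have a fixed shape, an anchored comparison or a flag set where the attribute is generated would be more robust than a substring search. Separately, a header comment on __mark_neverallow_attrs would explain the recursion, e.g. `/* Propagate the neverallow mark through generated attributes down to the policy-authored attributes they are built from, so attribute expansion keeps them. */`; the expr_list shape it walks (datums and nested lists) is inferred from the two flavor checks, so that part of the comment should be confirmed against the list builder.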
@@ -2031,6 +2080,12 @@ static int cil_post_db(struct cil_db *db)
 goto exit;
 }
 
+ rc = cil_tree_walk(db->ast->root, __cil_post_db_neverallow_attr_helper, NULL, NULL, db);
+ if (rc != SEPOL_OK) {
+ cil_log(CIL_INFO, "Failed to mark attributes used by generated attributes used in neverallow rules\n");
+ goto exit;
+ }
+
 rc = cil_tree_walk(db->ast->root, __cil_post_db_attr_helper, NULL, NULL, db);
 if (rc != SEPOL_OK) {
 cil_log(CIL_INFO, "Failed to create attribute bitmaps\n");
diff --git libsepol-2.7/cil/src/cil_strpool.c libsepol-2.7/cil/src/cil_strpool.c
index b1396d2..97d4c4b 100644
--- libsepol-2.7/cil/src/cil_strpool.c
+++ libsepol-2.7/cil/src/cil_strpool.c
@@ -119,6 +119,7 @@ void cil_strpool_destroy(void)
 if (cil_strpool_readers == 0) {
 hashtab_map(cil_strpool_tab, cil_strpool_entry_destroy, NULL);
 hashtab_destroy(cil_strpool_tab);
+ cil_strpool_tab = NULL;
 }
 pthread_mutex_unlock(&cil_strpool_mutex);
 }
diff --git libsepol-2.7/include/sepol/policydb/avtab.h libsepol-2.7/include/sepol/policydb/avtab.h
index 958848e..10ecde9 100644
--- libsepol-2.7/include/sepol/policydb/avtab.h
+++ libsepol-2.7/include/sepol/policydb/avtab.h
@@ -1,5 +1,5 @@
-/* Author : Stephen Smalley, */
+/* Author : Stephen Smalley, */
 
 /*
 * Updated: Yuichi Nakamura
diff --git libsepol-2.7/include/sepol/policydb/constraint.h libsepol-2.7/include/sepol/policydb/constraint.h
index 927bdc0..b91fc4e 100644
--- libsepol-2.7/include/sepol/policydb/constraint.h
+++ libsepol-2.7/include/sepol/policydb/constraint.h
@@ -1,4 +1,4 @@
-/* Author : Stephen Smalley, */
+/* Author : Stephen Smalley, */
 
 /* FLASK */
 
diff --git libsepol-2.7/include/sepol/policydb/context.h libsepol-2.7/include/sepol/policydb/context.h
index 2eaa686..c27c334 100644
--- libsepol-2.7/include/sepol/policydb/context.h
+++ libsepol-2.7/include/sepol/policydb/context.h
@@ -1,4 +1,4 @@
-/* Author : Stephen Smalley, */
+/* Author : Stephen Smalley, */
 
 /* FLASK */
 
diff --git libsepol-2.7/include/sepol/policydb/ebitmap.h libsepol-2.7/include/sepol/policydb/ebitmap.h index e90371e..94fb7ef 100644 --- libsepol-2.7/include/sepol/policydb/ebitmap.h +++ libsepol-2.7/include/sepol/policydb/ebitmap.h @@ -1,4 +1,4 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* FLASK */ diff --git libsepol-2.7/include/sepol/policydb/flask_types.h libsepol-2.7/include/sepol/policydb/flask_types.h index e01669c..714176f 100644 --- libsepol-2.7/include/sepol/policydb/flask_types.h +++ libsepol-2.7/include/sepol/policydb/flask_types.h @@ -1,7 +1,7 @@ /* -*- linux-c -*- */ /* - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ #ifndef _SEPOL_POLICYDB_FLASK_TYPES_H_ diff --git libsepol-2.7/include/sepol/policydb/hashtab.h libsepol-2.7/include/sepol/policydb/hashtab.h index ae5674a..ef1bb67 100644 --- libsepol-2.7/include/sepol/policydb/hashtab.h +++ libsepol-2.7/include/sepol/policydb/hashtab.h @@ -1,4 +1,4 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* FLASK */ diff --git libsepol-2.7/include/sepol/policydb/mls_types.h libsepol-2.7/include/sepol/policydb/mls_types.h index 568386c..a06723b 100644 --- libsepol-2.7/include/sepol/policydb/mls_types.h +++ libsepol-2.7/include/sepol/policydb/mls_types.h @@ -1,4 +1,4 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* * Updated: Trusted Computer Solutions, Inc. * diff --git libsepol-2.7/include/sepol/policydb/policydb.h libsepol-2.7/include/sepol/policydb/policydb.h index 1b2d782..f8626ef 100644 --- libsepol-2.7/include/sepol/policydb/policydb.h +++ libsepol-2.7/include/sepol/policydb/policydb.h @@ -1,4 +1,4 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* * Updated: Joshua Brindle 
diff --git libsepol-2.7/include/sepol/policydb/services.h libsepol-2.7/include/sepol/policydb/services.h index efdf7de..6ef27a8 100644 --- libsepol-2.7/include/sepol/policydb/services.h +++ libsepol-2.7/include/sepol/policydb/services.h @@ -2,7 +2,7 @@ /* -*- linux-c -*- */ /* - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ #ifndef _SEPOL_POLICYDB_SERVICES_H_ diff --git libsepol-2.7/include/sepol/policydb/sidtab.h libsepol-2.7/include/sepol/policydb/sidtab.h index 2df1a50..893e6f0 100644 --- libsepol-2.7/include/sepol/policydb/sidtab.h +++ libsepol-2.7/include/sepol/policydb/sidtab.h @@ -1,4 +1,4 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* FLASK */ diff --git libsepol-2.7/include/sepol/policydb/symtab.h libsepol-2.7/include/sepol/policydb/symtab.h index 68b5ad4..8b9ddca 100644 --- libsepol-2.7/include/sepol/policydb/symtab.h +++ libsepol-2.7/include/sepol/policydb/symtab.h @@ -1,5 +1,5 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* FLASK */ diff --git libsepol-2.7/man/man3/sepol_genbools.3 libsepol-2.7/man/man3/sepol_genbools.3 index dcfb69d..5363383 100644 --- libsepol-2.7/man/man3/sepol_genbools.3 +++ libsepol-2.7/man/man3/sepol_genbools.3 @@ -1,4 +1,4 @@ -.TH "sepol_genbools" "3" "11 August 2004" "sds@epoch.ncsc.mil" "SE Linux binary policy API documentation" +.TH "sepol_genbools" "3" "11 August 2004" "sds@tycho.nsa.gov" "SE Linux binary policy API documentation" .SH "NAME" sepol_genbools \- Rewrite a binary policy with different boolean settings .SH "SYNOPSIS" diff --git libsepol-2.7/man/man8/genpolbools.8 libsepol-2.7/man/man8/genpolbools.8 index afeaced..fc792c8 100644 --- libsepol-2.7/man/man8/genpolbools.8 +++ libsepol-2.7/man/man8/genpolbools.8 
@@ -1,4 +1,4 @@ -.TH "genpolbools" "8" "11 August 2004" "sds@epoch.ncsc.mil" "SELinux Command Line documentation" +.TH "genpolbools" "8" "11 August 2004" "sds@tycho.nsa.gov" "SELinux Command Line documentation" .SH "NAME" genpolbools \- Rewrite a binary policy with different boolean settings .SH "SYNOPSIS" diff --git libsepol-2.7/src/avtab.c libsepol-2.7/src/avtab.c index 3854d6f..257f051 100644 --- libsepol-2.7/src/avtab.c +++ libsepol-2.7/src/avtab.c @@ -1,5 +1,5 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* * Updated: Yuichi Nakamura diff --git libsepol-2.7/src/booleans.c libsepol-2.7/src/booleans.c index c914a28..30fcf29 100644 --- libsepol-2.7/src/booleans.c +++ libsepol-2.7/src/booleans.c @@ -155,6 +155,7 @@ int sepol_bool_query(sepol_handle_t * handle, booldatum = hashtab_search(policydb->p_bools.table, name); if (!booldatum) { *response = NULL; + free(name); return STATUS_SUCCESS; } diff --git libsepol-2.7/src/ebitmap.c libsepol-2.7/src/ebitmap.c index 218adc2..76e6e41 100644 --- libsepol-2.7/src/ebitmap.c +++ libsepol-2.7/src/ebitmap.c @@ -1,5 +1,5 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* FLASK */ diff --git libsepol-2.7/src/hashtab.c libsepol-2.7/src/hashtab.c index ec49c15..f5407ab 100644 --- libsepol-2.7/src/hashtab.c +++ libsepol-2.7/src/hashtab.c @@ -1,5 +1,5 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* * Updated : Karl MacMillan diff --git libsepol-2.7/src/kernel_to_cil.c libsepol-2.7/src/kernel_to_cil.c index f1905a9..0055c23 100644 --- libsepol-2.7/src/kernel_to_cil.c +++ libsepol-2.7/src/kernel_to_cil.c @@ -2788,7 +2788,7 @@ static int write_selinux_ibpkey_rules_to_cil(FILE *out, struct policydb *pdb) { struct ocontext *ibpkeycon; char subnet_prefix_str[INET6_ADDRSTRLEN]; - struct in6_addr subnet_prefix = {0}; + struct in6_addr subnet_prefix = IN6ADDR_ANY_INIT; uint16_t low; uint16_t high; char low_high_str[44]; /* 2^64 <= 20 digits so "(low high)" <= 44 chars */ 
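Review bot: The added free(name) in sepol_bool_query closes the leak on the not-found return, but whether name is heap-allocated and whether the function's remaining exit paths (the success path and any error path, all outside this hunk) release it as well is not visible here, so the function is worth a pass to confirm it now has one consistent ownership story, ideally a single cleanup label rather than a free per return. If name is needed only for the hashtab_search on the preceding line, freeing it immediately after the lookup and before the branch would remove the need for special handling on either path.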
diff --git libsepol-2.7/src/kernel_to_conf.c libsepol-2.7/src/kernel_to_conf.c index a74873f..95aa92f 100644 --- libsepol-2.7/src/kernel_to_conf.c +++ libsepol-2.7/src/kernel_to_conf.c @@ -2649,7 +2649,7 @@ static int write_selinux_ibpkey_rules_to_conf(FILE *out, struct policydb *pdb) { struct ocontext *ibpkeycon; char subnet_prefix_str[INET6_ADDRSTRLEN]; - struct in6_addr subnet_prefix = {0}; + struct in6_addr subnet_prefix = IN6ADDR_ANY_INIT; uint16_t low; uint16_t high; char low_high_str[44]; /* 2^64 <= 20 digits so "low-high" <= 44 chars */ diff --git libsepol-2.7/src/libsepol.map.in libsepol-2.7/src/libsepol.map.in index dd1fec2..2a9996f 100644 --- libsepol-2.7/src/libsepol.map.in +++ libsepol-2.7/src/libsepol.map.in @@ -49,6 +49,7 @@ LIBSEPOL_1.1 { cil_set_mls; cil_set_attrs_expand_generated; cil_set_attrs_expand_size; + cil_set_multiple_decls; cil_write_policy_conf; sepol_ppfile_to_module_package; sepol_module_package_to_cil; diff --git libsepol-2.7/src/mls.c libsepol-2.7/src/mls.c index be85475..bf1fdbd 100644 --- libsepol-2.7/src/mls.c +++ libsepol-2.7/src/mls.c @@ -1,4 +1,4 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* * Updated: Trusted Computer Solutions, Inc. * diff --git libsepol-2.7/src/mls.h libsepol-2.7/src/mls.h index 98da3d3..5ca3cd5 100644 --- libsepol-2.7/src/mls.h +++ libsepol-2.7/src/mls.h @@ -1,4 +1,4 @@ -/* Author: Stephen Smalley, +/* Author: Stephen Smalley, * Updated: Trusted Computer Solutions, Inc. * * Support for enhanced MLS infrastructure. diff --git libsepol-2.7/src/module_to_cil.c libsepol-2.7/src/module_to_cil.c index 619a48f..15b58a7 100644 --- libsepol-2.7/src/module_to_cil.c +++ libsepol-2.7/src/module_to_cil.c @@ -2687,7 +2687,7 @@ static int ocontext_selinux_ibpkey_to_cil(struct policydb *pdb, int rc = -1; struct ocontext *ibpkeycon; char subnet_prefix_str[INET6_ADDRSTRLEN]; - struct in6_addr subnet_prefix = {0}; + struct in6_addr subnet_prefix = IN6ADDR_ANY_INIT; uint16_t high; uint16_t low; 
diff --git libsepol-2.7/src/policydb.c libsepol-2.7/src/policydb.c index 691101e..c752123 100644 --- libsepol-2.7/src/policydb.c +++ libsepol-2.7/src/policydb.c @@ -1,5 +1,5 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* * Updated: Trusted Computer Solutions, Inc. @@ -1420,6 +1420,8 @@ void ocontext_selinux_free(ocontext_t **ocontexts) if (i == OCON_ISID || i == OCON_FS || i == OCON_NETIF || i == OCON_FSUSE) free(ctmp->u.name); + else if (i == OCON_IBENDPORT) + free(ctmp->u.ibendport.dev_name); free(ctmp); } } diff --git libsepol-2.7/src/services.c libsepol-2.7/src/services.c index 10338a6..d40793e 100644 --- libsepol-2.7/src/services.c +++ libsepol-2.7/src/services.c @@ -1,6 +1,6 @@ /* - * Author : Stephen Smalley, + * Author : Stephen Smalley, */ /* * Updated: Trusted Computer Solutions, Inc. diff --git libsepol-2.7/src/sidtab.c libsepol-2.7/src/sidtab.c index 5bd7999..23b2e8f 100644 --- libsepol-2.7/src/sidtab.c +++ libsepol-2.7/src/sidtab.c @@ -1,5 +1,5 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* FLASK */ diff --git libsepol-2.7/src/symtab.c libsepol-2.7/src/symtab.c index c1e625d..9a417ca 100644 --- libsepol-2.7/src/symtab.c +++ libsepol-2.7/src/symtab.c @@ -1,5 +1,5 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* FLASK */ diff --git libsepol-2.7/src/write.c libsepol-2.7/src/write.c index e486e28..1fb3095 100644 --- libsepol-2.7/src/write.c +++ libsepol-2.7/src/write.c @@ -1,5 +1,5 @@ -/* Author : Stephen Smalley, */ +/* Author : Stephen Smalley, */ /* * Updated: Trusted Computer Solutions, Inc.