diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index f53a499..0165eed 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -116,6 +116,7 @@ typedef struct class_datum { #define DEFAULT_TARGET 2 char default_user; char default_role; + char default_type; /* Options how a new object range should be decided */ #define DEFAULT_SOURCE_LOW 1 #define DEFAULT_SOURCE_HIGH 2 @@ -681,10 +682,12 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); #define POLICYDB_VERSION_FILENAME_TRANS 25 #define POLICYDB_VERSION_ROLETRANS 26 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 27 +#define POLICYDB_VERSION_DEFAULT_TYPE 28 +#define POLICYDB_VERSION_CONSTRAINT_NAMES 29 /* Range of policy versions we understand*/ #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_NEW_OBJECT_DEFAULTS +#define POLICYDB_VERSION_MAX POLICYDB_VERSION_CONSTRAINT_NAMES /* Module versions and specific changes*/ #define MOD_POLICYDB_VERSION_BASE 4 @@ -701,9 +704,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); #define MOD_POLICYDB_VERSION_ROLEATTRIB 13 #define MOD_POLICYDB_VERSION_TUNABLE_SEP 14 #define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS 15 +#define MOD_POLICYDB_VERSION_DEFAULT_TYPE 16 +#define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES 17 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE -#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS +#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_CONSTRAINT_NAMES #define POLICYDB_CONFIG_MLS 1 diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h index aef0c7b..1969a10 100644 --- a/libsepol/include/sepol/policydb/services.h +++ b/libsepol/include/sepol/policydb/services.h @@ -58,6 +58,38 @@ extern int sepol_compute_av_reason(sepol_security_id_t ssid, struct sepol_av_decision *avd, unsigned int *reason); +/* + * Same as above, but also returns the constraint expression calculations + * whether allowed or denied in a buffer. This buffer is allocated by + * this call and must be free'd by the caller using free(3). The contraint + * buffer will contain any constraints in infix notation. + * If the SHOW_GRANTED flag is set it will show granted and denied + * constraints. The default is to show only denied constraints. + */ +#define SHOW_GRANTED 1 +extern int sepol_compute_av_reason_buffer(sepol_security_id_t ssid, + sepol_security_id_t tsid, + sepol_security_class_t tclass, + sepol_access_vector_t requested, + struct sepol_av_decision *avd, + unsigned int *reason, + char **reason_buf, + unsigned int flags); +/* + * Return a class ID associated with the class string representation + * specified by `class_name'. + */ +extern int sepol_class_name_to_id(const char *class_name, + sepol_security_class_t *tclass); + +/* + * Return a permission av bit associated with tclass and the string + * representation of the `perm_name'. + */ +extern int sepol_perm_name_to_av(sepol_security_class_t tclass, + const char *perm_name, + sepol_access_vector_t *av); + /* * Compute a SID to use for labeling a new object in the * class `tclass' based on a SID pair. diff --git a/libsepol/src/avrule_block.c b/libsepol/src/avrule_block.c index 16c89f3..84cfaf8 100644 --- a/libsepol/src/avrule_block.c +++ b/libsepol/src/avrule_block.c @@ -61,7 +61,6 @@ avrule_decl_t *avrule_decl_create(uint32_t decl_id) for (i = 0; i < SYM_NUM; i++) { if (symtab_init(&decl->symtab[i], symtab_sizes[i])) { avrule_decl_destroy(decl); - free(decl); return NULL; } } diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 2003eb6..0ca8448 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -49,6 +49,82 @@ typedef struct expand_state { int expand_neverallow; } expand_state_t; +struct linear_probe { + filename_trans_t **table; /* filename_trans chunks with same stype */ + filename_trans_t **ends; /* pointers to ends of **table chunks */ + uint32_t length; /* length of the table */ +}; + +static int linear_probe_create(struct linear_probe *probe, uint32_t length) +{ + probe->table = calloc(length, sizeof(*probe->table)); + if (probe->table == NULL) + return -1; + + probe->ends = calloc(length, sizeof(*probe->ends)); + if (probe->ends == NULL) + return -1; + + probe->length = length; + + return 0; +} + +static void linear_probe_destroy(struct linear_probe *probe) +{ + if (probe->length == 0) + return; + + free(probe->table); + free(probe->ends); + memset(probe, 0, sizeof(*probe)); +} + +static void linear_probe_insert(struct linear_probe *probe, uint32_t key, + filename_trans_t *data) +{ + assert(probe->length > key); + + if (probe->table[key] != NULL) { + data->next = probe->table[key]; + probe->table[key] = data; + } else { + probe->table[key] = probe->ends[key] = data; + } +} + +static filename_trans_t *linear_probe_find(struct linear_probe *probe, uint32_t key) +{ + assert(probe->length > key); + + return probe->table[key]; +} + +/* Returns all chunks stored in the *probe as single-linked list */ +static filename_trans_t *linear_probe_dump(struct linear_probe *probe, + filename_trans_t **endp) +{ + uint32_t i; + filename_trans_t *result = NULL; + filename_trans_t *end = NULL; + + for (i = 0; i < probe->length; i++) { + if (probe->table[i] != NULL) { + if (end == NULL) + end = probe->ends[i]; + probe->ends[i]->next = result; + result = probe->table[i]; + probe->table[i] = probe->ends[i] = NULL; + } + } + + /* Incoherent result and end pointers indicates bug */ + assert((result != NULL && end != NULL) || (result == NULL && end == NULL)); + + *endp = end; + return result; +} + static void expand_state_init(expand_state_t * state) { memset(state, 0, sizeof(expand_state_t)); @@ -306,6 +382,17 @@ static int constraint_node_clone(constraint_node_t ** dst, new_expr->op = expr->op; if (new_expr->expr_type == CEXPR_NAMES) { if (new_expr->attr & CEXPR_TYPE) { + /* + * Copy over constraint policy source types and/or + * attributes for sepol_compute_av_reason_buffer(3) so that + * utilities can analyse constraint errors. + */ + if (map_ebitmap(&expr->type_names->types, + &new_expr->type_names->types, + state->typemap)) { + ERR(NULL, "Failed to map type_names->types"); + goto out_of_mem; + } /* Type sets require expansion and conversion. */ if (expand_convert_type_set(state->out, state-> @@ -377,6 +464,13 @@ static int class_copy_default_new_object(expand_state_t *state, } newdatum->default_role = olddatum->default_role; } + if (olddatum->default_type) { + if (newdatum->default_type && olddatum->default_type != newdatum->default_type) { + ERR(state->handle, "Found conflicting default type definitions"); + return SEPOL_ENOTSUP; + } + newdatum->default_type = olddatum->default_type; + } if (olddatum->default_range) { if (newdatum->default_range && olddatum->default_range != newdatum->default_range) { ERR(state->handle, "Found conflicting default range definitions"); @@ -812,6 +906,7 @@ static int role_copy_callback(hashtab_key_t key, hashtab_datum_t datum, new_id = strdup(id); if (!new_id) { ERR(state->handle, "Out of memory!"); + free(new_role); return -1; } @@ -877,9 +972,13 @@ int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l, l->sens = sl->sens; levdatum = (level_datum_t *) hashtab_search(p->p_levels.table, - p->p_sens_val_to_name[l-> - sens - - 1]); + p->p_sens_val_to_name[l->sens - 1]); + if (!levdatum) { + ERR(h, "%s: Impossible situation found, nothing in p_levels.table.\n", + __func__); + errno = ENOENT; + return -1; + } for (cat = sl->cat; cat; cat = cat->next) { if (cat->low > cat->high) { ERR(h, "Category range is not valid %s.%s", @@ -963,6 +1062,7 @@ static int user_copy_callback(hashtab_key_t key, hashtab_datum_t datum, new_id = strdup(id); if (!new_id) { ERR(state->handle, "Out of memory!"); + free(new_user); return -1; } ret = hashtab_insert(state->out->p_users.table, @@ -1357,10 +1457,20 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules) static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules) { unsigned int i, j; - filename_trans_t *new_trans, *cur_trans; + filename_trans_t *new_trans, *cur_trans, *end; filename_trans_rule_t *cur_rule; ebitmap_t stypes, ttypes; ebitmap_node_t *snode, *tnode; + struct linear_probe probe; + + /* + * Linear probing speeds-up finding filename_trans rules with certain + * "stype" value. + */ + if (linear_probe_create(&probe, 4096)) { /* Assume 4096 is enough for most cases */ + ERR(state->handle, "Out of memory!"); + return -1; + } cur_rule = rules; while (cur_rule) { @@ -1383,6 +1493,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r mapped_otype = state->typemap[cur_rule->otype - 1]; + if (ebitmap_length(&stypes) > probe.length) { + linear_probe_destroy(&probe); + if (linear_probe_create(&probe, ebitmap_length(&stypes))) { + ERR(state->handle, "Out of memory!"); + return -1; + } + } + ebitmap_for_each_bit(&stypes, snode, i) { if (!ebitmap_node_get_bit(snode, i)) continue; @@ -1390,16 +1508,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r if (!ebitmap_node_get_bit(tnode, j)) continue; - cur_trans = state->out->filename_trans; - while (cur_trans) { - if ((cur_trans->stype == i + 1) && - (cur_trans->ttype == j + 1) && + cur_trans = linear_probe_find(&probe, i); + while (cur_trans != NULL) { + if ((cur_trans->ttype == j + 1) && (cur_trans->tclass == cur_rule->tclass) && (!strcmp(cur_trans->name, cur_rule->name))) { /* duplicate rule, who cares */ if (cur_trans->otype == mapped_otype) break; - ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s", cur_trans->name, state->out->p_type_val_to_name[i], @@ -1407,7 +1523,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r state->out->p_class_val_to_name[cur_trans->tclass - 1], state->out->p_type_val_to_name[cur_trans->otype - 1], state->out->p_type_val_to_name[mapped_otype - 1]); - + return -1; } cur_trans = cur_trans->next; @@ -1422,8 +1538,6 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r return -1; } memset(new_trans, 0, sizeof(*new_trans)); - new_trans->next = state->out->filename_trans; - state->out->filename_trans = new_trans; new_trans->name = strdup(cur_rule->name); if (!new_trans->name) { @@ -1434,9 +1548,16 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r new_trans->ttype = j + 1; new_trans->tclass = cur_rule->tclass; new_trans->otype = mapped_otype; + linear_probe_insert(&probe, i, new_trans); } } + cur_trans = linear_probe_dump(&probe, &end); + if (cur_trans != NULL) { + end->next = state->out->filename_trans; + state->out->filename_trans = cur_trans; + } + ebitmap_destroy(&stypes); ebitmap_destroy(&ttypes); @@ -1981,6 +2102,8 @@ static int cond_node_copy(expand_state_t * state, cond_node_t * cn) } if (cond_node_map_bools(state, tmp)) { + cond_node_destroy(tmp); + free(tmp); ERR(state->handle, "Error mapping booleans"); return -1; } @@ -2037,14 +2160,13 @@ static int ocontext_copy_xen(expand_state_t *state) else state->out->ocontexts[i] = n; l = n; + if (context_copy(&n->context[0], &c->context[0], + state)) { + ERR(state->handle, "Out of memory!"); + return -1; + } switch (i) { case OCON_XEN_ISID: - if (c->context[0].user == 0) { - ERR(state->handle, - "Missing context for %s initial sid", - c->u.name); - return -1; - } n->sid[0] = c->sid[0]; break; case OCON_XEN_PIRQ: @@ -2067,11 +2189,6 @@ static int ocontext_copy_xen(expand_state_t *state) ERR(state->handle, "Unknown ocontext"); return -1; } - if (context_copy(&n->context[0], &c->context[0], - state)) { - ERR(state->handle, "Out of memory!"); - return -1; - } } } return 0; @@ -2096,14 +2213,12 @@ static int ocontext_copy_selinux(expand_state_t *state) else state->out->ocontexts[i] = n; l = n; + if (context_copy(&n->context[0], &c->context[0], state)) { + ERR(state->handle, "Out of memory!"); + return -1; + } switch (i) { case OCON_ISID: - if (c->context[0].user == 0) { - ERR(state->handle, - "Missing context for %s initial sid", - c->u.name); - return -1; - } n->sid[0] = c->sid[0]; break; case OCON_FS: /* FALLTHROUGH */ @@ -2147,10 +2262,6 @@ static int ocontext_copy_selinux(expand_state_t *state) ERR(state->handle, "Unknown ocontext"); return -1; } - if (context_copy(&n->context[0], &c->context[0], state)) { - ERR(state->handle, "Out of memory!"); - return -1; - } } } return 0; @@ -2188,9 +2299,15 @@ static int genfs_copy(expand_state_t * state) memset(newgenfs, 0, sizeof(genfs_t)); newgenfs->fstype = strdup(genfs->fstype); if (!newgenfs->fstype) { + free(newgenfs); ERR(state->handle, "Out of memory!"); return -1; } + if (!end) + state->out->genfs = newgenfs; + else + end->next = newgenfs; + end = newgenfs; l = NULL; for (c = genfs->head; c; c = c->next) { @@ -2203,6 +2320,7 @@ static int genfs_copy(expand_state_t * state) newc->u.name = strdup(c->u.name); if (!newc->u.name) { ERR(state->handle, "Out of memory!"); + free(newc); return -1; } newc->v.sclass = c->v.sclass; @@ -2213,12 +2331,6 @@ static int genfs_copy(expand_state_t * state) newgenfs->head = newc; l = newc; } - if (!end) { - state->out->genfs = newgenfs; - } else { - end->next = newgenfs; - } - end = newgenfs; } return 0; } @@ -3009,7 +3121,8 @@ int expand_module(sepol_handle_t * handle, } cond_optimize_lists(state.out->cond_list); - evaluate_conds(state.out); + if (evaluate_conds(state.out)) + goto cleanup; /* copy ocontexts */ if (ocontext_copy(&state, out->target_platform)) diff --git a/libsepol/src/genbools.c b/libsepol/src/genbools.c index 612ff9a..6a06ec9 100644 --- a/libsepol/src/genbools.c +++ b/libsepol/src/genbools.c @@ -33,7 +33,7 @@ static char *strtrim(char *dest, char *source, int size) static int process_boolean(char *buffer, char *name, int namesize, int *val) { char name1[BUFSIZ]; - char *ptr; + char *ptr = NULL; char *tok = strtok_r(buffer, "=", &ptr); if (tok) { strncpy(name1, tok, BUFSIZ - 1); diff --git a/libsepol/src/genusers.c b/libsepol/src/genusers.c index 37528e2..7826b71 100644 --- a/libsepol/src/genusers.c +++ b/libsepol/src/genusers.c @@ -92,22 +92,32 @@ static int load_users(struct policydb *policydb, const char *path) } else { char *id = strdup(q); + if (!id) { + ERR(NULL, "out of memory"); + free(buffer); + fclose(fp); + return -1; + } + /* Adding a new user definition. */ - usrdatum = - (user_datum_t *) malloc(sizeof(user_datum_t)); - if (!id || !usrdatum) { + usrdatum = malloc(sizeof(user_datum_t)); + if (!usrdatum) { ERR(NULL, "out of memory"); free(buffer); + free(id); fclose(fp); return -1; } - memset(usrdatum, 0, sizeof(user_datum_t)); + + user_datum_init(usrdatum); usrdatum->s.value = ++policydb->p_users.nprim; - ebitmap_init(&usrdatum->roles.roles); if (hashtab_insert(policydb->p_users.table, id, (hashtab_datum_t) usrdatum)) { ERR(NULL, "out of memory"); free(buffer); + free(id); + user_datum_destroy(usrdatum); + free(usrdatum); fclose(fp); return -1; } diff --git a/libsepol/src/link.c b/libsepol/src/link.c index 01d3231..31b955c 100644 --- a/libsepol/src/link.c +++ b/libsepol/src/link.c @@ -223,6 +223,13 @@ static int class_copy_default_new_object(link_state_t *state, } newdatum->default_role = olddatum->default_role; } + if (olddatum->default_type) { + if (newdatum->default_type && olddatum->default_type != newdatum->default_type) { + ERR(state->handle, "Found conflicting default type definitions"); + return SEPOL_ENOTSUP; + } + newdatum->default_type = olddatum->default_type; + } if (olddatum->default_range) { if (newdatum->default_range && olddatum->default_range != newdatum->default_range) { ERR(state->handle, "Found conflicting default range definitions"); @@ -676,13 +683,17 @@ static int sens_copy_callback(hashtab_key_t key, hashtab_datum_t datum, "%s: Modules may not declare new sensitivities.", state->cur_mod_name); return SEPOL_ENOTSUP; - } - if (scope->scope == SCOPE_REQ) { + } else if (scope->scope == SCOPE_REQ) { /* unmet requirement */ ERR(state->handle, "%s: Sensitivity %s not declared by base.", state->cur_mod_name, id); return SEPOL_ENOTSUP; + } else { + ERR(state->handle, + "%s: has an unknown scope: %d\n", + state->cur_mod_name, scope->scope); + return SEPOL_ENOTSUP; } } @@ -704,8 +715,7 @@ static int cat_copy_callback(hashtab_key_t key, hashtab_datum_t datum, base_cat = hashtab_search(state->base->p_cats.table, id); if (!base_cat) { - scope = - hashtab_search(state->cur->policy->p_cat_scope.table, id); + scope = hashtab_search(state->cur->policy->p_cat_scope.table, id); if (!scope) return SEPOL_ERR; if (scope->scope == SCOPE_DECL) { @@ -714,13 +724,18 @@ static int cat_copy_callback(hashtab_key_t key, hashtab_datum_t datum, "%s: Modules may not declare new categories.", state->cur_mod_name); return SEPOL_ENOTSUP; - } - if (scope->scope == SCOPE_REQ) { + } else if (scope->scope == SCOPE_REQ) { /* unmet requirement */ ERR(state->handle, "%s: Category %s not declared by base.", state->cur_mod_name, id); return SEPOL_ENOTSUP; + } else { + /* unknown scope? malformed policy? */ + ERR(state->handle, + "%s: has an unknown scope: %d\n", + state->cur_mod_name, scope->scope); + return SEPOL_ENOTSUP; } } @@ -2001,6 +2016,7 @@ static int is_decl_requires_met(link_state_t * state, struct find_perm_arg fparg; class_datum_t *cladatum; uint32_t perm_value = j + 1; + int rc; scope_datum_t *scope; if (!ebitmap_node_get_bit(node, j)) { @@ -2022,11 +2038,13 @@ static int is_decl_requires_met(link_state_t * state, fparg.valuep = perm_value; fparg.key = NULL; - hashtab_map(cladatum->permissions.table, find_perm, + (void)hashtab_map(cladatum->permissions.table, find_perm, &fparg); - if (fparg.key == NULL && cladatum->comdatum != NULL) - hashtab_map(cladatum->comdatum->permissions. - table, find_perm, &fparg); + if (fparg.key == NULL && cladatum->comdatum != NULL) { + rc = hashtab_map(cladatum->comdatum->permissions.table, + find_perm, &fparg); + assert(rc == 1); + } perm_id = fparg.key; assert(perm_id != NULL); @@ -2050,6 +2068,7 @@ static int debug_requirements(link_state_t * state, policydb_t * p) int ret; avrule_block_t *cur; missing_requirement_t req; + memset(&req, 0, sizeof(req)); for (cur = p->global; cur != NULL; cur = cur->next) { if (cur->enabled != NULL) @@ -2062,34 +2081,27 @@ static int debug_requirements(link_state_t * state, policydb_t * p) char *mod_name = cur->branch_list->module_name ? cur->branch_list->module_name : "BASE"; if (req.symbol_type == SYM_CLASSES) { - struct find_perm_arg fparg; class_datum_t *cladatum; - cladatum = - p->class_val_to_struct[req.symbol_value - - 1]; + cladatum = p->class_val_to_struct[req.symbol_value - 1]; fparg.valuep = req.perm_value; fparg.key = NULL; - hashtab_map(cladatum->permissions.table, - find_perm, &fparg); + (void)hashtab_map(cladatum->permissions.table, + find_perm, &fparg); if (cur->flags & AVRULE_OPTIONAL) { ERR(state->handle, "%s[%d]'s optional requirements were not met: class %s, permission %s", mod_name, cur->branch_list->decl_id, - p->p_class_val_to_name[req. - symbol_value - - 1], + p->p_class_val_to_name[req.symbol_value - 1], fparg.key); } else { ERR(state->handle, "%s[%d]'s global requirements were not met: class %s, permission %s", mod_name, cur->branch_list->decl_id, - p->p_class_val_to_name[req. - symbol_value - - 1], + p->p_class_val_to_name[req.symbol_value - 1], fparg.key); } } else { @@ -2137,7 +2149,7 @@ static void print_missing_requirements(link_state_t * state, fparg.valuep = req->perm_value; fparg.key = NULL; - hashtab_map(cladatum->permissions.table, find_perm, &fparg); + (void)hashtab_map(cladatum->permissions.table, find_perm, &fparg); ERR(state->handle, "%s's global requirements were not met: class %s, permission %s", @@ -2148,8 +2160,7 @@ static void print_missing_requirements(link_state_t * state, "%s's global requirements were not met: %s %s", mod_name, symtab_names[req->symbol_type], - p->sym_val_to_name[req->symbol_type][req->symbol_value - - 1]); + p->sym_val_to_name[req->symbol_type][req->symbol_value - 1]); } } diff --git a/libsepol/src/module.c b/libsepol/src/module.c index b5b807e..1665ede 100644 --- a/libsepol/src/module.c +++ b/libsepol/src/module.c @@ -59,21 +59,34 @@ static int policy_file_seek(struct policy_file *fp, size_t offset) } } -static size_t policy_file_length(struct policy_file *fp) +static int policy_file_length(struct policy_file *fp, size_t *out) { long prev_offset, end_offset; + int rc; switch (fp->type) { case PF_USE_STDIO: prev_offset = ftell(fp->fp); - fseek(fp->fp, 0L, SEEK_END); + if (prev_offset < 0) + return prev_offset; + rc = fseek(fp->fp, 0L, SEEK_END); + if (rc < 0) + return rc; end_offset = ftell(fp->fp); - fseek(fp->fp, prev_offset, SEEK_SET); - return end_offset; + if (end_offset < 0) + return end_offset; + rc = fseek(fp->fp, prev_offset, SEEK_SET); + if (rc < 0) + return rc; + *out = end_offset; + break; case PF_USE_MEMORY: - return fp->size; + *out = fp->size; + break;; default: - return 0; + *out = 0; + break; } + return 0; } static int module_package_init(sepol_module_package_t * p) @@ -103,10 +116,17 @@ static int set_char(char **field, char *data, size_t len) int sepol_module_package_create(sepol_module_package_t ** p) { + int rc; + *p = calloc(1, sizeof(sepol_module_package_t)); if (!(*p)) return -1; - return module_package_init(*p); + + rc = module_package_init(*p); + if (rc < 0) + free(*p); + + return rc; } hidden_def(sepol_module_package_create) @@ -413,7 +433,10 @@ static int module_package_read_offsets(sepol_module_package_t * mod, } } - off[nsec] = policy_file_length(file); + rc = policy_file_length(file, &off[nsec]); + if (rc < 0) + goto err; + if (nsec && off[nsec] < off[nsec-1]) { ERR(file->handle, "offset greater than file size (at %u, " "offset %zu -> %zu", nsec, off[nsec - 1], diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index ff292f6..00cf6a8 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -158,6 +158,20 @@ static struct policydb_compat_info policydb_compat[] = { .target_platform = SEPOL_TARGET_SELINUX, }, { + .type = POLICY_KERN, + .version = POLICYDB_VERSION_DEFAULT_TYPE, + .sym_num = SYM_NUM, + .ocon_num = OCON_NODE6 + 1, + .target_platform = SEPOL_TARGET_SELINUX, + }, + { + .type = POLICY_KERN, + .version = POLICYDB_VERSION_CONSTRAINT_NAMES, + .sym_num = SYM_NUM, + .ocon_num = OCON_NODE6 + 1, + .target_platform = SEPOL_TARGET_SELINUX, + }, + { .type = POLICY_BASE, .version = MOD_POLICYDB_VERSION_BASE, .sym_num = SYM_NUM, @@ -242,6 +256,20 @@ static struct policydb_compat_info policydb_compat[] = { .target_platform = SEPOL_TARGET_SELINUX, }, { + .type = POLICY_BASE, + .version = MOD_POLICYDB_VERSION_DEFAULT_TYPE, + .sym_num = SYM_NUM, + .ocon_num = OCON_NODE6 + 1, + .target_platform = SEPOL_TARGET_SELINUX, + }, + { + .type = POLICY_BASE, + .version = MOD_POLICYDB_VERSION_CONSTRAINT_NAMES, + .sym_num = SYM_NUM, + .ocon_num = OCON_NODE6 + 1, + .target_platform = SEPOL_TARGET_SELINUX, + }, + { .type = POLICY_MOD, .version = MOD_POLICYDB_VERSION_BASE, .sym_num = SYM_NUM, @@ -325,6 +353,20 @@ static struct policydb_compat_info policydb_compat[] = { .ocon_num = 0, .target_platform = SEPOL_TARGET_SELINUX, }, + { + .type = POLICY_MOD, + .version = MOD_POLICYDB_VERSION_DEFAULT_TYPE, + .sym_num = SYM_NUM, + .ocon_num = 0, + .target_platform = SEPOL_TARGET_SELINUX, + }, + { + .type = POLICY_MOD, + .version = MOD_POLICYDB_VERSION_CONSTRAINT_NAMES, + .sym_num = SYM_NUM, + .ocon_num = 0, + .target_platform = SEPOL_TARGET_SELINUX, + }, }; #if 0 @@ -1074,7 +1116,7 @@ static int common_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p if (key) free(key); comdatum = (common_datum_t *) datum; - hashtab_map(comdatum->permissions.table, perm_destroy, 0); + (void)hashtab_map(comdatum->permissions.table, perm_destroy, 0); hashtab_destroy(comdatum->permissions.table); free(datum); return 0; @@ -1093,7 +1135,7 @@ static int class_destroy(hashtab_key_t key, hashtab_datum_t datum, void *p if (cladatum == NULL) { return 0; } - hashtab_map(cladatum->permissions.table, perm_destroy, 0); + (void)hashtab_map(cladatum->permissions.table, perm_destroy, 0); hashtab_destroy(cladatum->permissions.table); constraint = cladatum->constraints; while (constraint) { @@ -1261,7 +1303,7 @@ void policydb_destroy(policydb_t * p) free(p->decl_val_to_struct); for (i = 0; i < SYM_NUM; i++) { - hashtab_map(p->scope[i].table, scope_destroy, 0); + (void)hashtab_map(p->scope[i].table, scope_destroy, 0); hashtab_destroy(p->scope[i].table); } avrule_block_list_destroy(p->global); @@ -1351,7 +1393,7 @@ void symtabs_destroy(symtab_t * symtab) { int i; for (i = 0; i < SYM_NUM; i++) { - hashtab_map(symtab[i].table, destroy_f[i], 0); + (void)hashtab_map(symtab[i].table, destroy_f[i], 0); hashtab_destroy(symtab[i].table); } } @@ -1998,6 +2040,10 @@ static int read_cons_helper(policydb_t * p, constraint_node_t ** nodep, if (p->policy_type != POLICY_KERN && type_set_read(e->type_names, fp)) return -1; + else if (p->policy_type == POLICY_KERN && + p->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES && + type_set_read(e->type_names, fp)) + return -1; break; default: return -1; @@ -2097,6 +2143,16 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp) cladatum->default_range = le32_to_cpu(buf[2]); } + if ((p->policy_type == POLICY_KERN && + p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) || + (p->policy_type == POLICY_BASE && + p->policyvers >= MOD_POLICYDB_VERSION_DEFAULT_TYPE)) { + rc = next_entry(buf, fp, sizeof(uint32_t)); + if (rc < 0) + goto bad; + cladatum->default_type = le32_to_cpu(buf[0]); + } + if (hashtab_insert(h, key, cladatum)) goto bad; diff --git a/libsepol/src/services.c b/libsepol/src/services.c index 9c2920c..e235ae4 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c @@ -43,6 +43,11 @@ * Implementation of the security services. */ +/* The initial sizes malloc'd for sepol_compute_av_reason_buffer() support */ +#define REASON_BUF_SIZE 2048 +#define EXPR_BUF_SIZE 1024 +#define STACK_LEN 32 + #include #include #include @@ -54,6 +59,7 @@ #include #include #include +#include #include "debug.h" #include "private.h" @@ -70,6 +76,50 @@ static int selinux_enforcing = 1; static sidtab_t mysidtab, *sidtab = &mysidtab; static policydb_t mypolicydb, *policydb = &mypolicydb; +/* Used by sepol_compute_av_reason_buffer() to keep track of entries */ +static int reason_buf_used; +static int reason_buf_len; + +/* Stack services for RPN to infix conversion. */ +static char **stack; +static int stack_len; +static int next_stack_entry; + +static void push(char * expr_ptr) +{ + if (next_stack_entry >= stack_len) { + char **new_stack = stack; + int new_stack_len; + + if (stack_len == 0) + new_stack_len = STACK_LEN; + else + new_stack_len = stack_len * 2; + + new_stack = realloc(stack, new_stack_len * sizeof(*stack)); + if (!new_stack) { + ERR(NULL, "unable to allocate stack space"); + return; + } + stack_len = new_stack_len; + stack = new_stack; + } + stack[next_stack_entry] = expr_ptr; + next_stack_entry++; +} + +static char *pop(void) +{ + next_stack_entry--; + if (next_stack_entry < 0) { + next_stack_entry = 0; + ERR(NULL, "pop called with no stack entries"); + return NULL; + } + return stack[next_stack_entry]; +} +/* End Stack services */ + int hidden sepol_set_sidtab(sidtab_t * s) { sidtab = s; @@ -112,20 +162,195 @@ int sepol_set_policydb_from_file(FILE * fp) static uint32_t latest_granting = 0; /* - * Return the boolean value of a constraint expression - * when it is applied to the specified source and target + * cat_expr_buf adds a string to an expression buffer and handles realloc's if + * buffer is too small. The array of expression text buffer pointers and its + * counter are globally defined here as constraint_expr_eval_reason() sets + * them up and cat_expr_buf updates the e_buf pointer if the buffer is realloc'ed. + */ +static int expr_counter; +static char **expr_list; +static int expr_buf_used; +static int expr_buf_len; + +static void cat_expr_buf(char *e_buf, char *string) +{ + int len, new_buf_len; + char *p, *new_buf = e_buf; + + while (1) { + p = e_buf + expr_buf_used; + len = snprintf(p, expr_buf_len - expr_buf_used, "%s", string); + if (len < 0 || len >= expr_buf_len - expr_buf_used) { + new_buf_len = expr_buf_len + EXPR_BUF_SIZE; + new_buf = realloc(e_buf, new_buf_len); + if (!new_buf) { + ERR(NULL, "failed to realloc expr buffer"); + return; + } + /* Update the new ptr in the expr list and locally + new len */ + expr_list[expr_counter] = new_buf; + e_buf = new_buf; + expr_buf_len = new_buf_len; + } else { + expr_buf_used += len; + return; + } + } +} + +/* + * If the POLICY_KERN version is < POLICYDB_VERSION_CONSTRAINT_NAMES, + * then just return. + * + * If the POLICY_KERN version is >= POLICYDB_VERSION_CONSTRAINT_NAMES, + * then for 'types' only, read the types_names->types list as it will + * contain a list of types and attributes that were defined in the + * policy source. + */ +static void get_names_list(constraint_expr_t *e, int type) +{ + ebitmap_t *types; + types = &e->type_names->types; + int rc = 0; + unsigned int i; + char tmp_buf[128]; + /* if -type_names->types is 0, then output string */ + int empty_set = 0; + + if (policydb->policy_type == POLICY_KERN && + policydb->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES && + type == CEXPR_TYPE) { + /* + * Process >= POLICYDB_VERSION_CONSTRAINT_NAMES with CEXPR_TYPE, then + * obtain the list of names defined in the policy source. + */ + cat_expr_buf(expr_list[expr_counter], "{ POLICY_SOURCE: "); + for (i = ebitmap_startbit(types); i < ebitmap_length(types); i++) { + if ((rc = ebitmap_get_bit(types, i)) == 0) + continue; + /* Collect entries */ + snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]); + cat_expr_buf(expr_list[expr_counter], tmp_buf); + empty_set++; + } + if (empty_set == 0) + cat_expr_buf(expr_list[expr_counter], " "); + cat_expr_buf(expr_list[expr_counter], "} "); + } + return; +} + +static void msgcat(char *src, char *tgt, char *rel, int failed) +{ + char tmp_buf[1024]; + if (failed) + snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Fail-) ", + src, rel, tgt); + else + snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Pass-) ", + src, rel, tgt); + cat_expr_buf(expr_list[expr_counter], tmp_buf); +} + +/* Returns a buffer with class, statement type and permissions */ +static char *get_class_info(sepol_security_class_t tclass, + constraint_node_t *constraint, + context_struct_t * xcontext) +{ + constraint_expr_t *e; + int mls, state_num; + + /* Find if MLS statement or not */ + mls = 0; + for (e = constraint->expr; e; e = e->next) { + if (e->attr >= CEXPR_L1L2) { + mls = 1; + break; + } + } + + /* Determine statement type */ + char *statements[] = { + "constrain ", /* 0 */ + "mlsconstrain ", /* 1 */ + "validatetrans ", /* 2 */ + "mlsvalidatetrans ", /* 3 */ + 0 }; + + if (xcontext == NULL) + state_num = mls + 0; + else + state_num = mls + 2; + + int class_buf_len = 0; + int new_class_buf_len; + int len, buf_used; + char *class_buf = NULL, *p; + char *new_class_buf = NULL; + + while (1) { + new_class_buf_len = class_buf_len + EXPR_BUF_SIZE; + new_class_buf = realloc(class_buf, new_class_buf_len); + if (!new_class_buf) + return NULL; + class_buf_len = new_class_buf_len; + class_buf = new_class_buf; + buf_used = 0; + p = class_buf; + + /* Add statement type */ + len = snprintf(p, class_buf_len - buf_used, "%s", statements[state_num]); + if (len < 0 || len >= class_buf_len - buf_used) + continue; + + /* Add class entry */ + p += len; + buf_used += len; + len = snprintf(p, class_buf_len - buf_used, "%s ", + policydb->p_class_val_to_name[tclass - 1]); + if (len < 0 || len >= class_buf_len - buf_used) + continue; + + /* Add permission entries */ + p += len; + buf_used += len; + len = snprintf(p, class_buf_len - buf_used, "{%s } (", + sepol_av_to_string(policydb, tclass, constraint->permissions)); + if (len < 0 || len >= class_buf_len - buf_used) + continue; + break; + } + return class_buf; +} + +/* + * Modified version of constraint_expr_eval that will process each + * constraint as before but adds the information to text buffers that + * will hold various components. The expression will be in RPN format, + * therefore there is a stack based RPN to infix converter to produce + * the final readable constraint. + * + * Return the boolean value of a constraint expression + * when it is applied to the specified source and target * security contexts. * * xcontext is a special beast... It is used by the validatetrans rules * only. For these rules, scontext is the context before the transition, * tcontext is the context after the transition, and xcontext is the context * of the process performing the transition. All other callers of - * constraint_expr_eval should pass in NULL for xcontext. + * constraint_expr_eval_reason should pass in NULL for xcontext. + * + * This function will also build a buffer as the constraint is processed + * for analysis. If this option is not required, then: + * 'tclass' should be '0' and r_buf MUST be NULL. */ -static int constraint_expr_eval(context_struct_t * scontext, +static int constraint_expr_eval_reason(context_struct_t * scontext, context_struct_t * tcontext, context_struct_t * xcontext, - constraint_expr_t * cexpr) + sepol_security_class_t tclass, + constraint_node_t *constraint, + char **r_buf, + unsigned int flags) { uint32_t val1, val2; context_struct_t *c; @@ -135,56 +360,135 @@ static int constraint_expr_eval(context_struct_t * scontext, int s[CEXPR_MAXDEPTH]; int sp = -1; - for (e = cexpr; e; e = e->next) { + char tmp_buf[128]; + +/* + * Define the s_t_x_num values that make up r1, t2 etc. in text strings + * Set 1 = source, 2 = target, 3 = xcontext for validatetrans + */ +#define SOURCE 1 +#define TARGET 2 +#define XTARGET 3 + + int s_t_x_num = SOURCE; + + /* Set 0 = fail, u = CEXPR_USER, r = CEXPR_ROLE, t = CEXPR_TYPE */ + int u_r_t = 0; + + char *name1, *name2; + char *src = NULL; + char *tgt = NULL; + + int rc = 0, x; + + char *class_buf = NULL; + + class_buf = get_class_info(tclass, constraint, xcontext); + if (!class_buf) { + ERR(NULL, "failed to allocate class buffer"); + return -ENOMEM; + } + + /* Original function but with buffer support */ + int expr_list_len = 0; + expr_counter = 0; + expr_list = NULL; + for (e = constraint->expr; e; e = e->next) { + /* Allocate a stack to hold expression buffer entries */ + if (expr_counter >= expr_list_len) { + char **new_expr_list = expr_list; + int new_expr_list_len; + + if (expr_list_len == 0) + new_expr_list_len = STACK_LEN; + else + new_expr_list_len = expr_list_len * 2; + + new_expr_list = realloc(expr_list, new_expr_list_len * sizeof(*expr_list)); + if (!new_expr_list) { + ERR(NULL, "failed to allocate expr buffer stack"); + return -ENOMEM; + } + expr_list_len = new_expr_list_len; + expr_list = new_expr_list; + } + + /* + * malloc a buffer to store each expression text component. If the + * buffer is too small cat_expr_buf() will realloc extra space. + */ + expr_buf_len = EXPR_BUF_SIZE; + expr_list[expr_counter] = malloc(expr_buf_len); + if (!expr_list[expr_counter]) { + ERR(NULL, "failed to allocate expr buffer"); + return -ENOMEM; + } + expr_buf_used = 0; + + /* Now process each expression of the constraint */ switch (e->expr_type) { case CEXPR_NOT: BUG_ON(sp < 0); s[sp] = !s[sp]; + cat_expr_buf(expr_list[expr_counter], "not"); break; case CEXPR_AND: BUG_ON(sp < 1); sp--; s[sp] &= s[sp + 1]; + cat_expr_buf(expr_list[expr_counter], "and"); break; case CEXPR_OR: BUG_ON(sp < 1); sp--; s[sp] |= s[sp + 1]; + cat_expr_buf(expr_list[expr_counter], "or"); break; case CEXPR_ATTR: if (sp == (CEXPR_MAXDEPTH - 1)) - return 0; + goto out; + switch (e->attr) { case CEXPR_USER: val1 = scontext->user; val2 = tcontext->user; + free(src); src = strdup("u1"); + free(tgt); tgt = strdup("u2"); break; case CEXPR_TYPE: val1 = scontext->type; val2 = tcontext->type; + free(src); src = strdup("t1"); + free(tgt); tgt = strdup("t2"); break; case CEXPR_ROLE: val1 = scontext->role; val2 = tcontext->role; r1 = policydb->role_val_to_struct[val1 - 1]; r2 = policydb->role_val_to_struct[val2 - 1]; + name1 = policydb->p_role_val_to_name[r1->s.value - 1]; + name2 = policydb->p_role_val_to_name[r2->s.value - 1]; + snprintf(tmp_buf, sizeof(tmp_buf), "r1=%s", name1); + free(src); src = strdup(tmp_buf); + snprintf(tmp_buf, sizeof(tmp_buf), "r2=%s ", name2); + free(tgt); tgt = strdup(tmp_buf); + switch (e->op) { case CEXPR_DOM: - s[++sp] = - ebitmap_get_bit(&r1->dominates, - val2 - 1); + s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1); + msgcat(src, tgt, "dom", s[sp] == 0); + expr_counter++; continue; case CEXPR_DOMBY: - s[++sp] = - ebitmap_get_bit(&r2->dominates, - val1 - 1); + s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1); + msgcat(src, tgt, "domby", s[sp] == 0); + expr_counter++; continue; case CEXPR_INCOMP: - s[++sp] = - (!ebitmap_get_bit - (&r1->dominates, val2 - 1) - && !ebitmap_get_bit(&r2->dominates, - val1 - 1)); + s[++sp] = (!ebitmap_get_bit(&r1->dominates, val2 - 1) + && !ebitmap_get_bit(&r2->dominates, val1 - 1)); + msgcat(src, tgt, "incomp", s[sp] == 0); + expr_counter++; continue; default: break; @@ -193,110 +497,325 @@ static int constraint_expr_eval(context_struct_t * scontext, case CEXPR_L1L2: l1 = &(scontext->range.level[0]); l2 = &(tcontext->range.level[0]); + free(src); src = strdup("l1"); + free(tgt); tgt = strdup("l2"); goto mls_ops; case CEXPR_L1H2: l1 = &(scontext->range.level[0]); l2 = &(tcontext->range.level[1]); + free(src); src = strdup("l1"); + free(tgt); tgt = strdup("h2"); goto mls_ops; case CEXPR_H1L2: l1 = &(scontext->range.level[1]); l2 = &(tcontext->range.level[0]); + free(src); src = strdup("h1"); + free(tgt); tgt = strdup("L2"); goto mls_ops; case CEXPR_H1H2: l1 = &(scontext->range.level[1]); l2 = &(tcontext->range.level[1]); + free(src); src = strdup("h1"); + free(tgt); tgt = strdup("h2"); goto mls_ops; case CEXPR_L1H1: l1 = &(scontext->range.level[0]); l2 = &(scontext->range.level[1]); + free(src); src = strdup("l1"); + free(tgt); tgt = strdup("h1"); goto mls_ops; case CEXPR_L2H2: l1 = &(tcontext->range.level[0]); l2 = &(tcontext->range.level[1]); - goto mls_ops; - mls_ops: + free(src); src = strdup("l2"); + free(tgt); tgt = strdup("h2"); + mls_ops: switch (e->op) { case CEXPR_EQ: s[++sp] = mls_level_eq(l1, l2); + msgcat(src, tgt, "eq", s[sp] == 0); + expr_counter++; continue; case CEXPR_NEQ: s[++sp] = !mls_level_eq(l1, l2); + msgcat(src, tgt, "neq", s[sp] == 0); + expr_counter++; continue; case CEXPR_DOM: s[++sp] = mls_level_dom(l1, l2); + msgcat(src, tgt, "dom", s[sp] == 0); + expr_counter++; continue; case CEXPR_DOMBY: s[++sp] = mls_level_dom(l2, l1); + msgcat(src, tgt, "domby", s[sp] == 0); + expr_counter++; continue; case CEXPR_INCOMP: s[++sp] = mls_level_incomp(l2, l1); + msgcat(src, tgt, "incomp", s[sp] == 0); + expr_counter++; continue; default: BUG(); - return 0; + goto out; } break; default: BUG(); - return 0; + goto out; } switch (e->op) { case CEXPR_EQ: s[++sp] = (val1 == val2); + msgcat(src, tgt, "eq", s[sp] == 0); break; case CEXPR_NEQ: s[++sp] = (val1 != val2); + msgcat(src, tgt, "neq", s[sp] == 0); break; default: BUG(); - return 0; + goto out; } break; case CEXPR_NAMES: if (sp == (CEXPR_MAXDEPTH - 1)) - return 0; + goto out; + s_t_x_num = SOURCE; c = scontext; - if (e->attr & CEXPR_TARGET) + if (e->attr & CEXPR_TARGET) { + s_t_x_num = TARGET; c = tcontext; - else if (e->attr & CEXPR_XTARGET) { + } else if (e->attr & CEXPR_XTARGET) { + s_t_x_num = XTARGET; c = xcontext; - if (!c) { - BUG(); - return 0; - } } - if (e->attr & CEXPR_USER) + if (!c) { + BUG(); + goto out; + } + if (e->attr & CEXPR_USER) { + u_r_t = CEXPR_USER; val1 = c->user; - else if (e->attr & CEXPR_ROLE) + name1 = policydb->p_user_val_to_name[val1 - 1]; + snprintf(tmp_buf, sizeof(tmp_buf), "u%d=%s ", + s_t_x_num, name1); + free(src); src = strdup(tmp_buf); + } + else if (e->attr & CEXPR_ROLE) { + u_r_t = CEXPR_ROLE; val1 = c->role; - else if (e->attr & CEXPR_TYPE) + name1 = policydb->p_role_val_to_name[val1 - 1]; + snprintf(tmp_buf, sizeof(tmp_buf), "r%d=%s ", s_t_x_num, name1); + free(src); src = strdup(tmp_buf); + } + else if (e->attr & CEXPR_TYPE) { + u_r_t = CEXPR_TYPE; val1 = c->type; + name1 = policydb->p_type_val_to_name[val1 - 1]; + snprintf(tmp_buf, sizeof(tmp_buf), + "t%d=%s ", s_t_x_num, name1); + free(src); src = strdup(tmp_buf); + } else { BUG(); - return 0; + goto out; } switch (e->op) { case CEXPR_EQ: + switch (u_r_t) { + case CEXPR_USER: + free(tgt); tgt=strdup("USER_ENTRY"); + break; + case CEXPR_ROLE: + free(tgt); tgt=strdup("ROLE_ENTRY"); + break; + case CEXPR_TYPE: + free(tgt); tgt=strdup("TYPE_ENTRY"); + break; + default: + ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t); + break; + } + s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); + msgcat(src, tgt, "eq", s[sp] == 0); + if (s[sp] == 0) { + get_names_list(e, u_r_t); + } break; + case CEXPR_NEQ: + switch (u_r_t) { + case CEXPR_USER: + free(tgt); tgt=strdup("USER_ENTRY"); + break; + case CEXPR_ROLE: + free(tgt); tgt=strdup("ROLE_ENTRY"); + break; + case CEXPR_TYPE: + free(tgt); tgt=strdup("TYPE_ENTRY"); + break; + default: + ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t); + break; + } + s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); + msgcat(src, tgt, "neq", s[sp] == 0); + if (s[sp] == 0) { + get_names_list(e, u_r_t); + } break; default: BUG(); - return 0; + goto out; } break; default: BUG(); - return 0; + goto out; + } + expr_counter++; + } + + /* + * At this point each expression of the constraint is in + * expr_list[n+1] and in RPN format. Now convert to 'infix' + */ + + /* + * Save expr count but zero expr_counter to detect if 'BUG(); goto out;' + * was called as we need to release any used expr_list malloc's. Normally + * they are released by the RPN to infix code. + */ + int expr_count = expr_counter; + expr_counter = 0; + + /* + * The array of expression answer buffer pointers and counter. Generate + * the same number of answer buffer entries as expression buffers (as + * there will never be more required). + */ + char **answer_list; + int answer_counter = 0; + + answer_list = malloc(expr_count * sizeof(*answer_list)); + if (!answer_list) { + ERR(NULL, "failed to allocate answer stack"); + return -ENOMEM; + } + + /* The pop operands */ + char *a; + char *b; + int a_len, b_len; + + /* Convert constraint from RPN to infix notation. */ + for (x = 0; x != expr_count; x++) { + if (strncmp(expr_list[x], "and", 3) == 0 || strncmp(expr_list[x], + "or", 2) == 0) { + b = pop(); + b_len = strlen(b); + a = pop(); + a_len = strlen(a); + + /* get a buffer to hold the answer */ + answer_list[answer_counter] = malloc(a_len + b_len + 8); + if (!answer_list[answer_counter]) { + ERR(NULL, "failed to allocate answer buffer"); + return -ENOMEM; + } + memset(answer_list[answer_counter], '\0', a_len + b_len + 8); + + sprintf(answer_list[answer_counter], "%s %s %s", a, expr_list[x], b); + push(answer_list[answer_counter++]); + free(a); + free(b); + } else if (strncmp(expr_list[x], "not", 3) == 0) { + b = pop(); + b_len = strlen(b); + + answer_list[answer_counter] = malloc(b_len + 8); + if (!answer_list[answer_counter]) { + ERR(NULL, "failed to allocate answer buffer"); + return -ENOMEM; + } + memset(answer_list[answer_counter], '\0', b_len + 8); + + if (strncmp(b, "not", 3) == 0) + sprintf(answer_list[answer_counter], "%s (%s)", expr_list[x], b); + else + sprintf(answer_list[answer_counter], "%s%s", expr_list[x], b); + push(answer_list[answer_counter++]); + free(b); + } else { + push(expr_list[x]); } } + /* Get the final answer from tos and build constraint text */ + a = pop(); + /* Constraint calculation: rc = 0 is denied, rc = 1 is granted */ + sprintf(tmp_buf,"Constraint %s\n", s[0] ? "GRANTED" : "DENIED"); + + int len, new_buf_len; + char *p, **new_buf = r_buf; + /* + * These contain the constraint components that are added to the + * callers reason buffer. + */ + char *buffers[] = { class_buf, a, "); ", tmp_buf, 0 }; + + /* + * This will add the constraints to the callers reason buffer (who is + * responsible for freeing the memory). It will handle any realloc's + * should the buffer be too short. + * The reason_buf_used and reason_buf_len counters are defined globally + * as multiple constraints can be in the buffer. + */ + if (r_buf && ((s[0] == 0) || ((s[0] == 1 && + (flags & SHOW_GRANTED) == SHOW_GRANTED)))) { + for (x = 0; buffers[x] != NULL; x++) { + while (1) { + p = *r_buf + reason_buf_used; + len = snprintf(p, reason_buf_len - reason_buf_used, "%s", buffers[x]); + if (len < 0 || len >= reason_buf_len - reason_buf_used) { + new_buf_len = reason_buf_len + REASON_BUF_SIZE; + *new_buf = realloc(*r_buf, new_buf_len); + if (!new_buf) { + ERR(NULL, "failed to realloc reason buffer"); + goto out1; + } + **r_buf = **new_buf; + reason_buf_len = new_buf_len; + continue; + } else { + reason_buf_used += len; + break; + } + } + } + } + +out1: + rc = s[0]; + free(a); + +out: + free(class_buf); + free(src); + free(tgt); + + if (expr_counter) { + for (x = 0; expr_list[x] != NULL; x++) + free(expr_list[x]); + } BUG_ON(sp != 0); - return s[0]; + return rc; } /* @@ -308,7 +827,9 @@ static int context_struct_compute_av(context_struct_t * scontext, sepol_security_class_t tclass, sepol_access_vector_t requested, struct sepol_av_decision *avd, - unsigned int *reason) + unsigned int *reason, + char **r_buf, + unsigned int flags) { constraint_node_t *constraint; struct role_allow *ra; @@ -383,8 +904,8 @@ static int context_struct_compute_av(context_struct_t * scontext, constraint = tclass_datum->constraints; while (constraint) { if ((constraint->permissions & (avd->allowed)) && - !constraint_expr_eval(scontext, tcontext, NULL, - constraint->expr)) { + !constraint_expr_eval_reason(scontext, tcontext, NULL, + tclass, constraint, r_buf, flags)) { avd->allowed = (avd->allowed) & ~(constraint->permissions); } @@ -459,8 +980,8 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid, constraint = tclass_datum->validatetrans; while (constraint) { - if (!constraint_expr_eval(ocontext, ncontext, tcontext, - constraint->expr)) { + if (!constraint_expr_eval_reason(ocontext, ncontext, tcontext, + 0, constraint, NULL, 0)) { return -EPERM; } constraint = constraint->next; @@ -493,11 +1014,59 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid, } rc = context_struct_compute_av(scontext, tcontext, tclass, - requested, avd, reason); + requested, avd, reason, NULL, 0); out: return rc; } +/* + * sepol_compute_av_reason_buffer - the reason buffer is malloc'd to + * REASON_BUF_SIZE. If the buffer size is exceeded, then it is realloc'd + * in the constraint_expr_eval_reason() function. + */ +int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid, + sepol_security_id_t tsid, + sepol_security_class_t tclass, + sepol_access_vector_t requested, + struct sepol_av_decision *avd, + unsigned int *reason, + char **reason_buf, + unsigned int flags) +{ + *reason_buf = malloc(REASON_BUF_SIZE); + if (!*reason_buf) { + ERR(NULL, "failed to allocate reason buffer"); + return -ENOMEM; + } + /* + * These are defined globally as the buffer can contain multiple + * constraint statements so need to keep track + */ + reason_buf_used = 0; + reason_buf_len = REASON_BUF_SIZE; + + context_struct_t *scontext = 0, *tcontext = 0; + int rc = 0; + + scontext = sepol_sidtab_search(sidtab, ssid); + if (!scontext) { + ERR(NULL, "unrecognized SID %d", ssid); + rc = -EINVAL; + goto out; + } + tcontext = sepol_sidtab_search(sidtab, tsid); + if (!tcontext) { + ERR(NULL, "unrecognized SID %d", tsid); + rc = -EINVAL; + goto out; + } + + rc = context_struct_compute_av(scontext, tcontext, tclass, + requested, avd, reason, reason_buf, flags); +out: + return rc; +} + int hidden sepol_compute_av(sepol_security_id_t ssid, sepol_security_id_t tsid, sepol_security_class_t tclass, @@ -510,6 +1079,70 @@ int hidden sepol_compute_av(sepol_security_id_t ssid, } /* + * Return a class ID associated with the class string specified by + * class_name. + */ +int hidden sepol_class_name_to_id(const char *class_name, + sepol_security_class_t *tclass) +{ + char *class = NULL; + sepol_security_class_t id; + + for (id = 1; ; id++) { + if ((class = policydb->p_class_val_to_name[id - 1]) == NULL) { + ERR(NULL, "could not convert %s to class id", class_name); + return STATUS_ERR; + } + if ((strcmp(class, class_name)) == 0) { + *tclass = id; + return STATUS_SUCCESS; + } + } +} + +/* + * Return access vector bit associated with the class ID and permission + * string. + */ +int hidden sepol_perm_name_to_av(sepol_security_class_t tclass, + const char *perm_name, + sepol_access_vector_t *av) +{ + class_datum_t *tclass_datum; + perm_datum_t *perm_datum; + + if (!tclass || tclass > policydb->p_classes.nprim) { + ERR(NULL, "unrecognized class %d", tclass); + return -EINVAL; + } + tclass_datum = policydb->class_val_to_struct[tclass - 1]; + + /* Check for unique perms then the common ones (if any) */ + perm_datum = (perm_datum_t *) + hashtab_search(tclass_datum->permissions.table, + (hashtab_key_t)perm_name); + if (perm_datum != NULL) { + *av = 0x1 << (perm_datum->s.value - 1); + return STATUS_SUCCESS; + } + + if (tclass_datum->comdatum == NULL) + goto out; + + perm_datum = (perm_datum_t *) + hashtab_search(tclass_datum->comdatum->permissions.table, + (hashtab_key_t)perm_name); + + if (perm_datum != NULL) { + *av = 0x1 << (perm_datum->s.value - 1); + return STATUS_SUCCESS; + } +out: + ERR(NULL, "could not convert %s to av bit", perm_name); + return STATUS_ERR; +} + +/* * Write the security context string representation of * the context associated with `sid' into a dynamically * allocated string of the correct size. Set `*scontext' @@ -1337,7 +1970,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid, rc = context_struct_compute_av(fromcon, &usercon, SECCLASS_PROCESS, PROCESS__TRANSITION, - &avd, &reason); + &avd, &reason, NULL, 0); if (rc || !(avd.allowed & PROCESS__TRANSITION)) continue; rc = sepol_sidtab_context_to_sid(sidtab, &usercon, diff --git a/libsepol/src/write.c b/libsepol/src/write.c index 22e6143..6fe73e6 100644 --- a/libsepol/src/write.c +++ b/libsepol/src/write.c @@ -893,8 +893,11 @@ static int write_cons_helper(policydb_t * p, if (ebitmap_write(&e->names, fp)) { return POLICYDB_ERROR; } - if (p->policy_type != POLICY_KERN && - type_set_write(e->type_names, fp)) { + if ((p->policy_type != POLICY_KERN && + type_set_write(e->type_names, fp)) || + (p->policy_type == POLICY_KERN && + (p->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES) && + type_set_write(e->type_names, fp))) { return POLICYDB_ERROR; } break; @@ -988,6 +991,16 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) return POLICYDB_ERROR; } + if ((p->policy_type == POLICY_KERN && + p->policyvers >= POLICYDB_VERSION_DEFAULT_TYPE) || + (p->policy_type == POLICY_BASE && + p->policyvers >= MOD_POLICYDB_VERSION_DEFAULT_TYPE)) { + buf[0] = cpu_to_le32(cladatum->default_type); + items = put_entry(buf, sizeof(uint32_t), 1, fp); + if (items != 1) + return POLICYDB_ERROR; + } + return POLICYDB_SUCCESS; } @@ -1795,34 +1808,38 @@ static int scope_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) uint32_t static_buf[32], *dyn_buf = NULL, *buf; size_t key_len = strlen(key); unsigned int items = 2 + scope->decl_ids_len, i; + int rc; + buf = static_buf; if (items >= (sizeof(static_buf) / 4)) { /* too many things required, so dynamically create a * buffer. this would have been easier with C99's * dynamic arrays... */ - if ((dyn_buf = malloc(items * sizeof(*dyn_buf))) == NULL) { - return POLICYDB_ERROR; - } + rc = POLICYDB_ERROR; + dyn_buf = malloc(items * sizeof(*dyn_buf)); + if (!dyn_buf) + goto err; buf = dyn_buf; - } else { - buf = static_buf; } buf[0] = cpu_to_le32(key_len); + + rc = POLICYDB_ERROR; if (put_entry(buf, sizeof(*buf), 1, fp) != 1 || - put_entry(key, 1, key_len, fp) != key_len) { - return POLICYDB_ERROR; - } + put_entry(key, 1, key_len, fp) != key_len) + goto err; buf[0] = cpu_to_le32(scope->scope); buf[1] = cpu_to_le32(scope->decl_ids_len); - for (i = 0; i < scope->decl_ids_len; i++) { + + for (i = 0; i < scope->decl_ids_len; i++) buf[2 + i] = cpu_to_le32(scope->decl_ids[i]); - } - if (put_entry(buf, sizeof(*buf), items, fp) != items) { - free(dyn_buf); - return POLICYDB_ERROR; - } + + rc = POLICYDB_ERROR; + if (put_entry(buf, sizeof(*buf), items, fp) != items) + goto err; + rc = POLICYDB_SUCCESS; +err: free(dyn_buf); - return POLICYDB_SUCCESS; + return rc; } static int type_attr_uncount(hashtab_key_t key __attribute__ ((unused)), @@ -2006,7 +2023,7 @@ int policydb_write(policydb_t * p, struct policy_file *fp) ((p->policy_type == POLICY_KERN) || (p->policy_type != POLICY_KERN && p->policyvers < MOD_POLICYDB_VERSION_ROLEATTRIB))) - hashtab_map(p->symtab[i].table, role_attr_uncount, &buf[1]); + (void)hashtab_map(p->symtab[i].table, role_attr_uncount, &buf[1]); buf[1] = cpu_to_le32(buf[1]); items = put_entry(buf, sizeof(uint32_t), 2, fp);