Update to checkpolicy 2.2. Requires libsepol 2.2.android-4.4w_r1kitkat-wearidea133

Update to current upstream checkpolicy release.
Includes memory leak fixes, improved handling of
filename-based type transitions, and support for latest
kernel policy version.

Change-Id: Idabd3e4d50777c6691cb0d74b4e28f4fe06bef35
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

12 files changed, 75 insertions, 17 deletions

diff --git a/ChangeLog b/ChangeLog
index 7dc7d76..0c76070 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2.2 2013-10-30
+	* Fix hyphen usage in man pages from Laurent Bigonville.
+	* handle-unknown / -U required argument fix from Laurent Bigonville.
+	* Support overriding Makefile PATH and LIBDIR from Laurent Bigonville.
+	* Support space and : in filenames from Dan Walsh.
+
+2.1.12 2013-02-01
+	* Fix errors found by coverity
+	* implement default type policy syntax
+	* Free allocated memory when clean up / exit.
+
 2.1.11 2012-09-13
 	* fd leak reading policy
 	* check return code on ebitmap_set_bit
diff --git a/VERSION b/VERSION
index a39c0b7..8bbe6cf 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1.11
+2.2
diff --git a/checkmodule.8 b/checkmodule.8
index 40f73c5..2a7ab5c 100644
--- a/checkmodule.8
+++ b/checkmodule.8
@@ -3,7 +3,7 @@
 checkmodule \- SELinux policy module compiler
 .SH SYNOPSIS
 .B checkmodule
-.I "[-h] [-b] [-m] [-M] [-U handle_unknown ] [-V] [-o output_file] [input_file]"
+.I "[\-h] [\-b] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]"
 .SH "DESCRIPTION"
 This manual page describes the
 .BR checkmodule
@@ -12,7 +12,7 @@ command.
 .B checkmodule
 is a program that checks and compiles a SELinux security policy module
 into a binary representation.  It can generate either a base policy
-module (default) or a non-base policy module (-m option); typically,
+module (default) or a non-base policy module (\-m option); typically,
 you would build a non-base policy module to add to an existing module
 store that already has a base module provided by the base policy.  Use
 semodule_package to combine this module with its optional file
@@ -48,7 +48,7 @@ Specify how the kernel should handle unknown classes or permissions (deny, allow
 .SH EXAMPLE
 .nf
 # Build a MLS/MCS-enabled non-base policy module.
-$ checkmodule -M -m httpd.te -o httpd.mod
+$ checkmodule \-M \-m httpd.te \-o httpd.mod
 .fi
 
 .SH "SEE ALSO"
diff --git a/checkmodule.c b/checkmodule.c
index cb58cf0..41ebab5 100644
--- a/checkmodule.c
+++ b/checkmodule.c
@@ -171,7 +171,7 @@ int main(int argc, char **argv)
 		{"output", required_argument, NULL, 'o'},
 		{"binary", no_argument, NULL, 'b'},
 		{"version", no_argument, NULL, 'V'},
-		{"handle-unknown", optional_argument, NULL, 'U'},
+		{"handle-unknown", required_argument, NULL, 'U'},
 		{"mls", no_argument, NULL, 'M'},
 		{NULL, 0, NULL, 0}
 	};
diff --git a/checkpolicy.8 b/checkpolicy.8
index 6826938..0086bdc 100644
--- a/checkpolicy.8
+++ b/checkpolicy.8
@@ -3,7 +3,7 @@
 checkpolicy \- SELinux policy compiler
 .SH SYNOPSIS
 .B checkpolicy
-.I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]"
+.I "[\-b] [\-d] [\-M] [\-c policyvers] [\-o output_file] [input_file]"
 .br
 .SH "DESCRIPTION"
 This manual page describes the
@@ -14,7 +14,7 @@ command.
 is a program that checks and compiles a SELinux security policy configuration
 into a binary representation that can be loaded into the kernel.  If no 
 input file name is specified, checkpolicy will attempt to read from
-policy.conf or policy, depending on whether the -b flag is specified.
+policy.conf or policy, depending on whether the \-b flag is specified.
 
 .SH OPTIONS
 .TP
diff --git a/checkpolicy.c b/checkpolicy.c
index 544f235..292f568 100644
--- a/checkpolicy.c
+++ b/checkpolicy.c
@@ -402,7 +402,7 @@ int main(int argc, char **argv)
 		{"binary", no_argument, NULL, 'b'},
 		{"debug", no_argument, NULL, 'd'},
 		{"version", no_argument, NULL, 'V'},
-		{"handle-unknown", optional_argument, NULL, 'U'},
+		{"handle-unknown", required_argument, NULL, 'U'},
 		{"mls", no_argument, NULL, 'M'},
 		{"help", no_argument, NULL, 'h'},
 		{NULL, 0, NULL, 0}
diff --git a/policy_define.c b/policy_define.c
index 8af6141..e9ed4b4 100644
--- a/policy_define.c
+++ b/policy_define.c
@@ -415,6 +415,38 @@ int define_default_role(int which)
 	return 0;
 }
 
+int define_default_type(int which)
+{
+	char *id;
+	class_datum_t *cladatum;
+
+	if (pass == 1) {
+		while ((id = queue_remove(id_queue)))
+			free(id);
+		return 0;
+	}
+
+	while ((id = queue_remove(id_queue))) {
+		if (!is_id_in_scope(SYM_CLASSES, id)) {
+			yyerror2("class %s is not within scope", id);
+			return -1;
+		}
+		cladatum = hashtab_search(policydbp->p_classes.table, id);
+		if (!cladatum) {
+			yyerror2("unknown class %s", id);
+			return -1;
+		}
+		if (cladatum->default_type && cladatum->default_type != which) {
+			yyerror2("conflicting default type information for class %s", id);
+			return -1;
+		}
+		cladatum->default_type = which;
+		free(id);
+	}
+
+	return 0;
+}
+
 int define_default_range(int which)
 {
 	char *id;
@@ -2772,6 +2804,7 @@ int define_constraint(constraint_expr_t * expr)
 		node = malloc(sizeof(struct constraint_node));
 		if (!node) {
 			yyerror("out of memory");
+			free(node);
 			return -1;
 		}
 		memset(node, 0, sizeof(constraint_node_t));
@@ -3075,13 +3108,11 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
 		ebitmap_destroy(&negset);
 		return (uintptr_t) expr;
 	default:
-		yyerror("invalid constraint expression");
-		constraint_expr_destroy(expr);
-		return 0;
+		break;
 	}
 
 	yyerror("invalid constraint expression");
-	free(expr);
+	constraint_expr_destroy(expr);
 	return 0;
 }
 
@@ -4641,7 +4672,10 @@ int define_range_trans(int class_specified)
 			goto out;
 		}
 
-		ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
+		if (ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE)) {
+			yyerror("out of memory");
+			goto out;
+		}
 	}
 
 	id = (char *)queue_remove(id_queue);
diff --git a/policy_define.h b/policy_define.h
index ccbe56f..8bfd8f6 100644
--- a/policy_define.h
+++ b/policy_define.h
@@ -26,6 +26,7 @@ int define_category(void);
 int define_class(void);
 int define_default_user(int which);
 int define_default_role(int which);
+int define_default_type(int which);
 int define_default_range(int which);
 int define_common_perms(void);
 int define_compute_type(int which);
diff --git a/policy_parse.y b/policy_parse.y
index d92cc32..b40f413 100644
--- a/policy_parse.y
+++ b/policy_parse.y
@@ -143,7 +143,7 @@ typedef int (* require_func_t)();
 %token POLICYCAP
 %token PERMISSIVE
 %token FILESYSTEM
-%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
 %token LOW_HIGH LOW HIGH
 
 %left OR
@@ -202,9 +202,11 @@ opt_default_rules	: default_rules
 			;
 default_rules		: default_user_def
 			| default_role_def
+			| default_type_def
 			| default_range_def
 			| default_rules default_user_def
 			| default_rules default_role_def
+			| default_rules default_type_def
 			| default_rules default_range_def
 			;
 default_user_def	: DEFAULT_USER names SOURCE ';'
@@ -217,6 +219,11 @@ default_role_def	: DEFAULT_ROLE names SOURCE ';'
 			| DEFAULT_ROLE names TARGET ';'
 			{if (define_default_role(DEFAULT_TARGET)) return -1; }
 			;
+default_type_def	: DEFAULT_TYPE names SOURCE ';'
+			{if (define_default_type(DEFAULT_SOURCE)) return -1; }
+			| DEFAULT_TYPE names TARGET ';'
+			{if (define_default_type(DEFAULT_TARGET)) return -1; }
+			;
 default_range_def	: DEFAULT_RANGE names SOURCE LOW ';'
 			{if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
 			| DEFAULT_RANGE names SOURCE HIGH ';'
diff --git a/policy_scan.l b/policy_scan.l
index 62d03f0..ab046cc 100644
--- a/policy_scan.l
+++ b/policy_scan.l
@@ -229,6 +229,8 @@ default_user |
 DEFAULT_USER			{ return(DEFAULT_USER); }
 default_role |
 DEFAULT_ROLE			{ return(DEFAULT_ROLE); }
+default_type |
+DEFAULT_TYPE			{ return(DEFAULT_TYPE); }
 default_range |
 DEFAULT_RANGE			{ return(DEFAULT_RANGE); }
 low-high |
@@ -238,7 +240,7 @@ HIGH				{ return(HIGH); }
 low |
 LOW				{ return(LOW); }
 "/"({alnum}|[_\.\-/])*	        { return(PATH); }
-\"({alnum}|[_\.\-\+\~])+\"	{ return(FILENAME); }
+\"({alnum}|[_\.\-\+\~\: ])+\"	{ return(FILENAME); }
 {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
 {alnum}*{letter}{alnum}*        { return(FILESYSTEM); }
 {digit}+|0x{hexval}+            { return(NUMBER); }
diff --git a/test/Makefile b/test/Makefile
index 0731e89..63b4d24 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -3,7 +3,7 @@
 #
 PREFIX ?= $(DESTDIR)/usr
 BINDIR=$(PREFIX)/bin
-LIBDIR=$(PREFIX)/lib
+LIBDIR ?= $(PREFIX)/lib
 INCLUDEDIR ?= $(PREFIX)/include
 
 CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
diff --git a/test/dismod.c b/test/dismod.c
index 6a951f6..96ef047 100644
--- a/test/dismod.c
+++ b/test/dismod.c
@@ -844,7 +844,10 @@ int main(int argc, char **argv)
 
 	/* read the binary policy */
 	fprintf(out_fp, "Reading policy...\n");
-	policydb_init(&policydb);
+	if (policydb_init(&policydb)) {
+		fprintf(stderr, "%s:  Out of memory!\n", __FUNCTION__);
+		exit(1);
+	}
 	if (read_policy(argv[1], &policydb)) {
 		fprintf(stderr,
 			"%s:  error(s) encountered while loading policy\n",