diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2013-10-30 15:38:49 -0400 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2013-10-30 15:38:49 -0400 |
commit | 968aed00ed981987cf96dcfd7640e6dcde5c03a0 (patch) | |
tree | 968ef2c44cbdfedba3031856fd5a2234ce888091 | |
parent | 0d73ef7049feee794f14cf1af88d05dae8139914 (diff) | |
download | checkpolicy-968aed00ed981987cf96dcfd7640e6dcde5c03a0.tar.gz |
Update to checkpolicy 2.2. Requires libsepol 2.2.android-4.4w_r1kitkat-wearidea133
Update to current upstream checkpolicy release.
Includes memory leak fixes, improved handling of
filename-based type transitions, and support for latest
kernel policy version.
Change-Id: Idabd3e4d50777c6691cb0d74b4e28f4fe06bef35
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | checkmodule.8 | 6 | ||||
-rw-r--r-- | checkmodule.c | 2 | ||||
-rw-r--r-- | checkpolicy.8 | 4 | ||||
-rw-r--r-- | checkpolicy.c | 2 | ||||
-rw-r--r-- | policy_define.c | 44 | ||||
-rw-r--r-- | policy_define.h | 1 | ||||
-rw-r--r-- | policy_parse.y | 9 | ||||
-rw-r--r-- | policy_scan.l | 4 | ||||
-rw-r--r-- | test/Makefile | 2 | ||||
-rw-r--r-- | test/dismod.c | 5 |
12 files changed, 75 insertions, 17 deletions
@@ -1,3 +1,14 @@ +2.2 2013-10-30 + * Fix hyphen usage in man pages from Laurent Bigonville. + * handle-unknown / -U required argument fix from Laurent Bigonville. + * Support overriding Makefile PATH and LIBDIR from Laurent Bigonville. + * Support space and : in filenames from Dan Walsh. + +2.1.12 2013-02-01 + * Fix errors found by coverity + * implement default type policy syntax + * Free allocated memory when clean up / exit. + 2.1.11 2012-09-13 * fd leak reading policy * check return code on ebitmap_set_bit @@ -1 +1 @@ -2.1.11 +2.2 diff --git a/checkmodule.8 b/checkmodule.8 index 40f73c5..2a7ab5c 100644 --- a/checkmodule.8 +++ b/checkmodule.8 @@ -3,7 +3,7 @@ checkmodule \- SELinux policy module compiler .SH SYNOPSIS .B checkmodule -.I "[-h] [-b] [-m] [-M] [-U handle_unknown ] [-V] [-o output_file] [input_file]" +.I "[\-h] [\-b] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]" .SH "DESCRIPTION" This manual page describes the .BR checkmodule @@ -12,7 +12,7 @@ command. .B checkmodule is a program that checks and compiles a SELinux security policy module into a binary representation. It can generate either a base policy -module (default) or a non-base policy module (-m option); typically, +module (default) or a non-base policy module (\-m option); typically, you would build a non-base policy module to add to an existing module store that already has a base module provided by the base policy. Use semodule_package to combine this module with its optional file @@ -48,7 +48,7 @@ Specify how the kernel should handle unknown classes or permissions (deny, allow .SH EXAMPLE .nf # Build a MLS/MCS-enabled non-base policy module. -$ checkmodule -M -m httpd.te -o httpd.mod +$ checkmodule \-M \-m httpd.te \-o httpd.mod .fi .SH "SEE ALSO" diff --git a/checkmodule.c b/checkmodule.c index cb58cf0..41ebab5 100644 --- a/checkmodule.c +++ b/checkmodule.c @@ -171,7 +171,7 @@ int main(int argc, char **argv) {"output", required_argument, NULL, 'o'}, {"binary", no_argument, NULL, 'b'}, {"version", no_argument, NULL, 'V'}, - {"handle-unknown", optional_argument, NULL, 'U'}, + {"handle-unknown", required_argument, NULL, 'U'}, {"mls", no_argument, NULL, 'M'}, {NULL, 0, NULL, 0} }; diff --git a/checkpolicy.8 b/checkpolicy.8 index 6826938..0086bdc 100644 --- a/checkpolicy.8 +++ b/checkpolicy.8 @@ -3,7 +3,7 @@ checkpolicy \- SELinux policy compiler .SH SYNOPSIS .B checkpolicy -.I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]" +.I "[\-b] [\-d] [\-M] [\-c policyvers] [\-o output_file] [input_file]" .br .SH "DESCRIPTION" This manual page describes the @@ -14,7 +14,7 @@ command. is a program that checks and compiles a SELinux security policy configuration into a binary representation that can be loaded into the kernel. If no input file name is specified, checkpolicy will attempt to read from -policy.conf or policy, depending on whether the -b flag is specified. +policy.conf or policy, depending on whether the \-b flag is specified. .SH OPTIONS .TP diff --git a/checkpolicy.c b/checkpolicy.c index 544f235..292f568 100644 --- a/checkpolicy.c +++ b/checkpolicy.c @@ -402,7 +402,7 @@ int main(int argc, char **argv) {"binary", no_argument, NULL, 'b'}, {"debug", no_argument, NULL, 'd'}, {"version", no_argument, NULL, 'V'}, - {"handle-unknown", optional_argument, NULL, 'U'}, + {"handle-unknown", required_argument, NULL, 'U'}, {"mls", no_argument, NULL, 'M'}, {"help", no_argument, NULL, 'h'}, {NULL, 0, NULL, 0} diff --git a/policy_define.c b/policy_define.c index 8af6141..e9ed4b4 100644 --- a/policy_define.c +++ b/policy_define.c @@ -415,6 +415,38 @@ int define_default_role(int which) return 0; } +int define_default_type(int which) +{ + char *id; + class_datum_t *cladatum; + + if (pass == 1) { + while ((id = queue_remove(id_queue))) + free(id); + return 0; + } + + while ((id = queue_remove(id_queue))) { + if (!is_id_in_scope(SYM_CLASSES, id)) { + yyerror2("class %s is not within scope", id); + return -1; + } + cladatum = hashtab_search(policydbp->p_classes.table, id); + if (!cladatum) { + yyerror2("unknown class %s", id); + return -1; + } + if (cladatum->default_type && cladatum->default_type != which) { + yyerror2("conflicting default type information for class %s", id); + return -1; + } + cladatum->default_type = which; + free(id); + } + + return 0; +} + int define_default_range(int which) { char *id; @@ -2772,6 +2804,7 @@ int define_constraint(constraint_expr_t * expr) node = malloc(sizeof(struct constraint_node)); if (!node) { yyerror("out of memory"); + free(node); return -1; } memset(node, 0, sizeof(constraint_node_t)); @@ -3075,13 +3108,11 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2) ebitmap_destroy(&negset); return (uintptr_t) expr; default: - yyerror("invalid constraint expression"); - constraint_expr_destroy(expr); - return 0; + break; } yyerror("invalid constraint expression"); - free(expr); + constraint_expr_destroy(expr); return 0; } @@ -4641,7 +4672,10 @@ int define_range_trans(int class_specified) goto out; } - ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE); + if (ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE)) { + yyerror("out of memory"); + goto out; + } } id = (char *)queue_remove(id_queue); diff --git a/policy_define.h b/policy_define.h index ccbe56f..8bfd8f6 100644 --- a/policy_define.h +++ b/policy_define.h @@ -26,6 +26,7 @@ int define_category(void); int define_class(void); int define_default_user(int which); int define_default_role(int which); +int define_default_type(int which); int define_default_range(int which); int define_common_perms(void); int define_compute_type(int which); diff --git a/policy_parse.y b/policy_parse.y index d92cc32..b40f413 100644 --- a/policy_parse.y +++ b/policy_parse.y @@ -143,7 +143,7 @@ typedef int (* require_func_t)(); %token POLICYCAP %token PERMISSIVE %token FILESYSTEM -%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE +%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE %token LOW_HIGH LOW HIGH %left OR @@ -202,9 +202,11 @@ opt_default_rules : default_rules ; default_rules : default_user_def | default_role_def + | default_type_def | default_range_def | default_rules default_user_def | default_rules default_role_def + | default_rules default_type_def | default_rules default_range_def ; default_user_def : DEFAULT_USER names SOURCE ';' @@ -217,6 +219,11 @@ default_role_def : DEFAULT_ROLE names SOURCE ';' | DEFAULT_ROLE names TARGET ';' {if (define_default_role(DEFAULT_TARGET)) return -1; } ; +default_type_def : DEFAULT_TYPE names SOURCE ';' + {if (define_default_type(DEFAULT_SOURCE)) return -1; } + | DEFAULT_TYPE names TARGET ';' + {if (define_default_type(DEFAULT_TARGET)) return -1; } + ; default_range_def : DEFAULT_RANGE names SOURCE LOW ';' {if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; } | DEFAULT_RANGE names SOURCE HIGH ';' diff --git a/policy_scan.l b/policy_scan.l index 62d03f0..ab046cc 100644 --- a/policy_scan.l +++ b/policy_scan.l @@ -229,6 +229,8 @@ default_user | DEFAULT_USER { return(DEFAULT_USER); } default_role | DEFAULT_ROLE { return(DEFAULT_ROLE); } +default_type | +DEFAULT_TYPE { return(DEFAULT_TYPE); } default_range | DEFAULT_RANGE { return(DEFAULT_RANGE); } low-high | @@ -238,7 +240,7 @@ HIGH { return(HIGH); } low | LOW { return(LOW); } "/"({alnum}|[_\.\-/])* { return(PATH); } -\"({alnum}|[_\.\-\+\~])+\" { return(FILENAME); } +\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); } {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); } {alnum}*{letter}{alnum}* { return(FILESYSTEM); } {digit}+|0x{hexval}+ { return(NUMBER); } diff --git a/test/Makefile b/test/Makefile index 0731e89..63b4d24 100644 --- a/test/Makefile +++ b/test/Makefile @@ -3,7 +3,7 @@ # PREFIX ?= $(DESTDIR)/usr BINDIR=$(PREFIX)/bin -LIBDIR=$(PREFIX)/lib +LIBDIR ?= $(PREFIX)/lib INCLUDEDIR ?= $(PREFIX)/include CFLAGS ?= -g -Wall -W -Werror -O2 -pipe diff --git a/test/dismod.c b/test/dismod.c index 6a951f6..96ef047 100644 --- a/test/dismod.c +++ b/test/dismod.c @@ -844,7 +844,10 @@ int main(int argc, char **argv) /* read the binary policy */ fprintf(out_fp, "Reading policy...\n"); - policydb_init(&policydb); + if (policydb_init(&policydb)) { + fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__); + exit(1); + } if (read_policy(argv[1], &policydb)) { fprintf(stderr, "%s: error(s) encountered while loading policy\n", |