author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-03-05 16:05:15 -0500 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-03-05 16:05:15 -0500 |
commit | c71644b06ebd417ef060f3f07472125516f86c41 (patch) | |
tree | 32fd59691177b64b331bc48836c42c081ba7ac3a | |
parent | 24c94accb995e6bf114e502a1db146bcf31e0e88 (diff) | |
download | libsepol-c71644b06ebd417ef060f3f07472125516f86c41.tar.gz |
Report source file and line information for neverallow failures.idea133-weekly-release
Change-Id: I0def97a5f2f6097e2dad7bcd5395b8fa740d7073
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r-- | include/sepol/policydb/policydb.h | 3 | ||||
-rw-r--r-- | src/assertion.c | 20 | ||||
-rw-r--r-- | src/expand.c | 4 | ||||
-rw-r--r-- | src/link.c | 4 | ||||
-rw-r--r-- | src/policydb.c | 2 |
5 files changed, 27 insertions, 6 deletions
diff --git a/include/sepol/policydb/policydb.h b/include/sepol/policydb/policydb.h
index fd14a9e..d3a9035 100644
--- a/include/sepol/policydb/policydb.h
+++ b/include/sepol/policydb/policydb.h
@@ -260,6 +260,9 @@ typedef struct avrule {
 class_perm_node_t *perms;
 unsigned long line; /* line number from policy.conf where
 * this rule originated */
+ /* source file name and line number (e.g. .te file) */
+ char *source_filename;
+ unsigned long source_line;
 struct avrule *next;
 } avrule_t;
diff --git a/src/assertion.c b/src/assertion.c
index a6e0c04..ebc011b 100644
--- a/src/assertion.c
+++ b/src/assertion.c
@@ -31,13 +31,13 @@ static int check_assertion_helper(sepol_handle_t * handle,
 policydb_t * p,
 avtab_t * te_avtab, avtab_t * te_cond_avtab,
 unsigned int stype, unsigned int ttype,
- class_perm_node_t * perm, unsigned long line)
+ avrule_t * avrule)
 {
 avtab_key_t avkey;
 avtab_ptr_t node;
 class_perm_node_t *curperm;
- for (curperm = perm; curperm != NULL; curperm = curperm->next) {
+ for (curperm = avrule->perms; curperm != NULL; curperm = curperm->next) {
 avkey.source_type = stype + 1;
 avkey.target_type = ttype + 1;
 avkey.target_class = curperm->class;
@@ -59,9 +59,17 @@ static int check_assertion_helper(sepol_handle_t * handle,
 return 0;
 err:
- if (line) {
+ if (avrule->source_filename) {
+ ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };",
+ avrule->source_line, avrule->source_filename, avrule->line,
+ p->p_type_val_to_name[stype],
+ p->p_type_val_to_name[ttype],
+ p->p_class_val_to_name[curperm->class - 1],
+ sepol_av_to_string(p, curperm->class,
+ node->datum.data & curperm->data));
+ } else if (avrule->line) {
 ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
- line, p->p_type_val_to_name[stype],
+ avrule->line, p->p_type_val_to_name[stype],
 p->p_type_val_to_name[ttype],
 p->p_class_val_to_name[curperm->class - 1],
 sepol_av_to_string(p, curperm->class,
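Review bot: The new `source_filename` field in `struct avrule` carries no ownership or nullability note, yet the rest of the commit relies on both: assertion.c's `else if (avrule->line)` branch treats a NULL `source_filename` as a legitimate state, and policydb.c's `avrule_destroy()` frees it, so it must always be either NULL or a heap copy owned by this rule. I would replace the added comment with `/* Source file name and line number the rule came from (e.g. a .te file). source_filename is a heap copy owned by this avrule and released by avrule_destroy(), or NULL when no source information is available. */`. Presumably every path that allocates or initialises an avrule_t zeroes the struct (avrule_init or a calloc); if any site does not, the new pointer is indeterminate when avrule_destroy() frees it, which is worth confirming since no initialisation change is in this commit.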
@@ -121,7 +129,7 @@ int check_assertions(sepol_handle_t * handle, policydb_t * p,
 if (a->flags & RULE_SELF) {
 if (check_assertion_helper
 (handle, p, &te_avtab, &te_cond_avtab, i, i,
- a->perms, a->line)) {
+ a)) {
 rc = -1;
 goto out;
 }
@@ -131,7 +139,7 @@ int check_assertions(sepol_handle_t * handle, policydb_t * p,
 continue;
 if (check_assertion_helper
 (handle, p, &te_avtab, &te_cond_avtab, i, j,
- a->perms, a->line)) {
+ a)) {
 rc = -1;
 goto out;
 }
diff --git a/src/expand.c b/src/expand.c
index 7f3c3f5..947bee0 100644
--- a/src/expand.c
+++ b/src/expand.c
@@ -2650,6 +2650,10 @@ static int copy_neverallow(policydb_t * dest_pol, uint32_t * typemap,
 avrule->specified = AVRULE_NEVERALLOW;
 avrule->line = source_rule->line;
 avrule->flags = source_rule->flags;
+ avrule->source_line = source_rule->source_line;
+ avrule->source_filename = strdup(source_rule->source_filename);
+ if (!avrule->source_filename)
+ goto err;
 if (ebitmap_cpy(&avrule->stypes.types, &stypes))
 goto err;
@@ -1325,6 +1325,10 @@ static int copy_avrule_list(avrule_t * list, avrule_t ** dst,
 cur_perm = cur_perm->next;
 }
 new_rule->line = cur->line;
+ new_rule->source_line = cur->source_line;
+ new_rule->source_filename = strdup(cur->source_filename);
+ if (!new_rule->source_filename)
+ goto cleanup;
 cur = cur->next;
diff --git a/src/policydb.c b/src/policydb.c
index 8c7efbc..19fbfea 100644
--- a/src/policydb.c
+++ b/src/policydb.c
@@ -535,6 +535,8 @@ void avrule_destroy(avrule_t * x)
 type_set_destroy(&x->stypes);
 type_set_destroy(&x->ttypes);
+ free(x->source_filename);
+
 next = x->perms;
 while (next) {
 cur = next; |
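Review bot: `strdup(source_rule->source_filename)` in copy_neverallow() is called without checking for NULL, but assertion.c in this same commit explicitly handles a NULL `source_filename` (its `else if (avrule->line)` branch), so rules without source information are expected to exist and would crash here; the same unguarded copy appears in the copy_avrule_list() hunk headed `@@ -1325,6 +1325,10 @@`, whose `diff --git` header for src/link.c seems to have been dropped in this rendering. The `if (!avrule->source_filename) goto err;` check also conflates "no source name" with an allocation failure, so a NULL source would be reported as an error. I would write `avrule->source_filename = source_rule->source_filename ? strdup(source_rule->source_filename) : NULL;` / `if (source_rule->source_filename && !avrule->source_filename)` / `goto err;`, and the equivalent in copy_avrule_list() with `goto cleanup`. Both enclosing functions start and end outside their hunks.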