From 40ba49cbc6302d6a5d9e0ec74e56231462149593 Mon Sep 17 00:00:00 2001 From: openharmony_ci <120357966@qq.com> Date: Tue, 19 Dec 2023 02:45:05 +0000 Subject: [PATCH] =?UTF-8?q?=E5=9B=9E=E9=80=80=20'Pull=20Request=20!92=20:?= =?UTF-8?q?=20selinux=E7=89=88=E6=9C=AC=E5=8D=87=E7=BA=A7=E8=87=B33.5'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- BUILD.gn | 12 +- OAT.xml | 4 +- checkpolicy/{LICENSE => COPYING} | 0 checkpolicy/VERSION | 2 +- checkpolicy/checkpolicy.c | 10 +- checkpolicy/module_compiler.c | 8 - checkpolicy/policy_define.c | 22 +- checkpolicy/test/dispol.c | 5 +- libselinux/VERSION | 2 +- libselinux/include/selinux/avc.h | 2 +- libselinux/include/selinux/context.h | 22 +- libselinux/include/selinux/selinux.h | 7 +- libselinux/man/man3/context_str.3 | 1 - libselinux/man/man3/getcon.3 | 14 - libselinux/man/man3/getpidprevcon.3 | 1 - libselinux/man/man3/getpidprevcon_raw.3 | 1 - .../man/man3/security_get_checkreqprot.3 | 1 - libselinux/man/man3/security_load_policy.3 | 2 +- .../man/man3/security_set_boolean_list.3 | 1 - .../man/man3/selinux_sepgsql_context_path.3 | 1 - libselinux/man/man3/setexecfilecon.3 | 1 - libselinux/src/.gitignore | 1 - libselinux/src/Makefile | 14 +- libselinux/src/audit2why.c | 66 +- libselinux/src/avc.c | 1 + libselinux/src/avc_internal.c | 2 + libselinux/src/avc_internal.h | 3 + libselinux/src/booleans.c | 14 +- libselinux/src/canonicalize_context.c | 6 +- libselinux/src/compute_av.c | 8 +- libselinux/src/compute_create.c | 7 - libselinux/src/compute_member.c | 8 +- libselinux/src/compute_relabel.c | 8 +- libselinux/src/compute_user.c | 8 +- libselinux/src/context.c | 17 +- libselinux/src/exception.sh | 0 libselinux/src/fgetfilecon.c | 5 +- libselinux/src/file_path_suffixes.h | 6 +- libselinux/src/fsetfilecon.c | 5 +- libselinux/src/get_context_list.c | 11 +- libselinux/src/get_default_type.c | 3 +- libselinux/src/get_initial_context.c | 13 +- libselinux/src/label_db.c | 10 +- libselinux/src/libselinux.map | 6 - libselinux/src/load_policy.c | 2 +- libselinux/src/matchpathcon.c | 9 +- libselinux/src/procattr.c | 163 ++- libselinux/src/query_user_context.c | 2 +- libselinux/src/regex.c | 37 +- libselinux/src/selinux_internal.c | 18 - libselinux/src/selinux_internal.h | 9 - libselinux/src/selinux_restorecon.c | 83 +- libselinux/src/sestatus.c | 1 + libselinux/src/setrans_client.c | 8 +- libselinux/src/setup.py | 4 +- libselinux/src/sha1.c | 2 +- libselinux/src/stringrep.c | 18 +- libselinux/utils/.gitignore | 1 - libselinux/utils/Makefile | 2 +- libselinux/utils/compute_create.c | 9 +- libselinux/utils/getpidprevcon.c | 33 - libselinux/utils/selabel_lookup_best_match.c | 10 +- libsepol/{LICENSE => COPYING} | 0 libsepol/VERSION | 2 +- libsepol/cil/src/cil_build_ast.c | 1 + libsepol/cil/src/cil_post.c | 34 +- libsepol/cil/src/cil_resolve_ast.c | 2 +- libsepol/include/sepol/errcodes.h | 13 +- libsepol/include/sepol/policydb/avtab.h | 2 +- libsepol/include/sepol/policydb/constraint.h | 3 + libsepol/include/sepol/policydb/ebitmap.h | 1 - libsepol/include/sepol/policydb/policydb.h | 10 +- libsepol/include/sepol/policydb/util.h | 2 - libsepol/src/avtab.c | 2 +- libsepol/src/ebitmap.c | 190 +-- libsepol/src/kernel_to_cil.c | 4 +- libsepol/src/kernel_to_conf.c | 21 +- libsepol/src/link.c | 140 ++- libsepol/src/mls.h | 1 - libsepol/src/module_to_cil.c | 4 +- libsepol/src/policydb.c | 5 +- libsepol/src/policydb_validate.c | 391 ++---- libsepol/src/policydb_validate.h | 2 +- libsepol/src/services.c | 5 +- libsepol/src/util.c | 2 +- libsepol/src/write.c | 16 +- libsepol/tests/Makefile | 19 +- libsepol/tests/libsepol-tests.c | 4 - .../tests/policies/test-deps/base-metreq.conf | 2 +- .../policies/test-deps/base-notmetreq.conf | 2 +- .../tests/policies/test-deps/small-base.conf | 2 +- .../policies/test-expander/alias-base.conf | 2 +- .../policies/test-expander/role-base.conf | 2 +- .../policies/test-expander/small-base.conf | 2 +- .../policies/test-expander/user-base.conf | 2 +- .../tests/policies/test-hooks/cmp_policy.conf | 2 +- .../tests/policies/test-hooks/small-base.conf | 2 +- .../policies/test-linker/small-base.conf | 2 +- .../policies/test-neverallow/policy.conf | 298 ----- libsepol/tests/test-ebitmap.c | 1080 ----------------- libsepol/tests/test-ebitmap.h | 10 - libsepol/tests/test-linker-roles.c | 2 +- libsepol/tests/test-neverallow.c | 172 --- libsepol/tests/test-neverallow.h | 10 - libsepol/utils/sepol_check_access.c | 2 +- secilc/{LICENSE => COPYING} | 0 secilc/VERSION | 2 +- secilc/docs/Makefile | 18 +- .../cil_class_and_permission_statements.md | 2 +- secilc/docs/secil.xml | 344 +++--- 110 files changed, 765 insertions(+), 2823 deletions(-) rename checkpolicy/{LICENSE => COPYING} (100%) delete mode 100644 libselinux/man/man3/context_str.3 delete mode 100644 libselinux/man/man3/getpidprevcon.3 delete mode 100644 libselinux/man/man3/getpidprevcon_raw.3 delete mode 100644 libselinux/man/man3/security_get_checkreqprot.3 delete mode 100644 libselinux/man/man3/security_set_boolean_list.3 delete mode 100644 libselinux/man/man3/selinux_sepgsql_context_path.3 delete mode 100644 libselinux/man/man3/setexecfilecon.3 mode change 100755 => 100644 libselinux/src/exception.sh delete mode 100644 libselinux/src/selinux_internal.c delete mode 100644 libselinux/utils/getpidprevcon.c rename libsepol/{LICENSE => COPYING} (100%) delete mode 100644 libsepol/tests/policies/test-neverallow/policy.conf delete mode 100644 libsepol/tests/test-ebitmap.c delete mode 100644 libsepol/tests/test-ebitmap.h delete mode 100644 libsepol/tests/test-neverallow.c delete mode 100644 libsepol/tests/test-neverallow.h rename secilc/{LICENSE => COPYING} (100%) diff --git a/BUILD.gn b/BUILD.gn index a511d8d3..9272a7e8 100644 --- a/BUILD.gn +++ b/BUILD.gn @@ -137,7 +137,7 @@ ohos_shared_library("libsepol") { "ramdisk", "updater", ] - license_file = "$LIBSEPOL_ROOT_DIR/LICENSE" + license_file = "$LIBSEPOL_ROOT_DIR/COPYING" part_name = "selinux" subsystem_name = "thirdparty" } @@ -151,7 +151,7 @@ ohos_executable("chkcon") { "-D_GNU_SOURCE", "-w", ] - license_file = "$LIBSEPOL_ROOT_DIR/LICENSE" + license_file = "$LIBSEPOL_ROOT_DIR/COPYING" part_name = "selinux" subsystem_name = "thirdparty" } @@ -211,12 +211,6 @@ ohos_shared_library("libselinux") { "$LIBSELINUX_ROOT_DIR/src/sha1.c", "$LIBSELINUX_ROOT_DIR/src/stringrep.c", ] - - if (current_toolchain == host_toolchain) { - # host build - sources += [ "$LIBSELINUX_ROOT_DIR/src/selinux_internal.c" ] - } - include_dirs = [ "$LIBSELINUX_ROOT_DIR/include", "$LIBPCRE2_ROOT_DIR/pcre2/src", @@ -455,7 +449,7 @@ ohos_executable("secilc") { "-Werror", "-Wshadow", ] - license_file = "$LIBSEPOL_ROOT_DIR/LICENSE" + license_file = "$LIBSEPOL_ROOT_DIR/COPYING" part_name = "selinux" subsystem_name = "thirdparty" } diff --git a/OAT.xml b/OAT.xml index f8a174c1..a2f0c6ec 100644 --- a/OAT.xml +++ b/OAT.xml @@ -26,7 +26,7 @@ - + @@ -36,7 +36,7 @@ - + diff --git a/checkpolicy/LICENSE b/checkpolicy/COPYING similarity index 100% rename from checkpolicy/LICENSE rename to checkpolicy/COPYING diff --git a/checkpolicy/VERSION b/checkpolicy/VERSION index 5a958026..2f4b6075 100644 --- a/checkpolicy/VERSION +++ b/checkpolicy/VERSION @@ -1 +1 @@ -3.5 +3.4 diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c index 48c31261..926ce72c 100644 --- a/checkpolicy/checkpolicy.c +++ b/checkpolicy/checkpolicy.c @@ -1148,11 +1148,12 @@ int main(int argc, char **argv) FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; - name = strdup(ans); + name = malloc((strlen(ans) + 1) * sizeof(char)); if (name == NULL) { - fprintf(stderr, "couldn't strdup string.\n"); + fprintf(stderr, "couldn't malloc string.\n"); break; } + strcpy(name, ans); printf("state? "); FGETS(ans, sizeof(ans), stdin); @@ -1295,11 +1296,12 @@ int main(int argc, char **argv) FGETS(ans, sizeof(ans), stdin); ans[strlen(ans) - 1] = 0; - name = strdup(ans); + name = malloc((strlen(ans) + 1) * sizeof(char)); if (!name) { - fprintf(stderr, "couldn't strdup string.\n"); + fprintf(stderr, "couldn't malloc string.\n"); break; } + strcpy(name, ans); printf("port? "); FGETS(ans, sizeof(ans), stdin); diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c index 3188af89..129650fa 100644 --- a/checkpolicy/module_compiler.c +++ b/checkpolicy/module_compiler.c @@ -851,14 +851,6 @@ int require_class(int pass) free(perm_id); return -1; } - if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) { - yyerror2("Class %s would have too many permissions " - "to fit in an access vector with permission %s", - policydbp->p_class_val_to_name[datum->s.value - 1], - perm_id); - free(perm_id); - return -1; - } allocated = 1; if ((perm = malloc(sizeof(*perm))) == NULL) { yyerror("Out of memory!"); diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index c2ae7fe5..8bf36859 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -117,11 +117,12 @@ int insert_id(const char *id, int push) char *newid = 0; int error; - newid = strdup(id); + newid = (char *)malloc(strlen(id) + 1); if (!newid) { yyerror("out of memory"); return -1; } + strcpy(newid, id); if (push) error = queue_push(id_queue, (queue_element_t) newid); else @@ -1416,7 +1417,7 @@ static int define_typebounds_helper(char *bounds_id, char *type_id) if (!type->bounds) type->bounds = bounds->s.value; else if (type->bounds != bounds->s.value) { - yyerror2("type %s has inconsistent bounds %s/%s", + yyerror2("type %s has inconsistent master {%s,%s}", type_id, policydbp->p_type_val_to_name[type->bounds - 1], policydbp->p_type_val_to_name[bounds->s.value - 1]); @@ -2208,7 +2209,7 @@ static int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist, xperms = calloc(1, sizeof(av_extended_perms_t)); if (!xperms) { yyerror("out of memory"); - return -1; + return - 1; } r = rangelist; @@ -2245,7 +2246,7 @@ static int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist, xperms = calloc(1, sizeof(av_extended_perms_t)); if (!xperms) { yyerror("out of memory"); - return -1; + return - 1; } r = rangelist; @@ -2289,7 +2290,7 @@ static int avrule_ioctl_func(struct av_ioctl_range_list *rangelist, xperms = calloc(1, sizeof(av_extended_perms_t)); if (!xperms) { yyerror("out of memory"); - return -1; + return - 1; } r = rangelist; @@ -2352,11 +2353,11 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src) dest->flags = src->flags; if (type_set_cpy(&dest->stypes, &src->stypes)) { yyerror("out of memory"); - return -1; + return - 1; } if (type_set_cpy(&dest->ttypes, &src->ttypes)) { yyerror("out of memory"); - return -1; + return - 1; } dest->line = src->line; dest->source_filename = strdup(source_file); @@ -2370,12 +2371,11 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src) src_perms = src->perms; while (src_perms) { dest_perms = (class_perm_node_t *) calloc(1, sizeof(class_perm_node_t)); + class_perm_node_init(dest_perms); if (!dest_perms) { yyerror("out of memory"); return -1; } - class_perm_node_init(dest_perms); - if (!dest->perms) dest->perms = dest_perms; else @@ -4904,7 +4904,7 @@ bad: return -1; } -int define_devicetree_context(void) +int define_devicetree_context() { ocontext_t *newc, *c, *l, *head; @@ -5295,7 +5295,7 @@ int define_netif_context(void) return 0; } -int define_ipv4_node_context(void) +int define_ipv4_node_context() { char *id; int rc = 0; diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c index 36a3362c..8ddefb04 100644 --- a/checkpolicy/test/dispol.c +++ b/checkpolicy/test/dispol.c @@ -486,11 +486,12 @@ int main(int argc, char **argv) } ans[strlen(ans) - 1] = 0; - name = strdup(ans); + name = malloc((strlen(ans) + 1) * sizeof(char)); if (name == NULL) { - fprintf(stderr, "couldn't strdup string.\n"); + fprintf(stderr, "couldn't malloc string.\n"); break; } + strcpy(name, ans); printf("state? "); if (fgets(ans, sizeof(ans), stdin) == NULL) { diff --git a/libselinux/VERSION b/libselinux/VERSION index 5a958026..2f4b6075 100644 --- a/libselinux/VERSION +++ b/libselinux/VERSION @@ -1 +1 @@ -3.5 +3.4 diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h index 4bbd2382..9b23357a 100644 --- a/libselinux/include/selinux/avc.h +++ b/libselinux/include/selinux/avc.h @@ -24,7 +24,7 @@ struct security_id { }; typedef struct security_id *security_id_t; -#define SECSID_WILD ((security_id_t)NULL) /* unspecified SID */ +#define SECSID_WILD (security_id_t)NULL /* unspecified SID */ /** * avc_sid_to_context - get copy of context corresponding to SID. diff --git a/libselinux/include/selinux/context.h b/libselinux/include/selinux/context.h index 59d9bb69..949fb1e1 100644 --- a/libselinux/include/selinux/context.h +++ b/libselinux/include/selinux/context.h @@ -17,7 +17,7 @@ extern "C" { /* Return a new context initialized to a context string */ - extern context_t context_new(const char *str); + extern context_t context_new(const char *); /* * Return a pointer to the string value of the context_t @@ -25,24 +25,24 @@ extern "C" { * for the same context_t* */ - extern const char *context_str(context_t con); + extern char *context_str(context_t); /* Free the storage used by a context */ - extern void context_free(context_t con); + extern void context_free(context_t); /* Get a pointer to the string value of a context component */ - extern const char *context_type_get(context_t con); - extern const char *context_range_get(context_t con); - extern const char *context_role_get(context_t con); - extern const char *context_user_get(context_t con); + extern const char *context_type_get(context_t); + extern const char *context_range_get(context_t); + extern const char *context_role_get(context_t); + extern const char *context_user_get(context_t); /* Set a context component. Returns nonzero if unsuccessful */ - extern int context_type_set(context_t con, const char *type); - extern int context_range_set(context_t con, const char *range); - extern int context_role_set(context_t con, const char *role); - extern int context_user_set(context_t con, const char *user); + extern int context_type_set(context_t, const char *); + extern int context_range_set(context_t, const char *); + extern int context_role_set(context_t, const char *); + extern int context_user_set(context_t, const char *); #ifdef __cplusplus } diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h index a0948853..ae98a92e 100644 --- a/libselinux/include/selinux/selinux.h +++ b/libselinux/include/selinux/selinux.h @@ -54,11 +54,6 @@ extern int getpidcon_raw(pid_t pid, char ** con); extern int getprevcon(char ** con); extern int getprevcon_raw(char ** con); -/* Get previous context (prior to last exec) of process identified by pid, and - set *con to refer to it. Caller must free via freecon. */ -extern int getpidprevcon(pid_t pid, char ** con); -extern int getpidprevcon_raw(pid_t pid, char ** con); - /* Get exec context, and set *con to refer to it. Sets *con to NULL if no exec context has been set, i.e. using default. If non-NULL, caller must free via freecon. */ @@ -284,7 +279,7 @@ extern int security_validatetrans_raw(const char *scon, const char *newcon); /* Load a policy configuration. */ -extern int security_load_policy(const void *data, size_t len); +extern int security_load_policy(void *data, size_t len); /* Get the context of an initial kernel security identifier by name. Caller must free via freecon */ diff --git a/libselinux/man/man3/context_str.3 b/libselinux/man/man3/context_str.3 deleted file mode 100644 index f4f03a6d..00000000 --- a/libselinux/man/man3/context_str.3 +++ /dev/null @@ -1 +0,0 @@ -.so man3/context_new.3 diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3 index be60341b..e7e394f3 100644 --- a/libselinux/man/man3/getcon.3 +++ b/libselinux/man/man3/getcon.3 @@ -23,10 +23,6 @@ setcon \- set current security context of a process .sp .BI "int getpidcon_raw(pid_t " pid ", char **" context ); .sp -.BI "int getpidprevcon(pid_t " pid ", char **" context ); -.sp -.BI "int getpidprevcon_raw(pid_t " pid ", char **" context ); -.sp .BI "int getpeercon(int " fd ", char **" context ); .sp .BI "int getpeercon_raw(int " fd ", char **" context ); @@ -54,11 +50,6 @@ same as getcon but gets the context before the last exec. returns the process context for the specified PID, which must be free'd with .BR freecon (). -.TP -.BR getpidprevcon () -returns the process context before the last exec for the specified PID, which must be free'd with -.BR freecon (). - .TP .BR getpeercon () retrieves the context of the peer socket, which must be free'd with @@ -134,7 +125,6 @@ will fail if it is not allowed by policy. .BR getcon_raw (), .BR getprevcon_raw (), .BR getpidcon_raw (), -.BR getpidprevcon_raw (), .BR getpeercon_raw () and .BR setcon_raw () @@ -149,9 +139,5 @@ The retrieval functions might return success and set .I *context to NULL if and only if SELinux is not enabled. -Querying a foreign process via its PID, e.g. \fBgetpidcon\fR() or -\fBgetpidprevcon\fR(), is inherently racy and therefore should never be relied -upon for security purposes. - .SH "SEE ALSO" .BR selinux "(8), " setexeccon "(3)" diff --git a/libselinux/man/man3/getpidprevcon.3 b/libselinux/man/man3/getpidprevcon.3 deleted file mode 100644 index 1210b5a0..00000000 --- a/libselinux/man/man3/getpidprevcon.3 +++ /dev/null @@ -1 +0,0 @@ -.so man3/getcon.3 diff --git a/libselinux/man/man3/getpidprevcon_raw.3 b/libselinux/man/man3/getpidprevcon_raw.3 deleted file mode 100644 index 1210b5a0..00000000 --- a/libselinux/man/man3/getpidprevcon_raw.3 +++ /dev/null @@ -1 +0,0 @@ -.so man3/getcon.3 diff --git a/libselinux/man/man3/security_get_checkreqprot.3 b/libselinux/man/man3/security_get_checkreqprot.3 deleted file mode 100644 index d59e5c2c..00000000 --- a/libselinux/man/man3/security_get_checkreqprot.3 +++ /dev/null @@ -1 +0,0 @@ -.so man3/security_getenforce.3 diff --git a/libselinux/man/man3/security_load_policy.3 b/libselinux/man/man3/security_load_policy.3 index b2da0256..af561636 100644 --- a/libselinux/man/man3/security_load_policy.3 +++ b/libselinux/man/man3/security_load_policy.3 @@ -5,7 +5,7 @@ security_load_policy \- load a new SELinux policy .SH "SYNOPSIS" .B #include .sp -.BI "int security_load_policy(const void *" data ", size_t "len ); +.BI "int security_load_policy(void *" data ", size_t "len ); .sp .BI "int selinux_mkload_policy(int " preservebools ");" .sp diff --git a/libselinux/man/man3/security_set_boolean_list.3 b/libselinux/man/man3/security_set_boolean_list.3 deleted file mode 100644 index 29731efa..00000000 --- a/libselinux/man/man3/security_set_boolean_list.3 +++ /dev/null @@ -1 +0,0 @@ -.so man3/security_load_booleans.3 diff --git a/libselinux/man/man3/selinux_sepgsql_context_path.3 b/libselinux/man/man3/selinux_sepgsql_context_path.3 deleted file mode 100644 index 175a611a..00000000 --- a/libselinux/man/man3/selinux_sepgsql_context_path.3 +++ /dev/null @@ -1 +0,0 @@ -.so man3/selinux_binary_policy_path.3 diff --git a/libselinux/man/man3/setexecfilecon.3 b/libselinux/man/man3/setexecfilecon.3 deleted file mode 100644 index b2e6ab81..00000000 --- a/libselinux/man/man3/setexecfilecon.3 +++ /dev/null @@ -1 +0,0 @@ -.so man3/getexeccon.3 diff --git a/libselinux/src/.gitignore b/libselinux/src/.gitignore index 94400e81..001f20b0 100644 --- a/libselinux/src/.gitignore +++ b/libselinux/src/.gitignore @@ -1,4 +1,3 @@ selinux.py selinuxswig_python_wrap.c selinuxswig_ruby_wrap.c -selinux.egg-info/ diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 36d57122..04bf4f24 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -14,7 +14,7 @@ SHLIBDIR ?= /lib INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '$(PREFIX)', 'base': '$(PREFIX)'}))") +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))") PYCEXT ?= $(shell $(PYTHON) -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES[0])') RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]') @@ -86,7 +86,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi -Wno-missing-field-initializers -Wno-sign-compare \ -Wno-format-nonliteral -Wframe-larger-than=$(MAX_STACK_SIZE) \ -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \ - -fasynchronous-unwind-tables -fdiagnostics-show-option \ + -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ -Werror -Wno-aggregate-return -Wno-redundant-decls \ $(EXTRA_CFLAGS) @@ -103,12 +103,6 @@ FTS_LDLIBS ?= override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS) -# check for strlcpy(3) availability -H := \# -ifeq (yes,$(shell printf '${H}include \nint main(void){char*d,*s;strlcpy(d, s, 0);return 0;}' | $(CC) -x c -o /dev/null - >/dev/null 2>&1 && echo yes)) -override CFLAGS += -DHAVE_STRLCPY -endif - SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \ -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations \ -Wno-deprecated-declarations @@ -187,7 +181,7 @@ install: all ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET) install-pywrap: pywrap - $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) . + $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` $(PYTHON_SETUP_ARGS) install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT) @@ -201,7 +195,7 @@ relabel: clean-pywrap: -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO) $(PYTHON) setup.py clean - -rm -rf build *~ \#* *pyc .#* selinux.egg-info/ + -rm -rf build *~ \#* *pyc .#* clean-rubywrap: -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO) diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c index ba1a66eb..ca38e13c 100644 --- a/libselinux/src/audit2why.c +++ b/libselinux/src/audit2why.c @@ -191,17 +191,26 @@ static PyObject *finish(PyObject *self __attribute__((unused)), PyObject *args) static int __policy_init(const char *init_path) { - FILE *fp = NULL; - const char *curpolicy; + FILE *fp; + char path[PATH_MAX]; char errormsg[PATH_MAX+1024+20]; struct sepol_policy_file *pf = NULL; int rc; unsigned int cnt; + path[PATH_MAX-1] = '\0'; if (init_path) { - curpolicy = init_path; + strncpy(path, init_path, PATH_MAX-1); + fp = fopen(path, "re"); + if (!fp) { + snprintf(errormsg, sizeof(errormsg), + "unable to open %s: %m\n", + path); + PyErr_SetString( PyExc_ValueError, errormsg); + return 1; + } } else { - curpolicy = selinux_current_policy_path(); + const char *curpolicy = selinux_current_policy_path(); if (!curpolicy) { /* SELinux disabled, must use -p option. */ snprintf(errormsg, sizeof(errormsg), @@ -209,15 +218,14 @@ static int __policy_init(const char *init_path) PyErr_SetString( PyExc_ValueError, errormsg); return 1; } - } - - fp = fopen(curpolicy, "re"); - if (!fp) { - snprintf(errormsg, sizeof(errormsg), - "unable to open %s: %m\n", - curpolicy); - PyErr_SetString( PyExc_ValueError, errormsg); - return 1; + fp = fopen(curpolicy, "re"); + if (!fp) { + snprintf(errormsg, sizeof(errormsg), + "unable to open %s: %m\n", + curpolicy); + PyErr_SetString( PyExc_ValueError, errormsg); + return 1; + } } avc = calloc(sizeof(struct avc_t), 1); @@ -235,17 +243,18 @@ static int __policy_init(const char *init_path) snprintf(errormsg, sizeof(errormsg), "policydb_init failed: %m\n"); PyErr_SetString( PyExc_RuntimeError, errormsg); - goto err; + fclose(fp); + return 1; } sepol_policy_file_set_fp(pf, fp); if (sepol_policydb_read(avc->policydb, pf)) { snprintf(errormsg, sizeof(errormsg), - "invalid binary policy %s\n", curpolicy); + "invalid binary policy %s\n", path); PyErr_SetString( PyExc_ValueError, errormsg); - goto err; + fclose(fp); + return 1; } fclose(fp); - fp = NULL; sepol_set_policydb(&avc->policydb->p); avc->handle = sepol_handle_create(); /* Turn off messages */ @@ -255,13 +264,13 @@ static int __policy_init(const char *init_path) avc->policydb, &cnt); if (rc < 0) { PyErr_SetString( PyExc_RuntimeError, "unable to get bool count\n"); - goto err; + return 1; } boollist = calloc(cnt, sizeof(*boollist)); if (!boollist) { PyErr_SetString( PyExc_MemoryError, "Out of memory\n"); - goto err; + return 1; } sepol_bool_iterate(avc->handle, avc->policydb, @@ -272,26 +281,11 @@ static int __policy_init(const char *init_path) rc = sepol_sidtab_init(&sidtab); if (rc < 0) { PyErr_SetString( PyExc_RuntimeError, "unable to init sidtab\n"); - goto err; + free(boollist); + return 1; } sepol_set_sidtab(&sidtab); return 0; - -err: - if (boollist) - free(boollist); - if (avc){ - if (avc->handle) - sepol_handle_destroy(avc->handle); - if (avc->policydb) - sepol_policydb_free(avc->policydb); - free(avc); - } - if (pf) - sepol_policy_file_free(pf); - if (fp) - fclose(fp); - return 1; } static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) { diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c index 8d5983a2..7493e4b2 100644 --- a/libselinux/src/avc.c +++ b/libselinux/src/avc.c @@ -725,6 +725,7 @@ void avc_audit(security_id_t ssid, security_id_t tsid, if (denied) log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1); + log_append(avc_audit_buf, "\n"); avc_log(SELINUX_AVC, "%s", avc_audit_buf); avc_release_lock(avc_log_lock); diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c index ffc663e5..71a1357b 100644 --- a/libselinux/src/avc_internal.c +++ b/libselinux/src/avc_internal.c @@ -51,6 +51,7 @@ char avc_prefix[AVC_PREFIX_SIZE] = "uavc"; int avc_running = 0; int avc_enforcing = 1; int avc_setenforce = 0; +int avc_netlink_trouble = 0; /* process setenforce events for netlink and sestatus */ int avc_process_setenforce(int enforcing) @@ -294,6 +295,7 @@ void avc_netlink_loop(void) close(fd); fd = -1; + avc_netlink_trouble = 1; avc_log(SELINUX_ERROR, "%s: netlink thread: errors encountered, terminating\n", avc_prefix); diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h index 54f0ce28..a9a4aa0b 100644 --- a/libselinux/src/avc_internal.h +++ b/libselinux/src/avc_internal.h @@ -180,4 +180,7 @@ int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t perms, uint32_t seqno, uint32_t enable) ; +/* netlink kernel message code */ +extern int avc_netlink_trouble ; + #endif /* _SELINUX_AVC_INTERNAL_H_ */ diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c index e34b39ff..ef1f64a0 100644 --- a/libselinux/src/booleans.c +++ b/libselinux/src/booleans.c @@ -7,6 +7,7 @@ #ifndef DISABLE_BOOL +#include #include #include #include @@ -131,8 +132,7 @@ char *selinux_boolean_sub(const char *name) ptr++; *ptr = '\0'; - if (!strchr(dst, '/')) - sub = strdup(dst); + sub = strdup(dst); break; } @@ -147,12 +147,12 @@ out: static int bool_open(const char *name, int flag) { char *fname = NULL; char *alt_name = NULL; - size_t len; + int len; int fd = -1; int ret; char *ptr; - if (!name || strchr(name, '/')) { + if (!name) { errno = EINVAL; return -1; } @@ -164,8 +164,9 @@ static int bool_open(const char *name, int flag) { return -1; ret = snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, name); - if (ret < 0 || (size_t)ret >= len) + if (ret < 0) goto out; + assert(ret < len); fd = open(fname, flag); if (fd >= 0 || errno != ENOENT) @@ -183,8 +184,9 @@ static int bool_open(const char *name, int flag) { fname = ptr; ret = snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, alt_name); - if (ret < 0 || (size_t)ret >= len) + if (ret < 0) goto out; + assert(ret < len); fd = open(fname, flag); out: diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c index 6af8491d..faab7305 100644 --- a/libselinux/src/canonicalize_context.c +++ b/libselinux/src/canonicalize_context.c @@ -33,11 +33,7 @@ int security_canonicalize_context_raw(const char * con, ret = -1; goto out; } - if (strlcpy(buf, con, size) >= size) { - errno = EOVERFLOW; - ret = -1; - goto out2; - } + strncpy(buf, con, size); ret = write(fd, buf, strlen(buf) + 1); if (ret < 0) diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c index 354a19e1..9d17339d 100644 --- a/libselinux/src/compute_av.c +++ b/libselinux/src/compute_av.c @@ -40,14 +40,8 @@ int security_compute_av_flags_raw(const char * scon, } kclass = unmap_class(tclass); - - ret = snprintf(buf, len, "%s %s %hu %x", scon, tcon, + snprintf(buf, len, "%s %s %hu %x", scon, tcon, kclass, unmap_perm(tclass, requested)); - if (ret < 0 || (size_t)ret >= len) { - errno = EOVERFLOW; - ret = -1; - goto out2; - } ret = write(fd, buf, strlen(buf)); if (ret < 0) diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c index e9f3c96a..1d75714d 100644 --- a/libselinux/src/compute_create.c +++ b/libselinux/src/compute_create.c @@ -75,15 +75,8 @@ int security_compute_create_name_raw(const char * scon, ret = -1; goto out; } - len = snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); - if (len < 0 || (size_t)len >= size) { - errno = EOVERFLOW; - ret = -1; - goto out2; - } - if (objname && object_name_encode(objname, buf + len, size - len) < 0) { errno = ENAMETOOLONG; diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c index 53d2f559..16234b79 100644 --- a/libselinux/src/compute_member.c +++ b/libselinux/src/compute_member.c @@ -36,13 +36,7 @@ int security_compute_member_raw(const char * scon, ret = -1; goto out; } - - ret = snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); - if (ret < 0 || (size_t)ret >= size) { - errno = EOVERFLOW; - ret = -1; - goto out2; - } + snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); ret = write(fd, buf, strlen(buf)); if (ret < 0) diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c index 9c0a2304..dd20d652 100644 --- a/libselinux/src/compute_relabel.c +++ b/libselinux/src/compute_relabel.c @@ -36,13 +36,7 @@ int security_compute_relabel_raw(const char * scon, ret = -1; goto out; } - - ret = snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); - if (ret < 0 || (size_t)ret >= size) { - errno = EOVERFLOW; - ret = -1; - goto out2; - } + snprintf(buf, size, "%s %s %hu", scon, tcon, unmap_class(tclass)); ret = write(fd, buf, strlen(buf)); if (ret < 0) diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c index f55f945a..ae5e7b4a 100644 --- a/libselinux/src/compute_user.c +++ b/libselinux/src/compute_user.c @@ -38,13 +38,7 @@ int security_compute_user_raw(const char * scon, ret = -1; goto out; } - - ret = snprintf(buf, size, "%s %s", scon, user); - if (ret < 0 || (size_t)ret >= size) { - errno = EOVERFLOW; - ret = -1; - goto out2; - } + snprintf(buf, size, "%s %s", scon, user); ret = write(fd, buf, strlen(buf)); if (ret < 0) diff --git a/libselinux/src/context.c b/libselinux/src/context.c index 33c48ef3..b2144c7c 100644 --- a/libselinux/src/context.c +++ b/libselinux/src/context.c @@ -68,9 +68,11 @@ context_t context_new(const char *str) for (p = tok; *p; p++) { /* empty */ } } - n->component[i] = strndup(tok, p - tok); + n->component[i] = (char *)malloc(p - tok + 1); if (n->component[i] == 0) goto err; + strncpy(n->component[i], tok, p - tok); + n->component[i][p - tok] = '\0'; tok = *p ? p + 1 : p; } return result; @@ -114,7 +116,7 @@ void context_free(context_t context) /* * Return a pointer to the string value of the context. */ -const char *context_str(context_t context) +char *context_str(context_t context) { context_private_t *n = context->ptr; int i; @@ -147,18 +149,19 @@ static int set_comp(context_private_t * n, int idx, const char *str) char *t = NULL; const char *p; if (str) { + t = (char *)malloc(strlen(str) + 1); + if (!t) { + return -1; + } for (p = str; *p; p++) { if (*p == '\t' || *p == '\n' || *p == '\r' || ((*p == ':' || *p == ' ') && idx != COMP_RANGE)) { + free(t); errno = EINVAL; return -1; } } - - t = strdup(str); - if (!t) { - return -1; - } + strcpy(t, str); } conditional_free(&n->component[idx]); n->component[idx] = t; diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh old mode 100755 new mode 100644 diff --git a/libselinux/src/fgetfilecon.c b/libselinux/src/fgetfilecon.c index d7051171..baf38ec1 100644 --- a/libselinux/src/fgetfilecon.c +++ b/libselinux/src/fgetfilecon.c @@ -26,10 +26,7 @@ static ssize_t fgetxattr_wrapper(int fd, const char *name, void *value, size_t s snprintf(buf, sizeof(buf), "/proc/self/fd/%d", fd); errno = saved_errno; - ret = getxattr(buf, name, value, size); - if (ret < 0 && errno == ENOENT) - errno = EBADF; - return ret; + return getxattr(buf, name, value, size); } int fgetfilecon_raw(int fd, char ** context) diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h index a5573134..93a81b64 100644 --- a/libselinux/src/file_path_suffixes.h +++ b/libselinux/src/file_path_suffixes.h @@ -1,7 +1,11 @@ /* File name suffixes. */ S_(BINPOLICY, "/policy/policy") S_(CONTEXTS_DIR, "/contexts") - S_(FILE_CONTEXTS, "/contexts/files/file_contexts") + // FIXME 此处不应该改变 file_contexts 的约定路径! + // 因为 OpenHarmony 的 e2fsdroid 无法支持五级系统目录,所以在此作出规避, + // 但是很显然这是不应当的。 + //S_(FILE_CONTEXTS, "/contexts/files/file_contexts") + S_(FILE_CONTEXTS, "/contexts/file_contexts") S_(HOMEDIR_CONTEXTS, "/contexts/files/homedir_template") S_(DEFAULT_CONTEXTS, "/contexts/default_contexts") S_(USER_CONTEXTS, "/contexts/users/") diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c index 19ea15b7..be821c7a 100644 --- a/libselinux/src/fsetfilecon.c +++ b/libselinux/src/fsetfilecon.c @@ -25,10 +25,7 @@ static int fsetxattr_wrapper(int fd, const char* name, const void* value, size_t snprintf(buf, sizeof(buf), "/proc/self/fd/%d", fd); errno = saved_errno; - rc = setxattr(buf, name, value, size, flags); - if (rc < 0 && errno == ENOENT) - errno = EBADF; - return rc; + return setxattr(buf, name, value, size, flags); } int fsetfilecon_raw(int fd, const char * context) diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c index d774b9cf..cfe38e59 100644 --- a/libselinux/src/get_context_list.c +++ b/libselinux/src/get_context_list.c @@ -143,7 +143,6 @@ static int get_context_user(FILE * fp, char *linerole, *linetype; char **new_reachable = NULL; char *usercon_str; - const char *usercon_str2; context_t con; context_t usercon; @@ -258,20 +257,20 @@ static int get_context_user(FILE * fp, rc = -1; goto out; } - usercon_str2 = context_str(usercon); - if (!usercon_str2) { + usercon_str = context_str(usercon); + if (!usercon_str) { context_free(usercon); rc = -1; goto out; } /* check whether usercon is already in reachable */ - if (is_in_reachable(*reachable, usercon_str2)) { + if (is_in_reachable(*reachable, usercon_str)) { context_free(usercon); start = end; continue; } - if (security_check_context(usercon_str2) == 0) { + if (security_check_context(usercon_str) == 0) { new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *)); if (!new_reachable) { context_free(usercon); @@ -279,7 +278,7 @@ static int get_context_user(FILE * fp, goto out; } *reachable = new_reachable; - new_reachable[*nreachable] = strdup(usercon_str2); + new_reachable[*nreachable] = strdup(usercon_str); if (new_reachable[*nreachable] == NULL) { context_free(usercon); rc = -1; diff --git a/libselinux/src/get_default_type.c b/libselinux/src/get_default_type.c index 766ea4b7..dd7b5d79 100644 --- a/libselinux/src/get_default_type.c +++ b/libselinux/src/get_default_type.c @@ -62,9 +62,10 @@ static int find_default_type(FILE * fp, const char *role, char **type) return -1; } - t = strndup(ptr, strlen(buf) - len - 1); + t = malloc(strlen(buf) - len); if (!t) return -1; + strcpy(t, ptr); *type = t; return 0; } diff --git a/libselinux/src/get_initial_context.c b/libselinux/src/get_initial_context.c index 0f25ba3f..97ae3dcf 100644 --- a/libselinux/src/get_initial_context.c +++ b/libselinux/src/get_initial_context.c @@ -23,17 +23,8 @@ int security_get_initial_context_raw(const char * name, char ** con) return -1; } - if (strchr(name, '/')) { - errno = EINVAL; - return -1; - } - - ret = snprintf(path, sizeof path, "%s%s%s", selinux_mnt, SELINUX_INITCON_DIR, name); - if (ret < 0 || (size_t)ret >= sizeof path) { - errno = EOVERFLOW; - return -1; - } - + snprintf(path, sizeof path, "%s%s%s", + selinux_mnt, SELINUX_INITCON_DIR, name); fd = open(path, O_RDONLY | O_CLOEXEC); if (fd < 0) return -1; diff --git a/libselinux/src/label_db.c b/libselinux/src/label_db.c index 3f803037..94c05c6d 100644 --- a/libselinux/src/label_db.c +++ b/libselinux/src/label_db.c @@ -31,7 +31,7 @@ * For example: * ---------------------------------------- * # - * # It is an example specfile for database objects + * # It is an example specfile for database obejcts * # * db_database template1 system_u:object_r:sepgsql_db_t:s0 * @@ -293,11 +293,6 @@ db_init(const struct selinux_opt *opts, unsigned nopts, return NULL; } rec->spec_file = strdup(path); - if (!rec->spec_file) { - free(catalog); - fclose(filp); - return NULL; - } /* * Parse for each lines @@ -327,19 +322,18 @@ db_init(const struct selinux_opt *opts, unsigned nopts, if (process_line(path, line_buf, ++line_num, catalog) < 0) goto out_error; } + free(line_buf); if (digest_add_specfile(rec->digest, filp, NULL, sb.st_size, path) < 0) goto out_error; digest_gen_hash(rec->digest); - free(line_buf); fclose(filp); return catalog; out_error: - free(line_buf); for (i = 0; i < catalog->nspec; i++) { spec_t *spec = &catalog->specs[i]; diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map index 5e00f45b..6e04eb61 100644 --- a/libselinux/src/libselinux.map +++ b/libselinux/src/libselinux.map @@ -246,9 +246,3 @@ LIBSELINUX_3.4 { selinux_restorecon_get_skipped_errors; selinux_restorecon_parallel; } LIBSELINUX_1.0; - -LIBSELINUX_3.5 { - global: - getpidprevcon; - getpidprevcon_raw; -} LIBSELINUX_3.4; diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c index 17918e8b..d8c715ed 100644 --- a/libselinux/src/load_policy.c +++ b/libselinux/src/load_policy.c @@ -23,7 +23,7 @@ #define MNT_DETACH 2 #endif -int security_load_policy(const void *data, size_t len) +int security_load_policy(void *data, size_t len) { char path[PATH_MAX]; int fd, ret; diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c index bf2da083..ea78a23e 100644 --- a/libselinux/src/matchpathcon.c +++ b/libselinux/src/matchpathcon.c @@ -215,9 +215,10 @@ int matchpathcon_filespec_add(ino_t ino, int specind, const char *file) if (ret < 0 || sb.st_ino != ino) { fl->specind = specind; free(fl->file); - fl->file = strdup(file); + fl->file = malloc(strlen(file) + 1); if (!fl->file) goto oom; + strcpy(fl->file, file); return fl->specind; } @@ -231,9 +232,10 @@ int matchpathcon_filespec_add(ino_t ino, int specind, const char *file) __FUNCTION__, file, fl->file, con_array[fl->specind]); free(fl->file); - fl->file = strdup(file); + fl->file = malloc(strlen(file) + 1); if (!fl->file) goto oom; + strcpy(fl->file, file); return fl->specind; } @@ -246,9 +248,10 @@ int matchpathcon_filespec_add(ino_t ino, int specind, const char *file) goto oom; fl->ino = ino; fl->specind = specind; - fl->file = strdup(file); + fl->file = malloc(strlen(file) + 1); if (!fl->file) goto oom_freefl; + strcpy(fl->file, file); fl->next = prevfl->next; prevfl->next = fl; return fl->specind; diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c index b7a93a2b..9896483e 100644 --- a/libselinux/src/procattr.c +++ b/libselinux/src/procattr.c @@ -11,14 +11,11 @@ #define UNSET (char *) -1 -/* Cached values so that when a thread calls set*con() then gen*con(), the value - * which was set is directly returned. - */ static __thread char *prev_current = UNSET; -static __thread char *prev_exec = UNSET; -static __thread char *prev_fscreate = UNSET; -static __thread char *prev_keycreate = UNSET; -static __thread char *prev_sockcreate = UNSET; +static __thread char * prev_exec = UNSET; +static __thread char * prev_fscreate = UNSET; +static __thread char * prev_keycreate = UNSET; +static __thread char * prev_sockcreate = UNSET; static pthread_once_t once = PTHREAD_ONCE_INIT; static pthread_key_t destructor_key; @@ -114,18 +111,43 @@ out: return fd; } -static int getprocattrcon_raw(char **context, pid_t pid, const char *attr, - const char *prev_context) +static int getprocattrcon_raw(char ** context, + pid_t pid, const char *attr) { char *buf; size_t size; int fd; ssize_t ret; int errno_hold; + char * prev_context; __selinux_once(once, init_procattr); init_thread_destructor(); + switch (attr[0]) { + case 'c': + prev_context = NULL; + break; + case 'e': + prev_context = prev_exec; + break; + case 'f': + prev_context = prev_fscreate; + break; + case 'k': + prev_context = prev_keycreate; + break; + case 's': + prev_context = prev_sockcreate; + break; + case 'p': + prev_context = NULL; + break; + default: + errno = ENOENT; + return -1; + } + if (prev_context && prev_context != UNSET) { *context = strdup(prev_context); if (!(*context)) { @@ -172,13 +194,13 @@ static int getprocattrcon_raw(char **context, pid_t pid, const char *attr, return ret; } -static int getprocattrcon(char **context, pid_t pid, const char *attr, - const char *prev_context) +static int getprocattrcon(char ** context, + pid_t pid, const char *attr) { int ret; char * rcontext; - ret = getprocattrcon_raw(&rcontext, pid, attr, prev_context); + ret = getprocattrcon_raw(&rcontext, pid, attr); if (!ret) { ret = selinux_raw_to_trans_context(rcontext, context); @@ -188,24 +210,45 @@ static int getprocattrcon(char **context, pid_t pid, const char *attr, return ret; } -static int setprocattrcon_raw(const char *context, const char *attr, - char **prev_context) +static int setprocattrcon_raw(const char * context, + pid_t pid, const char *attr) { int fd; ssize_t ret; int errno_hold; - char *context2 = NULL; + char **prev_context, *context2 = NULL; __selinux_once(once, init_procattr); init_thread_destructor(); + switch (attr[0]) { + case 'c': + prev_context = &prev_current; + break; + case 'e': + prev_context = &prev_exec; + break; + case 'f': + prev_context = &prev_fscreate; + break; + case 'k': + prev_context = &prev_keycreate; + break; + case 's': + prev_context = &prev_sockcreate; + break; + default: + errno = ENOENT; + return -1; + } + if (!context && !*prev_context) return 0; if (context && *prev_context && *prev_context != UNSET && !strcmp(context, *prev_context)) return 0; - fd = openattr(0, attr, O_RDWR | O_CLOEXEC); + fd = openattr(pid, attr, O_RDWR | O_CLOEXEC); if (fd < 0) return -1; if (context) { @@ -236,8 +279,8 @@ out: } } -static int setprocattrcon(const char *context, const char *attr, - char **prev_context) +static int setprocattrcon(const char * context, + pid_t pid, const char *attr) { int ret; char * rcontext; @@ -245,76 +288,62 @@ static int setprocattrcon(const char *context, const char *attr, if (selinux_trans_to_raw_context(context, &rcontext)) return -1; - ret = setprocattrcon_raw(rcontext, attr, prev_context); + ret = setprocattrcon_raw(rcontext, pid, attr); freecon(rcontext); return ret; } -#define getselfattr_def(fn, attr, prev_context) \ +#define getselfattr_def(fn, attr) \ int get##fn##_raw(char **c) \ { \ - return getprocattrcon_raw(c, 0, attr, prev_context); \ + return getprocattrcon_raw(c, 0, #attr); \ } \ int get##fn(char **c) \ { \ - return getprocattrcon(c, 0, attr, prev_context); \ + return getprocattrcon(c, 0, #attr); \ } -#define setselfattr_def(fn, attr, prev_context) \ +#define setselfattr_def(fn, attr) \ int set##fn##_raw(const char * c) \ { \ - return setprocattrcon_raw(c, attr, &prev_context); \ + return setprocattrcon_raw(c, 0, #attr); \ } \ int set##fn(const char * c) \ { \ - return setprocattrcon(c, attr, &prev_context); \ + return setprocattrcon(c, 0, #attr); \ } -#define all_selfattr_def(fn, attr, prev_context) \ - getselfattr_def(fn, attr, prev_context) \ - setselfattr_def(fn, attr, prev_context) - -all_selfattr_def(con, "current", prev_current) - getselfattr_def(prevcon, "prev", NULL) - all_selfattr_def(execcon, "exec", prev_exec) - all_selfattr_def(fscreatecon, "fscreate", prev_fscreate) - all_selfattr_def(sockcreatecon, "sockcreate", prev_sockcreate) - all_selfattr_def(keycreatecon, "keycreate", prev_keycreate) - -int getpidcon_raw(pid_t pid, char **c) -{ - if (pid <= 0) { - errno = EINVAL; - return -1; - } - return getprocattrcon_raw(c, pid, "current", NULL); -} +#define all_selfattr_def(fn, attr) \ + getselfattr_def(fn, attr) \ + setselfattr_def(fn, attr) -int getpidcon(pid_t pid, char **c) -{ - if (pid <= 0) { - errno = EINVAL; - return -1; +#define getpidattr_def(fn, attr) \ + int get##fn##_raw(pid_t pid, char **c) \ + { \ + if (pid <= 0) { \ + errno = EINVAL; \ + return -1; \ + } else { \ + return getprocattrcon_raw(c, pid, #attr); \ + } \ + } \ + int get##fn(pid_t pid, char **c) \ + { \ + if (pid <= 0) { \ + errno = EINVAL; \ + return -1; \ + } else { \ + return getprocattrcon(c, pid, #attr); \ + } \ } - return getprocattrcon(c, pid, "current", NULL); -} -int getpidprevcon_raw(pid_t pid, char **c) -{ - if (pid <= 0) { - errno = EINVAL; - return -1; - } - return getprocattrcon_raw(c, pid, "prev", NULL); -} +all_selfattr_def(con, current) + getpidattr_def(pidcon, current) + getselfattr_def(prevcon, prev) + all_selfattr_def(execcon, exec) + all_selfattr_def(fscreatecon, fscreate) + all_selfattr_def(sockcreatecon, sockcreate) + all_selfattr_def(keycreatecon, keycreate) -int getpidprevcon(pid_t pid, char **c) -{ - if (pid <= 0) { - errno = EINVAL; - return -1; - } - return getprocattrcon(c, pid, "prev", NULL); -} diff --git a/libselinux/src/query_user_context.c b/libselinux/src/query_user_context.c index 29a1b360..b8125c96 100644 --- a/libselinux/src/query_user_context.c +++ b/libselinux/src/query_user_context.c @@ -115,7 +115,7 @@ int manual_user_enter_context(const char *user, char ** newcon) int mls_enabled = is_selinux_mls_enabled(); context_t new_context; /* The new context chosen by the user */ - const char *user_context = NULL; /* String value of the user's context */ + char *user_context = NULL; /* String value of the user's context */ int done = 0; /* true if a valid sid has been obtained */ /* Initialize the context. How this is done depends on whether diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c index 16df6790..73987d9f 100644 --- a/libselinux/src/regex.c +++ b/libselinux/src/regex.c @@ -60,13 +60,11 @@ char const *regex_arch_string(void) struct regex_data { pcre2_code *regex; /* compiled regular expression */ -#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH /* * match data block required for the compiled * pattern in pcre2 */ pcre2_match_data *match_data; -#endif pthread_mutex_t match_mutex; }; @@ -86,13 +84,11 @@ int regex_prepare_data(struct regex_data **regex, char const *pattern_string, goto err; } -#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH (*regex)->match_data = pcre2_match_data_create_from_pattern((*regex)->regex, NULL); if (!(*regex)->match_data) { goto err; } -#endif return 0; err: @@ -142,12 +138,10 @@ int regex_load_mmap(struct mmap_area *mmap_area, struct regex_data **regex, if (rc != 1) goto err; -#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH (*regex)->match_data = pcre2_match_data_create_from_pattern((*regex)->regex, NULL); if (!(*regex)->match_data) goto err; -#endif *regex_compiled = true; } @@ -173,7 +167,7 @@ int regex_writef(struct regex_data *regex, FILE *fp, int do_write_precompregex) PCRE2_UCHAR *bytes = NULL; if (do_write_precompregex) { - /* encode the pattern for serialization */ + /* encode the patter for serialization */ rc = pcre2_serialize_encode((const pcre2_code **)®ex->regex, 1, &bytes, &serialized_size, NULL); if (rc != 1) { @@ -209,12 +203,8 @@ void regex_data_free(struct regex_data *regex) if (regex) { if (regex->regex) pcre2_code_free(regex->regex); - -#ifndef AGGRESSIVE_FREE_AFTER_REGEX_MATCH if (regex->match_data) pcre2_match_data_free(regex->match_data); -#endif - __pthread_mutex_destroy(®ex->match_mutex); free(regex); } @@ -223,30 +213,10 @@ void regex_data_free(struct regex_data *regex) int regex_match(struct regex_data *regex, char const *subject, int partial) { int rc; - pcre2_match_data *match_data; __pthread_mutex_lock(®ex->match_mutex); - -#ifdef AGGRESSIVE_FREE_AFTER_REGEX_MATCH - match_data = pcre2_match_data_create_from_pattern( - regex->regex, NULL); - if (match_data == NULL) { - __pthread_mutex_unlock(®ex->match_mutex); - return REGEX_ERROR; - } -#else - match_data = regex->match_data; -#endif - rc = pcre2_match( regex->regex, (PCRE2_SPTR)subject, PCRE2_ZERO_TERMINATED, 0, - partial ? PCRE2_PARTIAL_SOFT : 0, match_data, NULL); - -#ifdef AGGRESSIVE_FREE_AFTER_REGEX_MATCH - // pcre2_match allocates heap and it won't be freed until - // pcre2_match_data_free, resulting in heap overhead. - pcre2_match_data_free(match_data); -#endif - + partial ? PCRE2_PARTIAL_SOFT : 0, regex->match_data, NULL); __pthread_mutex_unlock(®ex->match_mutex); if (rc > 0) return REGEX_MATCH; @@ -287,9 +257,6 @@ struct regex_data *regex_data_create(void) { struct regex_data *regex_data = (struct regex_data *)calloc(1, sizeof(struct regex_data)); - if (!regex_data) - return NULL; - __pthread_mutex_init(®ex_data->match_mutex, NULL); return regex_data; } diff --git a/libselinux/src/selinux_internal.c b/libselinux/src/selinux_internal.c deleted file mode 100644 index c2be7c0a..00000000 --- a/libselinux/src/selinux_internal.c +++ /dev/null @@ -1,18 +0,0 @@ -#include "selinux_internal.h" - -#include - - -#ifndef HAVE_STRLCPY -size_t strlcpy(char *dest, const char *src, size_t size) -{ - size_t ret = strlen(src); - - if (size) { - size_t len = (ret >= size) ? size - 1 : ret; - memcpy(dest, src, len); - dest[len] = '\0'; - } - return ret; -} -#endif /* HAVE_STRLCPY */ diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h index 06f2c038..297dcf26 100644 --- a/libselinux/src/selinux_internal.h +++ b/libselinux/src/selinux_internal.h @@ -1,6 +1,3 @@ -#ifndef SELINUX_INTERNAL_H_ -#define SELINUX_INTERNAL_H_ - #include #include @@ -93,9 +90,3 @@ extern int selinux_page_size ; #define SELINUXCONFIG SELINUXDIR "config" extern int has_selinux_config ; - -#ifndef HAVE_STRLCPY -size_t strlcpy(char *dest, const char *src, size_t size); -#endif - -#endif /* SELINUX_INTERNAL_H_ */ diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c index 2953e87d..dea3adbc 100644 --- a/libselinux/src/selinux_restorecon.c +++ b/libselinux/src/selinux_restorecon.c @@ -432,11 +432,10 @@ static pthread_mutex_t fl_mutex = PTHREAD_MUTEX_INITIALIZER; * that matched. */ static int filespec_add(ino_t ino, const char *con, const char *file, - const struct rest_flags *flags) + struct rest_flags *flags) { file_spec_t *prevfl, *fl; - uint32_t h; - int ret; + int h, ret; struct stat64 sb; __pthread_mutex_lock(&fl_mutex); @@ -525,8 +524,7 @@ unlock_1: static void filespec_eval(void) { file_spec_t *fl; - uint32_t h; - size_t used, nel, len, longest; + int h, used, nel, len, longest; if (!fl_head) return; @@ -546,7 +544,7 @@ static void filespec_eval(void) } selinux_log(SELINUX_INFO, - "filespec hash table stats: %zu elements, %zu/%zu buckets used, longest chain length %zu\n", + "filespec hash table stats: %d elements, %d/%d buckets used, longest chain length %d\n", nel, used, HASH_BUCKETS, longest); } #else @@ -561,7 +559,7 @@ static void filespec_eval(void) static void filespec_destroy(void) { file_spec_t *fl, *tmp; - uint32_t h; + int h; if (!fl_head) return; @@ -631,15 +629,16 @@ out: #define DATA_APP_EL4 "/data/app/el4/" #define DATA_ACCOUNTS_ACCOUNT_0 "/data/accounts/account_0/" -static int restorecon_sb(const char *pathname, const struct stat *sb, - const struct rest_flags *flags, bool first) +static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool first) { char *newcon = NULL; char *curcon = NULL; char *newtypecon = NULL; - int rc; + int fd = -1, rc; + struct stat stat_buf; + bool updated = false; const char *lookup_path = pathname; - + float pc; if (!strncmp(pathname, DATA_APP_EL1, sizeof(DATA_APP_EL1) - 1) || !strncmp(pathname, DATA_APP_EL2, sizeof(DATA_APP_EL2) - 1) || !strncmp(pathname, DATA_APP_EL3, sizeof(DATA_APP_EL3) - 1) || @@ -647,7 +646,6 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, !strncmp(pathname, DATA_ACCOUNTS_ACCOUNT_0, sizeof(DATA_ACCOUNTS_ACCOUNT_0) - 1)) { goto out; } - if (rootpath) { if (strncmp(rootpath, lookup_path, rootpathlen) != 0) { selinux_log(SELINUX_ERROR, @@ -658,13 +656,21 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, lookup_path += rootpathlen; } + fd = open(pathname, O_PATH | O_NOFOLLOW | O_EXCL); + if (fd < 0) + goto err; + + rc = fstat(fd, &stat_buf); + if (rc < 0) + goto err; + if (rootpath != NULL && lookup_path[0] == '\0') /* this is actually the root dir of the alt root. */ rc = selabel_lookup_raw(fc_sehandle, &newcon, "/", - sb->st_mode & S_IFMT); + stat_buf.st_mode); else rc = selabel_lookup_raw(fc_sehandle, &newcon, lookup_path, - sb->st_mode & S_IFMT); + stat_buf.st_mode); if (rc < 0) { if (errno == ENOENT) { @@ -673,10 +679,10 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, "Warning no default label for %s\n", lookup_path); - return 0; /* no match, but not an error */ + goto out; /* no match, but not an error */ } - return -1; + goto err; } if (flags->progress) { @@ -684,7 +690,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, fc_count++; if (fc_count % STAR_COUNT == 0) { if (flags->mass_relabel && efile_count > 0) { - float pc = (fc_count < efile_count) ? (100.0 * + pc = (fc_count < efile_count) ? (100.0 * fc_count / efile_count) : 100; fprintf(stdout, "\r%-.1f%%", (double)pc); } else { @@ -696,19 +702,17 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, } if (flags->add_assoc) { - rc = filespec_add(sb->st_ino, newcon, pathname, flags); + rc = filespec_add(stat_buf.st_ino, newcon, pathname, flags); if (rc < 0) { selinux_log(SELINUX_ERROR, "filespec_add error: %s\n", pathname); - freecon(newcon); - return -1; + goto out1; } if (rc > 0) { /* Already an association and it took precedence. */ - freecon(newcon); - return 0; + goto out; } } @@ -716,7 +720,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, selinux_log(SELINUX_INFO, "%s matched by %s\n", pathname, newcon); - if (lgetfilecon_raw(pathname, &curcon) < 0) { + if (fgetfilecon_raw(fd, &curcon) < 0) { if (errno != ENODATA) goto err; @@ -724,8 +728,6 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, } if (curcon == NULL || strcmp(curcon, newcon) != 0) { - bool updated = false; - if (!flags->set_specctx && curcon && (is_context_customizable(curcon) > 0)) { if (flags->verbose) { @@ -751,7 +753,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, } if (!flags->nochange) { - if (lsetfilecon(pathname, newcon) < 0) + if (fsetfilecon(fd, newcon) < 0) goto err; updated = true; } @@ -760,9 +762,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, selinux_log(SELINUX_INFO, "%s %s from %s to %s\n", updated ? "Relabeled" : "Would relabel", - pathname, - curcon ? curcon : "", - newcon); + pathname, curcon, newcon); if (flags->syslog_changes && !flags->nochange) { if (curcon) @@ -778,6 +778,8 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, out: rc = 0; out1: + if (fd >= 0) + close(fd); freecon(curcon); freecon(newcon); return rc; @@ -875,7 +877,6 @@ static void *selinux_restorecon_thread(void *arg) FTSENT *ftsent; int error; char ent_path[PATH_MAX]; - struct stat ent_st; bool first = false; if (state->parallel) @@ -972,21 +973,12 @@ loop_body: } /* fall through */ default: - if (strlcpy(ent_path, ftsent->fts_path, sizeof(ent_path)) >= sizeof(ent_path)) { - selinux_log(SELINUX_ERROR, - "Path name too long on %s.\n", - ftsent->fts_path); - errno = ENAMETOOLONG; - state->error = -1; - state->abort = true; - goto finish; - } + strcpy(ent_path, ftsent->fts_path); - ent_st = *ftsent->fts_statp; if (state->parallel) pthread_mutex_unlock(&state->mutex); - error = restorecon_sb(ent_path, &ent_st, &state->flags, + error = restorecon_sb(ent_path, &state->flags, first); if (state->parallel) { @@ -1124,10 +1116,6 @@ static int selinux_restorecon_common(const char *pathname_orig, pathname = realpath(pathname_orig, NULL); if (!pathname) { free(basename_cpy); - /* missing parent directory */ - if (state.flags.ignore_noent && errno == ENOENT) { - return 0; - } goto realpatherr; } } else { @@ -1141,9 +1129,6 @@ static int selinux_restorecon_common(const char *pathname_orig, free(dirname_cpy); if (!pathdnamer) { free(basename_cpy); - if (state.flags.ignore_noent && errno == ENOENT) { - return 0; - } goto realpatherr; } if (!strcmp(pathdnamer, "/")) @@ -1189,7 +1174,7 @@ static int selinux_restorecon_common(const char *pathname_orig, goto cleanup; } - error = restorecon_sb(pathname, &sb, &state.flags, true); + error = restorecon_sb(pathname, &state.flags, true); goto cleanup; } diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c index fbe64301..89c1f621 100644 --- a/libselinux/src/sestatus.c +++ b/libselinux/src/sestatus.c @@ -343,6 +343,7 @@ error: if (avc_using_threads) { fallback_netlink_thread = avc_create_thread(&avc_netlink_loop); + avc_netlink_trouble = 0; } fallback_sequence = 0; diff --git a/libselinux/src/setrans_client.c b/libselinux/src/setrans_client.c index 920f9032..faa12681 100644 --- a/libselinux/src/setrans_client.c +++ b/libselinux/src/setrans_client.c @@ -66,13 +66,7 @@ static int setransd_open(void) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - - if (strlcpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) { - close(fd); - errno = EOVERFLOW; - return -1; - } - + strncpy(addr.sun_path, SETRANS_UNIX_SOCKET, sizeof(addr.sun_path)); if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) { close(fd); return -1; diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py index 48007379..71e69a10 100644 --- a/libselinux/src/setup.py +++ b/libselinux/src/setup.py @@ -1,10 +1,10 @@ #!/usr/bin/python3 -from setuptools import Extension, setup +from distutils.core import Extension, setup setup( name="selinux", - version="3.5", + version="3.4", description="SELinux python 3 bindings", author="SELinux Project", author_email="selinux@vger.kernel.org", diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c index 9d51e04a..a8484677 100644 --- a/libselinux/src/sha1.c +++ b/libselinux/src/sha1.c @@ -11,7 +11,7 @@ // Modified to: // - stop symbols being exported for libselinux shared library - October 2015 // Richard Haines -// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment issues. +// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses. // Fixes: // sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align] // CHAR64LONG16* block = (CHAR64LONG16*) workspace; diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c index d2237d1c..2fe69f43 100644 --- a/libselinux/src/stringrep.c +++ b/libselinux/src/stringrep.c @@ -63,9 +63,6 @@ static struct discover_class_node * discover_class(const char *s) return NULL; } - if (strchr(s, '/') != NULL) - return NULL; - /* allocate a node */ node = malloc(sizeof(struct discover_class_node)); if (node == NULL) @@ -82,10 +79,7 @@ static struct discover_class_node * discover_class(const char *s) goto err2; /* load up class index */ - ret = snprintf(path, sizeof path, "%s/class/%s/index", selinux_mnt,s); - if (ret < 0 || (size_t)ret >= sizeof path) - goto err3; - + snprintf(path, sizeof path, "%s/class/%s/index", selinux_mnt,s); fd = open(path, O_RDONLY | O_CLOEXEC); if (fd < 0) goto err3; @@ -100,10 +94,7 @@ static struct discover_class_node * discover_class(const char *s) goto err3; /* load up permission indices */ - ret = snprintf(path, sizeof path, "%s/class/%s/perms",selinux_mnt,s); - if (ret < 0 || (size_t)ret >= sizeof path) - goto err3; - + snprintf(path, sizeof path, "%s/class/%s/perms",selinux_mnt,s); dir = opendir(path); if (dir == NULL) goto err3; @@ -113,10 +104,7 @@ static struct discover_class_node * discover_class(const char *s) unsigned int value; struct stat m; - ret = snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name); - if (ret < 0 || (size_t)ret >= sizeof path) - goto err4; - + snprintf(path, sizeof path, "%s/class/%s/perms/%s", selinux_mnt,s,dentry->d_name); fd = open(path, O_RDONLY | O_CLOEXEC); if (fd < 0) goto err4; diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore index b19b94a8..3ef34374 100644 --- a/libselinux/utils/.gitignore +++ b/libselinux/utils/.gitignore @@ -9,7 +9,6 @@ getdefaultcon getenforce getfilecon getpidcon -getpidprevcon getsebool getseuser matchpathcon diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile index f3cedc11..801066cb 100644 --- a/libselinux/utils/Makefile +++ b/libselinux/utils/Makefile @@ -32,7 +32,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi -Wno-missing-field-initializers -Wno-sign-compare \ -Wno-format-nonliteral -Wframe-larger-than=$(MAX_STACK_SIZE) -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 \ -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \ - -fasynchronous-unwind-tables -fdiagnostics-show-option \ + -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \ -Werror -Wno-aggregate-return -Wno-redundant-decls -Wstrict-overflow=5 \ $(EXTRA_CFLAGS) diff --git a/libselinux/utils/compute_create.c b/libselinux/utils/compute_create.c index 5401fe96..c6481f4b 100644 --- a/libselinux/utils/compute_create.c +++ b/libselinux/utils/compute_create.c @@ -10,11 +10,10 @@ int main(int argc, char **argv) { char *buf; security_class_t tclass; - const char *objname; int ret; - if (argc != 4 && argc != 5) { - fprintf(stderr, "usage: %s scontext tcontext tclass [objname]\n", + if (argc != 4) { + fprintf(stderr, "usage: %s scontext tcontext tclass\n", argv[0]); exit(1); } @@ -35,9 +34,7 @@ int main(int argc, char **argv) exit(2); } - objname = (argc == 5) ? argv[4] : NULL; - - ret = security_compute_create_name(argv[1], argv[2], tclass, objname, &buf); + ret = security_compute_create(argv[1], argv[2], tclass, &buf); if (ret < 0) { fprintf(stderr, "%s: security_compute_create failed: %s\n", argv[0], strerror(errno)); diff --git a/libselinux/utils/getpidprevcon.c b/libselinux/utils/getpidprevcon.c deleted file mode 100644 index 662ad500..00000000 --- a/libselinux/utils/getpidprevcon.c +++ /dev/null @@ -1,33 +0,0 @@ -#include -#include -#include -#include -#include -#include - -int main(int argc, char **argv) -{ - pid_t pid; - char *buf; - int rc; - - if (argc != 2) { - fprintf(stderr, "usage: %s pid\n", argv[0]); - exit(1); - } - - if (sscanf(argv[1], "%d", &pid) != 1) { - fprintf(stderr, "%s: invalid pid %s\n", argv[0], argv[1]); - exit(2); - } - - rc = getpidprevcon(pid, &buf); - if (rc < 0) { - fprintf(stderr, "%s: getpidprevcon() failed: %s\n", argv[0], strerror(errno)); - exit(3); - } - - printf("%s\n", buf); - freecon(buf); - exit(EXIT_SUCCESS); -} diff --git a/libselinux/utils/selabel_lookup_best_match.c b/libselinux/utils/selabel_lookup_best_match.c index e816c04b..a4af0679 100644 --- a/libselinux/utils/selabel_lookup_best_match.c +++ b/libselinux/utils/selabel_lookup_best_match.c @@ -30,7 +30,7 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) exit(1); } -static mode_t string_to_mode(const char *s) +static mode_t string_to_mode(char *s) { switch (s[0]) { case 'b': @@ -53,7 +53,7 @@ static mode_t string_to_mode(const char *s) int main(int argc, char **argv) { - int raw = 0, mode = 0, rc, opt, i, num_links; + int raw = 0, mode = 0, rc, opt, i, num_links, string_len; char *validate = NULL, *path = NULL, *context = NULL, *file = NULL; char **links = NULL; @@ -101,11 +101,13 @@ int main(int argc, char **argv) } for (i = optind, num_links = 0; i < argc; i++, num_links++) { - links[num_links] = strdup(argv[i]); + string_len = strlen(argv[i]) + 1; + links[num_links] = malloc(string_len); if (!links[num_links]) { - fprintf(stderr, "ERROR: strdup failed.\n"); + fprintf(stderr, "ERROR: malloc failed.\n"); exit(1); } + strcpy(links[num_links], argv[i]); } } diff --git a/libsepol/LICENSE b/libsepol/COPYING similarity index 100% rename from libsepol/LICENSE rename to libsepol/COPYING diff --git a/libsepol/VERSION b/libsepol/VERSION index 5a958026..2f4b6075 100644 --- a/libsepol/VERSION +++ b/libsepol/VERSION @@ -1 +1 @@ -3.5 +3.4 diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 4177c9f6..26fa7906 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -4619,6 +4619,7 @@ int cil_gen_genfscon(struct cil_db *db, struct cil_tree_node *parse_current, str } else { cil_log(CIL_ERR, "Invalid file type \"%s\"\n", file_type); } + rc = SEPOL_ERR; goto exit; } context_node = parse_current->next->next->next->next; diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c index a7c66ead..714ce227 100644 --- a/libsepol/cil/src/cil_post.c +++ b/libsepol/cil/src/cil_post.c @@ -1191,9 +1191,10 @@ static int __cil_cat_expr_range_to_bitmap_helper(struct cil_list_item *i1, struc struct cil_tree_node *n2 = d2->nodes->head->data; struct cil_cat *c1 = (struct cil_cat *)d1; struct cil_cat *c2 = (struct cil_cat *)d2; + int i; if (n1->flavor == CIL_CATSET || n2->flavor == CIL_CATSET) { - cil_log(CIL_ERR, "Category sets cannot be used in a category range\n"); + cil_log(CIL_ERR, "Category sets cannont be used in a category range\n"); goto exit; } @@ -1212,10 +1213,12 @@ static int __cil_cat_expr_range_to_bitmap_helper(struct cil_list_item *i1, struc goto exit; } - if (ebitmap_init_range(bitmap, c1->value, c2->value)) { - cil_log(CIL_ERR, "Failed to set cat bit\n"); - ebitmap_destroy(bitmap); - goto exit; + for (i = c1->value; i <= c2->value; i++) { + if (ebitmap_set_bit(bitmap, i, 1)) { + cil_log(CIL_ERR, "Failed to set cat bit\n"); + ebitmap_destroy(bitmap); + goto exit; + } } return SEPOL_OK; @@ -1231,6 +1234,7 @@ static int __cil_permissionx_expr_range_to_bitmap_helper(struct cil_list_item *i char *p2 = i2->data; uint16_t v1; uint16_t v2; + uint32_t i; rc = __cil_permx_str_to_int(p1, &v1); if (rc != SEPOL_OK) { @@ -1242,10 +1246,12 @@ static int __cil_permissionx_expr_range_to_bitmap_helper(struct cil_list_item *i goto exit; } - if (ebitmap_init_range(bitmap, v1, v2)) { - cil_log(CIL_ERR, "Failed to set permissionx bits\n"); - ebitmap_destroy(bitmap); - goto exit; + for (i = v1; i <= v2; i++) { + if (ebitmap_set_bit(bitmap, i, 1)) { + cil_log(CIL_ERR, "Failed to set permissionx bit\n"); + ebitmap_destroy(bitmap); + goto exit; + } } return SEPOL_OK; @@ -1312,7 +1318,9 @@ static int __cil_expr_to_bitmap(struct cil_list *expr, ebitmap_t *out, int max, enum cil_flavor op = (enum cil_flavor)(uintptr_t)curr->data; if (op == CIL_ALL) { - rc = ebitmap_init_range(&tmp, 0, max - 1); + ebitmap_init(&b1); /* all zeros */ + rc = ebitmap_not(&tmp, &b1, max); + ebitmap_destroy(&b1); if (rc != SEPOL_OK) { cil_log(CIL_INFO, "Failed to expand 'all' operator\n"); ebitmap_destroy(&tmp); @@ -1320,15 +1328,19 @@ static int __cil_expr_to_bitmap(struct cil_list *expr, ebitmap_t *out, int max, } } else if (op == CIL_RANGE) { if (flavor == CIL_CAT) { + ebitmap_init(&tmp); rc = __cil_cat_expr_range_to_bitmap_helper(curr->next, curr->next->next, &tmp); if (rc != SEPOL_OK) { cil_log(CIL_INFO, "Failed to expand category range\n"); + ebitmap_destroy(&tmp); goto exit; } } else if (flavor == CIL_PERMISSIONX) { + ebitmap_init(&tmp); rc = __cil_permissionx_expr_range_to_bitmap_helper(curr->next, curr->next->next, &tmp); if (rc != SEPOL_OK) { cil_log(CIL_INFO, "Failed to expand category range\n"); + ebitmap_destroy(&tmp); goto exit; } } else { @@ -2290,7 +2302,6 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar) } else { removed++; if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) { - rc = SEPOL_ERR; conflicting++; if (log_level >= CIL_WARN) { struct cil_list_item li; @@ -2298,6 +2309,7 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar) li.flavor = flavor; if (conflicting == 1) { cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str); + rc = SEPOL_ERR; li.data = sort->array[i]; rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict, NULL, NULL, &li); diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c index d2bfdc81..f5e22c97 100644 --- a/libsepol/cil/src/cil_resolve_ast.c +++ b/libsepol/cil/src/cil_resolve_ast.c @@ -778,7 +778,7 @@ int cil_resolve_classcommon(struct cil_tree_node *current, void *extra_args) class = (struct cil_class *)class_datum; common = (struct cil_class *)common_datum; if (class->common != NULL) { - cil_log(CIL_ERR, "class cannot be associated with more than one common\n"); + cil_log(CIL_ERR, "class cannot be associeated with more than one common\n"); rc = SEPOL_ERR; goto exit; } diff --git a/libsepol/include/sepol/errcodes.h b/libsepol/include/sepol/errcodes.h index e5fe71e3..6e9ff316 100644 --- a/libsepol/include/sepol/errcodes.h +++ b/libsepol/include/sepol/errcodes.h @@ -16,14 +16,15 @@ extern "C" { * codes that don't map to system error codes should be defined * outside of the range of system error codes. */ -#define SEPOL_ERR (-1) -#define SEPOL_ENOTSUP (-2) /* feature not supported in module language */ -#define SEPOL_EREQ (-3) /* requirements not met */ +#define SEPOL_ERR -1 +#define SEPOL_ENOTSUP -2 /* feature not supported in module language */ +#define SEPOL_EREQ -3 /* requirements not met */ /* Error codes that map to system error codes */ -#define SEPOL_ENOMEM (-ENOMEM) -#define SEPOL_EEXIST (-EEXIST) -#define SEPOL_ENOENT (-ENOENT) +#define SEPOL_ENOMEM -ENOMEM +#define SEPOL_ERANGE -ERANGE +#define SEPOL_EEXIST -EEXIST +#define SEPOL_ENOENT -ENOENT #ifdef __cplusplus } diff --git a/libsepol/include/sepol/policydb/avtab.h b/libsepol/include/sepol/policydb/avtab.h index e4c48576..10ecde9a 100644 --- a/libsepol/include/sepol/policydb/avtab.h +++ b/libsepol/include/sepol/policydb/avtab.h @@ -112,7 +112,7 @@ extern avtab_datum_t *avtab_search(avtab_t * h, avtab_key_t * k); extern void avtab_destroy(avtab_t * h); -extern int avtab_map(const avtab_t * h, +extern int avtab_map(avtab_t * h, int (*apply) (avtab_key_t * k, avtab_datum_t * d, void *args), void *args); diff --git a/libsepol/include/sepol/policydb/constraint.h b/libsepol/include/sepol/policydb/constraint.h index 82335e21..b91fc4e9 100644 --- a/libsepol/include/sepol/policydb/constraint.h +++ b/libsepol/include/sepol/policydb/constraint.h @@ -18,6 +18,7 @@ #ifndef _SEPOL_POLICYDB_CONSTRAINT_H_ #define _SEPOL_POLICYDB_CONSTRAINT_H_ +#include #include #include @@ -69,6 +70,8 @@ typedef struct constraint_node { struct constraint_node *next; /* next constraint */ } constraint_node_t; +struct policydb; + extern int constraint_expr_init(constraint_expr_t * expr); extern void constraint_expr_destroy(constraint_expr_t * expr); diff --git a/libsepol/include/sepol/policydb/ebitmap.h b/libsepol/include/sepol/policydb/ebitmap.h index 85b7ccfb..81d0c7a6 100644 --- a/libsepol/include/sepol/policydb/ebitmap.h +++ b/libsepol/include/sepol/policydb/ebitmap.h @@ -94,7 +94,6 @@ extern int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2); extern int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2); extern int ebitmap_get_bit(const ebitmap_t * e, unsigned int bit); extern int ebitmap_set_bit(ebitmap_t * e, unsigned int bit, int value); -extern int ebitmap_init_range(ebitmap_t * e, unsigned int minbit, unsigned int maxbit); extern unsigned int ebitmap_highest_set_bit(const ebitmap_t * e); extern void ebitmap_destroy(ebitmap_t * e); extern int ebitmap_read(ebitmap_t * e, void *fp); diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h index ef1a014a..de0068a6 100644 --- a/libsepol/include/sepol/policydb/policydb.h +++ b/libsepol/include/sepol/policydb/policydb.h @@ -251,9 +251,9 @@ typedef struct class_perm_node { struct class_perm_node *next; } class_perm_node_t; -#define xperm_test(x, p) (UINT32_C(1) & ((p)[(x) >> 5] >> ((x) & 0x1f))) -#define xperm_set(x, p) ((p)[(x) >> 5] |= (UINT32_C(1) << ((x) & 0x1f))) -#define xperm_clear(x, p) ((p)[(x) >> 5] &= ~(UINT32_C(1) << ((x) & 0x1f))) +#define xperm_test(x, p) (UINT32_C(1) & (p[x >> 5] >> (x & 0x1f))) +#define xperm_set(x, p) (p[x >> 5] |= (UINT32_C(1) << (x & 0x1f))) +#define xperm_clear(x, p) (p[x >> 5] &= ~(UINT32_C(1) << (x & 0x1f))) #define EXTENDED_PERMS_LEN 8 typedef struct av_extended_perms { @@ -795,9 +795,9 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); #define policydb_has_boundary_feature(p) \ (((p)->policy_type == POLICY_KERN \ - && (p)->policyvers >= POLICYDB_VERSION_BOUNDARY) || \ + && p->policyvers >= POLICYDB_VERSION_BOUNDARY) || \ ((p)->policy_type != POLICY_KERN \ - && (p)->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY)) + && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY)) /* the config flags related to unknown classes/perms are bits 2 and 3 */ #define DENY_UNKNOWN SEPOL_DENY_UNKNOWN diff --git a/libsepol/include/sepol/policydb/util.h b/libsepol/include/sepol/policydb/util.h index db8da213..ee236a25 100644 --- a/libsepol/include/sepol/policydb/util.h +++ b/libsepol/include/sepol/policydb/util.h @@ -23,8 +23,6 @@ #ifndef __SEPOL_UTIL_H__ #define __SEPOL_UTIL_H__ -#include - #ifdef __cplusplus extern "C" { #endif diff --git a/libsepol/src/avtab.c b/libsepol/src/avtab.c index 82fec783..7920b60a 100644 --- a/libsepol/src/avtab.c +++ b/libsepol/src/avtab.c @@ -330,7 +330,7 @@ void avtab_destroy(avtab_t * h) h->mask = 0; } -int avtab_map(const avtab_t * h, +int avtab_map(avtab_t * h, int (*apply) (avtab_key_t * k, avtab_datum_t * d, void *args), void *args) { diff --git a/libsepol/src/ebitmap.c b/libsepol/src/ebitmap.c index 3ec1042f..bd98c0f8 100644 --- a/libsepol/src/ebitmap.c +++ b/libsepol/src/ebitmap.c @@ -31,6 +31,7 @@ int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2) ebitmap_destroy(dst); return -ENOMEM; } + memset(new, 0, sizeof(ebitmap_node_t)); if (n1 && n2 && n1->startbit == n2->startbit) { new->startbit = n1->startbit; new->map = n1->map | n2->map; @@ -73,143 +74,41 @@ int ebitmap_union(ebitmap_t * dst, const ebitmap_t * e1) int ebitmap_and(ebitmap_t *dst, const ebitmap_t *e1, const ebitmap_t *e2) { - const ebitmap_node_t *n1, *n2; - ebitmap_node_t *new, *prev = NULL; - + unsigned int i, length = min(ebitmap_length(e1), ebitmap_length(e2)); ebitmap_init(dst); - - n1 = e1->node; - n2 = e2->node; - while (n1 && n2) { - if (n1->startbit == n2->startbit) { - if (n1->map & n2->map) { - new = malloc(sizeof(ebitmap_node_t)); - if (!new) { - ebitmap_destroy(dst); - return -ENOMEM; - } - new->startbit = n1->startbit; - new->map = n1->map & n2->map; - new->next = NULL; - - if (prev) - prev->next = new; - else - dst->node = new; - prev = new; - } - - n1 = n1->next; - n2 = n2->next; - } else if (n1->startbit > n2->startbit) { - n2 = n2->next; - } else { - n1 = n1->next; + for (i=0; i < length; i++) { + if (ebitmap_get_bit(e1, i) && ebitmap_get_bit(e2, i)) { + int rc = ebitmap_set_bit(dst, i, 1); + if (rc < 0) + return rc; } } - - if (prev) - dst->highbit = prev->startbit + MAPSIZE; - return 0; } int ebitmap_xor(ebitmap_t *dst, const ebitmap_t *e1, const ebitmap_t *e2) { - const ebitmap_node_t *n1, *n2; - ebitmap_node_t *new, *prev = NULL; - uint32_t startbit; - MAPTYPE map; - + unsigned int i, length = max(ebitmap_length(e1), ebitmap_length(e2)); ebitmap_init(dst); - - n1 = e1->node; - n2 = e2->node; - while (n1 || n2) { - if (n1 && n2 && n1->startbit == n2->startbit) { - startbit = n1->startbit; - map = n1->map ^ n2->map; - n1 = n1->next; - n2 = n2->next; - } else if (!n2 || (n1 && n1->startbit < n2->startbit)) { - startbit = n1->startbit; - map = n1->map; - n1 = n1->next; - } else { - startbit = n2->startbit; - map = n2->map; - n2 = n2->next; - } - - if (map != 0) { - new = malloc(sizeof(ebitmap_node_t)); - if (!new) { - ebitmap_destroy(dst); - return -ENOMEM; - } - new->startbit = startbit; - new->map = map; - new->next = NULL; - if (prev) - prev->next = new; - else - dst->node = new; - prev = new; - } + for (i=0; i < length; i++) { + int val = ebitmap_get_bit(e1, i) ^ ebitmap_get_bit(e2, i); + int rc = ebitmap_set_bit(dst, i, val); + if (rc < 0) + return rc; } - - if (prev) - dst->highbit = prev->startbit + MAPSIZE; - return 0; } int ebitmap_not(ebitmap_t *dst, const ebitmap_t *e1, unsigned int maxbit) { - const ebitmap_node_t *n; - ebitmap_node_t *new, *prev = NULL; - uint32_t startbit, cur_startbit; - MAPTYPE map; - + unsigned int i; ebitmap_init(dst); - - n = e1->node; - for (cur_startbit = 0; cur_startbit < maxbit; cur_startbit += MAPSIZE) { - if (n && n->startbit == cur_startbit) { - startbit = n->startbit; - map = ~n->map; - - n = n->next; - } else { - startbit = cur_startbit; - map = ~((MAPTYPE) 0); - } - - if (maxbit - cur_startbit < MAPSIZE) - map &= (((MAPTYPE)1) << (maxbit - cur_startbit)) - 1; - - if (map != 0) { - new = malloc(sizeof(ebitmap_node_t)); - if (!new) { - ebitmap_destroy(dst); - return -ENOMEM; - } - - new->startbit = startbit; - new->map = map; - new->next = NULL; - - if (prev) - prev->next = new; - else - dst->node = new; - prev = new; - } + for (i=0; i < maxbit; i++) { + int val = ebitmap_get_bit(e1, i); + int rc = ebitmap_set_bit(dst, i, !val); + if (rc < 0) + return rc; } - - if (prev) - dst->highbit = prev->startbit + MAPSIZE; - return 0; } @@ -289,6 +188,7 @@ int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src) ebitmap_destroy(dst); return -ENOMEM; } + memset(new, 0, sizeof(ebitmap_node_t)); new->startbit = n->startbit; new->map = n->map; new->next = 0; @@ -428,6 +328,7 @@ int ebitmap_set_bit(ebitmap_t * e, unsigned int bit, int value) new = (ebitmap_node_t *) malloc(sizeof(ebitmap_node_t)); if (!new) return -ENOMEM; + memset(new, 0, sizeof(ebitmap_node_t)); new->startbit = startbit; new->map = (MAPBIT << (bit - new->startbit)); @@ -448,55 +349,6 @@ int ebitmap_set_bit(ebitmap_t * e, unsigned int bit, int value) return 0; } -int ebitmap_init_range(ebitmap_t * e, unsigned int minbit, unsigned int maxbit) -{ - ebitmap_node_t *new, *prev = NULL; - uint32_t minstartbit = minbit & ~(MAPSIZE - 1); - uint32_t maxstartbit = maxbit & ~(MAPSIZE - 1); - uint32_t minhighbit = minstartbit + MAPSIZE; - uint32_t maxhighbit = maxstartbit + MAPSIZE; - uint32_t startbit; - MAPTYPE mask; - - ebitmap_init(e); - - if (minbit > maxbit) - return -EINVAL; - - if (minhighbit == 0 || maxhighbit == 0) - return -EOVERFLOW; - - for (startbit = minstartbit; startbit <= maxstartbit; startbit += MAPSIZE) { - new = malloc(sizeof(ebitmap_node_t)); - if (!new) - return -ENOMEM; - - new->next = NULL; - new->startbit = startbit; - - if (startbit != minstartbit && startbit != maxstartbit) { - new->map = ~((MAPTYPE)0); - } else if (startbit != maxstartbit) { - new->map = ~((MAPTYPE)0) << (minbit - startbit); - } else if (startbit != minstartbit) { - new->map = ~((MAPTYPE)0) >> (MAPSIZE - (maxbit - startbit + 1)); - } else { - mask = ~((MAPTYPE)0) >> (MAPSIZE - (maxbit - minbit + 1)); - new->map = (mask << (minbit - startbit)); - } - - if (prev) - prev->next = new; - else - e->node = new; - prev = new; - } - - e->highbit = maxhighbit; - - return 0; -} - unsigned int ebitmap_highest_set_bit(const ebitmap_t * e) { const ebitmap_node_t *n; diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index ad4121d5..9128ac55 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -1626,7 +1626,7 @@ exit: return rc; } -#define next_bit_in_range(i, p) (((i) + 1 < sizeof(p)*8) && xperm_test(((i) + 1), p)) +#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + 1), p)) static char *xperms_to_str(avtab_extended_perms_t *xperms) { @@ -1894,7 +1894,7 @@ static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg) ebitmap_for_each_positive_bit(&datum->stypes, node, bit) { src = pdb->p_type_val_to_name[bit]; rc = strs_create_and_add(strs, - "(typetransition %s %s %s \"%s\" %s)", + "(typetransition %s %s %s %s %s)", 5, src, tgt, class, filename, new); if (rc) return rc; diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index 73b72b5d..63dffd9b 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c @@ -591,21 +591,16 @@ static int write_class_and_common_rules_to_conf(FILE *out, struct policydb *pdb) class = pdb->class_val_to_struct[i]; if (!class) continue; name = pdb->p_class_val_to_name[i]; + sepol_printf(out, "class %s", name); + if (class->comkey) { + sepol_printf(out, " inherits %s", class->comkey); + } perms = class_or_common_perms_to_str(&class->permissions); - /* Do not write empty classes, their declaration was alreedy - * printed in write_class_decl_rules_to_conf() */ - if (perms || class->comkey) { - sepol_printf(out, "class %s", name); - if (class->comkey) { - sepol_printf(out, " inherits %s", class->comkey); - } - - if (perms) { - sepol_printf(out, " { %s }", perms); - free(perms); - } - sepol_printf(out, "\n"); + if (perms) { + sepol_printf(out, " { %s }", perms); + free(perms); } + sepol_printf(out, "\n"); } exit: diff --git a/libsepol/src/link.c b/libsepol/src/link.c index cbe4cea4..7e8313cb 100644 --- a/libsepol/src/link.c +++ b/libsepol/src/link.c @@ -958,28 +958,26 @@ static int alias_copy_callback(hashtab_key_t key, hashtab_datum_t datum, /*********** callbacks that fix bitmaps ***********/ -static int ebitmap_convert(const ebitmap_t *src, ebitmap_t *dst, const uint32_t *map) +static int type_set_convert(type_set_t * types, type_set_t * dst, + policy_module_t * mod, link_state_t * state + __attribute__ ((unused))) { - unsigned int bit; - ebitmap_node_t *node; - ebitmap_for_each_positive_bit(src, node, bit) { - assert(map[bit]); - if (ebitmap_set_bit(dst, map[bit] - 1, 1)) - return -1; + unsigned int i; + ebitmap_node_t *tnode; + ebitmap_for_each_positive_bit(&types->types, tnode, i) { + assert(mod->map[SYM_TYPES][i]); + if (ebitmap_set_bit + (&dst->types, mod->map[SYM_TYPES][i] - 1, 1)) { + goto cleanup; + } + } + ebitmap_for_each_positive_bit(&types->negset, tnode, i) { + assert(mod->map[SYM_TYPES][i]); + if (ebitmap_set_bit + (&dst->negset, mod->map[SYM_TYPES][i] - 1, 1)) { + goto cleanup; + } } - - return 0; -} - -static int type_set_convert(const type_set_t * types, type_set_t * dst, - const policy_module_t * mod) -{ - if (ebitmap_convert(&types->types, &dst->types, mod->map[SYM_TYPES])) - goto cleanup; - - if (ebitmap_convert(&types->negset, &dst->negset, mod->map[SYM_TYPES])) - goto cleanup; - dst->flags = types->flags; return 0; @@ -990,13 +988,13 @@ static int type_set_convert(const type_set_t * types, type_set_t * dst, /* OR 2 typemaps together and at the same time map the src types to * the correct values in the dst typeset. */ -static int type_set_or_convert(const type_set_t * types, type_set_t * dst, - const policy_module_t * mod) +static int type_set_or_convert(type_set_t * types, type_set_t * dst, + policy_module_t * mod, link_state_t * state) { type_set_t ts_tmp; type_set_init(&ts_tmp); - if (type_set_convert(types, &ts_tmp, mod) == -1) { + if (type_set_convert(types, &ts_tmp, mod, state) == -1) { goto cleanup; } if (type_set_or_eq(dst, &ts_tmp)) { @@ -1006,6 +1004,7 @@ static int type_set_or_convert(const type_set_t * types, type_set_t * dst, return 0; cleanup: + ERR(state->handle, "Out of memory!"); type_set_destroy(&ts_tmp); return -1; } @@ -1013,11 +1012,18 @@ static int type_set_or_convert(const type_set_t * types, type_set_t * dst, static int role_set_or_convert(role_set_t * roles, role_set_t * dst, policy_module_t * mod, link_state_t * state) { + unsigned int i; ebitmap_t tmp; + ebitmap_node_t *rnode; ebitmap_init(&tmp); - if (ebitmap_convert(&roles->roles, &tmp, mod->map[SYM_ROLES])) - goto cleanup; + ebitmap_for_each_positive_bit(&roles->roles, rnode, i) { + assert(mod->map[SYM_ROLES][i]); + if (ebitmap_set_bit + (&tmp, mod->map[SYM_ROLES][i] - 1, 1)) { + goto cleanup; + } + } if (ebitmap_union(&dst->roles, &tmp)) { goto cleanup; } @@ -1082,11 +1088,13 @@ static int mls_range_convert(mls_semantic_range_t * src, mls_semantic_range_t * static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) { + unsigned int i; char *id = key; role_datum_t *role, *dest_role = NULL; link_state_t *state = (link_state_t *) data; ebitmap_t e_tmp; policy_module_t *mod = state->cur; + ebitmap_node_t *rnode; hashtab_t role_tab; role = (role_datum_t *) datum; @@ -1103,20 +1111,30 @@ static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, } ebitmap_init(&e_tmp); - if (ebitmap_convert(&role->dominates, &e_tmp, mod->map[SYM_ROLES])) - goto cleanup; + ebitmap_for_each_positive_bit(&role->dominates, rnode, i) { + assert(mod->map[SYM_ROLES][i]); + if (ebitmap_set_bit + (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { + goto cleanup; + } + } if (ebitmap_union(&dest_role->dominates, &e_tmp)) { goto cleanup; } - if (type_set_or_convert(&role->types, &dest_role->types, mod)) { + if (type_set_or_convert(&role->types, &dest_role->types, mod, state)) { goto cleanup; } ebitmap_destroy(&e_tmp); if (role->flavor == ROLE_ATTRIB) { ebitmap_init(&e_tmp); - if (ebitmap_convert(&role->roles, &e_tmp, mod->map[SYM_ROLES])) - goto cleanup; + ebitmap_for_each_positive_bit(&role->roles, rnode, i) { + assert(mod->map[SYM_ROLES][i]); + if (ebitmap_set_bit + (&e_tmp, mod->map[SYM_ROLES][i] - 1, 1)) { + goto cleanup; + } + } if (ebitmap_union(&dest_role->roles, &e_tmp)) { goto cleanup; } @@ -1134,11 +1152,13 @@ static int role_fix_callback(hashtab_key_t key, hashtab_datum_t datum, static int type_fix_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) { + unsigned int i; char *id = key; type_datum_t *type, *new_type = NULL; link_state_t *state = (link_state_t *) data; ebitmap_t e_tmp; policy_module_t *mod = state->cur; + ebitmap_node_t *tnode; symtab_t *typetab; type = (type_datum_t *) datum; @@ -1161,8 +1181,13 @@ static int type_fix_callback(hashtab_key_t key, hashtab_datum_t datum, } ebitmap_init(&e_tmp); - if (ebitmap_convert(&type->types, &e_tmp, mod->map[SYM_TYPES])) - goto cleanup; + ebitmap_for_each_positive_bit(&type->types, tnode, i) { + assert(mod->map[SYM_TYPES][i]); + if (ebitmap_set_bit + (&e_tmp, mod->map[SYM_TYPES][i] - 1, 1)) { + goto cleanup; + } + } if (ebitmap_union(&new_type->types, &e_tmp)) { goto cleanup; } @@ -1244,8 +1269,9 @@ static int copy_avrule_list(avrule_t * list, avrule_t ** dst, new_rule->specified = cur->specified; new_rule->flags = cur->flags; if (type_set_convert - (&cur->stypes, &new_rule->stypes, module) == -1 - || type_set_convert(&cur->ttypes, &new_rule->ttypes, module) == -1) { + (&cur->stypes, &new_rule->stypes, module, state) == -1 + || type_set_convert(&cur->ttypes, &new_rule->ttypes, module, + state) == -1) { goto cleanup; } @@ -1329,6 +1355,8 @@ static int copy_role_trans_list(role_trans_rule_t * list, policy_module_t * module, link_state_t * state) { role_trans_rule_t *cur, *new_rule = NULL, *tail; + unsigned int i; + ebitmap_node_t *cnode; cur = list; tail = *dst; @@ -1346,12 +1374,19 @@ static int copy_role_trans_list(role_trans_rule_t * list, if (role_set_or_convert (&cur->roles, &new_rule->roles, module, state) || type_set_or_convert(&cur->types, &new_rule->types, - module)) { + module, state)) { goto cleanup; } - if (ebitmap_convert(&cur->classes, &new_rule->classes, module->map[SYM_CLASSES])) - goto cleanup; + ebitmap_for_each_positive_bit(&cur->classes, cnode, i) { + assert(module->map[SYM_CLASSES][i]); + if (ebitmap_set_bit(&new_rule->classes, + module-> + map[SYM_CLASSES][i] - 1, + 1)) { + goto cleanup; + } + } new_rule->new_role = module->map[SYM_ROLES][cur->new_role - 1]; @@ -1441,8 +1476,8 @@ static int copy_filename_trans_list(filename_trans_rule_t * list, if (!new_rule->name) goto err; - if (type_set_or_convert(&cur->stypes, &new_rule->stypes, module) || - type_set_or_convert(&cur->ttypes, &new_rule->ttypes, module)) + if (type_set_or_convert(&cur->stypes, &new_rule->stypes, module, state) || + type_set_or_convert(&cur->ttypes, &new_rule->ttypes, module, state)) goto err; new_rule->tclass = module->map[SYM_CLASSES][cur->tclass - 1]; @@ -1462,6 +1497,8 @@ static int copy_range_trans_list(range_trans_rule_t * rules, policy_module_t * mod, link_state_t * state) { range_trans_rule_t *rule, *new_rule = NULL; + unsigned int i; + ebitmap_node_t *cnode; for (rule = rules; rule; rule = rule->next) { new_rule = @@ -1475,15 +1512,21 @@ static int copy_range_trans_list(range_trans_rule_t * rules, *dst = new_rule; if (type_set_convert(&rule->stypes, &new_rule->stypes, - mod)) + mod, state)) goto cleanup; if (type_set_convert(&rule->ttypes, &new_rule->ttypes, - mod)) + mod, state)) goto cleanup; - if (ebitmap_convert(&rule->tclasses, &new_rule->tclasses, mod->map[SYM_CLASSES])) - goto cleanup; + ebitmap_for_each_positive_bit(&rule->tclasses, cnode, i) { + assert(mod->map[SYM_CLASSES][i]); + if (ebitmap_set_bit + (&new_rule->tclasses, + mod->map[SYM_CLASSES][i] - 1, 1)) { + goto cleanup; + } + } if (mls_range_convert(&rule->trange, &new_rule->trange, mod, state)) goto cleanup; @@ -1645,12 +1688,15 @@ static int copy_scope_index(scope_index_t * src, scope_index_t * dest, } dest->class_perms_len = largest_mapped_class_value; for (i = 0; i < src->class_perms_len; i++) { - const ebitmap_t *srcmap = src->class_perms_map + i; + ebitmap_t *srcmap = src->class_perms_map + i; ebitmap_t *destmap = dest->class_perms_map + module->map[SYM_CLASSES][i] - 1; - - if (ebitmap_convert(srcmap, destmap, module->perm_map[i])) - goto cleanup; + ebitmap_for_each_positive_bit(srcmap, node, j) { + if (ebitmap_set_bit(destmap, module->perm_map[i][j] - 1, + 1)) { + goto cleanup; + } + } } return 0; diff --git a/libsepol/src/mls.h b/libsepol/src/mls.h index befd12c5..eb4a1cb8 100644 --- a/libsepol/src/mls.h +++ b/libsepol/src/mls.h @@ -25,7 +25,6 @@ #include "policydb_internal.h" #include -#include #include "handle.h" extern int mls_from_string(sepol_handle_t * handle, diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 2b24d33e..b35bf055 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -624,7 +624,7 @@ exit: return rc; } -#define next_bit_in_range(i, p) (((i) + 1 < sizeof(p)*8) && xperm_test(((i) + 1), p)) +#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + 1), p)) static int xperms_to_cil(const av_extended_perms_t *xperms) { @@ -2330,7 +2330,7 @@ static int user_to_cil(int indent, struct policydb *pdb, struct avrule_block *bl } if (block->flags & AVRULE_OPTIONAL) { - // sensitivities in user statements in optionals do not have the + // sensitivites in user statements in optionals do not have the // standard -1 offset sens_offset = 0; } diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c index b79c19b9..fc260eb6 100644 --- a/libsepol/src/policydb.c +++ b/libsepol/src/policydb.c @@ -776,11 +776,12 @@ static int roles_init(policydb_t * p) rc = -ENOMEM; goto out; } - key = strdup(OBJECT_R); + key = malloc(strlen(OBJECT_R) + 1); if (!key) { rc = -ENOMEM; goto out_free_role; } + strcpy(key, OBJECT_R); rc = symtab_insert(p, SYM_ROLES, key, role, (p->policy_type == POLICY_MOD ? SCOPE_REQ : SCOPE_DECL), 1, @@ -4569,7 +4570,7 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) } } - if (policydb_validate(fp->handle, p)) + if (validate_policydb(fp->handle, p)) goto bad; return POLICYDB_SUCCESS; diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index 469c14f4..da18282b 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -8,7 +8,7 @@ #include "policydb_validate.h" #define bool_xor(a, b) (!(a) != !(b)) -#define bool_xnor(a, b) (!bool_xor(a, b)) +#define bool_xnor(a, b) !bool_xor(a, b) typedef struct validate { uint32_t nprim; @@ -18,7 +18,7 @@ typedef struct validate { typedef struct map_arg { validate_t *flavors; sepol_handle_t *handle; - const policydb_t *policy; + int mls; } map_arg_t; static int create_gap_ebitmap(char **val_to_name, uint32_t nprim, ebitmap_t *gaps) @@ -46,10 +46,8 @@ static int validate_init(validate_t *flavor, char **val_to_name, uint32_t nprim) return 0; } -static int validate_array_init(const policydb_t *p, validate_t flavors[]) +static int validate_array_init(policydb_t *p, validate_t flavors[]) { - if (validate_init(&flavors[SYM_COMMONS], p->p_common_val_to_name, p->p_commons.nprim)) - goto bad; if (validate_init(&flavors[SYM_CLASSES], p->p_class_val_to_name, p->p_classes.nprim)) goto bad; if (validate_init(&flavors[SYM_ROLES], p->p_role_val_to_name, p->p_roles.nprim)) @@ -93,7 +91,7 @@ int value_isvalid(uint32_t value, uint32_t nprim) return 1; } -static int validate_value(uint32_t value, const validate_t *flavor) +static int validate_value(uint32_t value, validate_t *flavor) { if (!value || value > flavor->nprim) goto bad; @@ -106,7 +104,7 @@ bad: return -1; } -static int validate_ebitmap(const ebitmap_t *map, const validate_t *flavor) +static int validate_ebitmap(ebitmap_t *map, validate_t *flavor) { if (ebitmap_length(map) > 0 && ebitmap_highest_set_bit(map) >= flavor->nprim) goto bad; @@ -119,7 +117,7 @@ bad: return -1; } -static int validate_type_set(const type_set_t *type_set, const validate_t *type) +static int validate_type_set(type_set_t *type_set, validate_t *type) { if (validate_ebitmap(&type_set->types, type)) goto bad; @@ -141,7 +139,7 @@ bad: return -1; } -static int validate_empty_type_set(const type_set_t *type_set) +static int validate_empty_type_set(type_set_t *type_set) { if (!ebitmap_is_empty(&type_set->types)) goto bad; @@ -156,7 +154,7 @@ bad: return -1; } -static int validate_role_set(const role_set_t *role_set, const validate_t *role) +static int validate_role_set(role_set_t *role_set, validate_t *role) { if (validate_ebitmap(&role_set->roles, role)) goto bad; @@ -178,8 +176,8 @@ bad: static int validate_scope(__attribute__ ((unused)) hashtab_key_t k, hashtab_datum_t d, void *args) { - const scope_datum_t *scope_datum = (scope_datum_t *)d; - const uint32_t *nprim = (uint32_t *)args; + scope_datum_t *scope_datum = (scope_datum_t *)d; + uint32_t *nprim = (uint32_t *)args; unsigned int i; switch (scope_datum->scope) { @@ -201,9 +199,9 @@ bad: return -1; } -static int validate_scopes(sepol_handle_t *handle, const symtab_t scopes[], const avrule_block_t *block) +static int validate_scopes(sepol_handle_t *handle, symtab_t scopes[], avrule_block_t *block) { - const avrule_decl_t *decl; + avrule_decl_t *decl; unsigned int i; unsigned int num_decls = 0; @@ -225,9 +223,9 @@ bad: return -1; } -static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms, const constraint_node_t *cons, validate_t flavors[]) +static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms, constraint_node_t *cons, validate_t flavors[]) { - const constraint_expr_t *cexp; + constraint_expr_t *cexp; for (; cons; cons = cons->next) { if (nperms == 0 && cons->permissions != 0) @@ -237,9 +235,6 @@ static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms if (nperms > 0 && nperms != PERM_SYMTAB_SIZE && cons->permissions >= (UINT32_C(1) << nperms)) goto bad; - if (!cons->expr) - goto bad; - for (cexp = cons->expr; cexp; cexp = cexp->next) { if (cexp->expr_type == CEXPR_NAMES) { if (cexp->attr & CEXPR_XTARGET && nperms != 0) @@ -344,33 +339,10 @@ bad: return -1; } -static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *common, validate_t flavors[]) -{ - if (validate_value(common->s.value, &flavors[SYM_COMMONS])) - goto bad; - if (common->permissions.nprim > PERM_SYMTAB_SIZE) - goto bad; - - return 0; - -bad: - ERR(handle, "Invalid common class datum"); - return -1; -} - -static int validate_common_datum_wrapper(__attribute__((unused)) hashtab_key_t k, hashtab_datum_t d, void *args) -{ - map_arg_t *margs = args; - - return validate_common_datum(margs->handle, d, margs->flavors); -} - -static int validate_class_datum(sepol_handle_t *handle, const class_datum_t *class, validate_t flavors[]) +static int validate_class_datum(sepol_handle_t *handle, class_datum_t *class, validate_t flavors[]) { if (validate_value(class->s.value, &flavors[SYM_CLASSES])) goto bad; - if (class->comdatum && validate_common_datum(handle, class->comdatum, flavors)) - goto bad; if (class->permissions.nprim > PERM_SYMTAB_SIZE) goto bad; if (validate_constraint_nodes(handle, class->permissions.nprim, class->constraints, flavors)) @@ -433,7 +405,26 @@ static int validate_class_datum_wrapper(__attribute__((unused)) hashtab_key_t k, return validate_class_datum(margs->handle, d, margs->flavors); } -static int validate_role_datum(sepol_handle_t *handle, const role_datum_t *role, validate_t flavors[]) +static int validate_common_datum(sepol_handle_t *handle, common_datum_t *common) +{ + if (common->permissions.nprim > PERM_SYMTAB_SIZE) + goto bad; + + return 0; + +bad: + ERR(handle, "Invalid common class datum"); + return -1; +} + +static int validate_common_datum_wrapper(__attribute__((unused)) hashtab_key_t k, hashtab_datum_t d, void *args) +{ + map_arg_t *margs = args; + + return validate_common_datum(margs->handle, d); +} + +static int validate_role_datum(sepol_handle_t *handle, role_datum_t *role, validate_t flavors[]) { if (validate_value(role->s.value, &flavors[SYM_ROLES])) goto bad; @@ -446,14 +437,6 @@ static int validate_role_datum(sepol_handle_t *handle, const role_datum_t *role, if (validate_ebitmap(&role->roles, &flavors[SYM_ROLES])) goto bad; - switch(role->flavor) { - case ROLE_ROLE: - case ROLE_ATTRIB: - break; - default: - goto bad; - } - return 0; bad: @@ -468,46 +451,19 @@ static int validate_role_datum_wrapper(__attribute__((unused)) hashtab_key_t k, return validate_role_datum(margs->handle, d, margs->flavors); } -static int validate_simpletype(uint32_t value, const policydb_t *p, validate_t flavors[]) -{ - const type_datum_t *type; - - if (validate_value(value, &flavors[SYM_TYPES])) - goto bad; - - type = p->type_val_to_struct[value - 1]; - if (!type) - goto bad; - - if (type->flavor == TYPE_ATTRIB) - goto bad; - - return 0; - -bad: - return -1; -} - -static int validate_type_datum(sepol_handle_t *handle, const type_datum_t *type, const policydb_t *p, validate_t flavors[]) +static int validate_type_datum(sepol_handle_t *handle, type_datum_t *type, validate_t flavors[]) { if (validate_value(type->s.value, &flavors[SYM_TYPES])) goto bad; - if (type->primary && validate_value(type->primary, &flavors[SYM_TYPES])) + if (validate_ebitmap(&type->types, &flavors[SYM_TYPES])) + goto bad; + if (type->bounds && validate_value(type->bounds, &flavors[SYM_TYPES])) goto bad; switch (type->flavor) { case TYPE_TYPE: - case TYPE_ALIAS: - if (!ebitmap_is_empty(&type->types)) - goto bad; - if (type->bounds && validate_simpletype(type->bounds, p, flavors)) - goto bad; - break; case TYPE_ATTRIB: - if (validate_ebitmap(&type->types, &flavors[SYM_TYPES])) - goto bad; - if (type->bounds) - goto bad; + case TYPE_ALIAS: break; default: goto bad; @@ -535,10 +491,10 @@ static int validate_type_datum_wrapper(__attribute__((unused)) hashtab_key_t k, { map_arg_t *margs = args; - return validate_type_datum(margs->handle, d, margs->policy, margs->flavors); + return validate_type_datum(margs->handle, d, margs->flavors); } -static int validate_mls_semantic_cat(const mls_semantic_cat_t *cat, const validate_t *cats) +static int validate_mls_semantic_cat(mls_semantic_cat_t *cat, validate_t *cats) { for (; cat; cat = cat->next) { if (validate_value(cat->low, cats)) @@ -553,7 +509,7 @@ bad: return -1; } -static int validate_mls_semantic_level(const mls_semantic_level_t *level, const validate_t *sens, const validate_t *cats) +static int validate_mls_semantic_level(mls_semantic_level_t *level, validate_t *sens, validate_t *cats) { if (level->sens == 0) return 0; @@ -568,7 +524,7 @@ bad: return -1; } -static int validate_mls_semantic_range(const mls_semantic_range_t *range, const validate_t *sens, const validate_t *cats) +static int validate_mls_semantic_range(mls_semantic_range_t *range, validate_t *sens, validate_t *cats) { if (validate_mls_semantic_level(&range->level[0], sens, cats)) goto bad; @@ -581,7 +537,7 @@ bad: return -1; } -static int validate_mls_level(const mls_level_t *level, const validate_t *sens, const validate_t *cats) +static int validate_mls_level(mls_level_t *level, validate_t *sens, validate_t *cats) { if (validate_value(level->sens, sens)) goto bad; @@ -602,7 +558,7 @@ static int validate_level_datum(__attribute__ ((unused)) hashtab_key_t k, hashta return validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]); } -static int validate_mls_range(const mls_range_t *range, const validate_t *sens, const validate_t *cats) +static int validate_mls_range(mls_range_t *range, validate_t *sens, validate_t *cats) { if (validate_mls_level(&range->level[0], sens, cats)) goto bad; @@ -615,7 +571,7 @@ static int validate_mls_range(const mls_range_t *range, const validate_t *sens, return -1; } -static int validate_user_datum(sepol_handle_t *handle, const user_datum_t *user, validate_t flavors[], const policydb_t *p) +static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, validate_t flavors[], int mls) { if (validate_value(user->s.value, &flavors[SYM_USERS])) goto bad; @@ -625,9 +581,9 @@ static int validate_user_datum(sepol_handle_t *handle, const user_datum_t *user, goto bad; if (validate_mls_semantic_level(&user->dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS])) goto bad; - if (p->mls && p->policy_type != POLICY_MOD && validate_mls_range(&user->exp_range, &flavors[SYM_LEVELS], &flavors[SYM_CATS])) + if (mls && validate_mls_range(&user->exp_range, &flavors[SYM_LEVELS], &flavors[SYM_CATS])) goto bad; - if (p->mls && p->policy_type != POLICY_MOD && validate_mls_level(&user->exp_dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS])) + if (mls && validate_mls_level(&user->exp_dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS])) goto bad; if (user->bounds && validate_value(user->bounds, &flavors[SYM_USERS])) goto bad; @@ -643,10 +599,10 @@ static int validate_user_datum_wrapper(__attribute__((unused)) hashtab_key_t k, { map_arg_t *margs = args; - return validate_user_datum(margs->handle, d, margs->flavors, margs->policy); + return validate_user_datum(margs->handle, d, margs->flavors, margs->mls); } -static int validate_bool_datum(sepol_handle_t *handle, const cond_bool_datum_t *boolean, validate_t flavors[]) +static int validate_bool_datum(sepol_handle_t *handle, cond_bool_datum_t *boolean, validate_t flavors[]) { if (validate_value(boolean->s.value, &flavors[SYM_BOOLS])) goto bad; @@ -681,7 +637,7 @@ static int validate_bool_datum_wrapper(__attribute__((unused)) hashtab_key_t k, return validate_bool_datum(margs->handle, d, margs->flavors); } -static int validate_datum_array_gaps(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[]) +static int validate_datum_array_gaps(sepol_handle_t *handle, policydb_t *p, validate_t flavors[]) { unsigned int i; @@ -731,9 +687,9 @@ static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum return !value_isvalid(s->value, *nprim); } -static int validate_datum_array_entries(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[]) +static int validate_datum_array_entries(sepol_handle_t *handle, policydb_t *p, validate_t flavors[]) { - map_arg_t margs = { flavors, handle, p }; + map_arg_t margs = { flavors, handle, p->mls }; if (hashtab_map(p->p_commons.table, validate_common_datum_wrapper, &margs)) goto bad; @@ -770,20 +726,12 @@ bad: * Functions to validate a kernel policydb */ -static int validate_avtab_key(const avtab_key_t *key, int conditional, const policydb_t *p, validate_t flavors[]) +static int validate_avtab_key(avtab_key_t *key, int conditional, validate_t flavors[]) { - if (p->policy_type == POLICY_KERN && key->specified & AVTAB_TYPE) { - if (validate_simpletype(key->source_type, p, flavors)) - goto bad; - if (validate_simpletype(key->target_type, p, flavors)) - goto bad; - } else { - if (validate_value(key->source_type, &flavors[SYM_TYPES])) - goto bad; - if (validate_value(key->target_type, &flavors[SYM_TYPES])) - goto bad; - } - + if (validate_value(key->source_type, &flavors[SYM_TYPES])) + goto bad; + if (validate_value(key->target_type, &flavors[SYM_TYPES])) + goto bad; if (validate_value(key->target_class, &flavors[SYM_CLASSES])) goto bad; switch (0xFFF & key->specified) { @@ -810,42 +758,22 @@ bad: return -1; } -static int validate_xperms(const avtab_extended_perms_t *xperms) -{ - switch (xperms->specified) { - case AVTAB_XPERMS_IOCTLDRIVER: - case AVTAB_XPERMS_IOCTLFUNCTION: - break; - default: - goto bad; - } - - return 0; - -bad: - return -1; -} static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *args) { - map_arg_t *margs = args; - - if (validate_avtab_key(k, 0, margs->policy, margs->flavors)) - return -1; + validate_t *flavors = (validate_t *)args; - if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors)) + if (validate_avtab_key(k, 0, flavors)) return -1; - if ((k->specified & AVTAB_XPERMS) && validate_xperms(d->xperms)) + if ((k->specified & AVTAB_TYPE) && validate_value(d->data, &flavors[SYM_TYPES])) return -1; return 0; } -static int validate_avtab(sepol_handle_t *handle, const avtab_t *avtab, const policydb_t *p, validate_t flavors[]) +static int validate_avtab(sepol_handle_t *handle, avtab_t *avtab, validate_t flavors[]) { - map_arg_t margs = { flavors, handle, p }; - - if (avtab_map(avtab, validate_avtab_key_and_datum, &margs)) { + if (avtab_map(avtab, validate_avtab_key_and_datum, flavors)) { ERR(handle, "Invalid avtab"); return -1; } @@ -853,13 +781,13 @@ static int validate_avtab(sepol_handle_t *handle, const avtab_t *avtab, const po return 0; } -static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *cond_av, const policydb_t *p, validate_t flavors[]) +static int validate_cond_av_list(sepol_handle_t *handle, cond_av_list_t *cond_av, validate_t flavors[]) { - const struct avtab_node *avtab_ptr; + avtab_ptr_t avtab_ptr; for (; cond_av; cond_av = cond_av->next) { for (avtab_ptr = cond_av->node; avtab_ptr; avtab_ptr = avtab_ptr->next) { - if (validate_avtab_key(&avtab_ptr->key, 1, p, flavors)) { + if (validate_avtab_key(&avtab_ptr->key, 1, flavors)) { ERR(handle, "Invalid cond av list"); return -1; } @@ -869,15 +797,20 @@ static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *c return 0; } -static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int conditional, const policydb_t *p, validate_t flavors[]) +static int validate_avrules(sepol_handle_t *handle, avrule_t *avrule, int conditional, validate_t flavors[]) { - const class_perm_node_t *classperm; + class_perm_node_t *class; for (; avrule; avrule = avrule->next) { if (validate_type_set(&avrule->stypes, &flavors[SYM_TYPES])) goto bad; if (validate_type_set(&avrule->ttypes, &flavors[SYM_TYPES])) goto bad; + class = avrule->perms; + for (; class; class = class->next) { + if (validate_value(class->tclass, &flavors[SYM_CLASSES])) + goto bad; + } switch(avrule->specified) { case AVRULE_ALLOWED: @@ -900,13 +833,6 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int goto bad; } - for (classperm = avrule->perms; classperm; classperm = classperm->next) { - if (validate_value(classperm->tclass, &flavors[SYM_CLASSES])) - goto bad; - if ((avrule->specified & AVRULE_TYPE) && validate_simpletype(classperm->data, p, flavors)) - goto bad; - } - if (avrule->specified & AVRULE_XPERMS) { if (!avrule->xperms) goto bad; @@ -936,7 +862,7 @@ bad: return -1; } -static int validate_bool_id_array(sepol_handle_t *handle, const uint32_t bool_ids[], unsigned int nbools, const validate_t *boolean) +static int validate_bool_id_array(sepol_handle_t *handle, uint32_t bool_ids[], unsigned int nbools, validate_t *bool) { unsigned int i; @@ -944,7 +870,7 @@ static int validate_bool_id_array(sepol_handle_t *handle, const uint32_t bool_id goto bad; for (i=0; i < nbools; i++) { - if (validate_value(bool_ids[i], boolean)) + if (validate_value(bool_ids[i], bool)) goto bad; } @@ -955,17 +881,14 @@ bad: return -1; } -static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *expr, const validate_t *boolean) +static int validate_cond_expr(sepol_handle_t *handle, struct cond_expr *expr, validate_t *bool) { int depth = -1; - if (!expr) - goto bad; - for (; expr; expr = expr->next) { switch(expr->expr_type) { case COND_BOOL: - if (validate_value(expr->bool, boolean)) + if (validate_value(expr->bool, bool)) goto bad; if (depth == (COND_EXPR_MAXDEPTH - 1)) goto bad; @@ -999,37 +922,21 @@ bad: return -1; } -static int validate_cond_list(sepol_handle_t *handle, const cond_list_t *cond, const policydb_t *p, validate_t flavors[]) +static int validate_cond_list(sepol_handle_t *handle, cond_list_t *cond, validate_t flavors[]) { for (; cond; cond = cond->next) { if (validate_cond_expr(handle, cond->expr, &flavors[SYM_BOOLS])) goto bad; - if (validate_cond_av_list(handle, cond->true_list, p, flavors)) + if (validate_cond_av_list(handle, cond->true_list, flavors)) goto bad; - if (validate_cond_av_list(handle, cond->false_list, p, flavors)) + if (validate_cond_av_list(handle, cond->false_list, flavors)) goto bad; - if (validate_avrules(handle, cond->avtrue_list, 1, p, flavors)) + if (validate_avrules(handle, cond->avtrue_list, 1, flavors)) goto bad; - if (validate_avrules(handle, cond->avfalse_list, 1, p, flavors)) + if (validate_avrules(handle, cond->avfalse_list, 1, flavors)) goto bad; if (validate_bool_id_array(handle, cond->bool_ids, cond->nbools, &flavors[SYM_BOOLS])) goto bad; - - switch (cond->cur_state) { - case 0: - case 1: - break; - default: - goto bad; - } - - switch (cond->flags) { - case 0: - case COND_NODE_FLAGS_TUNABLE: - break; - default: - goto bad; - } } return 0; @@ -1039,7 +946,7 @@ bad: return -1; } -static int validate_role_transes(sepol_handle_t *handle, const role_trans_t *role_trans, validate_t flavors[]) +static int validate_role_transes(sepol_handle_t *handle, role_trans_t *role_trans, validate_t flavors[]) { for (; role_trans; role_trans = role_trans->next) { if (validate_value(role_trans->role, &flavors[SYM_ROLES])) @@ -1059,7 +966,7 @@ bad: return -1; } -static int validate_role_allows(sepol_handle_t *handle, const role_allow_t *role_allow, validate_t flavors[]) +static int validate_role_allows(sepol_handle_t *handle, role_allow_t *role_allow, validate_t flavors[]) { for (; role_allow; role_allow = role_allow->next) { if (validate_value(role_allow->role, &flavors[SYM_ROLES])) @@ -1077,16 +984,14 @@ bad: static int validate_filename_trans(hashtab_key_t k, hashtab_datum_t d, void *args) { - const filename_trans_key_t *ftk = (filename_trans_key_t *)k; - const filename_trans_datum_t *ftd = d; + filename_trans_key_t *ftk = (filename_trans_key_t *)k; + filename_trans_datum_t *ftd = d; validate_t *flavors = (validate_t *)args; if (validate_value(ftk->ttype, &flavors[SYM_TYPES])) goto bad; if (validate_value(ftk->tclass, &flavors[SYM_CLASSES])) goto bad; - if (!ftd) - goto bad; for (; ftd; ftd = ftd->next) { if (validate_ebitmap(&ftd->stypes, &flavors[SYM_TYPES])) goto bad; @@ -1110,7 +1015,7 @@ static int validate_filename_trans_hashtab(sepol_handle_t *handle, hashtab_t fil return 0; } -static int validate_context(const context_struct_t *con, validate_t flavors[], int mls) +static int validate_context(context_struct_t *con, validate_t flavors[], int mls) { if (validate_value(con->user, &flavors[SYM_USERS])) return -1; @@ -1124,9 +1029,9 @@ static int validate_context(const context_struct_t *con, validate_t flavors[], i return 0; } -static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[]) +static int validate_ocontexts(sepol_handle_t *handle, policydb_t *p, validate_t flavors[]) { - const ocontext_t *octx; + ocontext_t *octx; unsigned int i; for (i = 0; i < OCON_NUM; i++) { @@ -1141,10 +1046,6 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, valid if (validate_context(&octx->context[1], flavors, p->mls)) goto bad; break; - case OCON_PORT: - if (octx->u.port.low_port > octx->u.port.high_port) - goto bad; - break; case OCON_FSUSE: switch (octx->v.behavior) { case SECURITY_FS_USE_XATTR: @@ -1166,21 +1067,16 @@ bad: return -1; } -static int validate_genfs(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[]) +static int validate_genfs(sepol_handle_t *handle, policydb_t *p, validate_t flavors[]) { - const genfs_t *genfs; - const ocontext_t *octx; + genfs_t *genfs; + ocontext_t *octx; for (genfs = p->genfs; genfs; genfs = genfs->next) { for (octx = genfs->head; octx; octx = octx->next) { if (validate_context(&octx->context[0], flavors, p->mls)) goto bad; - if (octx->v.sclass && validate_value(octx->v.sclass, &flavors[SYM_CLASSES])) - goto bad; } - - if (!genfs->fstype) - goto bad; } return 0; @@ -1194,7 +1090,7 @@ bad: * Functions to validate a module policydb */ -static int validate_role_trans_rules(sepol_handle_t *handle, const role_trans_rule_t *role_trans, validate_t flavors[]) +static int validate_role_trans_rules(sepol_handle_t *handle, role_trans_rule_t *role_trans, validate_t flavors[]) { for (; role_trans; role_trans = role_trans->next) { if (validate_role_set(&role_trans->roles, &flavors[SYM_ROLES])) @@ -1214,7 +1110,7 @@ bad: return -1; } -static int validate_role_allow_rules(sepol_handle_t *handle, const role_allow_rule_t *role_allow, validate_t flavors[]) +static int validate_role_allow_rules(sepol_handle_t *handle, role_allow_rule_t *role_allow, validate_t flavors[]) { for (; role_allow; role_allow = role_allow->next) { if (validate_role_set(&role_allow->roles, &flavors[SYM_ROLES])) @@ -1230,7 +1126,7 @@ bad: return -1; } -static int validate_range_trans_rules(sepol_handle_t *handle, const range_trans_rule_t *range_trans, validate_t flavors[]) +static int validate_range_trans_rules(sepol_handle_t *handle, range_trans_rule_t *range_trans, validate_t flavors[]) { for (; range_trans; range_trans = range_trans->next) { if (validate_type_set(&range_trans->stypes, &flavors[SYM_TYPES])) @@ -1250,7 +1146,7 @@ bad: return -1; } -static int validate_scope_index(sepol_handle_t *handle, const scope_index_t *scope_index, validate_t flavors[]) +static int validate_scope_index(sepol_handle_t *handle, scope_index_t *scope_index, validate_t flavors[]) { if (validate_ebitmap(&scope_index->p_classes_scope, &flavors[SYM_CLASSES])) goto bad; @@ -1277,7 +1173,7 @@ bad: } -static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_trans_rule_t *filename_trans, const policydb_t *p, validate_t flavors[]) +static int validate_filename_trans_rules(sepol_handle_t *handle, filename_trans_rule_t *filename_trans, validate_t flavors[]) { for (; filename_trans; filename_trans = filename_trans->next) { if (validate_type_set(&filename_trans->stypes, &flavors[SYM_TYPES])) @@ -1286,7 +1182,7 @@ static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_ goto bad; if (validate_value(filename_trans->tclass,&flavors[SYM_CLASSES] )) goto bad; - if (validate_simpletype(filename_trans->otype, p, flavors)) + if (validate_value(filename_trans->otype, &flavors[SYM_TYPES])) goto bad; /* currently only the RULE_SELF flag can be set */ @@ -1301,7 +1197,7 @@ bad: return -1; } -static int validate_symtabs(sepol_handle_t *handle, const symtab_t symtabs[], validate_t flavors[]) +static int validate_symtabs(sepol_handle_t *handle, symtab_t symtabs[], validate_t flavors[]) { unsigned int i; @@ -1315,15 +1211,15 @@ static int validate_symtabs(sepol_handle_t *handle, const symtab_t symtabs[], va return 0; } -static int validate_avrule_blocks(sepol_handle_t *handle, const avrule_block_t *avrule_block, const policydb_t *p, validate_t flavors[]) +static int validate_avrule_blocks(sepol_handle_t *handle, avrule_block_t *avrule_block, validate_t flavors[]) { - const avrule_decl_t *decl; + avrule_decl_t *decl; for (; avrule_block; avrule_block = avrule_block->next) { for (decl = avrule_block->branch_list; decl != NULL; decl = decl->next) { - if (validate_cond_list(handle, decl->cond_list, p, flavors)) + if (validate_cond_list(handle, decl->cond_list, flavors)) goto bad; - if (validate_avrules(handle, decl->avrules, 0, p, flavors)) + if (validate_avrules(handle, decl->avrules, 0, flavors)) goto bad; if (validate_role_trans_rules(handle, decl->role_tr_rules, flavors)) goto bad; @@ -1335,7 +1231,7 @@ static int validate_avrule_blocks(sepol_handle_t *handle, const avrule_block_t * goto bad; if (validate_scope_index(handle, &decl->declared, flavors)) goto bad; - if (validate_filename_trans_rules(handle, decl->filename_trans_rules, p, flavors)) + if (validate_filename_trans_rules(handle, decl->filename_trans_rules, flavors)) goto bad; if (validate_symtabs(handle, decl->symtab, flavors)) goto bad; @@ -1357,13 +1253,13 @@ bad: return -1; } -static int validate_permissives(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[]) +static int validate_permissives(sepol_handle_t *handle, policydb_t *p, validate_t flavors[]) { ebitmap_node_t *node; unsigned i; ebitmap_for_each_positive_bit(&p->permissive_map, node, i) { - if (validate_simpletype(i, p, flavors)) + if (validate_value(i, &flavors[SYM_TYPES])) goto bad; } @@ -1374,62 +1270,7 @@ bad: return -1; } -static int validate_range_transition(hashtab_key_t key, hashtab_datum_t data, void *args) -{ - const range_trans_t *rt = (const range_trans_t *)key; - const mls_range_t *r = data; - const map_arg_t *margs = args; - const validate_t *flavors = margs->flavors; - - if (validate_value(rt->source_type, &flavors[SYM_TYPES])) - goto bad; - if (validate_value(rt->target_type, &flavors[SYM_TYPES])) - goto bad; - if (validate_value(rt->target_class, &flavors[SYM_CLASSES])) - goto bad; - - if (validate_mls_range(r, &flavors[SYM_LEVELS], &flavors[SYM_CATS])) - goto bad; - - return 0; - -bad: - return -1; -} - -static int validate_range_transitions(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[]) -{ - map_arg_t margs = { flavors, handle, p }; - - if (hashtab_map(p->range_tr, validate_range_transition, &margs)) { - ERR(handle, "Invalid range transition"); - return -1; - } - - return 0; -} - -static int validate_typeattr_map(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[]) -{ - const ebitmap_t *maps = p->type_attr_map; - unsigned int i; - - if (p->policy_type == POLICY_KERN) { - for (i = 0; i < p->p_types.nprim; i++) { - if (validate_ebitmap(&maps[i], &flavors[SYM_TYPES])) - goto bad; - } - } else if (maps) - goto bad; - - return 0; - -bad: - ERR(handle, "Invalid type attr map"); - return -1; -} - -static int validate_properties(sepol_handle_t *handle, const policydb_t *p) +static int validate_properties(sepol_handle_t *handle, policydb_t *p) { switch (p->policy_type) { case POLICY_KERN: @@ -1489,7 +1330,7 @@ static void validate_array_destroy(validate_t flavors[]) /* * Validate policydb */ -int policydb_validate(sepol_handle_t *handle, const policydb_t *p) +int validate_policydb(sepol_handle_t *handle, policydb_t *p) { validate_t flavors[SYM_NUM] = {}; @@ -1500,10 +1341,10 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p) goto bad; if (p->policy_type == POLICY_KERN) { - if (validate_avtab(handle, &p->te_avtab, p, flavors)) + if (validate_avtab(handle, &p->te_avtab, flavors)) goto bad; if (p->policyvers >= POLICYDB_VERSION_BOOL) - if (validate_cond_list(handle, p->cond_list, p, flavors)) + if (validate_cond_list(handle, p->cond_list, flavors)) goto bad; if (validate_role_transes(handle, p->role_tr, flavors)) goto bad; @@ -1513,7 +1354,7 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p) if (validate_filename_trans_hashtab(handle, p->filename_trans, flavors)) goto bad; } else { - if (validate_avrule_blocks(handle, p->global, p, flavors)) + if (validate_avrule_blocks(handle, p->global, flavors)) goto bad; } @@ -1535,14 +1376,6 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p) if (validate_permissives(handle, p, flavors)) goto bad; - if (validate_range_transitions(handle, p, flavors)) - goto bad; - - if (p->policyvers >= POLICYDB_VERSION_AVTAB) { - if (validate_typeattr_map(handle, p, flavors)) - goto bad; - } - validate_array_destroy(flavors); return 0; diff --git a/libsepol/src/policydb_validate.h b/libsepol/src/policydb_validate.h index 86a53168..d9f7229b 100644 --- a/libsepol/src/policydb_validate.h +++ b/libsepol/src/policydb_validate.h @@ -4,4 +4,4 @@ #include int value_isvalid(uint32_t value, uint32_t nprim); -int policydb_validate(sepol_handle_t *handle, const policydb_t *p); +int validate_policydb(sepol_handle_t *handle, policydb_t *p); diff --git a/libsepol/src/services.c b/libsepol/src/services.c index 062510ab..d7510e9d 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c @@ -394,7 +394,7 @@ static int constraint_expr_eval_reason(context_struct_t *scontext, role_datum_t *r1, *r2; mls_level_t *l1, *l2; constraint_expr_t *e; - int s[CEXPR_MAXDEPTH] = {}; + int s[CEXPR_MAXDEPTH]; int sp = -1; char tmp_buf[128]; @@ -894,8 +894,7 @@ static void type_attribute_bounds_av(context_struct_t *scontext, /* mask violated permissions */ avd->allowed &= ~masked; - if (reason) - *reason |= SEPOL_COMPUTEAV_BOUNDS; + *reason |= SEPOL_COMPUTEAV_BOUNDS; } /* diff --git a/libsepol/src/util.c b/libsepol/src/util.c index 0a2edc85..1cd1308d 100644 --- a/libsepol/src/util.c +++ b/libsepol/src/util.c @@ -124,7 +124,7 @@ char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass, return avbuf; } -#define next_bit_in_range(i, p) (((i) + 1 < sizeof(p)*8) && xperm_test(((i) + 1), p)) +#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + 1), p)) char *sepol_extended_perms_to_string(avtab_extended_perms_t *xperms) { diff --git a/libsepol/src/write.c b/libsepol/src/write.c index a9fdf93a..48ed21ea 100644 --- a/libsepol/src/write.c +++ b/libsepol/src/write.c @@ -1097,18 +1097,16 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) || (p->policy_type == POLICY_BASE && p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) { - char default_range = cladatum->default_range; - buf[0] = cpu_to_le32(cladatum->default_user); buf[1] = cpu_to_le32(cladatum->default_role); - if (!glblub_version && default_range == DEFAULT_GLBLUB) { + if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) { WARN(fp->handle, - "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding", - p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers, - p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB); - default_range = 0; - } - buf[2] = cpu_to_le32(default_range); + "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding", + p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers, + p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB); + cladatum->default_range = 0; + } + buf[2] = cpu_to_le32(cladatum->default_range); items = put_entry(buf, sizeof(uint32_t), 3, fp); if (items != 3) return POLICYDB_ERROR; diff --git a/libsepol/tests/Makefile b/libsepol/tests/Makefile index 273373b0..a72c327d 100644 --- a/libsepol/tests/Makefile +++ b/libsepol/tests/Makefile @@ -1,24 +1,9 @@ ENV ?= env -M4 ?= m4 -E -E +M4 ?= m4 MKDIR ?= mkdir EXE ?= libsepol-tests -CFLAGS += -g3 -gdwarf-2 -O0 \ - -Werror -Wall -Wextra \ - -Wfloat-equal \ - -Wformat=2 \ - -Winit-self \ - -Wmissing-format-attribute \ - -Wmissing-noreturn \ - -Wmissing-prototypes \ - -Wnull-dereference \ - -Wpointer-arith \ - -Wshadow \ - -Wstrict-prototypes \ - -Wundef \ - -Wunused \ - -Wwrite-strings \ - -fno-common +CFLAGS += -g3 -gdwarf-2 -O0 -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute -Wno-unused-parameter -Werror # Statically link libsepol on the assumption that we are going to # be testing internal functions. diff --git a/libsepol/tests/libsepol-tests.c b/libsepol/tests/libsepol-tests.c index 968e3cc2..dc8fd5ce 100644 --- a/libsepol/tests/libsepol-tests.c +++ b/libsepol/tests/libsepol-tests.c @@ -19,12 +19,10 @@ */ #include "test-cond.h" -#include "test-ebitmap.h" #include "test-linker.h" #include "test-expander.h" #include "test-deps.h" #include "test-downgrade.h" -#include "test-neverallow.h" #include #include @@ -66,13 +64,11 @@ static bool do_tests(int interactive, int verbose) if (CUE_SUCCESS != CU_initialize_registry()) return CU_get_error(); - DECLARE_SUITE(ebitmap); DECLARE_SUITE(cond); DECLARE_SUITE(linker); DECLARE_SUITE(expander); DECLARE_SUITE(deps); DECLARE_SUITE(downgrade); - DECLARE_SUITE(neverallow); if (verbose) CU_basic_set_mode(CU_BRM_VERBOSE); diff --git a/libsepol/tests/policies/test-deps/base-metreq.conf b/libsepol/tests/policies/test-deps/base-metreq.conf index d8e1f40b..b7528dde 100644 --- a/libsepol/tests/policies/test-deps/base-metreq.conf +++ b/libsepol/tests/policies/test-deps/base-metreq.conf @@ -33,7 +33,7 @@ class key_socket class unix_stream_socket class unix_dgram_socket -# sysv-ipc-related classes +# sysv-ipc-related clases class sem class msg class msgq diff --git a/libsepol/tests/policies/test-deps/base-notmetreq.conf b/libsepol/tests/policies/test-deps/base-notmetreq.conf index ecd92f6f..eee36dca 100644 --- a/libsepol/tests/policies/test-deps/base-notmetreq.conf +++ b/libsepol/tests/policies/test-deps/base-notmetreq.conf @@ -33,7 +33,7 @@ class key_socket class unix_stream_socket class unix_dgram_socket -# sysv-ipc-related classes +# sysv-ipc-related clases class msg class msgq class shm diff --git a/libsepol/tests/policies/test-deps/small-base.conf b/libsepol/tests/policies/test-deps/small-base.conf index 848d1741..98f49c23 100644 --- a/libsepol/tests/policies/test-deps/small-base.conf +++ b/libsepol/tests/policies/test-deps/small-base.conf @@ -33,7 +33,7 @@ class key_socket class unix_stream_socket class unix_dgram_socket -# sysv-ipc-related classes +# sysv-ipc-related clases class sem class msg class msgq diff --git a/libsepol/tests/policies/test-expander/alias-base.conf b/libsepol/tests/policies/test-expander/alias-base.conf index 34955924..b950039d 100644 --- a/libsepol/tests/policies/test-expander/alias-base.conf +++ b/libsepol/tests/policies/test-expander/alias-base.conf @@ -33,7 +33,7 @@ class key_socket class unix_stream_socket class unix_dgram_socket -# sysv-ipc-related classes +# sysv-ipc-related clases class sem class msg class msgq diff --git a/libsepol/tests/policies/test-expander/role-base.conf b/libsepol/tests/policies/test-expander/role-base.conf index a387c8c0..8e88b4be 100644 --- a/libsepol/tests/policies/test-expander/role-base.conf +++ b/libsepol/tests/policies/test-expander/role-base.conf @@ -33,7 +33,7 @@ class key_socket class unix_stream_socket class unix_dgram_socket -# sysv-ipc-related classes +# sysv-ipc-related clases class sem class msg class msgq diff --git a/libsepol/tests/policies/test-expander/small-base.conf b/libsepol/tests/policies/test-expander/small-base.conf index ac180f35..055ea054 100644 --- a/libsepol/tests/policies/test-expander/small-base.conf +++ b/libsepol/tests/policies/test-expander/small-base.conf @@ -33,7 +33,7 @@ class key_socket class unix_stream_socket class unix_dgram_socket -# sysv-ipc-related classes +# sysv-ipc-related clases class sem class msg class msgq diff --git a/libsepol/tests/policies/test-expander/user-base.conf b/libsepol/tests/policies/test-expander/user-base.conf index 789a59a2..b31ee8cd 100644 --- a/libsepol/tests/policies/test-expander/user-base.conf +++ b/libsepol/tests/policies/test-expander/user-base.conf @@ -33,7 +33,7 @@ class key_socket class unix_stream_socket class unix_dgram_socket -# sysv-ipc-related classes +# sysv-ipc-related clases class sem class msg class msgq diff --git a/libsepol/tests/policies/test-hooks/cmp_policy.conf b/libsepol/tests/policies/test-hooks/cmp_policy.conf index 3c510bc4..9082b333 100644 --- a/libsepol/tests/policies/test-hooks/cmp_policy.conf +++ b/libsepol/tests/policies/test-hooks/cmp_policy.conf @@ -33,7 +33,7 @@ class key_socket class unix_stream_socket class unix_dgram_socket -# sysv-ipc-related classes +# sysv-ipc-related clases class sem class msg class msgq diff --git a/libsepol/tests/policies/test-hooks/small-base.conf b/libsepol/tests/policies/test-hooks/small-base.conf index 3c510bc4..9082b333 100644 --- a/libsepol/tests/policies/test-hooks/small-base.conf +++ b/libsepol/tests/policies/test-hooks/small-base.conf @@ -33,7 +33,7 @@ class key_socket class unix_stream_socket class unix_dgram_socket -# sysv-ipc-related classes +# sysv-ipc-related clases class sem class msg class msgq diff --git a/libsepol/tests/policies/test-linker/small-base.conf b/libsepol/tests/policies/test-linker/small-base.conf index 15ced459..890ebbeb 100644 --- a/libsepol/tests/policies/test-linker/small-base.conf +++ b/libsepol/tests/policies/test-linker/small-base.conf @@ -33,7 +33,7 @@ class key_socket class unix_stream_socket class unix_dgram_socket -# sysv-ipc-related classes +# sysv-ipc-related clases class sem class msg class msgq diff --git a/libsepol/tests/policies/test-neverallow/policy.conf b/libsepol/tests/policies/test-neverallow/policy.conf deleted file mode 100644 index 67a16372..00000000 --- a/libsepol/tests/policies/test-neverallow/policy.conf +++ /dev/null @@ -1,298 +0,0 @@ -class process -class blk_file -class chr_file -class dir -class fifo_file -class file -class lnk_file -class sock_file - -sid kernel -sid security -sid unlabeled -sid file -sid port -sid netif -sid netmsg -sid node -sid devnull - -class process { dyntransition transition } -class file { getattr ioctl open read write } - -ifdef(`enable_mls',` -sensitivity s0; -dominance { s0 } -category c0; category c1; category c2; category c3; -category c4; category c5; category c6; category c7; -category c8; category c9; category c10; category c11; -category c12; category c13; category c14; category c15; -category c16; category c17; category c18; category c19; -category c20; category c21; category c22; category c23; - -level s0:c0.c23; - -mlsconstrain file { write } ( h1 dom h2 ); -') - - -######################################## -# -# Test start -# -######################################## - - -## Test 1 (basic) - -type test1_t; -allow test1_t test1_t : file { read write }; -neverallow test1_t test1_t : file read; - - -## Test 2 (wildcard permission) - -type test2_t; -allow test2_t test2_t : file { read write }; -neverallow test2_t test2_t : file *; - - -## Test 3 (complement permission) - -type test3_t; -allow test3_t test3_t : file { read write }; -neverallow test3_t test3_t : file ~{ write }; - - -## Test 4 (wildcard source) - -type test4_t; -allow test4_t test4_t : file { read write }; -neverallow * test4_t : file read; - - -## Test 5 (wildcard target) - -type test5_t; -allow test5_t test5_t : file { read write }; -neverallow test5_t * : file read; - - -## Test 6 (complement source) - -type test6_1_t; -type test6_2_t; -allow { test6_1_t test6_2_t } { test6_1_t test6_2_t } : file { read write }; -neverallow ~{ test6_2_t } test6_1_t : file read; - - -## Test 7 (complement target) - -type test7_1_t; -type test7_2_t; -allow { test7_1_t test7_2_t } { test7_1_t test7_2_t } : file { read write }; -neverallow test7_1_t ~{ test7_2_t } : file read; - - -## Test 8 (source attribute) - -attribute test8_a; -type test8_t, test8_a; -allow test8_a test8_a : file read; -allow test8_t test8_t : file write; -neverallow test8_a test8_t : file { read write }; - - -## Test 9 (target attribute) - -attribute test9_a; -type test9_t, test9_a; -allow test9_a test9_a : file read; -allow test9_t test9_t : file write; -neverallow test9_t test9_a : file { read write }; - - -## Test 10 (self) - -attribute test10_a; -type test10_1_t, test10_a; -type test10_2_t; -allow { test10_1_t test10_2_t } { test10_1_t test10_2_t } : file read; -neverallow test10_a self : file *; - - -## Test 11 (wildcard) - -type test11_t; -allow test11_t self : process *; -neverallow * * : process *; - - -## Test 12 (complement attributes) - -attribute test12_1_a; -attribute test12_2_a; -attribute test12_3_a; -type test12_1_t, test12_1_a; -type test12_2_t, test12_2_a; -type test12_3_t, test12_3_a; -allow { test12_1_a test12_2_a test12_3_a } { test12_1_a test12_2_a test12_3_a } : file *; -neverallow ~{ test12_1_a test12_2_t } ~{ test12_3_a } : file getattr; -neverallow ~{ test12_1_a } ~{ test12_2_a test12_3_t } : file open; - - -## Test 13 (excludes) - -attribute test13_1_a; -attribute test13_2_a; -attribute test13_3_a; -type test13_1_t, test13_1_a; -type test13_2_t, test13_2_a; -type test13_3_t, test13_3_a; -allow { test13_1_a test13_2_a test13_3_a } { test13_1_a test13_2_a test13_3_a } : file { read write }; -neverallow { test13_1_a test13_2_a test13_3_a -test13_2_a -test13_3_t } { test13_1_a test13_2_a test13_3_a -test13_2_t -test13_3_a } : file read; - - -## Test 14 (misc avrules) - -type test14_t; -auditallow test14_t test14_t : file read; -dontaudit test14_t test14_t : file write; -neverallow test14_t test14_t : file { read write }; -type_transition test14_t test14_t : file test14_t; -type_transition test14_t test14_t : file test14_t "objname"; -neverallow test14_t test14_t : file *; # nofail - - -## Test 15 (extended permissions - standard allow) - -type test15_t; -allow test15_t self : file ioctl; -neverallowxperm test15_t self : file ioctl 0x1111; - - -## Test 16 (extended permissions - allowxperm) - -type test16_t; -allow test16_t self : file ioctl; -allowxperm test16_t self : file ioctl 0x1111; -neverallowxperm test16_t self : file ioctl 0x1111; - - -## Test 17 (extended permissions - allowxperm mismatch) - -type test17_t; -allow test17_t self : file ioctl; -allowxperm test17_t self : file ioctl 0x1111; -neverallowxperm test17_t self : file ioctl 0x2222; # nofail - - -## Test 18 (extended permissions - allowxperm range I) - -type test18_t; -allow test18_t self : file ioctl; -allowxperm test18_t self : file ioctl { 0x1100-0x1300 }; -neverallowxperm test18_t self : file ioctl 0x1111; - - -## Test 19 (extended permissions - allowxperm range II) - -type test19_t; -allow test19_t self : file ioctl; -allowxperm test19_t self : file ioctl 0x1111; -neverallowxperm test19_t self : file ioctl { 0x1100-0x1300 }; - - -## Test 20 (extended permissions - misc targets I) - -attribute test20_a; -type test20_t, test20_a; - -allow test20_a test20_a : file ioctl; -allowxperm test20_a test20_a : file ioctl 0x1111; -neverallowxperm test20_a self : file ioctl 0x1111; - - -## Test 21 (extended permissions - misc targets II) - -attribute test21_1_a; -attribute test21_2_a; -type test21_t, test21_1_a, test21_2_a; - -allow test21_1_a test21_1_a : file ioctl; -allowxperm test21_1_a test21_2_a : file ioctl 0x1111; -neverallowxperm test21_1_a self : file ioctl 0x1111; - - -## Test 22 (extended permissions - misc targets III) - -attribute test22_a; -type test22_t, test22_a; - -allow test22_a test22_a : file ioctl; -allowxperm test22_t self : file ioctl 0x1111; -neverallowxperm test22_a self : file ioctl 0x1111; - - -## Test 23 (extended permissions - misc targets IV) - -attribute test23_a; -type test23_t, test23_a; - -allow test23_a test23_a : file ioctl; -allowxperm test23_t test23_t : file ioctl 0x1111; -neverallowxperm test23_a self : file ioctl 0x1111; - - -## Test 24 (extended permissions - misc targets V) - -attribute test24_a; -type test24_t, test24_a; - -allow test24_a test24_a : file ioctl; -allowxperm test24_t test24_a : file ioctl 0x1111; -neverallowxperm test24_a self : file ioctl 0x1111; - - -## Test 25 (extended permissions - misc targets VI) - -attribute test25_a; -type test25_t, test25_a; - -allow test25_a test25_a : file ioctl; -allowxperm test25_a self : file ioctl 0x1111; -neverallowxperm test25_a self : file ioctl 0x1111; - - -## Test 26 (extended permissions - assert twice) - -attribute test26_a; -type test26_1_t, test26_a; -type test26_2_t, test26_a; -allow test26_a test26_a : file ioctl; -allowxperm test26_a test26_a : file ioctl 0x1111; -neverallowxperm test26_1_t test26_a : file ioctl 0x1111; - - -######################################## -# -# Test End -# -######################################## - - -type sys_isid; -role sys_role; -role sys_role types sys_isid; -gen_user(sys_user,, sys_role, s0, s0 - s0:c0.c23) -sid kernel gen_context(sys_user:sys_role:sys_isid, s0) -sid security gen_context(sys_user:sys_role:sys_isid, s0) -sid unlabeled gen_context(sys_user:sys_role:sys_isid, s0) -sid file gen_context(sys_user:sys_role:sys_isid, s0) -sid port gen_context(sys_user:sys_role:sys_isid, s0) -sid netif gen_context(sys_user:sys_role:sys_isid, s0) -sid netmsg gen_context(sys_user:sys_role:sys_isid, s0) -sid node gen_context(sys_user:sys_role:sys_isid, s0) -sid devnull gen_context(sys_user:sys_role:sys_isid, s0) -fs_use_trans devpts gen_context(sys_user:sys_role:sys_isid, s0); -fs_use_trans devtmpfs gen_context(sys_user:sys_role:sys_isid, s0); diff --git a/libsepol/tests/test-ebitmap.c b/libsepol/tests/test-ebitmap.c deleted file mode 100644 index 8774555e..00000000 --- a/libsepol/tests/test-ebitmap.c +++ /dev/null @@ -1,1080 +0,0 @@ -#include "test-ebitmap.h" - -#include -#include - -#include -#include - -#define RANDOM_ROUNDS 10 - - -static int ebitmap_init_random(ebitmap_t *e, unsigned int length, int set_chance) -{ - unsigned int i; - int rc; - - if (set_chance <= 0 || set_chance > 100) - return -EINVAL; - - ebitmap_init(e); - - for (i = 0; i < length; i++) { - if ((random() % 100) < set_chance) { - rc = ebitmap_set_bit(e, i, 1); - if (rc) - return rc; - } - } - - return 0; -} - -static void test_ebitmap_init_destroy(void) -{ - ebitmap_t e; - - /* verify idempotence */ - ebitmap_init(&e); - ebitmap_init(&e); - ebitmap_init(&e); - - CU_ASSERT(ebitmap_is_empty(&e)); - CU_ASSERT_PTR_NULL(ebitmap_startnode(&e)); - - /* verify idempotence */ - ebitmap_destroy(&e); - ebitmap_destroy(&e); - ebitmap_destroy(&e); - - CU_ASSERT(ebitmap_is_empty(&e)); - CU_ASSERT_PTR_NULL(ebitmap_startnode(&e)); -} - -static void test_ebitmap_cmp(void) -{ - ebitmap_t e1, e2; - - ebitmap_init(&e1); - ebitmap_init(&e2); - - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 10, 1), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 10, 1), 0); - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 63, 1), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 63, 1), 0); - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 64, 1), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 64, 1), 0); - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 1022, 1), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 1022, 1), 0); - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 1023, 1), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 1023, 1), 0); - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 1024, 1), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 1024, 1), 0); - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 1025, 1), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 1025, 1), 0); - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 255, 1), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 255, 1), 0); - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 256, 1), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 256, 1), 0); - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 639, 1), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 639, 1), 0); - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 640, 1), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 640, 1), 0); - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 900, 1), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 900, 1), 0); - CU_ASSERT(ebitmap_cmp(&e1, &e2)); - - ebitmap_destroy(&e2); - - CU_ASSERT_FALSE(ebitmap_cmp(&e1, &e2)); - - ebitmap_destroy(&e1); - - CU_ASSERT(ebitmap_cmp(&e1, &e2)); -} - -static void test_ebitmap_set_and_get(void) -{ - ebitmap_t e; - - ebitmap_init(&e); - - CU_ASSERT(ebitmap_is_empty(&e)); - CU_ASSERT_TRUE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 0); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 0); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 10), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, UINT32_MAX, 1), -EINVAL); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 10, 0), 0); - CU_ASSERT(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 0); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 0); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 10), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 10, 1), 0); - CU_ASSERT_FALSE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 1); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 10); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 10), 1); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 100, 1), 0); - CU_ASSERT_FALSE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 2); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 100); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 100), 1); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 50, 1), 0); - CU_ASSERT_FALSE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 3); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 100); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 50), 1); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 1023, 1), 0); - CU_ASSERT_FALSE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 4); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 1023); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 1023), 1); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 1024, 1), 0); - CU_ASSERT_FALSE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 5); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 1024); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 1024), 1); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 1050, 1), 0); - CU_ASSERT_FALSE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 6); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 1050); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 1050), 1); - - { - ebitmap_node_t *n; - unsigned int bit, count; - - /* iterate all allocated bits */ - count = 0; - ebitmap_for_each_bit(&e, n, bit) { - CU_ASSERT( bit < 64 || - (64 <= bit && bit < 128) || - (960 <= bit && bit < 1024) || - (1024 <= bit && bit < 1088)); - count++; - } - CU_ASSERT_EQUAL(count, 4 * 64); - - count = 0; - ebitmap_for_each_positive_bit(&e, n, bit) { - CU_ASSERT(bit == 10 || - bit == 50 || - bit == 100 || - bit == 1023 || - bit == 1024 || - bit == 1050); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, bit), 1); - count++; - } - CU_ASSERT_EQUAL(count, 6); - } - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 1024, 0), 0); - CU_ASSERT_FALSE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 5); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 1050); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 1024), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 1050, 0), 0); - CU_ASSERT_FALSE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 4); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 1023); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 1050), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 100, 0), 0); - CU_ASSERT_FALSE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 3); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 1023); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 100), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 10, 0), 0); - CU_ASSERT_FALSE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 2); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 1023); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 10), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 50, 0), 0); - CU_ASSERT_FALSE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 1); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 1023); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 50), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e, 1023, 0), 0); - CU_ASSERT_TRUE(ebitmap_is_empty(&e)); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e), 0); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e), 0); - CU_ASSERT_EQUAL(ebitmap_get_bit(&e, 1023), 0); - - ebitmap_destroy(&e); -} - -static void test_ebitmap_init_range(void) -{ - ebitmap_t e1, e2, e3, e4, e5, e6; - - CU_ASSERT_EQUAL(ebitmap_init_range(&e1, 0, 0), 0); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e1), 0); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e1), 1); - - CU_ASSERT_EQUAL(ebitmap_init_range(&e2, 0, 5), 0); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e2), 5); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e2), 6); - - CU_ASSERT_EQUAL(ebitmap_init_range(&e3, 20, 100), 0); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e3), 100); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e3), 81); - - CU_ASSERT_EQUAL(ebitmap_init_range(&e4, 100, 400), 0); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&e4), 400); - CU_ASSERT_EQUAL(ebitmap_cardinality(&e4), 301); - - CU_ASSERT_EQUAL(ebitmap_init_range(&e5, 10, 5), -EINVAL); - CU_ASSERT_EQUAL(ebitmap_init_range(&e6, 0, UINT32_MAX), -EOVERFLOW); - - ebitmap_destroy(&e6); - ebitmap_destroy(&e5); - ebitmap_destroy(&e4); - ebitmap_destroy(&e3); - ebitmap_destroy(&e2); - ebitmap_destroy(&e1); -} - -static void test_ebitmap_or(void) -{ - ebitmap_t e1, e2, e3, e4; - - ebitmap_init(&e1); - ebitmap_init(&e2); - ebitmap_init(&e3); - ebitmap_init(&e4); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 10, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 100, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 101, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 318, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 319, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 383, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 384, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 449, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 1013, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 11, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 101, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 430, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 665, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 10, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 11, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 100, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 101, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 318, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 319, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 383, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 384, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 430, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 449, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 665, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 1013, 1), 0); - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_or(&dst, &e1, &e1), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e1)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_or(&dst, &e2, &e2), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e2)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_or(&dst, &e1, &e2), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e3)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_or(&dst, &e3, &e3), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e3)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_or(&dst, &e3, &e4), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e3)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_or(&dst, &e4, &e4), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e4)); - - ebitmap_destroy(&dst); - } - - ebitmap_destroy(&e4); - ebitmap_destroy(&e3); - ebitmap_destroy(&e2); - ebitmap_destroy(&e1); -} - -static void test_ebitmap_and(void) -{ - { - ebitmap_t e1, e2, e12, e3, e4; - - ebitmap_init(&e1); - ebitmap_init(&e2); - ebitmap_init(&e12); - ebitmap_init(&e3); - ebitmap_init(&e4); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 10, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 100, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 101, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 318, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 319, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 383, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 384, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 449, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 1013, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 11, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 101, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 319, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 665, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e12, 101, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e12, 319, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 10, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 11, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 100, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 101, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 318, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 319, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 383, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 384, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 430, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 449, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 665, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 1013, 1), 0); - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_and(&dst, &e1, &e1), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e1)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_and(&dst, &e2, &e2), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e2)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_and(&dst, &e1, &e2), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e12)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_and(&dst, &e3, &e3), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e3)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_and(&dst, &e1, &e3), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e1)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_and(&dst, &e2, &e3), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e2)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_and(&dst, &e4, &e4), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e4)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_and(&dst, &e3, &e4), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e4)); - - ebitmap_destroy(&dst); - } - - ebitmap_destroy(&e4); - ebitmap_destroy(&e3); - ebitmap_destroy(&e12); - ebitmap_destroy(&e2); - ebitmap_destroy(&e1); - } - - { - ebitmap_t e5; - ebitmap_t e6; - ebitmap_t e56; - ebitmap_t dst; - - ebitmap_init(&e5); - ebitmap_init(&e6); - ebitmap_init(&e56); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 63, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 191, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 192, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 318, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 319, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e6, 64, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e6, 192, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e6, 319, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e6, 320, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e56, 192, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e56, 319, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_and(&dst, &e5, &e6), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e56)); - - ebitmap_destroy(&dst); - ebitmap_destroy(&e56); - ebitmap_destroy(&e6); - ebitmap_destroy(&e5); - } -} - -static void test_ebitmap_xor(void) -{ - { - ebitmap_t e1, e2, e3, e4; - - ebitmap_init(&e1); - ebitmap_init(&e2); - ebitmap_init(&e3); - ebitmap_init(&e4); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 1, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 5, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 10, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 1, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 3, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 6, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 9, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 3, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 5, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 6, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 9, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 10, 1), 0); - - { - ebitmap_t dst1, dst2; - - CU_ASSERT_EQUAL(ebitmap_xor(&dst1, &e1, &e1), 0); - CU_ASSERT(ebitmap_cmp(&dst1, &e4)); - CU_ASSERT_EQUAL(ebitmap_xor(&dst2, &dst1, &e1), 0); - CU_ASSERT(ebitmap_cmp(&dst2, &e1)); - - ebitmap_destroy(&dst2); - ebitmap_destroy(&dst1); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_xor(&dst, &e2, &e2), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e4)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_xor(&dst, &e3, &e3), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e4)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_xor(&dst, &e4, &e4), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e4)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_xor(&dst, &e1, &e2), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e3)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_xor(&dst, &e2, &e4), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e2)); - - ebitmap_destroy(&dst); - } - - ebitmap_destroy(&e4); - ebitmap_destroy(&e3); - ebitmap_destroy(&e2); - ebitmap_destroy(&e1); - } - - { - ebitmap_t e5; - ebitmap_t e6; - ebitmap_t e56; - ebitmap_t dst; - - ebitmap_init(&e5); - ebitmap_init(&e6); - ebitmap_init(&e56); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 63, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 191, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 192, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 318, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 319, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e6, 64, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e6, 192, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e6, 319, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e6, 320, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e56, 63, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e56, 64, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e56, 191, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e56, 318, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e56, 320, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_xor(&dst, &e5, &e6), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e56)); - - ebitmap_destroy(&dst); - ebitmap_destroy(&e56); - ebitmap_destroy(&e6); - ebitmap_destroy(&e5); - } -} - -static void test_ebitmap_not(void) -{ - { - ebitmap_t e1, e2, e3, e4; - - ebitmap_init(&e1); - ebitmap_init(&e2); - ebitmap_init(&e3); - ebitmap_init(&e4); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 0, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 1, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 5, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 10, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 2, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 3, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 4, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 6, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 7, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 8, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 9, 1), 0); - - { - ebitmap_t dst1, dst2; - - CU_ASSERT_EQUAL(ebitmap_not(&dst1, &e3, 10), 0); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&dst1), 9); - CU_ASSERT_EQUAL(ebitmap_cardinality(&dst1), 10); - - CU_ASSERT_EQUAL(ebitmap_not(&dst2, &dst1, 10), 0); - CU_ASSERT(ebitmap_cmp(&dst2, &e3)); - - ebitmap_destroy(&dst2); - ebitmap_destroy(&dst1); - } - - { - ebitmap_t dst1, dst2; - - CU_ASSERT_EQUAL(ebitmap_not(&dst1, &e1, 11), 0); - CU_ASSERT(ebitmap_cmp(&dst1, &e2)); - CU_ASSERT_EQUAL(ebitmap_not(&dst2, &dst1, 11), 0); - CU_ASSERT(ebitmap_cmp(&dst2, &e1)); - - ebitmap_destroy(&dst2); - ebitmap_destroy(&dst1); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_not(&dst, &e1, 8), 0); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&dst), 7); - CU_ASSERT_EQUAL(ebitmap_cardinality(&dst), 5); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_not(&dst, &e1, 12), 0); - CU_ASSERT_EQUAL(ebitmap_highest_set_bit(&dst), 11); - CU_ASSERT_EQUAL(ebitmap_cardinality(&dst), 8); - - ebitmap_destroy(&dst); - } - - ebitmap_destroy(&e3); - ebitmap_destroy(&e2); - ebitmap_destroy(&e1); - } - - { - ebitmap_t e5; - ebitmap_t e5not; - ebitmap_node_t *n; - unsigned int bit; - - ebitmap_init(&e5); - ebitmap_init(&e5not); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 63, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 191, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 192, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 318, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 319, 1), 0); - - for (bit = 0; bit < 317; bit++) - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5not, bit, 1), 0); - ebitmap_for_each_positive_bit(&e5, n, bit) - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5not, bit, 0), 0); - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_not(&dst, &e5, 317), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e5not)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_not(&dst, &e5, 318), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&dst, &e5not)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5not, 317, 1), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e5not)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_not(&dst, &e5, 319), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e5not)); - - ebitmap_destroy(&dst); - } - - ebitmap_destroy(&e5not); - ebitmap_destroy(&e5); - } -} - -static void test_ebitmap_andnot(void) -{ - { - ebitmap_t e1, e2, e12, e3, e4; - - ebitmap_init(&e1); - ebitmap_init(&e2); - ebitmap_init(&e12); - ebitmap_init(&e3); - ebitmap_init(&e4); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 10, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 100, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 101, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 430, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e1, 1013, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 11, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 101, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e2, 665, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e12, 10, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e12, 100, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e12, 430, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e12, 1013, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 10, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 11, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 100, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 101, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 430, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 665, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e3, 1013, 1), 0); - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst, &e1, &e1, 1024), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e4)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst, &e2, &e2, 1024), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e4)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst, &e1, &e2, 1024), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e12)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst, &e3, &e3, 1024), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e4)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst, &e1, &e3, 1024), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e4)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst, &e2, &e12, 1024), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e2)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst, &e4, &e4, 1024), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e4)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst, &e3, &e4, 1024), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e3)); - - ebitmap_destroy(&dst); - } - - ebitmap_destroy(&e4); - ebitmap_destroy(&e3); - ebitmap_destroy(&e12); - ebitmap_destroy(&e2); - ebitmap_destroy(&e1); - } - - { - ebitmap_t e5; - ebitmap_t e6; - ebitmap_t e56; - - ebitmap_init(&e5); - ebitmap_init(&e6); - ebitmap_init(&e56); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 63, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 191, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 192, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 318, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e5, 319, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e6, 64, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e6, 192, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e6, 319, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e6, 320, 1), 0); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e56, 63, 1), 0); - CU_ASSERT_EQUAL(ebitmap_set_bit(&e56, 191, 1), 0); - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst, &e5, &e6, 317), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e56)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst, &e5, &e6, 318), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e56)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst, &e5, &e6, 319), 0); - CU_ASSERT_FALSE(ebitmap_cmp(&dst, &e56)); - - CU_ASSERT_EQUAL(ebitmap_set_bit(&e56, 318, 1), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e56)); - - ebitmap_destroy(&dst); - } - - { - ebitmap_t dst; - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst, &e5, &e6, 320), 0); - CU_ASSERT(ebitmap_cmp(&dst, &e56)); - - ebitmap_destroy(&dst); - } - - ebitmap_destroy(&e56); - ebitmap_destroy(&e6); - ebitmap_destroy(&e5); - } -} - -static void test_ebitmap__random_impl(unsigned int length, int set_chance) -{ - ebitmap_t e1, e2, dst_cpy, dst_or, dst_and, dst_xor1, dst_xor2, dst_not1, dst_not2, dst_andnot; - unsigned int i; - - CU_ASSERT_EQUAL(ebitmap_init_random(&e1, length, set_chance), 0); - CU_ASSERT_EQUAL(ebitmap_init_random(&e2, length, set_chance), 0); - - CU_ASSERT_EQUAL(ebitmap_cpy(&dst_cpy, &e1), 0); - CU_ASSERT(ebitmap_cmp(&dst_cpy, &e1)); - - CU_ASSERT_EQUAL(ebitmap_or(&dst_or, &e1, &e2), 0); - for (i = 0; i < length; i++) - CU_ASSERT_EQUAL(ebitmap_get_bit(&dst_or, i), ebitmap_get_bit(&e1, i) | ebitmap_get_bit(&e2, i)); - - CU_ASSERT_EQUAL(ebitmap_and(&dst_and, &e1, &e2), 0); - for (i = 0; i < length; i++) - CU_ASSERT_EQUAL(ebitmap_get_bit(&dst_and, i), ebitmap_get_bit(&e1, i) & ebitmap_get_bit(&e2, i)); - - CU_ASSERT_EQUAL(ebitmap_xor(&dst_xor1, &e1, &e2), 0); - for (i = 0; i < length; i++) - CU_ASSERT_EQUAL(ebitmap_get_bit(&dst_xor1, i), ebitmap_get_bit(&e1, i) ^ ebitmap_get_bit(&e2, i)); - CU_ASSERT_EQUAL(ebitmap_xor(&dst_xor2, &dst_xor1, &e2), 0); - CU_ASSERT(ebitmap_cmp(&dst_xor2, &e1)); - - CU_ASSERT_EQUAL(ebitmap_not(&dst_not1, &e1, length), 0); - for (i = 0; i < length; i++) - CU_ASSERT_EQUAL(ebitmap_get_bit(&dst_not1, i), !ebitmap_get_bit(&e1, i)); - CU_ASSERT_EQUAL(ebitmap_not(&dst_not2, &dst_not1, length), 0); - CU_ASSERT(ebitmap_cmp(&dst_not2, &e1)); - - CU_ASSERT_EQUAL(ebitmap_andnot(&dst_andnot, &e1, &e2, length), 0); - for (i = 0; i < length; i++) - CU_ASSERT_EQUAL(ebitmap_get_bit(&dst_andnot, i), ebitmap_get_bit(&e1, i) & !ebitmap_get_bit(&e2, i)); - - ebitmap_destroy(&dst_andnot); - ebitmap_destroy(&dst_not2); - ebitmap_destroy(&dst_not1); - ebitmap_destroy(&dst_xor2); - ebitmap_destroy(&dst_xor1); - ebitmap_destroy(&dst_and); - ebitmap_destroy(&dst_or); - ebitmap_destroy(&dst_cpy); - ebitmap_destroy(&e2); - ebitmap_destroy(&e1); -} - -static void test_ebitmap__random(void) -{ - unsigned int i; - - for (i = 0; i < RANDOM_ROUNDS; i++) - test_ebitmap__random_impl(5, 10); - - for (i = 0; i < RANDOM_ROUNDS; i++) - test_ebitmap__random_impl(5, 90); - - for (i = 0; i < RANDOM_ROUNDS; i++) - test_ebitmap__random_impl(1024, 50); - - for (i = 0; i < RANDOM_ROUNDS; i++) - test_ebitmap__random_impl(8000, 5); - - for (i = 0; i < RANDOM_ROUNDS; i++) - test_ebitmap__random_impl(8000, 95); -} - -/* - * External hooks - */ - -int ebitmap_test_init(void) -{ - srandom(time(NULL)); - - /* silence ebitmap_set_bit() failure message */ - sepol_debug(0); - - return 0; -} - -int ebitmap_test_cleanup(void) -{ - return 0; -} - -#define ADD_TEST(name) \ - do { \ - if (NULL == CU_add_test(suite, #name, test_##name)) { \ - return CU_get_error(); \ - } \ - } while (0) - -int ebitmap_add_tests(CU_pSuite suite) -{ - ADD_TEST(ebitmap_init_destroy); - ADD_TEST(ebitmap_cmp); - ADD_TEST(ebitmap_set_and_get); - ADD_TEST(ebitmap_init_range); - ADD_TEST(ebitmap_or); - ADD_TEST(ebitmap_and); - ADD_TEST(ebitmap_xor); - ADD_TEST(ebitmap_not); - ADD_TEST(ebitmap_andnot); - ADD_TEST(ebitmap__random); - return 0; -} diff --git a/libsepol/tests/test-ebitmap.h b/libsepol/tests/test-ebitmap.h deleted file mode 100644 index 952a0421..00000000 --- a/libsepol/tests/test-ebitmap.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef TEST_EBITMAP_H__ -#define TEST_EBITMAP_H__ - -#include - -int ebitmap_test_init(void); -int ebitmap_test_cleanup(void); -int ebitmap_add_tests(CU_pSuite suite); - -#endif /* TEST_EBITMAP_H__ */ diff --git a/libsepol/tests/test-linker-roles.c b/libsepol/tests/test-linker-roles.c index b35bdbe6..2b17dffd 100644 --- a/libsepol/tests/test-linker-roles.c +++ b/libsepol/tests/test-linker-roles.c @@ -53,7 +53,7 @@ /* this simply tests whether the passed in role only has its own * value in its dominates ebitmap */ -static void only_dominates_self(policydb_t * p __attribute__ ((unused)), role_datum_t * role) +static void only_dominates_self(policydb_t * p, role_datum_t * role) { ebitmap_node_t *tnode; unsigned int i; diff --git a/libsepol/tests/test-neverallow.c b/libsepol/tests/test-neverallow.c deleted file mode 100644 index d973a0e3..00000000 --- a/libsepol/tests/test-neverallow.c +++ /dev/null @@ -1,172 +0,0 @@ -#define _GNU_SOURCE /* vasprintf(3) */ - -#include "test-neverallow.h" - -#include "helpers.h" -#include "test-common.h" - -#include -#include -#include - -#include -#include - -extern int mls; - -int neverallow_test_init(void) -{ - return 0; -} - -int neverallow_test_cleanup(void) -{ - return 0; -} - -static struct msg_list { - char *msg; - struct msg_list *next; -} *messages; - -static void messages_clean(void) -{ - while (messages) { - struct msg_list *n = messages->next; - free(messages->msg); - free(messages); - messages = n; - } -} - -static void messages_check(unsigned count, const char *const expected[count]) -{ - unsigned i; - const struct msg_list *m = messages; - - for (i = 0; i < count; i++, m = m->next) { - if (!m) { - CU_FAIL("less messages than expected"); - fprintf(stderr, "\n\n", count, i); - return; - } - - if (strcmp(expected[i], m->msg) != 0) { - CU_FAIL("messages differ from expected"); - fprintf(stderr, "\n\n", expected[i], m->msg); - } - } - - if (m) { - CU_FAIL("more messages than expected"); - fprintf(stderr, "\n\n", count, m->msg); - } -} - -__attribute__ ((format(printf, 3, 4))) -static void msg_handler(void *varg __attribute__ ((unused)), - sepol_handle_t * handle __attribute__ ((unused)), - const char *fmt, ...) -{ - char *msg; - va_list ap; - int r; - - va_start(ap, fmt); - r = vasprintf(&msg, fmt, ap); - if (r < 0) - CU_FAIL_FATAL("oom"); - va_end(ap); - - struct msg_list *new = malloc(sizeof(*new)); - if (!new) - CU_FAIL_FATAL("oom"); - new->msg = msg; - new->next = messages; - messages = new; -} - -#define ARRAY_SIZE(a) (sizeof(a) / sizeof(*a)) - -static void test_neverallow_basic(void) -{ - policydb_t basemod, base_expanded; - sepol_handle_t *handle; - static const char *const expected_messages[] = { - "30 neverallow failures occurred", - "neverallow on line 53 of policies/test-neverallow/policy.conf.std (or line 53 of policies/test-neverallow/policy.conf.std) violated by allow test1_t test1_t:file { read };", - "neverallow on line 60 of policies/test-neverallow/policy.conf.std (or line 60 of policies/test-neverallow/policy.conf.std) violated by allow test2_t test2_t:file { read write };", - "neverallow on line 67 of policies/test-neverallow/policy.conf.std (or line 67 of policies/test-neverallow/policy.conf.std) violated by allow test3_t test3_t:file { read };", - "neverallow on line 74 of policies/test-neverallow/policy.conf.std (or line 74 of policies/test-neverallow/policy.conf.std) violated by allow test4_t test4_t:file { read };", - "neverallow on line 81 of policies/test-neverallow/policy.conf.std (or line 81 of policies/test-neverallow/policy.conf.std) violated by allow test5_t test5_t:file { read };", - "neverallow on line 89 of policies/test-neverallow/policy.conf.std (or line 89 of policies/test-neverallow/policy.conf.std) violated by allow test6_1_t test6_1_t:file { read };", - "neverallow on line 97 of policies/test-neverallow/policy.conf.std (or line 97 of policies/test-neverallow/policy.conf.std) violated by allow test7_1_t test7_1_t:file { read };", - "neverallow on line 106 of policies/test-neverallow/policy.conf.std (or line 106 of policies/test-neverallow/policy.conf.std) violated by allow test8_t test8_t:file { write };", - "neverallow on line 106 of policies/test-neverallow/policy.conf.std (or line 106 of policies/test-neverallow/policy.conf.std) violated by allow test8_t test8_t:file { read };", - "neverallow on line 115 of policies/test-neverallow/policy.conf.std (or line 115 of policies/test-neverallow/policy.conf.std) violated by allow test9_t test9_t:file { read };", - "neverallow on line 115 of policies/test-neverallow/policy.conf.std (or line 115 of policies/test-neverallow/policy.conf.std) violated by allow test9_t test9_t:file { write };", - "neverallow on line 124 of policies/test-neverallow/policy.conf.std (or line 124 of policies/test-neverallow/policy.conf.std) violated by allow test10_1_t test10_1_t:file { read };", - "neverallow on line 131 of policies/test-neverallow/policy.conf.std (or line 131 of policies/test-neverallow/policy.conf.std) violated by allow test11_t test11_t:process { dyntransition transition };", - "neverallow on line 143 of policies/test-neverallow/policy.conf.std (or line 143 of policies/test-neverallow/policy.conf.std) violated by allow test12_3_t test12_1_t:file { getattr };", - "neverallow on line 143 of policies/test-neverallow/policy.conf.std (or line 143 of policies/test-neverallow/policy.conf.std) violated by allow test12_3_t test12_2_t:file { getattr };", - "neverallow on line 144 of policies/test-neverallow/policy.conf.std (or line 144 of policies/test-neverallow/policy.conf.std) violated by allow test12_3_t test12_1_t:file { open };", - "neverallow on line 144 of policies/test-neverallow/policy.conf.std (or line 144 of policies/test-neverallow/policy.conf.std) violated by allow test12_2_t test12_1_t:file { open };", - "neverallow on line 156 of policies/test-neverallow/policy.conf.std (or line 156 of policies/test-neverallow/policy.conf.std) violated by allow test13_1_t test13_1_t:file { read };", - "neverallowxperm on line 174 of policies/test-neverallow/policy.conf.std (or line 174 of policies/test-neverallow/policy.conf.std) violated by\nallow test15_t test15_t:file { ioctl };", - "neverallowxperm on line 182 of policies/test-neverallow/policy.conf.std (or line 182 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test16_t test16_t:file ioctl { 0x1111 };", - "neverallowxperm on line 198 of policies/test-neverallow/policy.conf.std (or line 198 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test18_t test18_t:file ioctl { 0x1111 };", - "neverallowxperm on line 206 of policies/test-neverallow/policy.conf.std (or line 206 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test19_t test19_t:file ioctl { 0x1111 };", - "neverallowxperm on line 216 of policies/test-neverallow/policy.conf.std (or line 216 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test20_a test20_a:file ioctl { 0x1111 };", - "neverallowxperm on line 227 of policies/test-neverallow/policy.conf.std (or line 227 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test21_1_a test21_2_a:file ioctl { 0x1111 };", - "neverallowxperm on line 237 of policies/test-neverallow/policy.conf.std (or line 237 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test22_t test22_t:file ioctl { 0x1111 };", - "neverallowxperm on line 247 of policies/test-neverallow/policy.conf.std (or line 247 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test23_t test23_t:file ioctl { 0x1111 };", - "neverallowxperm on line 257 of policies/test-neverallow/policy.conf.std (or line 257 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test24_t test24_a:file ioctl { 0x1111 };", - "neverallowxperm on line 267 of policies/test-neverallow/policy.conf.std (or line 267 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test25_t test25_t:file ioctl { 0x1111 };", - "neverallowxperm on line 277 of policies/test-neverallow/policy.conf.std (or line 277 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test26_a test26_a:file ioctl { 0x1111 };", - "neverallowxperm on line 277 of policies/test-neverallow/policy.conf.std (or line 277 of policies/test-neverallow/policy.conf.std) violated by\nallowxperm test26_a test26_a:file ioctl { 0x1111 };", - }; - - if (policydb_init(&base_expanded)) - CU_FAIL_FATAL("Failed to initialize policy"); - - if (test_load_policy(&basemod, POLICY_BASE, mls, "test-neverallow", "policy.conf")) - CU_FAIL_FATAL("Failed to load policy"); - - if (link_modules(NULL, &basemod, NULL, 0, 0)) - CU_FAIL_FATAL("Failed to link base module"); - - if (expand_module(NULL, &basemod, &base_expanded, 0, 0)) - CU_FAIL_FATAL("Failed to expand policy"); - - if ((handle = sepol_handle_create()) == NULL) - CU_FAIL_FATAL("Failed to initialize handle"); - - sepol_msg_set_callback(handle, msg_handler, NULL); - - if (check_assertions(handle, &base_expanded, base_expanded.global->branch_list->avrules) != -1) - CU_FAIL("Assertions did not trigger"); - - messages_check(ARRAY_SIZE(expected_messages), expected_messages); - - sepol_handle_destroy(handle); - messages_clean(); - policydb_destroy(&basemod); - policydb_destroy(&base_expanded); -} - -int neverallow_add_tests(CU_pSuite suite) -{ - /* - * neverallow rules operate only on types and are unaffected by MLS - * (avoid adjusting the messages for std and mls) - */ - if (mls) - return 0; - - if (NULL == CU_add_test(suite, "neverallow_basic", test_neverallow_basic)) { - CU_cleanup_registry(); - return CU_get_error(); - } - - return 0; -} diff --git a/libsepol/tests/test-neverallow.h b/libsepol/tests/test-neverallow.h deleted file mode 100644 index d3c2a74e..00000000 --- a/libsepol/tests/test-neverallow.h +++ /dev/null @@ -1,10 +0,0 @@ -#ifndef TEST_NEVERALLOW_H__ -#define TEST_NEVERALLOW_H__ - -#include - -int neverallow_test_init(void); -int neverallow_test_cleanup(void); -int neverallow_add_tests(CU_pSuite suite); - -#endif /* TEST_NEVERALLOW_H__ */ diff --git a/libsepol/utils/sepol_check_access.c b/libsepol/utils/sepol_check_access.c index 5d2bf679..bd2ea896 100644 --- a/libsepol/utils/sepol_check_access.c +++ b/libsepol/utils/sepol_check_access.c @@ -109,7 +109,7 @@ int main(int argc, char *argv[]) if (reason & SEPOL_COMPUTEAV_RBAC) { if (i > 0) printf(", "); - printf("role-transition"); + printf("transition-constraint"); i++; } if (reason & SEPOL_COMPUTEAV_BOUNDS) { diff --git a/secilc/LICENSE b/secilc/COPYING similarity index 100% rename from secilc/LICENSE rename to secilc/COPYING diff --git a/secilc/VERSION b/secilc/VERSION index 5a958026..2f4b6075 100644 --- a/secilc/VERSION +++ b/secilc/VERSION @@ -1 +1 @@ -3.5 +3.4 diff --git a/secilc/docs/Makefile b/secilc/docs/Makefile index 7e2ba40e..a03ebeed 100644 --- a/secilc/docs/Makefile +++ b/secilc/docs/Makefile @@ -58,25 +58,11 @@ $(TMPDIR)/policy.cil: $(TESTDIR)/policy.cil html: $(PANDOC_FILE_LIST) $(TMPDIR)/policy.cil secil.xml mkdir -p $(HTMLDIR) - $(PANDOC) \ - --highlight-style=$(PANDOC_HIGHLIGHT_STYLE) \ - --syntax-definition=secil.xml \ - --standalone \ - --metadata title="CIL Reference Guide" \ - --metadata document-css=false \ - -t html \ - $(PANDOC_FILE_LIST) $(TMPDIR)/policy.cil \ - -o $(HTMLDIR)/$(HTML_OUT) + $(PANDOC) --highlight-style=$(PANDOC_HIGHLIGHT_STYLE) --syntax-definition=secil.xml --standalone --metadata title="CIL Reference Guide" -t html $(PANDOC_FILE_LIST) $(TMPDIR)/policy.cil -o $(HTMLDIR)/$(HTML_OUT) pdf: $(PANDOC_FILE_LIST) $(TMPDIR)/policy.cil secil.xml mkdir -p $(PDFDIR) - $(PANDOC) \ - --highlight-style=$(PANDOC_HIGHLIGHT_STYLE) \ - --syntax-definition=secil.xml \ - --standalone \ - --toc \ - $(PANDOC_FILE_LIST) $(TMPDIR)/policy.cil \ - -o $(PDFDIR)/$(PDF_OUT) + $(PANDOC) --highlight-style=$(PANDOC_HIGHLIGHT_STYLE) --syntax-definition=secil.xml --standalone --toc $(PANDOC_FILE_LIST) $(TMPDIR)/policy.cil -o $(PDFDIR)/$(PDF_OUT) clean: rm -rf $(HTMLDIR) diff --git a/secilc/docs/cil_class_and_permission_statements.md b/secilc/docs/cil_class_and_permission_statements.md index c494f144..368e3a4d 100644 --- a/secilc/docs/cil_class_and_permission_statements.md +++ b/secilc/docs/cil_class_and_permission_statements.md @@ -536,7 +536,7 @@ Defines a named extended permission, which can be used in the [`allowx`](cil_acc

class_id

-

A single previously declared class or classmap identifier.

+

A single previously declared class identifier.

permission

diff --git a/secilc/docs/secil.xml b/secilc/docs/secil.xml index 38d7b030..b015490d 100644 --- a/secilc/docs/secil.xml +++ b/secilc/docs/secil.xml @@ -2,182 +2,182 @@ - - - - allow - allowx - auditallow - auditallowx - block - blockabstract - boolean - booleanif - category - categoryalias - categoryaliasactual - categoryorder - categoryset - class - classcommon - classmap - classmapping - classorder - classpermission - classpermissionset - common - constrain - context - defaultrange - defaultrole - defaulttype - defaultuser - devicetreecon - dontaudit - dontauditx - expandtypeattribute - false - filecon - fsuse - genfscon - handleunknown - ibendportcon - ibpkeycon - ioctl - iomemcon - ioportcon - ipaddr - level - levelrange - mls - mlsconstrain - mlsvalidatetrans - netifcon - neverallow - neverallowx - nodecon - optional - pcidevicecon - perm - permissionx - pirqcon - policycap - portcon - rangetransition - role - roleallow - roleattribute - roleattributeset - rolebounds - roletransition - roletype - selinuxuser - selinuxuserdefault - sensitivity - sensitivityalias - sensitivityaliasactual - sensitivitycategory - sensitivityorder - sid - sidcontext - sidorder - true - tunable - tunableif - type - typealias - typealiasactual - typeattribute - typeattributeset - typebounds - typechange - typemember - typepermissive - typetransition - unordered - user - userattribute - userattributeset - userbounds - userlevel - userprefix - userrange - userrole - validatetrans - + + + allow + allowx + auditallow + auditallowx + block + blockabstract + boolean + booleanif + category + categoryalias + categoryaliasactual + categoryorder + categoryset + class + classcommon + classmap + classmapping + classorder + classpermission + classpermissionset + common + constrain + context + defaultrange + defaultrole + defaulttype + defaultuser + devicetreecon + dontaudit + dontauditx + expandtypeattribute + false + filecon + fsuse + genfscon + handleunknown + ibendportcon + ibpkeycon + ioctl + iomemcon + ioportcon + ipaddr + level + levelrange + mls + mlsconstrain + mlsvalidatetrans + netifcon + neverallow + neverallowx + nodecon + optional + pcidevicecon + perm + permissionx + pirqcon + policycap + portcon + rangetransition + role + roleallow + roleattribute + roleattributeset + rolebounds + roletransition + roletype + selinuxuser + selinuxuserdefault + sensitivity + sensitivityalias + sensitivityaliasactual + sensitivitycategory + sensitivityorder + sid + sidcontext + sidorder + true + tunable + tunableif + type + typealias + typealiasactual + typeattribute + typeattributeset + typebounds + typechange + typemember + typepermissive + typetransition + unordered + user + userattribute + userattributeset + userbounds + userlevel + userprefix + userrange + userrole + validatetrans + - - blockinherit - call - in - macro - + + blockinherit + call + in + macro + - - and - dom - domby - eq - incomp - neq - not - or - range - xor - + + and + dom + domby + eq + incomp + neq + not + or + range + xor + - - - * - all - dccp - false - h1 - h2 - l1 - l2 - object_r - r1 - r2 - r3 - sctp - self - t1 - t2 - t3 - tcp - true - u1 - u2 - u3 - udp + + + * + all + dccp + false + h1 + h2 + l1 + l2 + object_r + r1 + r2 + r3 + sctp + self + t1 + t2 + t3 + tcp + true + u1 + u2 + u3 + udp - - + + + -- Gitee