* [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files
@ 2018-10-11 12:35 James Carter
From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw)
  To: selinux; +Cc: selinux

[Resending because I originally only sent these to the new list]

- Removes some redundant definitions of initial sid name strings
- Adds range checking when looking up an initial sid name string for an index
- Adds two new Xen initial sids

James Carter (4):
  libsepol: Rename kernel_to_common.c stack functions
  libsepol: Eliminate initial sid string definitions in module_to_cil.c
  libsepol: Check that initial sid indexes are within the valid range
  libsepol: Add two new Xen initial SIDs

 libsepol/src/kernel_to_cil.c    | 78 +++++++++++++++++++++------------
 libsepol/src/kernel_to_common.c | 10 ++---
 libsepol/src/kernel_to_common.h | 16 ++++---
 libsepol/src/kernel_to_conf.c   | 78 +++++++++++++++++++++------------
 libsepol/src/module_to_cil.c    | 78 +++++++++------------------------
 5 files changed, 136 insertions(+), 124 deletions(-)

-- 
2.17.1



* [PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions
@ 2018-10-11 12:35 ` James Carter
From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw)
  To: selinux; +Cc: selinux

We want to make use of selinux_sid_to_str[] and xen_sid_to_str[] from
kernel_to_common.h in module_to_cil.c, but stack functions with the
same names exist in module_to_cil.c and kernel_to_common.c (with
the function prototypes in kernel_to_common.h).

Since the stack functions in kernel_to_common.c are less general and
only work with strings, rename those functions from stack_* to
strs_stack_*.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 libsepol/src/kernel_to_cil.c    | 36 ++++++++++++++++-----------------
 libsepol/src/kernel_to_common.c | 10 ++++-----
 libsepol/src/kernel_to_common.h | 10 ++++-----
 libsepol/src/kernel_to_conf.c   | 36 ++++++++++++++++-----------------
 4 files changed, 46 insertions(+), 46 deletions(-)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index b1eb66d6..c2a733ee 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -36,7 +36,7 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
 	char *str = NULL;
 	int rc;
 
-	rc = stack_init(&stack);
+	rc = strs_stack_init(&stack);
 	if (rc != 0) {
 		goto exit;
 	}
@@ -65,13 +65,13 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
 			}
 
 			if (num_params == 2) {
-				val2 = stack_pop(stack);
+				val2 = strs_stack_pop(stack);
 				if (!val2) {
 					sepol_log_err("Invalid conditional expression");
 					goto exit;
 				}
 			}
-			val1 = stack_pop(stack);
+			val1 = strs_stack_pop(stack);
 			if (!val1) {
 				sepol_log_err("Invalid conditional expression");
 				free(val2);
@@ -89,29 +89,29 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
 			sepol_log_err("Invalid conditional expression");
 			goto exit;
 		}
-		rc = stack_push(stack, new_val);
+		rc = strs_stack_push(stack, new_val);
 		if (rc != 0) {
 			sepol_log_err("Out of memory");
 			goto exit;
 		}
 	}
 
-	new_val = stack_pop(stack);
-	if (!new_val || !stack_empty(stack)) {
+	new_val = strs_stack_pop(stack);
+	if (!new_val || !strs_stack_empty(stack)) {
 		sepol_log_err("Invalid conditional expression");
 		goto exit;
 	}
 
 	str = new_val;
 
-	stack_destroy(&stack);
+	strs_stack_destroy(&stack);
 	return str;
 
 exit:
-	while ((new_val = stack_pop(stack)) != NULL) {
+	while ((new_val = strs_stack_pop(stack)) != NULL) {
 		free(new_val);
 	}
-	stack_destroy(&stack);
+	strs_stack_destroy(&stack);
 
 	return NULL;
 }
@@ -127,7 +127,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
 
 	*use_mls = 0;
 
-	rc = stack_init(&stack);
+	rc = strs_stack_init(&stack);
 	if (rc != 0) {
 		goto exit;
 	}
@@ -208,13 +208,13 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
 			}
 
 			if (num_params == 2) {
-				val2 = stack_pop(stack);
+				val2 = strs_stack_pop(stack);
 				if (!val2) {
 					sepol_log_err("Invalid constraint expression");
 					goto exit;
 				}
 			}
-			val1 = stack_pop(stack);
+			val1 = strs_stack_pop(stack);
 			if (!val1) {
 				sepol_log_err("Invalid constraint expression");
 				goto exit;
@@ -231,30 +231,30 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
 		if (!new_val) {
 			goto exit;
 		}
-		rc = stack_push(stack, new_val);
+		rc = strs_stack_push(stack, new_val);
 		if (rc != 0) {
 			sepol_log_err("Out of memory");
 			goto exit;
 		}
 	}
 
-	new_val = stack_pop(stack);
-	if (!new_val || !stack_empty(stack)) {
+	new_val = strs_stack_pop(stack);
+	if (!new_val || !strs_stack_empty(stack)) {
 		sepol_log_err("Invalid constraint expression");
 		goto exit;
 	}
 
 	str = new_val;
 
-	stack_destroy(&stack);
+	strs_stack_destroy(&stack);
 
 	return str;
 
 exit:
-	while ((new_val = stack_pop(stack)) != NULL) {
+	while ((new_val = strs_stack_pop(stack)) != NULL) {
 		free(new_val);
 	}
-	stack_destroy(&stack);
+	strs_stack_destroy(&stack);
 
 	return NULL;
 }
diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
index 7c5699c5..891e139c 100644
--- a/libsepol/src/kernel_to_common.c
+++ b/libsepol/src/kernel_to_common.c
@@ -400,27 +400,27 @@ exit:
 	return str;
 }
 
-int stack_init(struct strs **stack)
+int strs_stack_init(struct strs **stack)
 {
 	return strs_init(stack, STACK_SIZE);
 }
 
-void stack_destroy(struct strs **stack)
+void strs_stack_destroy(struct strs **stack)
 {
 	return strs_destroy(stack);
 }
 
-int stack_push(struct strs *stack, char *s)
+int strs_stack_push(struct strs *stack, char *s)
 {
 	return strs_add(stack, s);
 }
 
-char *stack_pop(struct strs *stack)
+char *strs_stack_pop(struct strs *stack)
 {
 	return strs_remove_last(stack);
 }
 
-int stack_empty(struct strs *stack)
+int strs_stack_empty(struct strs *stack)
 {
 	return strs_num_items(stack) == 0;
 }
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 992929ae..7c5edbd6 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -105,10 +105,10 @@ int hashtab_ordered_to_strs(char *key, void *data, void *args);
 int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name);
 char *ebitmap_to_str(struct ebitmap *map, char **val_to_name, int sort);
 
-int stack_init(struct strs **stack);
-void stack_destroy(struct strs **stack);
-int stack_push(struct strs *stack, char *s);
-char *stack_pop(struct strs *stack);
-int stack_empty(struct strs *stack);
+int strs_stack_init(struct strs **stack);
+void strs_stack_destroy(struct strs **stack);
+int strs_stack_push(struct strs *stack, char *s);
+char *strs_stack_pop(struct strs *stack);
+int strs_stack_empty(struct strs *stack);
 
 int sort_ocontexts(struct policydb *pdb);
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 95405207..a98b5ca9 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -35,7 +35,7 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
 	char *str = NULL;
 	int rc;
 
-	rc = stack_init(&stack);
+	rc = strs_stack_init(&stack);
 	if (rc != 0) {
 		goto exit;
 	}
@@ -63,13 +63,13 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
 			}
 
 			if (num_params == 2) {
-				val2 = stack_pop(stack);
+				val2 = strs_stack_pop(stack);
 				if (!val2) {
 					sepol_log_err("Invalid conditional expression");
 					goto exit;
 				}
 			}
-			val1 = stack_pop(stack);
+			val1 = strs_stack_pop(stack);
 			if (!val1) {
 				sepol_log_err("Invalid conditional expression");
 				free(val2);
@@ -87,29 +87,29 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
 			sepol_log_err("Invalid conditional expression");
 			goto exit;
 		}
-		rc = stack_push(stack, new_val);
+		rc = strs_stack_push(stack, new_val);
 		if (rc != 0) {
 			sepol_log_err("Out of memory");
 			goto exit;
 		}
 	}
 
-	new_val = stack_pop(stack);
-	if (!new_val || !stack_empty(stack)) {
+	new_val = strs_stack_pop(stack);
+	if (!new_val || !strs_stack_empty(stack)) {
 		sepol_log_err("Invalid conditional expression");
 		goto exit;
 	}
 
 	str = new_val;
 
-	stack_destroy(&stack);
+	strs_stack_destroy(&stack);
 	return str;
 
 exit:
-	while ((new_val = stack_pop(stack)) != NULL) {
+	while ((new_val = strs_stack_pop(stack)) != NULL) {
 		free(new_val);
 	}
-	stack_destroy(&stack);
+	strs_stack_destroy(&stack);
 
 	return NULL;
 }
@@ -125,7 +125,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
 
 	*use_mls = 0;
 
-	rc = stack_init(&stack);
+	rc = strs_stack_init(&stack);
 	if (rc != 0) {
 		goto exit;
 	}
@@ -204,13 +204,13 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
 			}
 
 			if (num_params == 2) {
-				val2 = stack_pop(stack);
+				val2 = strs_stack_pop(stack);
 				if (!val2) {
 					sepol_log_err("Invalid constraint expression");
 					goto exit;
 				}
 			}
-			val1 = stack_pop(stack);
+			val1 = strs_stack_pop(stack);
 			if (!val1) {
 				sepol_log_err("Invalid constraint expression");
 				goto exit;
@@ -227,30 +227,30 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
 		if (!new_val) {
 			goto exit;
 		}
-		rc = stack_push(stack, new_val);
+		rc = strs_stack_push(stack, new_val);
 		if (rc != 0) {
 			sepol_log_err("Out of memory");
 			goto exit;
 		}
 	}
 
-	new_val = stack_pop(stack);
-	if (!new_val || !stack_empty(stack)) {
+	new_val = strs_stack_pop(stack);
+	if (!new_val || !strs_stack_empty(stack)) {
 		sepol_log_err("Invalid constraint expression");
 		goto exit;
 	}
 
 	str = new_val;
 
-	stack_destroy(&stack);
+	strs_stack_destroy(&stack);
 
 	return str;
 
 exit:
-	while ((new_val = stack_pop(stack)) != NULL) {
+	while ((new_val = strs_stack_pop(stack)) != NULL) {
 		free(new_val);
 	}
-	stack_destroy(&stack);
+	strs_stack_destroy(&stack);
 
 	return NULL;
 }
-- 
2.17.1



* [PATCH 2/4] libsepol: Eliminate initial sid string definitions in module_to_cil.c
@ 2018-10-11 12:35 ` James Carter
From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw)
  To: selinux; +Cc: selinux

Since the initial sid strings are defined in kernel_to_common.h,
module_to_cil.c can use those and its initial sid string definitions
can be removed.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 libsepol/src/module_to_cil.c | 59 +++---------------------------------
 1 file changed, 5 insertions(+), 54 deletions(-)

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index dcf6ebb1..8ab0dfce 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -52,6 +52,7 @@
 #include <sepol/policydb/services.h>
 #include <sepol/policydb/util.h>
 
+#include "kernel_to_common.h"
 #include "private.h"
 
 #ifdef __GNUC__
@@ -2546,7 +2547,8 @@ static int context_to_cil(struct policydb *pdb, struct context_struct *con)
 	return 0;
 }
 
-static int ocontext_isid_to_cil(struct policydb *pdb, const char **sid_to_string, struct ocontext *isids)
+static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string,
+				struct ocontext *isids)
 {
 	int rc = -1;
 
@@ -2602,41 +2604,7 @@ static int ocontext_selinux_isid_to_cil(struct policydb *pdb, struct ocontext *i
 {
 	int rc = -1;
 
-	// initial sid names aren't actually stored in the pp files, need to a have
-	// a mapping, taken from the linux kernel
-	static const char *selinux_sid_to_string[] = {
-		"null",
-		"kernel",
-		"security",
-		"unlabeled",
-		"fs",
-		"file",
-		"file_labels",
-		"init",
-		"any_socket",
-		"port",
-		"netif",
-		"netmsg",
-		"node",
-		"igmp_packet",
-		"icmp_socket",
-		"tcp_socket",
-		"sysctl_modprobe",
-		"sysctl",
-		"sysctl_fs",
-		"sysctl_kernel",
-		"sysctl_net",
-		"sysctl_net_unix",
-		"sysctl_vm",
-		"sysctl_dev",
-		"kmod",
-		"policy",
-		"scmp_packet",
-		"devnull",
-		NULL
-	};
-
-	rc = ocontext_isid_to_cil(pdb, selinux_sid_to_string, isids);
+	rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, isids);
 	if (rc != 0) {
 		goto exit;
 	}
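Review bot: The table removed here ended with a NULL sentinel, while selinux_sid_to_str in kernel_to_common.h (its tail is visible in patch 3/4) ends at "devnull" with no terminator, so any caller that walked the old table until NULL would now run past the end; the only use visible on this page indexes by isid->sid[0], which does not need the sentinel, but it is worth confirming no other walk exists. The same sentinel is dropped from the Xen table in the next hunk. Note also that indexing by a SID read from the policy module remains unchecked after this patch; the range check arrives only in 3/4, so the series should not be applied partially at this point.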
@@ -2865,24 +2833,7 @@ static int ocontext_xen_isid_to_cil(struct policydb *pdb, struct ocontext *isids
 {
 	int rc = -1;
 
-	// initial sid names aren't actually stored in the pp files, need to a have
-	// a mapping, taken from the xen kernel
-	static const char *xen_sid_to_string[] = {
-		"null",
-		"xen",
-		"dom0",
-		"domio",
-		"domxen",
-		"unlabeled",
-		"security",
-		"ioport",
-		"iomem",
-		"irq",
-		"device",
-		NULL,
-	};
-
-	rc = ocontext_isid_to_cil(pdb, xen_sid_to_string, isids);
+	rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, isids);
 	if (rc != 0) {
 		goto exit;
 	}
-- 
2.17.1



* [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range
@ 2018-10-11 12:35 ` James Carter
From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw)
  To: selinux; +Cc: selinux

When writing CIL from a policy module or when writing CIL or policy.conf
from a kernel binary policy, check that the initial sid index is within
the valid range of the selinux_sid_to_str[] array (or xen_sid_to_str[]
array for a XEN policy). If it is not, then create a unique name
("UNKNOWN"+index) for the initial sid.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 libsepol/src/kernel_to_cil.c    | 42 +++++++++++++++++++++++++--------
 libsepol/src/kernel_to_common.h |  4 ++++
 libsepol/src/kernel_to_conf.c   | 42 +++++++++++++++++++++++++--------
 libsepol/src/module_to_cil.c    | 25 ++++++++++++++------
 4 files changed, 86 insertions(+), 27 deletions(-)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index c2a733ee..d173144e 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -529,23 +529,31 @@ exit:
 	return rc;
 }
 
-static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct ocontext *isids)
+static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
+			     unsigned num_sids, struct ocontext *isids)
 {
 	struct ocontext *isid;
 	struct strs *strs;
 	char *sid;
 	char *prev;
+	char unknown[17];
 	unsigned i;
 	int rc;
 
-	rc = strs_init(&strs, SECINITSID_NUM+1);
+	rc = strs_init(&strs, num_sids+1);
 	if (rc != 0) {
 		goto exit;
 	}
 
 	for (isid = isids; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		rc = strs_add_at_index(strs, (char *)sid_to_str[i], i);
+		if (i < num_sids) {
+			sid = (char *)sid_to_str[i];
+		} else {
+			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+			sid = strdup(unknown);
+		}
+		rc = strs_add_at_index(strs, sid, i);
 		if (rc != 0) {
 			goto exit;
 		}
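Review bot: `char unknown[17]` is one byte short for the format it receives: "UNKNOWN" is seven characters and `%u` of a 32-bit unsigned can be ten, so snprintf() truncates for indexes of a billion or more and the generated name is no longer unique as the description promises. Size it from the format, `char unknown[sizeof("UNKNOWN") + 10];`, and pass `sizeof unknown` to snprintf() rather than repeating the constant. The strdup() result on the next line is stored unchecked; add `if (!sid) { rc = -1; goto exit; }` so an allocation failure is reported instead of a NULL entry being added to strs. The same buffer, and where strdup() is used the same unchecked result, recur in write_sids_to_conf, write_sid_context_rules_to_cil, write_sid_context_rules_to_conf and ocontext_isid_to_cil in this patch. Since isid->sid[0] comes straight from the binary policy, it is also worth checking whether strs_add_at_index() grows the array up to index i, in which case an absurd value in an untrusted policy drives a correspondingly large allocation; the rest of write_sids_to_cil lies outside the hunk.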
@@ -577,6 +585,10 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct oc
 	sepol_printf(out, "))\n");
 
 exit:
+	for (i=num_sids; i<strs_num_items(strs); i++) {
+		sid = strs_read_at_index(strs, i);
+		free(sid);
+	}
 	strs_destroy(&strs);
 	if (rc != 0) {
 		sepol_log_err("Error writing sid rules to CIL\n");
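Review bot: The new cleanup loop also runs on the failure path of strs_init(), because that early `goto exit` now reaches `strs_num_items(strs)` before strs_destroy(); whether strs_init() leaves `strs` NULL on failure and strs_num_items() tolerates NULL is not visible here, and if either does not hold this reads an uninitialized or NULL pointer. Wrapping the loop in `if (strs != NULL)` together with initializing `strs` at its declaration would make the cleanup independent of that contract. The loop also re-evaluates strs_num_items() on every iteration; hoisting the count into a local is a small readability gain. The same cleanup appears in write_sids_to_conf in kernel_to_conf.c. The enclosing function starts outside this hunk.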
@@ -590,9 +602,11 @@ static int write_sid_decl_rules_to_cil(FILE *out, struct policydb *pdb)
 	int rc = 0;
 
 	if (pdb->target_platform == SEPOL_TARGET_SELINUX) {
-		rc = write_sids_to_cil(out, selinux_sid_to_str, pdb->ocontexts[0]);
+		rc = write_sids_to_cil(out, selinux_sid_to_str, SELINUX_SID_SZ,
+				       pdb->ocontexts[0]);
 	} else if (pdb->target_platform == SEPOL_TARGET_XEN) {
-		rc = write_sids_to_cil(out, xen_sid_to_str, pdb->ocontexts[0]);
+		rc = write_sids_to_cil(out, xen_sid_to_str, XEN_SID_SZ,
+				       pdb->ocontexts[0]);
 	} else {
 		sepol_log_err("Unknown target platform: %i", pdb->target_platform);
 		rc = -1;
@@ -2479,11 +2493,12 @@ exit:
 	return ctx;
 }
 
-static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str)
+static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
 {
 	struct ocontext *isid;
 	struct strs *strs;
-	const char *sid;
+	char *sid;
+	char unknown[17];
 	char *ctx, *rule;
 	unsigned i;
 	int rc = -1;
@@ -2495,7 +2510,13 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
 
 	for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		sid = sid_to_str[i];
+		if (i < num_sids) {
+			sid = (char *)sid_to_str[i];
+		} else {
+			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+			sid = unknown;
+		}
+
 		ctx = context_to_str(pdb, &isid->context[0]);
 		if (!ctx) {
 			rc = -1;
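Review bot: The `(char *)` cast on `sid_to_str[i]` discards const for no reason visible here: `sid` is only ever assigned the const table entry or the local buffer, and a `char[]` converts to `const char *` without a cast, so `const char *sid;` from the previous hunk can stay and the branch becomes `sid = sid_to_str[i];`. Keeping the qualifier lets the compiler catch an accidental write through `sid` in the remainder of the function, which is outside the hunk, unless that remainder genuinely needs a mutable pointer. The same cast appears in write_sid_context_rules_to_conf and in ocontext_isid_to_cil, where strdup() likewise accepts a const pointer.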
@@ -2531,7 +2552,8 @@ exit:
 
 static int write_selinux_isid_rules_to_cil(FILE *out, struct policydb *pdb)
 {
-	return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str);
+	return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str,
+					      SELINUX_SID_SZ);
 }
 
 static int write_selinux_fsuse_rules_to_cil(FILE *out, struct policydb *pdb)
@@ -2884,7 +2906,7 @@ exit:
 
 static int write_xen_isid_rules_to_cil(FILE *out, struct policydb *pdb)
 {
-	return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str);
+	return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str, XEN_SID_SZ);
 }
 
 static int write_xen_pirq_rules_to_cil(FILE *out, struct policydb *pdb)
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 7c5edbd6..dacfe97e 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -43,6 +43,8 @@ static const char * const selinux_sid_to_str[] = {
 	"devnull",
 };
 
+#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
+
 static const char * const xen_sid_to_str[] = {
 	"null",
 	"xen",
@@ -57,6 +59,8 @@ static const char * const xen_sid_to_str[] = {
 	"device",
 };
 
+#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
+
 static const uint32_t avtab_flavors[] = {
 	AVTAB_ALLOWED,
 	AVTAB_AUDITALLOW,
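Review bot: The two new element-count macros expand to `size_t` values but are passed to parameters declared `unsigned num_sids` elsewhere in this patch, an implicit narrowing that -Wconversion flags; harmless at these sizes, but either `size_t` parameters or an explicit cast in the macro would state the intent. Since the index into these tables is the initial SID number read from the policy, a comment on each array would help whoever appends entries, e.g. `/* Index is the initial SID number; keep the kernel's order and append only. */` above selinux_sid_to_str and the Xen equivalent above xen_sid_to_str.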
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index a98b5ca9..7e04a13b 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -428,22 +428,30 @@ static int write_class_decl_rules_to_conf(FILE *out, struct policydb *pdb)
 	return 0;
 }
 
-static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct ocontext *isids)
+static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
+			      unsigned num_sids, struct ocontext *isids)
 {
 	struct ocontext *isid;
 	struct strs *strs;
 	char *sid;
+	char unknown[17];
 	unsigned i;
 	int rc;
 
-	rc = strs_init(&strs, SECINITSID_NUM+1);
+	rc = strs_init(&strs, num_sids+1);
 	if (rc != 0) {
 		goto exit;
 	}
 
 	for (isid = isids; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		rc = strs_add_at_index(strs, (char *)sid_to_str[i], i);
+		if (i < num_sids) {
+			sid = (char *)sid_to_str[i];
+		} else {
+			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+			sid = strdup(unknown);
+		}
+		rc = strs_add_at_index(strs, sid, i);
 		if (rc != 0) {
 			goto exit;
 		}
@@ -458,6 +466,10 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct o
 	}
 
 exit:
+	for (i=num_sids; i<strs_num_items(strs); i++) {
+		sid = strs_read_at_index(strs, i);
+		free(sid);
+	}
 	strs_destroy(&strs);
 	if (rc != 0) {
 		sepol_log_err("Error writing sid rules to policy.conf\n");
@@ -471,9 +483,11 @@ static int write_sid_decl_rules_to_conf(FILE *out, struct policydb *pdb)
 	int rc = 0;
 
 	if (pdb->target_platform == SEPOL_TARGET_SELINUX) {
-		rc = write_sids_to_conf(out, selinux_sid_to_str, pdb->ocontexts[0]);
+		rc = write_sids_to_conf(out, selinux_sid_to_str, SELINUX_SID_SZ,
+					pdb->ocontexts[0]);
 	} else if (pdb->target_platform == SEPOL_TARGET_XEN) {
-		rc = write_sids_to_conf(out, xen_sid_to_str, pdb->ocontexts[0]);
+		rc = write_sids_to_conf(out, xen_sid_to_str, XEN_SID_SZ,
+					pdb->ocontexts[0]);
 	} else {
 		sepol_log_err("Unknown target platform: %i", pdb->target_platform);
 		rc = -1;
@@ -2339,11 +2353,12 @@ static char *context_to_str(struct policydb *pdb, struct context_struct *con)
 	return ctx;
 }
 
-static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str)
+static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
 {
 	struct ocontext *isid;
 	struct strs *strs;
-	const char *sid;
+	char *sid;
+	char unknown[17];
 	char *ctx, *rule;
 	unsigned i;
 	int rc;
@@ -2355,7 +2370,13 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
 
 	for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
 		i = isid->sid[0];
-		sid = sid_to_str[i];
+		if (i < num_sids) {
+			sid = (char *)sid_to_str[i];
+		} else {
+			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+			sid = unknown;
+		}
+
 		ctx = context_to_str(pdb, &isid->context[0]);
 		if (!ctx) {
 			rc = -1;
@@ -2391,7 +2412,8 @@ exit:
 
 static int write_selinux_isid_rules_to_conf(FILE *out, struct policydb *pdb)
 {
-	return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str);
+	return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str,
+					       SELINUX_SID_SZ);
 }
 
 static int write_selinux_fsuse_rules_to_conf(FILE *out, struct policydb *pdb)
@@ -2745,7 +2767,7 @@ exit:
 
 static int write_xen_isid_rules_to_conf(FILE *out, struct policydb *pdb)
 {
-	return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str);
+	return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str, XEN_SID_SZ);
 }
 
 
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 8ab0dfce..7fc29cbd 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2548,23 +2548,33 @@ static int context_to_cil(struct policydb *pdb, struct context_struct *con)
 }
 
 static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string,
-				struct ocontext *isids)
+				unsigned num_sids, struct ocontext *isids)
 {
 	int rc = -1;
 
 	struct ocontext *isid;
 
 	struct sid_item {
-		const char *sid_key;
+		char *sid_key;
 		struct sid_item *next;
 	};
 
 	struct sid_item *head = NULL;
 	struct sid_item *item = NULL;
+	char *sid;
+	char unknown[17];
+	unsigned i;
 
 	for (isid = isids; isid != NULL; isid = isid->next) {
-		cil_println(0, "(sid %s)", sid_to_string[isid->sid[0]]);
-		cil_printf("(sidcontext %s ", sid_to_string[isid->sid[0]]);
+		i = isid->sid[0];
+		if (i < num_sids) {
+			sid = (char*)sid_to_string[i];
+		} else {
+			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+			sid = unknown;
+		}
+		cil_println(0, "(sid %s)", sid);
+		cil_printf("(sidcontext %s ", sid);
 		context_to_cil(pdb, &isid->context[0]);
 		cil_printf(")\n");
 
@@ -2576,7 +2586,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
 			rc = -1;
 			goto exit;
 		}
-		item->sid_key = sid_to_string[isid->sid[0]];
+		item->sid_key = strdup(sid);
 		item->next = head;
 		head = item;
 	}
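Review bot: `item->sid_key = strdup(sid);` is not checked, so on allocation failure a NULL key is linked into the list and whatever later compares or prints sid_key (outside this hunk) dereferences it. Add `if (!item->sid_key) { free(item); rc = -1; goto exit; }` directly after the strdup(), freeing `item` explicitly because it is not yet on the list when the check runs. The function's start and end lie outside this hunk.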
@@ -2595,6 +2605,7 @@ exit:
 	while(head) {
 		item = head;
 		head = item->next;
+		free(item->sid_key);
 		free(item);
 	}
 	return rc;
@@ -2604,7 +2615,7 @@ static int ocontext_selinux_isid_to_cil(struct policydb *pdb, struct ocontext *i
 {
 	int rc = -1;
 
-	rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, isids);
+	rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, SELINUX_SID_SZ, isids);
 	if (rc != 0) {
 		goto exit;
 	}
@@ -2833,7 +2844,7 @@ static int ocontext_xen_isid_to_cil(struct policydb *pdb, struct ocontext *isids
 {
 	int rc = -1;
 
-	rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, isids);
+	rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, XEN_SID_SZ, isids);
 	if (rc != 0) {
 		goto exit;
 	}
-- 
2.17.1



* [PATCH 4/4] libsepol: Add two new Xen initial SIDs
@ 2018-10-11 12:35 ` James Carter
From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw)
  To: selinux; +Cc: selinux

Xen uses the initial SIDs domU and domDM in its toolstack, so it makes
sense to add these to xen_sid_to_str[] in kernel_to_common.h.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 libsepol/src/kernel_to_common.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index dacfe97e..8aa483fa 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -57,6 +57,8 @@ static const char * const xen_sid_to_str[] = {
 	"iomem",
 	"irq",
 	"device",
+	"domU",
+	"domDM",
 };
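Review bot: The position of the two new entries is what assigns their SID numbers (domU becomes index 11 and domDM index 12, counting from "null" at 0), and nothing on this page shows the Xen-side numbering they must match; the description only says the toolstack uses them. A comment recording the invariant would help, e.g. `/* index == Xen initial SID number; append only, never reorder */` above the table, and the commit message would be stronger if it named the Xen source the order was taken from.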
 
 #define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
-- 
2.17.1



* Re: [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range
@ 2018-10-11 15:02   ` Yuli Khodorkovskiy
  0 siblings, 0 replies; 9+ messages in thread
From: Yuli Khodorkovskiy @ 2018-10-11 15:02 UTC (permalink / raw)
  To: James Carter; +Cc: selinux, selinux



> On Oct 11, 2018, at 8:35 AM, James Carter <jwcart2@tycho.nsa.gov> wrote:
> 
> When writing CIL from a policy module or when writing CIL or policy.conf
> from a kernel binary policy, check that the initial sid index is within
> the valid range of the selinux_sid_to_str[] array (or xen_sid_to_str[]
> array for a XEN policy). If it is not, then create a unique name
> ("UNKNOWN"+index) for the initial sid.
> 
> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
> ---
> libsepol/src/kernel_to_cil.c    | 42 +++++++++++++++++++++++++--------
> libsepol/src/kernel_to_common.h |  4 ++++
> libsepol/src/kernel_to_conf.c   | 42 +++++++++++++++++++++++++--------
> libsepol/src/module_to_cil.c    | 25 ++++++++++++++------
> 4 files changed, 86 insertions(+), 27 deletions(-)
> 
> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
> index c2a733ee..d173144e 100644
> --- a/libsepol/src/kernel_to_cil.c
> +++ b/libsepol/src/kernel_to_cil.c
> @@ -529,23 +529,31 @@ exit:
> 	return rc;
> }
> 
> -static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct ocontext *isids)
> +static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
> +			     unsigned num_sids, struct ocontext *isids)
> {
> 	struct ocontext *isid;
> 	struct strs *strs;
> 	char *sid;
> 	char *prev;
> +	char unknown[17];

Maybe store this magic number in a #define?

> 	unsigned i;
> 	int rc;
> 
> -	rc = strs_init(&strs, SECINITSID_NUM+1);
> +	rc = strs_init(&strs, num_sids+1);
> 	if (rc != 0) {
> 		goto exit;
> 	}
> 
> 	for (isid = isids; isid != NULL; isid = isid->next) {
> 		i = isid->sid[0];
> -		rc = strs_add_at_index(strs, (char *)sid_to_str[i], i);
> +		if (i < num_sids) {
> +			sid = (char *)sid_to_str[i];
> +		} else {
> +			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
> +			sid = strdup(unknown);
> +		}
> +		rc = strs_add_at_index(strs, sid, i);
> 		if (rc != 0) {
> 			goto exit;
> 		}
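Review bot: The new `char unknown[17];` is one byte short for the largest index: "UNKNOWN" is 7 characters and a 32-bit `unsigned` prints up to 10 digits, so `snprintf(unknown, 17, "%s%u", "UNKNOWN", i)` truncates any index of 1000000000 or more and two such indexes (or a truncated one and a valid 9-digit one) yield the same generated name, which defeats the uniqueness the commit message promises. `char unknown[18];` together with `sizeof unknown` as the bound fixes it, and the same buffer is repeated in the hunks for write_sid_context_rules_to_cil, write_sids_to_conf, write_sid_context_rules_to_conf and ocontext_isid_to_cil. The `sid = strdup(unknown);` result is also not checked, so an allocation failure stores a NULL name in `strs` and the later sidorder output would format it; `if (!sid) { rc = -1; goto exit; }` after the call would match the function's existing error style, and the same applies to write_sids_to_conf and to `item->sid_key = strdup(sid);` in ocontext_isid_to_cil. write_sids_to_cil's body continues past the hunk.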
> @@ -577,6 +585,10 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct oc
> 	sepol_printf(out, "))\n");
> 
> exit:
> +	for (i=num_sids; i<strs_num_items(strs); i++) {
> +		sid = strs_read_at_index(strs, i);
> +		free(sid);
> +	}
> 	strs_destroy(&strs);
> 	if (rc != 0) {
> 		sepol_log_err("Error writing sid rules to CIL\n");
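Review bot: The added cleanup loop calls `strs_num_items(strs)` unconditionally on the exit path, but `struct strs *strs;` is declared without an initializer and the `strs_init` failure path jumps to `exit` before it is assigned, so this now depends on `strs_init` leaving `strs` in a state that `strs_num_items` accepts (presumably NULL, since `strs_destroy(&strs)` already ran on that path before the patch) — I cannot confirm that from this page. Guarding the loop with `if (strs)` or moving it behind the `strs_init` check removes the dependency. The same loop is added to write_sids_to_conf in the kernel_to_conf.c hunk below. The enclosing function starts outside the hunk.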
> @@ -590,9 +602,11 @@ static int write_sid_decl_rules_to_cil(FILE *out, struct policydb *pdb)
> 	int rc = 0;
> 
> 	if (pdb->target_platform == SEPOL_TARGET_SELINUX) {
> -		rc = write_sids_to_cil(out, selinux_sid_to_str, pdb->ocontexts[0]);
> +		rc = write_sids_to_cil(out, selinux_sid_to_str, SELINUX_SID_SZ,
> +				       pdb->ocontexts[0]);
> 	} else if (pdb->target_platform == SEPOL_TARGET_XEN) {
> -		rc = write_sids_to_cil(out, xen_sid_to_str, pdb->ocontexts[0]);
> +		rc = write_sids_to_cil(out, xen_sid_to_str, XEN_SID_SZ,
> +				       pdb->ocontexts[0]);
> 	} else {
> 		sepol_log_err("Unknown target platform: %i", pdb->target_platform);
> 		rc = -1;
> @@ -2479,11 +2493,12 @@ exit:
> 	return ctx;
> }
> 
> -static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str)
> +static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
> {
> 	struct ocontext *isid;
> 	struct strs *strs;
> -	const char *sid;
> +	char *sid;
> +	char unknown[17];
> 	char *ctx, *rule;
> 	unsigned i;
> 	int rc = -1;
> @@ -2495,7 +2510,13 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
> 
> 	for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
> 		i = isid->sid[0];
> -		sid = sid_to_str[i];
> +		if (i < num_sids) {
> +			sid = (char *)sid_to_str[i];
> +		} else {
> +			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
> +			sid = unknown;
> +		}
> +
> 		ctx = context_to_str(pdb, &isid->context[0]);
> 		if (!ctx) {
> 			rc = -1;
> @@ -2531,7 +2552,8 @@ exit:
> 
> static int write_selinux_isid_rules_to_cil(FILE *out, struct policydb *pdb)
> {
> -	return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str);
> +	return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str,
> +					      SELINUX_SID_SZ);
> }
> 
> static int write_selinux_fsuse_rules_to_cil(FILE *out, struct policydb *pdb)
> @@ -2884,7 +2906,7 @@ exit:
> 
> static int write_xen_isid_rules_to_cil(FILE *out, struct policydb *pdb)
> {
> -	return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str);
> +	return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str, XEN_SID_SZ);
> }
> 
> static int write_xen_pirq_rules_to_cil(FILE *out, struct policydb *pdb)
> diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
> index 7c5edbd6..dacfe97e 100644
> --- a/libsepol/src/kernel_to_common.h
> +++ b/libsepol/src/kernel_to_common.h
> @@ -43,6 +43,8 @@ static const char * const selinux_sid_to_str[] = {
> 	"devnull",
> };
> 
> +#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
> +
> static const char * const xen_sid_to_str[] = {
> 	"null",
> 	"xen",
> @@ -57,6 +59,8 @@ static const char * const xen_sid_to_str[] = {
> 	"device",
> };
> 
> +#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
> +
> static const uint32_t avtab_flavors[] = {
> 	AVTAB_ALLOWED,
> 	AVTAB_AUDITALLOW,
> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> index a98b5ca9..7e04a13b 100644
> --- a/libsepol/src/kernel_to_conf.c
> +++ b/libsepol/src/kernel_to_conf.c
> @@ -428,22 +428,30 @@ static int write_class_decl_rules_to_conf(FILE *out, struct policydb *pdb)
> 	return 0;
> }
> 
> -static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct ocontext *isids)
> +static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
> +			      unsigned num_sids, struct ocontext *isids)
> {
> 	struct ocontext *isid;
> 	struct strs *strs;
> 	char *sid;
> +	char unknown[17];
> 	unsigned i;
> 	int rc;
> 
> -	rc = strs_init(&strs, SECINITSID_NUM+1);
> +	rc = strs_init(&strs, num_sids+1);
> 	if (rc != 0) {
> 		goto exit;
> 	}
> 
> 	for (isid = isids; isid != NULL; isid = isid->next) {
> 		i = isid->sid[0];
> -		rc = strs_add_at_index(strs, (char *)sid_to_str[i], i);
> +		if (i < num_sids) {
> +			sid = (char *)sid_to_str[i];
> +		} else {
> +			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
> +			sid = strdup(unknown);
> +		}
> +		rc = strs_add_at_index(strs, sid, i);
> 		if (rc != 0) {
> 			goto exit;
> 		}
> @@ -458,6 +466,10 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct o
> 	}
> 
> exit:
> +	for (i=num_sids; i<strs_num_items(strs); i++) {
> +		sid = strs_read_at_index(strs, i);
> +		free(sid);
> +	}
> 	strs_destroy(&strs);
> 	if (rc != 0) {
> 		sepol_log_err("Error writing sid rules to policy.conf\n");
> @@ -471,9 +483,11 @@ static int write_sid_decl_rules_to_conf(FILE *out, struct policydb *pdb)
> 	int rc = 0;
> 
> 	if (pdb->target_platform == SEPOL_TARGET_SELINUX) {
> -		rc = write_sids_to_conf(out, selinux_sid_to_str, pdb->ocontexts[0]);
> +		rc = write_sids_to_conf(out, selinux_sid_to_str, SELINUX_SID_SZ,
> +					pdb->ocontexts[0]);
> 	} else if (pdb->target_platform == SEPOL_TARGET_XEN) {
> -		rc = write_sids_to_conf(out, xen_sid_to_str, pdb->ocontexts[0]);
> +		rc = write_sids_to_conf(out, xen_sid_to_str, XEN_SID_SZ,
> +					pdb->ocontexts[0]);
> 	} else {
> 		sepol_log_err("Unknown target platform: %i", pdb->target_platform);
> 		rc = -1;
> @@ -2339,11 +2353,12 @@ static char *context_to_str(struct policydb *pdb, struct context_struct *con)
> 	return ctx;
> }
> 
> -static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str)
> +static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
> {
> 	struct ocontext *isid;
> 	struct strs *strs;
> -	const char *sid;
> +	char *sid;
> +	char unknown[17];
> 	char *ctx, *rule;
> 	unsigned i;
> 	int rc;
> @@ -2355,7 +2370,13 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
> 
> 	for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
> 		i = isid->sid[0];
> -		sid = sid_to_str[i];
> +		if (i < num_sids) {
> +			sid = (char *)sid_to_str[i];
> +		} else {
> +			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
> +			sid = unknown;
> +		}
> +
> 		ctx = context_to_str(pdb, &isid->context[0]);
> 		if (!ctx) {
> 			rc = -1;
> @@ -2391,7 +2412,8 @@ exit:
> 
> static int write_selinux_isid_rules_to_conf(FILE *out, struct policydb *pdb)
> {
> -	return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str);
> +	return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str,
> +					       SELINUX_SID_SZ);
> }
> 
> static int write_selinux_fsuse_rules_to_conf(FILE *out, struct policydb *pdb)
> @@ -2745,7 +2767,7 @@ exit:
> 
> static int write_xen_isid_rules_to_conf(FILE *out, struct policydb *pdb)
> {
> -	return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str);
> +	return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str, XEN_SID_SZ);
> }
> 
> 
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index 8ab0dfce..7fc29cbd 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -2548,23 +2548,33 @@ static int context_to_cil(struct policydb *pdb, struct context_struct *con)
> }
> 
> static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string,
> -				struct ocontext *isids)
> +				unsigned num_sids, struct ocontext *isids)
> {
> 	int rc = -1;
> 
> 	struct ocontext *isid;
> 
> 	struct sid_item {
> -		const char *sid_key;
> +		char *sid_key;
> 		struct sid_item *next;
> 	};
> 
> 	struct sid_item *head = NULL;
> 	struct sid_item *item = NULL;
> +	char *sid;
> +	char unknown[17];
> +	unsigned i;
> 
> 	for (isid = isids; isid != NULL; isid = isid->next) {
> -		cil_println(0, "(sid %s)", sid_to_string[isid->sid[0]]);
> -		cil_printf("(sidcontext %s ", sid_to_string[isid->sid[0]]);
> +		i = isid->sid[0];
> +		if (i < num_sids) {
> +			sid = (char*)sid_to_string[i];
> +		} else {
> +			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
> +			sid = unknown;
> +		}
> +		cil_println(0, "(sid %s)", sid);
> +		cil_printf("(sidcontext %s ", sid);
> 		context_to_cil(pdb, &isid->context[0]);
> 		cil_printf(")\n");
> 
> @@ -2576,7 +2586,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
> 			rc = -1;
> 			goto exit;
> 		}
> -		item->sid_key = sid_to_string[isid->sid[0]];
> +		item->sid_key = strdup(sid);
> 		item->next = head;
> 		head = item;
> 	}
> @@ -2595,6 +2605,7 @@ exit:
> 	while(head) {
> 		item = head;
> 		head = item->next;
> +		free(item->sid_key);
> 		free(item);
> 	}
> 	return rc;
> @@ -2604,7 +2615,7 @@ static int ocontext_selinux_isid_to_cil(struct policydb *pdb, struct ocontext *i
> {
> 	int rc = -1;
> 
> -	rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, isids);
> +	rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, SELINUX_SID_SZ, isids);
> 	if (rc != 0) {
> 		goto exit;
> 	}
> @@ -2833,7 +2844,7 @@ static int ocontext_xen_isid_to_cil(struct policydb *pdb, struct ocontext *isids
> {
> 	int rc = -1;
> 
> -	rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, isids);
> +	rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, XEN_SID_SZ, isids);
> 	if (rc != 0) {
> 		goto exit;
> 	}
> -- 
> 2.17.1
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.



* Re: [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files
  2018-10-11 12:35 [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files James Carter
                   ` (3 preceding siblings ...)
  2018-10-11 12:35 ` [PATCH 4/4] libsepol: Add two new Xen initial SIDs James Carter
@ 2018-10-11 23:58 ` William Roberts
  2018-10-15 17:39   ` William Roberts
  4 siblings, 1 reply; 9+ messages in thread
From: William Roberts @ 2018-10-11 23:58 UTC (permalink / raw)
  To: James Carter; +Cc: selinux, selinux

On Thu, Oct 11, 2018 at 5:37 AM James Carter <jwcart2@tycho.nsa.gov> wrote:
>
> [Resending because I originally only sent these to the new list]
>
> - Removes some redundent definitions of initial sid name strings
> - Adds range checking when looking up an initial sid name string for an index
> - Adds two new Xen initial sids
>
> James Carter (4):
>   libsepol: Rename kernel_to_common.c stack functions
>   libsepol: Eliminate initial sid string definitions in module_to_cil.c
>   libsepol: Check that initial sid indexes are within the valid range
>   libsepol: Add two new Xen initial SIDs
>
>  libsepol/src/kernel_to_cil.c    | 78 +++++++++++++++++++++------------
>  libsepol/src/kernel_to_common.c | 10 ++---
>  libsepol/src/kernel_to_common.h | 16 ++++---
>  libsepol/src/kernel_to_conf.c   | 78 +++++++++++++++++++++------------
>  libsepol/src/module_to_cil.c    | 78 +++++++++------------------------
>  5 files changed, 136 insertions(+), 124 deletions(-)

LGTM. I ran these locally and they seemed to be OK and I was able
to list the new SIDs from the policy db.

I staged them here to have travis run the CI as well:
https://github.com/SELinuxProject/selinux/pull/104

>
> --
> 2.17.1
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.


* Re: [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files
  2018-10-11 23:58 ` [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files William Roberts
@ 2018-10-15 17:39   ` William Roberts
  0 siblings, 0 replies; 9+ messages in thread
From: William Roberts @ 2018-10-15 17:39 UTC (permalink / raw)
  To: James Carter; +Cc: selinux, selinux

merged:
https://github.com/SELinuxProject/selinux/pull/104
On Thu, Oct 11, 2018 at 4:58 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> On Thu, Oct 11, 2018 at 5:37 AM James Carter <jwcart2@tycho.nsa.gov> wrote:
> >
> > [Resending because I originally only sent these to the new list]
> >
> > - Removes some redundent definitions of initial sid name strings
> > - Adds range checking when looking up an initial sid name string for an index
> > - Adds two new Xen initial sids
> >
> > James Carter (4):
> >   libsepol: Rename kernel_to_common.c stack functions
> >   libsepol: Eliminate initial sid string definitions in module_to_cil.c
> >   libsepol: Check that initial sid indexes are within the valid range
> >   libsepol: Add two new Xen initial SIDs
> >
> >  libsepol/src/kernel_to_cil.c    | 78 +++++++++++++++++++++------------
> >  libsepol/src/kernel_to_common.c | 10 ++---
> >  libsepol/src/kernel_to_common.h | 16 ++++---
> >  libsepol/src/kernel_to_conf.c   | 78 +++++++++++++++++++++------------
> >  libsepol/src/module_to_cil.c    | 78 +++++++++------------------------
> >  5 files changed, 136 insertions(+), 124 deletions(-)
>
> LGTM. I ran these locally and they seemed to be OK and I was able
> to list the new SIDs from the policy db.
>
> I staged them here to have travis run the CI as well:
> https://github.com/SELinuxProject/selinux/pull/104
>
> >
> > --
> > 2.17.1
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.


* [PATCH 4/4] libsepol: Add two new Xen initial SIDs
  2018-10-05 13:57 James Carter
@ 2018-10-05 13:57 ` James Carter
  0 siblings, 0 replies; 9+ messages in thread
From: James Carter @ 2018-10-05 13:57 UTC (permalink / raw)
  To: selinux

Xen uses the initial SIDs domU and domDM in its toolstack, so it makes
sense to add them to xen_sid_to_str[] in kernel_to_common.h.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 libsepol/src/kernel_to_common.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index dacfe97e..8aa483fa 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -57,6 +57,8 @@ static const char * const xen_sid_to_str[] = {
 	"iomem",
 	"irq",
 	"device",
+	"domU",
+	"domDM",
 };
 
 #define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
-- 
2.17.1


