* [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files
@ 2018-10-05 13:57 James Carter
2018-10-05 13:57 ` [PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions James Carter
From: James Carter @ 2018-10-05 13:57 UTC (permalink / raw)
To: selinux
- Removes some redundant definitions of initial sid name strings
- Adds range checking when looking up an initial sid name string for an index
- Adds two new Xen initial sids
James Carter (4):
libsepol: Rename kernel_to_common.c stack functions
libsepol: Eliminate initial sid string definitions in module_to_cil.c
libsepol: Check that initial sid indexes are within the valid range
libsepol: Add two new Xen initial SIDs
libsepol/src/kernel_to_cil.c | 78 +++++++++++++++++++++------------
libsepol/src/kernel_to_common.c | 10 ++---
libsepol/src/kernel_to_common.h | 16 ++++---
libsepol/src/kernel_to_conf.c | 78 +++++++++++++++++++++------------
libsepol/src/module_to_cil.c | 78 +++++++++------------------------
5 files changed, 136 insertions(+), 124 deletions(-)
--
2.17.1
* [PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions
2018-10-05 13:57 [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files James Carter
@ 2018-10-05 13:57 ` James Carter
2018-10-05 13:57 ` [PATCH 2/4] libsepol: Eliminate initial sid string definitions in module_to_cil.c James Carter
From: James Carter @ 2018-10-05 13:57 UTC (permalink / raw)
To: selinux
Want to make use of selinux_sid_to_str[] and xen_sid_to_str[] from
kernel_to_common.h in module_to_cil.c, but stack functions with the
same names exist in module_to_cil.c and kernel_to_common.c (with
the function prototypes in kernel_to_common.h).
Since the stack functions in kernel_to_common.c are less general and
only work with strings, rename those functions from stack_* to
strs_stack_*.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/src/kernel_to_cil.c | 36 ++++++++++++++++-----------------
libsepol/src/kernel_to_common.c | 10 ++++-----
libsepol/src/kernel_to_common.h | 10 ++++-----
libsepol/src/kernel_to_conf.c | 36 ++++++++++++++++-----------------
4 files changed, 46 insertions(+), 46 deletions(-)
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index b1eb66d6..c2a733ee 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -36,7 +36,7 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
char *str = NULL;
int rc;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -65,13 +65,13 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid conditional expression");
free(val2);
@@ -89,29 +89,29 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
sepol_log_err("Invalid conditional expression");
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
@@ -127,7 +127,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
*use_mls = 0;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -208,13 +208,13 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid constraint expression");
goto exit;
@@ -231,30 +231,30 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
if (!new_val) {
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
index 7c5699c5..891e139c 100644
--- a/libsepol/src/kernel_to_common.c
+++ b/libsepol/src/kernel_to_common.c
@@ -400,27 +400,27 @@ exit:
return str;
}
-int stack_init(struct strs **stack)
+int strs_stack_init(struct strs **stack)
{
return strs_init(stack, STACK_SIZE);
}
-void stack_destroy(struct strs **stack)
+void strs_stack_destroy(struct strs **stack)
{
return strs_destroy(stack);
}
-int stack_push(struct strs *stack, char *s)
+int strs_stack_push(struct strs *stack, char *s)
{
return strs_add(stack, s);
}
-char *stack_pop(struct strs *stack)
+char *strs_stack_pop(struct strs *stack)
{
return strs_remove_last(stack);
}
-int stack_empty(struct strs *stack)
+int strs_stack_empty(struct strs *stack)
{
return strs_num_items(stack) == 0;
}
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 992929ae..7c5edbd6 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -105,10 +105,10 @@ int hashtab_ordered_to_strs(char *key, void *data, void *args);
int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name);
char *ebitmap_to_str(struct ebitmap *map, char **val_to_name, int sort);
-int stack_init(struct strs **stack);
-void stack_destroy(struct strs **stack);
-int stack_push(struct strs *stack, char *s);
-char *stack_pop(struct strs *stack);
-int stack_empty(struct strs *stack);
+int strs_stack_init(struct strs **stack);
+void strs_stack_destroy(struct strs **stack);
+int strs_stack_push(struct strs *stack, char *s);
+char *strs_stack_pop(struct strs *stack);
+int strs_stack_empty(struct strs *stack);
int sort_ocontexts(struct policydb *pdb);
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 95405207..a98b5ca9 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -35,7 +35,7 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
char *str = NULL;
int rc;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -63,13 +63,13 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid conditional expression");
free(val2);
@@ -87,29 +87,29 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
sepol_log_err("Invalid conditional expression");
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
@@ -125,7 +125,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
*use_mls = 0;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -204,13 +204,13 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid constraint expression");
goto exit;
@@ -227,30 +227,30 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
if (!new_val) {
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
--
2.17.1
* [PATCH 2/4] libsepol: Eliminate initial sid string definitions in module_to_cil.c
2018-10-05 13:57 [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files James Carter
2018-10-05 13:57 ` [PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions James Carter
@ 2018-10-05 13:57 ` James Carter
2018-10-05 13:57 ` [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range James Carter
2018-10-05 13:57 ` [PATCH 4/4] libsepol: Add two new Xen initial SIDs James Carter
From: James Carter @ 2018-10-05 13:57 UTC (permalink / raw)
To: selinux
Since the initial sid strings are defined in kernel_to_common.h,
module_to_cil.c can use those and its initial sid string definitions
can be removed.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/src/module_to_cil.c | 59 +++---------------------------------
1 file changed, 5 insertions(+), 54 deletions(-)
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index dcf6ebb1..8ab0dfce 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -52,6 +52,7 @@
#include <sepol/policydb/services.h>
#include <sepol/policydb/util.h>
+#include "kernel_to_common.h"
#include "private.h"
#ifdef __GNUC__
@@ -2546,7 +2547,8 @@ static int context_to_cil(struct policydb *pdb, struct context_struct *con)
return 0;
}
-static int ocontext_isid_to_cil(struct policydb *pdb, const char **sid_to_string, struct ocontext *isids)
+static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string,
+ struct ocontext *isids)
{
int rc = -1;
@@ -2602,41 +2604,7 @@ static int ocontext_selinux_isid_to_cil(struct policydb *pdb, struct ocontext *i
{
int rc = -1;
- // initial sid names aren't actually stored in the pp files, need to a have
- // a mapping, taken from the linux kernel
- static const char *selinux_sid_to_string[] = {
- "null",
- "kernel",
- "security",
- "unlabeled",
- "fs",
- "file",
- "file_labels",
- "init",
- "any_socket",
- "port",
- "netif",
- "netmsg",
- "node",
- "igmp_packet",
- "icmp_socket",
- "tcp_socket",
- "sysctl_modprobe",
- "sysctl",
- "sysctl_fs",
- "sysctl_kernel",
- "sysctl_net",
- "sysctl_net_unix",
- "sysctl_vm",
- "sysctl_dev",
- "kmod",
- "policy",
- "scmp_packet",
- "devnull",
- NULL
- };
-
- rc = ocontext_isid_to_cil(pdb, selinux_sid_to_string, isids);
+ rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, isids);
if (rc != 0) {
goto exit;
}
@@ -2865,24 +2833,7 @@ static int ocontext_xen_isid_to_cil(struct policydb *pdb, struct ocontext *isids
{
int rc = -1;
- // initial sid names aren't actually stored in the pp files, need to a have
- // a mapping, taken from the xen kernel
- static const char *xen_sid_to_string[] = {
- "null",
- "xen",
- "dom0",
- "domio",
- "domxen",
- "unlabeled",
- "security",
- "ioport",
- "iomem",
- "irq",
- "device",
- NULL,
- };
-
- rc = ocontext_isid_to_cil(pdb, xen_sid_to_string, isids);
+ rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, isids);
if (rc != 0) {
goto exit;
}
--
2.17.1
* [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range
2018-10-05 13:57 [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files James Carter
2018-10-05 13:57 ` [PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions James Carter
2018-10-05 13:57 ` [PATCH 2/4] libsepol: Eliminate initial sid string definitions in module_to_cil.c James Carter
@ 2018-10-05 13:57 ` James Carter
2018-10-05 13:57 ` [PATCH 4/4] libsepol: Add two new Xen initial SIDs James Carter
From: James Carter @ 2018-10-05 13:57 UTC (permalink / raw)
To: selinux
When writing CIL from a policy module or when writing CIL or policy.conf
from a kernel binary policy, check that the initial sid index is within
the valid range of the selinux_sid_to_str[] array (or xen_sid_to_str[]
array for a XEN policy). If it is not, then create a unique name
("UNKNOWN"+index) for the initial sid.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/src/kernel_to_cil.c | 42 +++++++++++++++++++++++++--------
libsepol/src/kernel_to_common.h | 4 ++++
libsepol/src/kernel_to_conf.c | 42 +++++++++++++++++++++++++--------
libsepol/src/module_to_cil.c | 25 ++++++++++++++------
4 files changed, 86 insertions(+), 27 deletions(-)
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index c2a733ee..d173144e 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -529,23 +529,31 @@ exit:
return rc;
}
-static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct ocontext *isids)
+static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
+ unsigned num_sids, struct ocontext *isids)
{
struct ocontext *isid;
struct strs *strs;
char *sid;
char *prev;
+ char unknown[17];
unsigned i;
int rc;
- rc = strs_init(&strs, SECINITSID_NUM+1);
+ rc = strs_init(&strs, num_sids+1);
if (rc != 0) {
goto exit;
}
for (isid = isids; isid != NULL; isid = isid->next) {
i = isid->sid[0];
- rc = strs_add_at_index(strs, (char *)sid_to_str[i], i);
+ if (i < num_sids) {
+ sid = (char *)sid_to_str[i];
+ } else {
+ snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ sid = strdup(unknown);
+ }
+ rc = strs_add_at_index(strs, sid, i);
if (rc != 0) {
goto exit;
}
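Review bot: `char unknown[17]` is one byte too small for the longest name the `snprintf` in this hunk can produce — "UNKNOWN" is seven characters and `%u` can be ten digits, so `UNKNOWN4294967295` plus its terminator needs 18 bytes and is silently truncated, which lets two different out-of-range indexes collide on the same name. Size the buffer from the format, `char unknown[sizeof("UNKNOWN") + 10];`, and the same applies to the identical buffers in the other hunks of this patch. The `strdup(unknown)` result is also handed to `strs_add_at_index` unchecked, so an allocation failure stores a NULL name instead of failing the write. Because `i` comes straight from the binary policy being decompiled, an index far above num_sids is passed to `strs_add_at_index` as a position; if that helper (not visible here) grows its array to cover `i`, a crafted policy could force a very large allocation, which is worth confirming. write_sids_to_cil continues past the end of this hunk.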
@@ -577,6 +585,10 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct oc
sepol_printf(out, "))\n");
exit:
+ for (i=num_sids; i<strs_num_items(strs); i++) {
+ sid = strs_read_at_index(strs, i);
+ free(sid);
+ }
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing sid rules to CIL\n");
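Review bot: The new cleanup loop calls `strs_num_items(strs)` on every path that reaches `exit`, including the `goto exit` taken when `strs_init` fails earlier in write_sids_to_cil; if `strs_init` leaves `strs` NULL on failure (its definition is not visible here), that is a NULL dereference where the original only called `strs_destroy`. Guarding the loop with `if (strs)` — or returning directly on the `strs_init` failure instead of jumping to `exit` — keeps the out-of-memory path safe. The loop also depends on an ownership split that is not stated anywhere: entries at or above num_sids are heap copies and entries below point into the static table, so a comment such as `/* indexes >= num_sids hold strdup'd UNKNOWN names; lower ones alias sid_to_str */` would protect the next change to this function.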
@@ -590,9 +602,11 @@ static int write_sid_decl_rules_to_cil(FILE *out, struct policydb *pdb)
int rc = 0;
if (pdb->target_platform == SEPOL_TARGET_SELINUX) {
- rc = write_sids_to_cil(out, selinux_sid_to_str, pdb->ocontexts[0]);
+ rc = write_sids_to_cil(out, selinux_sid_to_str, SELINUX_SID_SZ,
+ pdb->ocontexts[0]);
} else if (pdb->target_platform == SEPOL_TARGET_XEN) {
- rc = write_sids_to_cil(out, xen_sid_to_str, pdb->ocontexts[0]);
+ rc = write_sids_to_cil(out, xen_sid_to_str, XEN_SID_SZ,
+ pdb->ocontexts[0]);
} else {
sepol_log_err("Unknown target platform: %i", pdb->target_platform);
rc = -1;
@@ -2479,11 +2493,12 @@ exit:
return ctx;
}
-static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str)
+static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
{
struct ocontext *isid;
struct strs *strs;
- const char *sid;
+ char *sid;
+ char unknown[17];
char *ctx, *rule;
unsigned i;
int rc = -1;
@@ -2495,7 +2510,13 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
i = isid->sid[0];
- sid = sid_to_str[i];
+ if (i < num_sids) {
+ sid = (char *)sid_to_str[i];
+ } else {
+ snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ sid = unknown;
+ }
+
ctx = context_to_str(pdb, &isid->context[0]);
if (!ctx) {
rc = -1;
@@ -2531,7 +2552,8 @@ exit:
static int write_selinux_isid_rules_to_cil(FILE *out, struct policydb *pdb)
{
- return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str);
+ return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str,
+ SELINUX_SID_SZ);
}
static int write_selinux_fsuse_rules_to_cil(FILE *out, struct policydb *pdb)
@@ -2884,7 +2906,7 @@ exit:
static int write_xen_isid_rules_to_cil(FILE *out, struct policydb *pdb)
{
- return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str);
+ return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str, XEN_SID_SZ);
}
static int write_xen_pirq_rules_to_cil(FILE *out, struct policydb *pdb)
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 7c5edbd6..dacfe97e 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -43,6 +43,8 @@ static const char * const selinux_sid_to_str[] = {
"devnull",
};
+#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
+
static const char * const xen_sid_to_str[] = {
"null",
"xen",
@@ -57,6 +59,8 @@ static const char * const xen_sid_to_str[] = {
"device",
};
+#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
+
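Review bot: SELINUX_SID_SZ and XEN_SID_SZ are only correct because they name the arrays directly in this header; applied to a `const char *const *` parameter the same expression yields the pointer size divided by the element size, so a one-line comment such as `/* element counts; valid on the array itself, never on a decayed pointer */` above the macros is worth adding. Note also that these tables carry no NULL sentinel, unlike the ones patch 2 removed from module_to_cil.c, so every consumer must bound by these counts rather than scanning for NULL.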
static const uint32_t avtab_flavors[] = {
AVTAB_ALLOWED,
AVTAB_AUDITALLOW,
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index a98b5ca9..7e04a13b 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -428,22 +428,30 @@ static int write_class_decl_rules_to_conf(FILE *out, struct policydb *pdb)
return 0;
}
-static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct ocontext *isids)
+static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
+ unsigned num_sids, struct ocontext *isids)
{
struct ocontext *isid;
struct strs *strs;
char *sid;
+ char unknown[17];
unsigned i;
int rc;
- rc = strs_init(&strs, SECINITSID_NUM+1);
+ rc = strs_init(&strs, num_sids+1);
if (rc != 0) {
goto exit;
}
for (isid = isids; isid != NULL; isid = isid->next) {
i = isid->sid[0];
- rc = strs_add_at_index(strs, (char *)sid_to_str[i], i);
+ if (i < num_sids) {
+ sid = (char *)sid_to_str[i];
+ } else {
+ snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ sid = strdup(unknown);
+ }
+ rc = strs_add_at_index(strs, sid, i);
if (rc != 0) {
goto exit;
}
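Review bot: `char unknown[17]` cannot hold "UNKNOWN" followed by a ten-digit `%u` plus the terminator (18 bytes), so the largest out-of-range indexes are silently truncated by `snprintf` and two distinct indexes can end up with the same name; `char unknown[sizeof("UNKNOWN") + 10];` removes the off-by-one. `strdup(unknown)` is passed to `strs_add_at_index` without a NULL check, and `i` is taken directly from the policy being decompiled, so neither an allocation failure nor an absurdly large index is rejected in this loop. Since write_sids_to_cil, write_sids_to_conf and module_to_cil.c now carry the same lookup, a shared helper in kernel_to_common.c that takes the table, its count, the index and a sized buffer would keep the bound check and the buffer size in one place. write_sids_to_conf continues beyond this hunk.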
@@ -458,6 +466,10 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct o
}
exit:
+ for (i=num_sids; i<strs_num_items(strs); i++) {
+ sid = strs_read_at_index(strs, i);
+ free(sid);
+ }
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing sid rules to policy.conf\n");
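Review bot: This cleanup loop runs on the `strs_init` failure path as well, where `strs` may be NULL if `strs_init` resets its out-parameter before failing (not visible here); `strs_num_items(strs)` would then dereference NULL, which the original `strs_destroy`-only exit did not risk. An `if (strs)` guard around the loop, or a direct `return rc` on the `strs_init` failure, avoids that. A short comment stating that only indexes at or above num_sids own heap memory would also explain why the loop starts at num_sids rather than zero.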
@@ -471,9 +483,11 @@ static int write_sid_decl_rules_to_conf(FILE *out, struct policydb *pdb)
int rc = 0;
if (pdb->target_platform == SEPOL_TARGET_SELINUX) {
- rc = write_sids_to_conf(out, selinux_sid_to_str, pdb->ocontexts[0]);
+ rc = write_sids_to_conf(out, selinux_sid_to_str, SELINUX_SID_SZ,
+ pdb->ocontexts[0]);
} else if (pdb->target_platform == SEPOL_TARGET_XEN) {
- rc = write_sids_to_conf(out, xen_sid_to_str, pdb->ocontexts[0]);
+ rc = write_sids_to_conf(out, xen_sid_to_str, XEN_SID_SZ,
+ pdb->ocontexts[0]);
} else {
sepol_log_err("Unknown target platform: %i", pdb->target_platform);
rc = -1;
@@ -2339,11 +2353,12 @@ static char *context_to_str(struct policydb *pdb, struct context_struct *con)
return ctx;
}
-static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str)
+static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
{
struct ocontext *isid;
struct strs *strs;
- const char *sid;
+ char *sid;
+ char unknown[17];
char *ctx, *rule;
unsigned i;
int rc;
@@ -2355,7 +2370,13 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
i = isid->sid[0];
- sid = sid_to_str[i];
+ if (i < num_sids) {
+ sid = (char *)sid_to_str[i];
+ } else {
+ snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ sid = unknown;
+ }
+
ctx = context_to_str(pdb, &isid->context[0]);
if (!ctx) {
rc = -1;
@@ -2391,7 +2412,8 @@ exit:
static int write_selinux_isid_rules_to_conf(FILE *out, struct policydb *pdb)
{
- return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str);
+ return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str,
+ SELINUX_SID_SZ);
}
static int write_selinux_fsuse_rules_to_conf(FILE *out, struct policydb *pdb)
@@ -2745,7 +2767,7 @@ exit:
static int write_xen_isid_rules_to_conf(FILE *out, struct policydb *pdb)
{
- return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str);
+ return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str, XEN_SID_SZ);
}
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 8ab0dfce..7fc29cbd 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2548,23 +2548,33 @@ static int context_to_cil(struct policydb *pdb, struct context_struct *con)
}
static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string,
- struct ocontext *isids)
+ unsigned num_sids, struct ocontext *isids)
{
int rc = -1;
struct ocontext *isid;
struct sid_item {
- const char *sid_key;
+ char *sid_key;
struct sid_item *next;
};
struct sid_item *head = NULL;
struct sid_item *item = NULL;
+ char *sid;
+ char unknown[17];
+ unsigned i;
for (isid = isids; isid != NULL; isid = isid->next) {
- cil_println(0, "(sid %s)", sid_to_string[isid->sid[0]]);
- cil_printf("(sidcontext %s ", sid_to_string[isid->sid[0]]);
+ i = isid->sid[0];
+ if (i < num_sids) {
+ sid = (char*)sid_to_string[i];
+ } else {
+ snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ sid = unknown;
+ }
+ cil_println(0, "(sid %s)", sid);
+ cil_printf("(sidcontext %s ", sid);
context_to_cil(pdb, &isid->context[0]);
cil_printf(")\n");
@@ -2576,7 +2586,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
rc = -1;
goto exit;
}
- item->sid_key = sid_to_string[isid->sid[0]];
+ item->sid_key = strdup(sid);
item->next = head;
head = item;
}
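Review bot: `item->sid_key = strdup(sid);` is not checked, and the remainder of ocontext_isid_to_cil (outside this hunk) presumably compares or prints `sid_key`, so an allocation failure becomes a NULL dereference instead of the `rc = -1` error the function already reports for the `item` allocation; after `head = item;` add `if (!item->sid_key) { rc = -1; goto exit; }` so the existing exit loop frees the node. The `char unknown[17]` buffer is one byte short for "UNKNOWN" plus a ten-digit `%u` with terminator (18 bytes), so the largest out-of-range indexes are truncated and can collide; `char unknown[sizeof("UNKNOWN") + 10];` fixes that. Since `sid` now points at a stack buffer for the unknown case, the `strdup` is what makes `sid_key` outlive the loop iteration — a comment saying so (`/* copy: sid may point at the per-iteration unknown[] buffer */`) would keep someone from "optimizing" it away.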
@@ -2595,6 +2605,7 @@ exit:
while(head) {
item = head;
head = item->next;
+ free(item->sid_key);
free(item);
}
return rc;
@@ -2604,7 +2615,7 @@ static int ocontext_selinux_isid_to_cil(struct policydb *pdb, struct ocontext *i
{
int rc = -1;
- rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, isids);
+ rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, SELINUX_SID_SZ, isids);
if (rc != 0) {
goto exit;
}
@@ -2833,7 +2844,7 @@ static int ocontext_xen_isid_to_cil(struct policydb *pdb, struct ocontext *isids
{
int rc = -1;
- rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, isids);
+ rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, XEN_SID_SZ, isids);
if (rc != 0) {
goto exit;
}
--
2.17.1
* [PATCH 4/4] libsepol: Add two new Xen initial SIDs
2018-10-05 13:57 [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files James Carter
2018-10-05 13:57 ` [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range James Carter
@ 2018-10-05 13:57 ` James Carter
From: James Carter @ 2018-10-05 13:57 UTC (permalink / raw)
To: selinux
Xen uses the initial SIDs domU and domDM in its toolstack, so it makes
sense to add these to xen_sid_to_str[] in kernel_to_common.h
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/src/kernel_to_common.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index dacfe97e..8aa483fa 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -57,6 +57,8 @@ static const char * const xen_sid_to_str[] = {
"iomem",
"irq",
"device",
+ "domU",
+ "domDM",
};
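Review bot: The position in this table is what gives a SID its name, so appending `domU` and `domDM` is only correct if they are the eleventh and twelfth initial SIDs in Xen's own numbering; the commit message says Xen uses them but not where they sit, so a comment on the table naming the source of truth, e.g. `/* order must match the initial SID numbering in Xen's FLASK policy */`, would let the next addition be verified. Because XEN_SID_SZ is derived from the array, a Xen policy using these two SIDs previously fell into the UNKNOWN path introduced in patch 3 and now gets a real name, which changes decompiled output and is worth a sentence in the commit message.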
#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
--
2.17.1
* [PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions
2018-10-11 12:35 [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files James Carter
@ 2018-10-11 12:35 ` James Carter
From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw)
To: selinux; +Cc: selinux
Want to make use of selinux_sid_to_str[] and xen_sid_to_str[] from
kernel_to_common.h in module_to_cil.c, but stack functions with the
same names exist in module_to_cil.c and kernel_to_common.c (with
the function prototypes in kernel_to_common.h).
Since the stack functions in kernel_to_common.c are less general and
only work with strings, rename those functions from stack_* to
strs_stack_*.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/src/kernel_to_cil.c | 36 ++++++++++++++++-----------------
libsepol/src/kernel_to_common.c | 10 ++++-----
libsepol/src/kernel_to_common.h | 10 ++++-----
libsepol/src/kernel_to_conf.c | 36 ++++++++++++++++-----------------
4 files changed, 46 insertions(+), 46 deletions(-)
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index b1eb66d6..c2a733ee 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -36,7 +36,7 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
char *str = NULL;
int rc;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -65,13 +65,13 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid conditional expression");
free(val2);
@@ -89,29 +89,29 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
sepol_log_err("Invalid conditional expression");
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
@@ -127,7 +127,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
*use_mls = 0;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -208,13 +208,13 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid constraint expression");
goto exit;
@@ -231,30 +231,30 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
if (!new_val) {
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
index 7c5699c5..891e139c 100644
--- a/libsepol/src/kernel_to_common.c
+++ b/libsepol/src/kernel_to_common.c
@@ -400,27 +400,27 @@ exit:
return str;
}
-int stack_init(struct strs **stack)
+int strs_stack_init(struct strs **stack)
{
return strs_init(stack, STACK_SIZE);
}
-void stack_destroy(struct strs **stack)
+void strs_stack_destroy(struct strs **stack)
{
return strs_destroy(stack);
}
-int stack_push(struct strs *stack, char *s)
+int strs_stack_push(struct strs *stack, char *s)
{
return strs_add(stack, s);
}
-char *stack_pop(struct strs *stack)
+char *strs_stack_pop(struct strs *stack)
{
return strs_remove_last(stack);
}
-int stack_empty(struct strs *stack)
+int strs_stack_empty(struct strs *stack)
{
return strs_num_items(stack) == 0;
}
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 992929ae..7c5edbd6 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -105,10 +105,10 @@ int hashtab_ordered_to_strs(char *key, void *data, void *args);
int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name);
char *ebitmap_to_str(struct ebitmap *map, char **val_to_name, int sort);
-int stack_init(struct strs **stack);
-void stack_destroy(struct strs **stack);
-int stack_push(struct strs *stack, char *s);
-char *stack_pop(struct strs *stack);
-int stack_empty(struct strs *stack);
+int strs_stack_init(struct strs **stack);
+void strs_stack_destroy(struct strs **stack);
+int strs_stack_push(struct strs *stack, char *s);
+char *strs_stack_pop(struct strs *stack);
+int strs_stack_empty(struct strs *stack);
int sort_ocontexts(struct policydb *pdb);
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 95405207..a98b5ca9 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -35,7 +35,7 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
char *str = NULL;
int rc;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -63,13 +63,13 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid conditional expression");
free(val2);
@@ -87,29 +87,29 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
sepol_log_err("Invalid conditional expression");
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
@@ -125,7 +125,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
*use_mls = 0;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -204,13 +204,13 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid constraint expression");
goto exit;
@@ -227,30 +227,30 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
if (!new_val) {
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
--
2.17.1