* [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files
@ 2018-10-11 12:35 James Carter
From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw)
To: selinux; +Cc: selinux
[Resending because I originally only sent these to the new list]
- Removes some redundant definitions of initial sid name strings
- Adds range checking when looking up an initial sid name string for an index
- Adds two new Xen initial sids
James Carter (4):
libsepol: Rename kernel_to_common.c stack functions
libsepol: Eliminate initial sid string definitions in module_to_cil.c
libsepol: Check that initial sid indexes are within the valid range
libsepol: Add two new Xen initial SIDs
libsepol/src/kernel_to_cil.c | 78 +++++++++++++++++++++------------
libsepol/src/kernel_to_common.c | 10 ++---
libsepol/src/kernel_to_common.h | 16 ++++---
libsepol/src/kernel_to_conf.c | 78 +++++++++++++++++++++------------
libsepol/src/module_to_cil.c | 78 +++++++++------------------------
5 files changed, 136 insertions(+), 124 deletions(-)
--
2.17.1
* [PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions
From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw)
To: selinux; +Cc: selinux
We want to make use of selinux_sid_to_str[] and xen_sid_to_str[] from
kernel_to_common.h in module_to_cil.c, but stack functions with the
same names exist in module_to_cil.c and kernel_to_common.c (with
the function prototypes in kernel_to_common.h).
Since the stack functions in kernel_to_common.c are less general and
only work with strings, rename those functions from stack_* to
strs_stack_*.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/src/kernel_to_cil.c | 36 ++++++++++++++++-----------------
libsepol/src/kernel_to_common.c | 10 ++++-----
libsepol/src/kernel_to_common.h | 10 ++++-----
libsepol/src/kernel_to_conf.c | 36 ++++++++++++++++-----------------
4 files changed, 46 insertions(+), 46 deletions(-)
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index b1eb66d6..c2a733ee 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -36,7 +36,7 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
char *str = NULL;
int rc;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -65,13 +65,13 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid conditional expression");
free(val2);
@@ -89,29 +89,29 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
sepol_log_err("Invalid conditional expression");
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
@@ -127,7 +127,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
*use_mls = 0;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -208,13 +208,13 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid constraint expression");
goto exit;
@@ -231,30 +231,30 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
if (!new_val) {
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
index 7c5699c5..891e139c 100644
--- a/libsepol/src/kernel_to_common.c
+++ b/libsepol/src/kernel_to_common.c
@@ -400,27 +400,27 @@ exit:
return str;
}
-int stack_init(struct strs **stack)
+int strs_stack_init(struct strs **stack)
{
return strs_init(stack, STACK_SIZE);
}
-void stack_destroy(struct strs **stack)
+void strs_stack_destroy(struct strs **stack)
{
return strs_destroy(stack);
}
-int stack_push(struct strs *stack, char *s)
+int strs_stack_push(struct strs *stack, char *s)
{
return strs_add(stack, s);
}
-char *stack_pop(struct strs *stack)
+char *strs_stack_pop(struct strs *stack)
{
return strs_remove_last(stack);
}
-int stack_empty(struct strs *stack)
+int strs_stack_empty(struct strs *stack)
{
return strs_num_items(stack) == 0;
}
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 992929ae..7c5edbd6 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -105,10 +105,10 @@ int hashtab_ordered_to_strs(char *key, void *data, void *args);
int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name);
char *ebitmap_to_str(struct ebitmap *map, char **val_to_name, int sort);
-int stack_init(struct strs **stack);
-void stack_destroy(struct strs **stack);
-int stack_push(struct strs *stack, char *s);
-char *stack_pop(struct strs *stack);
-int stack_empty(struct strs *stack);
+int strs_stack_init(struct strs **stack);
+void strs_stack_destroy(struct strs **stack);
+int strs_stack_push(struct strs *stack, char *s);
+char *strs_stack_pop(struct strs *stack);
+int strs_stack_empty(struct strs *stack);
int sort_ocontexts(struct policydb *pdb);
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 95405207..a98b5ca9 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -35,7 +35,7 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
char *str = NULL;
int rc;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -63,13 +63,13 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid conditional expression");
free(val2);
@@ -87,29 +87,29 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
sepol_log_err("Invalid conditional expression");
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
@@ -125,7 +125,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
*use_mls = 0;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -204,13 +204,13 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid constraint expression");
goto exit;
@@ -227,30 +227,30 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
if (!new_val) {
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
--
2.17.1
* [PATCH 2/4] libsepol: Eliminate initial sid string definitions in module_to_cil.c
From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw)
To: selinux; +Cc: selinux
Since the initial sid strings are defined in kernel_to_common.h,
module_to_cil.c can use those and its initial sid string definitions
can be removed.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/src/module_to_cil.c | 59 +++---------------------------------
1 file changed, 5 insertions(+), 54 deletions(-)
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index dcf6ebb1..8ab0dfce 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -52,6 +52,7 @@
#include <sepol/policydb/services.h>
#include <sepol/policydb/util.h>
+#include "kernel_to_common.h"
#include "private.h"
#ifdef __GNUC__
@@ -2546,7 +2547,8 @@ static int context_to_cil(struct policydb *pdb, struct context_struct *con)
return 0;
}
-static int ocontext_isid_to_cil(struct policydb *pdb, const char **sid_to_string, struct ocontext *isids)
+static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string,
+ struct ocontext *isids)
{
int rc = -1;
@@ -2602,41 +2604,7 @@ static int ocontext_selinux_isid_to_cil(struct policydb *pdb, struct ocontext *i
{
int rc = -1;
- // initial sid names aren't actually stored in the pp files, need to a have
- // a mapping, taken from the linux kernel
- static const char *selinux_sid_to_string[] = {
- "null",
- "kernel",
- "security",
- "unlabeled",
- "fs",
- "file",
- "file_labels",
- "init",
- "any_socket",
- "port",
- "netif",
- "netmsg",
- "node",
- "igmp_packet",
- "icmp_socket",
- "tcp_socket",
- "sysctl_modprobe",
- "sysctl",
- "sysctl_fs",
- "sysctl_kernel",
- "sysctl_net",
- "sysctl_net_unix",
- "sysctl_vm",
- "sysctl_dev",
- "kmod",
- "policy",
- "scmp_packet",
- "devnull",
- NULL
- };
-
- rc = ocontext_isid_to_cil(pdb, selinux_sid_to_string, isids);
+ rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, isids);
if (rc != 0) {
goto exit;
}
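Review bot: The index into `sid_to_string` on the `cil_println`/`cil_printf` lines of this function (outside the hunk; the context shown in 3/4 still reads `sid_to_string[isid->sid[0]]`) stays unchecked after this patch, and unlike the removed local arrays the shared tables in kernel_to_common.h end at `"devnull"` with no NULL sentinel, so an initial sid one past the table now reads beyond the array instead of yielding NULL. Patch 3/4 adds the bound, but as ordered this commit is a bisect point that carries the regression; folding the range check into this patch, or moving 3/4 ahead of it, would keep every step of the series safe. The body of ocontext_selinux_isid_to_cil continues outside the hunk.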
@@ -2865,24 +2833,7 @@ static int ocontext_xen_isid_to_cil(struct policydb *pdb, struct ocontext *isids
{
int rc = -1;
- // initial sid names aren't actually stored in the pp files, need to a have
- // a mapping, taken from the xen kernel
- static const char *xen_sid_to_string[] = {
- "null",
- "xen",
- "dom0",
- "domio",
- "domxen",
- "unlabeled",
- "security",
- "ioport",
- "iomem",
- "irq",
- "device",
- NULL,
- };
-
- rc = ocontext_isid_to_cil(pdb, xen_sid_to_string, isids);
+ rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, isids);
if (rc != 0) {
goto exit;
}
--
2.17.1
* [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range
From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw)
To: selinux; +Cc: selinux
When writing CIL from a policy module or when writing CIL or policy.conf
from a kernel binary policy, check that the initial sid index is within
the valid range of the selinux_sid_to_str[] array (or xen_sid_to_str[]
array for a XEN policy). If it is not, then create a unique name
("UNKNOWN"+index) for the initial sid.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/src/kernel_to_cil.c | 42 +++++++++++++++++++++++++--------
libsepol/src/kernel_to_common.h | 4 ++++
libsepol/src/kernel_to_conf.c | 42 +++++++++++++++++++++++++--------
libsepol/src/module_to_cil.c | 25 ++++++++++++++------
4 files changed, 86 insertions(+), 27 deletions(-)
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index c2a733ee..d173144e 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -529,23 +529,31 @@ exit:
return rc;
}
-static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct ocontext *isids)
+static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
+ unsigned num_sids, struct ocontext *isids)
{
struct ocontext *isid;
struct strs *strs;
char *sid;
char *prev;
+ char unknown[17];
unsigned i;
int rc;
- rc = strs_init(&strs, SECINITSID_NUM+1);
+ rc = strs_init(&strs, num_sids+1);
if (rc != 0) {
goto exit;
}
for (isid = isids; isid != NULL; isid = isid->next) {
i = isid->sid[0];
- rc = strs_add_at_index(strs, (char *)sid_to_str[i], i);
+ if (i < num_sids) {
+ sid = (char *)sid_to_str[i];
+ } else {
+ snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ sid = strdup(unknown);
+ }
+ rc = strs_add_at_index(strs, sid, i);
if (rc != 0) {
goto exit;
}
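Review bot: `char unknown[17];` is one byte short for the largest `%u`: "UNKNOWN" plus ten digits plus the terminator needs 18 bytes, so `snprintf` silently truncates any ten-digit index and distinct out-of-range sids (4294967290 through 4294967299, say) collapse onto the same name, which defeats the uniqueness the commit message relies on. Sizing it as `char unknown[sizeof("UNKNOWN") + 10];` removes the truncation; `i` is declared `unsigned` here, though whether `isid->sid[0]` can carry a full 32-bit value is not visible in this hunk. The `strdup(unknown)` result is also stored without a check, so on allocation failure a NULL lands in `strs` and is later handed to `%s`; `if (!sid) { rc = -1; goto exit; }` right after the strdup covers that.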
@@ -577,6 +585,10 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct oc
sepol_printf(out, "))\n");
exit:
+ for (i=num_sids; i<strs_num_items(strs); i++) {
+ sid = strs_read_at_index(strs, i);
+ free(sid);
+ }
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing sid rules to CIL\n");
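Review bot: This cleanup frees only the strings that reached `strs`, so if `strs_add_at_index(strs, sid, i)` in the loop above fails right after a `strdup`, that copy is never released: the failure path jumps here with the string neither stored nor freed. Adding `if (i >= num_sids) free(sid);` before that `goto exit` closes the leak, the guard keeping the table's static strings out of `free`. It is also worth confirming that `strs_num_items(strs)` tolerates arriving here from the `strs_init` failure path, since what `strs_init` leaves in `strs` on error is outside this hunk.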
@@ -590,9 +602,11 @@ static int write_sid_decl_rules_to_cil(FILE *out, struct policydb *pdb)
int rc = 0;
if (pdb->target_platform == SEPOL_TARGET_SELINUX) {
- rc = write_sids_to_cil(out, selinux_sid_to_str, pdb->ocontexts[0]);
+ rc = write_sids_to_cil(out, selinux_sid_to_str, SELINUX_SID_SZ,
+ pdb->ocontexts[0]);
} else if (pdb->target_platform == SEPOL_TARGET_XEN) {
- rc = write_sids_to_cil(out, xen_sid_to_str, pdb->ocontexts[0]);
+ rc = write_sids_to_cil(out, xen_sid_to_str, XEN_SID_SZ,
+ pdb->ocontexts[0]);
} else {
sepol_log_err("Unknown target platform: %i", pdb->target_platform);
rc = -1;
@@ -2479,11 +2493,12 @@ exit:
return ctx;
}
-static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str)
+static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
{
struct ocontext *isid;
struct strs *strs;
- const char *sid;
+ char *sid;
+ char unknown[17];
char *ctx, *rule;
unsigned i;
int rc = -1;
@@ -2495,7 +2510,13 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
i = isid->sid[0];
- sid = sid_to_str[i];
+ if (i < num_sids) {
+ sid = (char *)sid_to_str[i];
+ } else {
+ snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ sid = unknown;
+ }
+
ctx = context_to_str(pdb, &isid->context[0]);
if (!ctx) {
rc = -1;
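Review bot: `sid` was `const char *` and is only read in this function, and a `char unknown[]` buffer converts to `const char *` without a cast, so the change to `char *sid` and the `(char *)sid_to_str[i]` cast discard const for no gain; keeping `const char *sid;` and writing `sid = sid_to_str[i];` is shorter and preserves the table's qualifier. The same `unknown[17]` sizing applies here as in write_sids_to_cil: "UNKNOWN" plus a ten-digit `%u` plus NUL needs 18 bytes, so ten-digit indexes are truncated by the `snprintf`. write_sid_context_rules_to_cil's body continues past the hunk.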
@@ -2531,7 +2552,8 @@ exit:
static int write_selinux_isid_rules_to_cil(FILE *out, struct policydb *pdb)
{
- return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str);
+ return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str,
+ SELINUX_SID_SZ);
}
static int write_selinux_fsuse_rules_to_cil(FILE *out, struct policydb *pdb)
@@ -2884,7 +2906,7 @@ exit:
static int write_xen_isid_rules_to_cil(FILE *out, struct policydb *pdb)
{
- return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str);
+ return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str, XEN_SID_SZ);
}
static int write_xen_pirq_rules_to_cil(FILE *out, struct policydb *pdb)
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 7c5edbd6..dacfe97e 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -43,6 +43,8 @@ static const char * const selinux_sid_to_str[] = {
"devnull",
};
+#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
+
static const char * const xen_sid_to_str[] = {
"null",
"xen",
@@ -57,6 +59,8 @@ static const char * const xen_sid_to_str[] = {
"device",
};
+#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
+
static const uint32_t avtab_flavors[] = {
AVTAB_ALLOWED,
AVTAB_AUDITALLOW,
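Review bot: The two size macros make the position-equals-SID contract of these tables load-bearing, yet nothing in the header says so; a one-line comment above each table, e.g. `/* Array index is the initial SID number; order must match the kernel's initial SID numbering, never sort. */`, would stop a future alphabetised insertion from silently mislabeling every later SID. The macros evaluate to `size_t` while every caller in this series takes `unsigned num_sids`; the narrowing is harmless at these sizes, but a `size_t` parameter would avoid the implicit conversion.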
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index a98b5ca9..7e04a13b 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -428,22 +428,30 @@ static int write_class_decl_rules_to_conf(FILE *out, struct policydb *pdb)
return 0;
}
-static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct ocontext *isids)
+static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
+ unsigned num_sids, struct ocontext *isids)
{
struct ocontext *isid;
struct strs *strs;
char *sid;
+ char unknown[17];
unsigned i;
int rc;
- rc = strs_init(&strs, SECINITSID_NUM+1);
+ rc = strs_init(&strs, num_sids+1);
if (rc != 0) {
goto exit;
}
for (isid = isids; isid != NULL; isid = isid->next) {
i = isid->sid[0];
- rc = strs_add_at_index(strs, (char *)sid_to_str[i], i);
+ if (i < num_sids) {
+ sid = (char *)sid_to_str[i];
+ } else {
+ snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ sid = strdup(unknown);
+ }
+ rc = strs_add_at_index(strs, sid, i);
if (rc != 0) {
goto exit;
}
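Review bot: This lookup-or-synthesize block is now the fourth copy of the same ten lines (write_sids_to_cil, write_sid_context_rules_to_cil and the context-rule variant below), each with its own `unknown[17]` buffer and `snprintf`, so a fix such as the buffer being one byte short for a ten-digit `%u` ("UNKNOWN" + 10 digits + NUL is 18) has to be repeated in every copy. A small helper in kernel_to_common.c along the lines of `const char *sid_to_name(const char *const *tbl, unsigned n, unsigned i, char *buf, size_t len)` would keep the bound check and the name format in one place. As in the CIL writer, the `strdup` result is added to `strs` without a NULL check.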
@@ -458,6 +466,10 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct o
}
exit:
+ for (i=num_sids; i<strs_num_items(strs); i++) {
+ sid = strs_read_at_index(strs, i);
+ free(sid);
+ }
strs_destroy(&strs);
if (rc != 0) {
sepol_log_err("Error writing sid rules to policy.conf\n");
@@ -471,9 +483,11 @@ static int write_sid_decl_rules_to_conf(FILE *out, struct policydb *pdb)
int rc = 0;
if (pdb->target_platform == SEPOL_TARGET_SELINUX) {
- rc = write_sids_to_conf(out, selinux_sid_to_str, pdb->ocontexts[0]);
+ rc = write_sids_to_conf(out, selinux_sid_to_str, SELINUX_SID_SZ,
+ pdb->ocontexts[0]);
} else if (pdb->target_platform == SEPOL_TARGET_XEN) {
- rc = write_sids_to_conf(out, xen_sid_to_str, pdb->ocontexts[0]);
+ rc = write_sids_to_conf(out, xen_sid_to_str, XEN_SID_SZ,
+ pdb->ocontexts[0]);
} else {
sepol_log_err("Unknown target platform: %i", pdb->target_platform);
rc = -1;
@@ -2339,11 +2353,12 @@ static char *context_to_str(struct policydb *pdb, struct context_struct *con)
return ctx;
}
-static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str)
+static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
{
struct ocontext *isid;
struct strs *strs;
- const char *sid;
+ char *sid;
+ char unknown[17];
char *ctx, *rule;
unsigned i;
int rc;
@@ -2355,7 +2370,13 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
i = isid->sid[0];
- sid = sid_to_str[i];
+ if (i < num_sids) {
+ sid = (char *)sid_to_str[i];
+ } else {
+ snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ sid = unknown;
+ }
+
ctx = context_to_str(pdb, &isid->context[0]);
if (!ctx) {
rc = -1;
@@ -2391,7 +2412,8 @@ exit:
static int write_selinux_isid_rules_to_conf(FILE *out, struct policydb *pdb)
{
- return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str);
+ return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str,
+ SELINUX_SID_SZ);
}
static int write_selinux_fsuse_rules_to_conf(FILE *out, struct policydb *pdb)
@@ -2745,7 +2767,7 @@ exit:
static int write_xen_isid_rules_to_conf(FILE *out, struct policydb *pdb)
{
- return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str);
+ return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str, XEN_SID_SZ);
}
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 8ab0dfce..7fc29cbd 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2548,23 +2548,33 @@ static int context_to_cil(struct policydb *pdb, struct context_struct *con)
}
static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string,
- struct ocontext *isids)
+ unsigned num_sids, struct ocontext *isids)
{
int rc = -1;
struct ocontext *isid;
struct sid_item {
- const char *sid_key;
+ char *sid_key;
struct sid_item *next;
};
struct sid_item *head = NULL;
struct sid_item *item = NULL;
+ char *sid;
+ char unknown[17];
+ unsigned i;
for (isid = isids; isid != NULL; isid = isid->next) {
- cil_println(0, "(sid %s)", sid_to_string[isid->sid[0]]);
- cil_printf("(sidcontext %s ", sid_to_string[isid->sid[0]]);
+ i = isid->sid[0];
+ if (i < num_sids) {
+ sid = (char*)sid_to_string[i];
+ } else {
+ snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ sid = unknown;
+ }
+ cil_println(0, "(sid %s)", sid);
+ cil_printf("(sidcontext %s ", sid);
context_to_cil(pdb, &isid->context[0]);
cil_printf(")\n");
@@ -2576,7 +2586,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
rc = -1;
goto exit;
}
- item->sid_key = sid_to_string[isid->sid[0]];
+ item->sid_key = strdup(sid);
item->next = head;
head = item;
}
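Review bot: `item->sid_key = strdup(sid);` is stored without checking for NULL, so under allocation failure the list gains an item whose key is NULL and whatever consumes `sid_key` after this loop (outside the hunk) would dereference it; `if (!item->sid_key) { free(item); rc = -1; goto exit; }` right after the strdup keeps the existing exit path, which already frees each key, consistent. With the copy made here, pointing `sid` at the stack buffer `unknown` in the earlier hunk is safe, since nothing retains that pointer past the iteration.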
@@ -2595,6 +2605,7 @@ exit:
while(head) {
item = head;
head = item->next;
+ free(item->sid_key);
free(item);
}
return rc;
@@ -2604,7 +2615,7 @@ static int ocontext_selinux_isid_to_cil(struct policydb *pdb, struct ocontext *i
{
int rc = -1;
- rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, isids);
+ rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, SELINUX_SID_SZ, isids);
if (rc != 0) {
goto exit;
}
@@ -2833,7 +2844,7 @@ static int ocontext_xen_isid_to_cil(struct policydb *pdb, struct ocontext *isids
{
int rc = -1;
- rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, isids);
+ rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, XEN_SID_SZ, isids);
if (rc != 0) {
goto exit;
}
--
2.17.1
* [PATCH 4/4] libsepol: Add two new Xen initial SIDs
From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw)
To: selinux; +Cc: selinux
Xen uses the initial SIDs domU and domDM in its toolstack, so it makes
sense to add these to xen_sid_to_str[] in kernel_to_common.h
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/src/kernel_to_common.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index dacfe97e..8aa483fa 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -57,6 +57,8 @@ static const char * const xen_sid_to_str[] = {
"iomem",
"irq",
"device",
+ "domU",
+ "domDM",
};
#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
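Review bot: The table is positional, so `"domU"` and `"domDM"` are only correct if Xen's FLASK policy numbers them as the two initial SIDs immediately after `device`, in that order; nothing in the patch states the numbers. A short comment on these two lines naming the Xen-side definition they mirror (or the SID numbers themselves) would let a reviewer check the alignment, and the commit message could point at where in the toolstack the SIDs are defined. XEN_SID_SZ picks up the new entries automatically, so the range check from 3/4 needs no change.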
--
2.17.1
* Re: [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range
From: Yuli Khodorkovskiy @ 2018-10-11 15:02 UTC (permalink / raw)
To: James Carter; +Cc: selinux, selinux
> On Oct 11, 2018, at 8:35 AM, James Carter <jwcart2@tycho.nsa.gov> wrote:
>
> When writing CIL from a policy module or when writing CIL or policy.conf
> from a kernel binary policy, check that the initial sid index is within
> the valid range of the selinux_sid_to_str[] array (or xen_sid_to_str[]
> array for a XEN policy). If it is not, then create a unique name
> ("UNKNOWN"+index) for the initial sid.
>
> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
> ---
> libsepol/src/kernel_to_cil.c | 42 +++++++++++++++++++++++++--------
> libsepol/src/kernel_to_common.h | 4 ++++
> libsepol/src/kernel_to_conf.c | 42 +++++++++++++++++++++++++--------
> libsepol/src/module_to_cil.c | 25 ++++++++++++++------
> 4 files changed, 86 insertions(+), 27 deletions(-)
>
> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
> index c2a733ee..d173144e 100644
> --- a/libsepol/src/kernel_to_cil.c
> +++ b/libsepol/src/kernel_to_cil.c
> @@ -529,23 +529,31 @@ exit:
> return rc;
> }
>
> -static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct ocontext *isids)
> +static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
> + unsigned num_sids, struct ocontext *isids)
> {
> struct ocontext *isid;
> struct strs *strs;
> char *sid;
> char *prev;
> + char unknown[17];
Maybe store this magic number in a #define?
> unsigned i;
> int rc;
>
> - rc = strs_init(&strs, SECINITSID_NUM+1);
> + rc = strs_init(&strs, num_sids+1);
> if (rc != 0) {
> goto exit;
> }
>
> for (isid = isids; isid != NULL; isid = isid->next) {
> i = isid->sid[0];
> - rc = strs_add_at_index(strs, (char *)sid_to_str[i], i);
> + if (i < num_sids) {
> + sid = (char *)sid_to_str[i];
> + } else {
> + snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
> + sid = strdup(unknown);
> + }
> + rc = strs_add_at_index(strs, sid, i);
> if (rc != 0) {
> goto exit;
> }
> @@ -577,6 +585,10 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct oc
> sepol_printf(out, "))\n");
>
> exit:
> + for (i=num_sids; i<strs_num_items(strs); i++) {
> + sid = strs_read_at_index(strs, i);
> + free(sid);
> + }
> strs_destroy(&strs);
> if (rc != 0) {
> sepol_log_err("Error writing sid rules to CIL\n");
> @@ -590,9 +602,11 @@ static int write_sid_decl_rules_to_cil(FILE *out, struct policydb *pdb)
> int rc = 0;
>
> if (pdb->target_platform == SEPOL_TARGET_SELINUX) {
> - rc = write_sids_to_cil(out, selinux_sid_to_str, pdb->ocontexts[0]);
> + rc = write_sids_to_cil(out, selinux_sid_to_str, SELINUX_SID_SZ,
> + pdb->ocontexts[0]);
> } else if (pdb->target_platform == SEPOL_TARGET_XEN) {
> - rc = write_sids_to_cil(out, xen_sid_to_str, pdb->ocontexts[0]);
> + rc = write_sids_to_cil(out, xen_sid_to_str, XEN_SID_SZ,
> + pdb->ocontexts[0]);
> } else {
> sepol_log_err("Unknown target platform: %i", pdb->target_platform);
> rc = -1;
> @@ -2479,11 +2493,12 @@ exit:
> return ctx;
> }
>
> -static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str)
> +static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
> {
> struct ocontext *isid;
> struct strs *strs;
> - const char *sid;
> + char *sid;
> + char unknown[17];
> char *ctx, *rule;
> unsigned i;
> int rc = -1;
> @@ -2495,7 +2510,13 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
>
> for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
> i = isid->sid[0];
> - sid = sid_to_str[i];
> + if (i < num_sids) {
> + sid = (char *)sid_to_str[i];
> + } else {
> + snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
> + sid = unknown;
> + }
> +
> ctx = context_to_str(pdb, &isid->context[0]);
> if (!ctx) {
> rc = -1;
> @@ -2531,7 +2552,8 @@ exit:
>
> static int write_selinux_isid_rules_to_cil(FILE *out, struct policydb *pdb)
> {
> - return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str);
> + return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str,
> + SELINUX_SID_SZ);
> }
>
> static int write_selinux_fsuse_rules_to_cil(FILE *out, struct policydb *pdb)
> @@ -2884,7 +2906,7 @@ exit:
>
> static int write_xen_isid_rules_to_cil(FILE *out, struct policydb *pdb)
> {
> - return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str);
> + return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str, XEN_SID_SZ);
> }
>
> static int write_xen_pirq_rules_to_cil(FILE *out, struct policydb *pdb)
> diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
> index 7c5edbd6..dacfe97e 100644
> --- a/libsepol/src/kernel_to_common.h
> +++ b/libsepol/src/kernel_to_common.h
> @@ -43,6 +43,8 @@ static const char * const selinux_sid_to_str[] = {
> "devnull",
> };
>
> +#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
> +
> static const char * const xen_sid_to_str[] = {
> "null",
> "xen",
> @@ -57,6 +59,8 @@ static const char * const xen_sid_to_str[] = {
> "device",
> };
>
> +#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
> +
> static const uint32_t avtab_flavors[] = {
> AVTAB_ALLOWED,
> AVTAB_AUDITALLOW,
> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> index a98b5ca9..7e04a13b 100644
> --- a/libsepol/src/kernel_to_conf.c
> +++ b/libsepol/src/kernel_to_conf.c
> @@ -428,22 +428,30 @@ static int write_class_decl_rules_to_conf(FILE *out, struct policydb *pdb)
> return 0;
> }
>
> -static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct ocontext *isids)
> +static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
> + unsigned num_sids, struct ocontext *isids)
> {
> struct ocontext *isid;
> struct strs *strs;
> char *sid;
> + char unknown[17];
> unsigned i;
> int rc;
>
> - rc = strs_init(&strs, SECINITSID_NUM+1);
> + rc = strs_init(&strs, num_sids+1);
> if (rc != 0) {
> goto exit;
> }
>
> for (isid = isids; isid != NULL; isid = isid->next) {
> i = isid->sid[0];
> - rc = strs_add_at_index(strs, (char *)sid_to_str[i], i);
> + if (i < num_sids) {
> + sid = (char *)sid_to_str[i];
> + } else {
> + snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
> + sid = strdup(unknown);
> + }
> + rc = strs_add_at_index(strs, sid, i);
> if (rc != 0) {
> goto exit;
> }
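Review bot: The `strdup(unknown)` result in the new `else` branch is stored into `sid` and handed to `strs_add_at_index` without a NULL check, so an allocation failure silently registers a NULL name for that index; follow the branch with `if (!sid) { rc = -1; goto exit; }`. The fallback buffer is also one byte short for the largest indexes: "UNKNOWN" plus the up-to-10 digits of `%u` needs 18 bytes, so `char unknown[17]` makes `snprintf` drop the last digit for i >= 1000000000 (no overflow, but a misleading name), and the literal 17 should be `sizeof unknown` in any case. The same buffer and `snprintf` call are repeated in the hunks for write_sid_context_rules_to_conf and ocontext_isid_to_cil below. write_sids_to_conf continues past this hunk.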
> @@ -458,6 +466,10 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct o
> }
>
> exit:
> + for (i=num_sids; i<strs_num_items(strs); i++) {
> + sid = strs_read_at_index(strs, i);
> + free(sid);
> + }
> strs_destroy(&strs);
> if (rc != 0) {
> sepol_log_err("Error writing sid rules to policy.conf\n");
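Review bot: The new cleanup loop under `exit:` also runs when control arrived via the failed `strs_init` earlier in the function, so it relies on `strs_num_items` tolerating whatever `strs_init` leaves in `strs` on failure (presumably NULL); if it does not, guard the loop with `if (strs)` or keep the frees on the success path only. The loop frees exactly the slots at or above `num_sids`, which matches the indexes that were `strdup`'d, but if two initial sids carry the same out-of-range index the first copy is presumably overwritten inside `strs_add_at_index` and leaked, unless that helper rejects duplicates. The rest of write_sids_to_conf lies outside the hunk.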
> @@ -471,9 +483,11 @@ static int write_sid_decl_rules_to_conf(FILE *out, struct policydb *pdb)
> int rc = 0;
>
> if (pdb->target_platform == SEPOL_TARGET_SELINUX) {
> - rc = write_sids_to_conf(out, selinux_sid_to_str, pdb->ocontexts[0]);
> + rc = write_sids_to_conf(out, selinux_sid_to_str, SELINUX_SID_SZ,
> + pdb->ocontexts[0]);
> } else if (pdb->target_platform == SEPOL_TARGET_XEN) {
> - rc = write_sids_to_conf(out, xen_sid_to_str, pdb->ocontexts[0]);
> + rc = write_sids_to_conf(out, xen_sid_to_str, XEN_SID_SZ,
> + pdb->ocontexts[0]);
> } else {
> sepol_log_err("Unknown target platform: %i", pdb->target_platform);
> rc = -1;
> @@ -2339,11 +2353,12 @@ static char *context_to_str(struct policydb *pdb, struct context_struct *con)
> return ctx;
> }
>
> -static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str)
> +static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
> {
> struct ocontext *isid;
> struct strs *strs;
> - const char *sid;
> + char *sid;
> + char unknown[17];
> char *ctx, *rule;
> unsigned i;
> int rc;
> @@ -2355,7 +2370,13 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
>
> for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
> i = isid->sid[0];
> - sid = sid_to_str[i];
> + if (i < num_sids) {
> + sid = (char *)sid_to_str[i];
> + } else {
> + snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
> + sid = unknown;
> + }
> +
> ctx = context_to_str(pdb, &isid->context[0]);
> if (!ctx) {
> rc = -1;
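Review bot: The cast `(char *)sid_to_str[i]` discards the table's const only because `sid` was changed from `const char *` to `char *`; since the `unknown` array converts to `const char *` without a cast, keeping the original declaration and writing `sid = sid_to_str[i];` avoids casting away const, provided the code that consumes `sid` further down (outside the hunk) accepts a const pointer. `unknown` is reused on every iteration, which is safe only if the `rule` built below copies `sid` rather than keeping the pointer; a comment such as `/* unknown is per-iteration scratch; do not retain sid */` would make that contract explicit. write_sid_context_rules_to_conf continues past this hunk.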
> @@ -2391,7 +2412,8 @@ exit:
>
> static int write_selinux_isid_rules_to_conf(FILE *out, struct policydb *pdb)
> {
> - return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str);
> + return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str,
> + SELINUX_SID_SZ);
> }
>
> static int write_selinux_fsuse_rules_to_conf(FILE *out, struct policydb *pdb)
> @@ -2745,7 +2767,7 @@ exit:
>
> static int write_xen_isid_rules_to_conf(FILE *out, struct policydb *pdb)
> {
> - return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str);
> + return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str, XEN_SID_SZ);
> }
>
>
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index 8ab0dfce..7fc29cbd 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -2548,23 +2548,33 @@ static int context_to_cil(struct policydb *pdb, struct context_struct *con)
> }
>
> static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string,
> - struct ocontext *isids)
> + unsigned num_sids, struct ocontext *isids)
> {
> int rc = -1;
>
> struct ocontext *isid;
>
> struct sid_item {
> - const char *sid_key;
> + char *sid_key;
> struct sid_item *next;
> };
>
> struct sid_item *head = NULL;
> struct sid_item *item = NULL;
> + char *sid;
> + char unknown[17];
> + unsigned i;
>
> for (isid = isids; isid != NULL; isid = isid->next) {
> - cil_println(0, "(sid %s)", sid_to_string[isid->sid[0]]);
> - cil_printf("(sidcontext %s ", sid_to_string[isid->sid[0]]);
> + i = isid->sid[0];
> + if (i < num_sids) {
> + sid = (char*)sid_to_string[i];
> + } else {
> + snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
> + sid = unknown;
> + }
> + cil_println(0, "(sid %s)", sid);
> + cil_printf("(sidcontext %s ", sid);
> context_to_cil(pdb, &isid->context[0]);
> cil_printf(")\n");
>
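Review bot: `sid` only feeds `cil_println`, `cil_printf` and (in the next hunk) `strdup`, all of which accept a `const char *`, so declaring it `const char *sid` and dropping the `(char*)` cast keeps the const-qualification of `sid_to_string` intact; only `sid_item.sid_key` needs to be non-const, because it is freed. Pointing `sid` at the stack array `unknown` is safe here precisely because the list entry takes its own copy via `strdup`, which is worth recording with `/* unknown is stack scratch; sid_key takes an owned copy below */`. ocontext_isid_to_cil continues past this hunk.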
> @@ -2576,7 +2586,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
> rc = -1;
> goto exit;
> }
> - item->sid_key = sid_to_string[isid->sid[0]];
> + item->sid_key = strdup(sid);
> item->next = head;
> head = item;
> }
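Review bot: The `strdup(sid)` result is assigned to `item->sid_key` without a check, so on allocation failure a NULL key enters the list and whatever consumes `sid_key` after the loop (outside the hunk) would dereference it; mirror the `item` allocation check just above with `if (!item->sid_key) { free(item); rc = -1; goto exit; }`. At that point `item` is not yet linked into `head`, so freeing it directly rather than relying on the `exit:` loop is the correct cleanup.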
> @@ -2595,6 +2605,7 @@ exit:
> while(head) {
> item = head;
> head = item->next;
> + free(item->sid_key);
> free(item);
> }
> return rc;
> @@ -2604,7 +2615,7 @@ static int ocontext_selinux_isid_to_cil(struct policydb *pdb, struct ocontext *i
> {
> int rc = -1;
>
> - rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, isids);
> + rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, SELINUX_SID_SZ, isids);
> if (rc != 0) {
> goto exit;
> }
> @@ -2833,7 +2844,7 @@ static int ocontext_xen_isid_to_cil(struct policydb *pdb, struct ocontext *isids
> {
> int rc = -1;
>
> - rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, isids);
> + rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, XEN_SID_SZ, isids);
> if (rc != 0) {
> goto exit;
> }
> --
> 2.17.1
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
* Re: [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files
2018-10-11 12:35 [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files James Carter
` (3 preceding siblings ...)
2018-10-11 12:35 ` [PATCH 4/4] libsepol: Add two new Xen initial SIDs James Carter
@ 2018-10-11 23:58 ` William Roberts
2018-10-15 17:39 ` William Roberts
4 siblings, 1 reply; 9+ messages in thread
From: William Roberts @ 2018-10-11 23:58 UTC (permalink / raw)
To: James Carter; +Cc: selinux, selinux
On Thu, Oct 11, 2018 at 5:37 AM James Carter <jwcart2@tycho.nsa.gov> wrote:
>
> [Resending because I originally only sent these to the new list]
>
> - Removes some redundant definitions of initial sid name strings
> - Adds range checking when looking up an initial sid name string for an index
> - Adds two new Xen initial sids
>
> James Carter (4):
> libsepol: Rename kernel_to_common.c stack functions
> libsepol: Eliminate initial sid string definitions in module_to_cil.c
> libsepol: Check that initial sid indexes are within the valid range
> libsepol: Add two new Xen initial SIDs
>
> libsepol/src/kernel_to_cil.c | 78 +++++++++++++++++++++------------
> libsepol/src/kernel_to_common.c | 10 ++---
> libsepol/src/kernel_to_common.h | 16 ++++---
> libsepol/src/kernel_to_conf.c | 78 +++++++++++++++++++++------------
> libsepol/src/module_to_cil.c | 78 +++++++++------------------------
> 5 files changed, 136 insertions(+), 124 deletions(-)
LGTM. I ran these locally and they seemed to be OK and I was able
to list the new SIDs from the policy db.
I staged them here to have travis run the CI as well:
https://github.com/SELinuxProject/selinux/pull/104
>
> --
> 2.17.1
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
* Re: [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files
2018-10-11 23:58 ` [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files William Roberts
@ 2018-10-15 17:39 ` William Roberts
0 siblings, 0 replies; 9+ messages in thread
From: William Roberts @ 2018-10-15 17:39 UTC (permalink / raw)
To: James Carter; +Cc: selinux, selinux
merged:
https://github.com/SELinuxProject/selinux/pull/104
On Thu, Oct 11, 2018 at 4:58 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> On Thu, Oct 11, 2018 at 5:37 AM James Carter <jwcart2@tycho.nsa.gov> wrote:
> >
> > [Resending because I originally only sent these to the new list]
> >
> > - Removes some redundant definitions of initial sid name strings
> > - Adds range checking when looking up an initial sid name string for an index
> > - Adds two new Xen initial sids
> >
> > James Carter (4):
> > libsepol: Rename kernel_to_common.c stack functions
> > libsepol: Eliminate initial sid string definitions in module_to_cil.c
> > libsepol: Check that initial sid indexes are within the valid range
> > libsepol: Add two new Xen initial SIDs
> >
> > libsepol/src/kernel_to_cil.c | 78 +++++++++++++++++++++------------
> > libsepol/src/kernel_to_common.c | 10 ++---
> > libsepol/src/kernel_to_common.h | 16 ++++---
> > libsepol/src/kernel_to_conf.c | 78 +++++++++++++++++++++------------
> > libsepol/src/module_to_cil.c | 78 +++++++++------------------------
> > 5 files changed, 136 insertions(+), 124 deletions(-)
>
> LGTM. I ran these locally and they seemed to be OK and I was able
> to list the new SIDs from the policy db.
>
> I staged them here to have travis run the CI as well:
> https://github.com/SELinuxProject/selinux/pull/104
>
> >
> > --
> > 2.17.1
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
* [PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions
2018-10-05 13:57 James Carter
@ 2018-10-05 13:57 ` James Carter
0 siblings, 0 replies; 9+ messages in thread
From: James Carter @ 2018-10-05 13:57 UTC (permalink / raw)
To: selinux
Want to make use of selinux_sid_to_str[] and xen_sid_to_str[] from
kernel_to_common.h in module_to_cil.c, but stack functions with the
same names exist in module_to_cil.c and kernel_to_common.c (with
the function prototypes in kernel_to_common.h).
Since the stack functions in kernel_to_common.c are less general and
only work with strings, rename those functions from stack_* to
strs_stack_*.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/src/kernel_to_cil.c | 36 ++++++++++++++++-----------------
libsepol/src/kernel_to_common.c | 10 ++++-----
libsepol/src/kernel_to_common.h | 10 ++++-----
libsepol/src/kernel_to_conf.c | 36 ++++++++++++++++-----------------
4 files changed, 46 insertions(+), 46 deletions(-)
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index b1eb66d6..c2a733ee 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -36,7 +36,7 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
char *str = NULL;
int rc;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -65,13 +65,13 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid conditional expression");
free(val2);
@@ -89,29 +89,29 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
sepol_log_err("Invalid conditional expression");
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
@@ -127,7 +127,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
*use_mls = 0;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -208,13 +208,13 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid constraint expression");
goto exit;
@@ -231,30 +231,30 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
if (!new_val) {
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c
index 7c5699c5..891e139c 100644
--- a/libsepol/src/kernel_to_common.c
+++ b/libsepol/src/kernel_to_common.c
@@ -400,27 +400,27 @@ exit:
return str;
}
-int stack_init(struct strs **stack)
+int strs_stack_init(struct strs **stack)
{
return strs_init(stack, STACK_SIZE);
}
-void stack_destroy(struct strs **stack)
+void strs_stack_destroy(struct strs **stack)
{
return strs_destroy(stack);
}
-int stack_push(struct strs *stack, char *s)
+int strs_stack_push(struct strs *stack, char *s)
{
return strs_add(stack, s);
}
-char *stack_pop(struct strs *stack)
+char *strs_stack_pop(struct strs *stack)
{
return strs_remove_last(stack);
}
-int stack_empty(struct strs *stack)
+int strs_stack_empty(struct strs *stack)
{
return strs_num_items(stack) == 0;
}
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index 992929ae..7c5edbd6 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -105,10 +105,10 @@ int hashtab_ordered_to_strs(char *key, void *data, void *args);
int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name);
char *ebitmap_to_str(struct ebitmap *map, char **val_to_name, int sort);
-int stack_init(struct strs **stack);
-void stack_destroy(struct strs **stack);
-int stack_push(struct strs *stack, char *s);
-char *stack_pop(struct strs *stack);
-int stack_empty(struct strs *stack);
+int strs_stack_init(struct strs **stack);
+void strs_stack_destroy(struct strs **stack);
+int strs_stack_push(struct strs *stack, char *s);
+char *strs_stack_pop(struct strs *stack);
+int strs_stack_empty(struct strs *stack);
int sort_ocontexts(struct policydb *pdb);
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 95405207..a98b5ca9 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -35,7 +35,7 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
char *str = NULL;
int rc;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -63,13 +63,13 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid conditional expression");
free(val2);
@@ -87,29 +87,29 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr)
sepol_log_err("Invalid conditional expression");
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
@@ -125,7 +125,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
*use_mls = 0;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -204,13 +204,13 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid constraint expression");
goto exit;
@@ -227,30 +227,30 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr
if (!new_val) {
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
--
2.17.1