* [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files @ 2018-10-11 12:35 James Carter 2018-10-11 12:35 ` [PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions James Carter ` (4 more replies) 0 siblings, 5 replies; 9+ messages in thread From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw) To: selinux; +Cc: selinux [Resending because I originally only sent these to the new list] - Removes some redundant definitions of initial sid name strings - Adds range checking when looking up an initial sid name string for an index - Adds two new Xen initial sids James Carter (4): libsepol: Rename kernel_to_common.c stack functions libsepol: Eliminate initial sid string definitions in module_to_cil.c libsepol: Check that initial sid indexes are within the valid range libsepol: Add two new Xen initial SIDs libsepol/src/kernel_to_cil.c | 78 +++++++++++++++++++++------------ libsepol/src/kernel_to_common.c | 10 ++--- libsepol/src/kernel_to_common.h | 16 ++++--- libsepol/src/kernel_to_conf.c | 78 +++++++++++++++++++++------------ libsepol/src/module_to_cil.c | 78 +++++++++------------------------ 5 files changed, 136 insertions(+), 124 deletions(-) -- 2.17.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions 2018-10-11 12:35 [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files James Carter @ 2018-10-11 12:35 ` James Carter 2018-10-11 12:35 ` [PATCH 2/4] libsepol: Eliminate initial sid string definitions in module_to_cil.c James Carter ` (3 subsequent siblings) 4 siblings, 0 replies; 9+ messages in thread From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw) To: selinux; +Cc: selinux Want to make use of selinux_sid_to_str[] and xen_sid_to_str[] from kernel_to_common.h in module_to_cil.c, but stack functions with the same names exist in module_to_cil.c and kernel_to_common.c (with the function prototypes in kernel_to_common.h). Since the stack functions in kernel_to_common.c are less general and only work with strings, rename those functions from stack_* to strs_stack_*. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> --- libsepol/src/kernel_to_cil.c | 36 ++++++++++++++++----------------- libsepol/src/kernel_to_common.c | 10 ++++----- libsepol/src/kernel_to_common.h | 10 ++++----- libsepol/src/kernel_to_conf.c | 36 ++++++++++++++++----------------- 4 files changed, 46 insertions(+), 46 deletions(-) diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index b1eb66d6..c2a733ee 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -36,7 +36,7 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr) char *str = NULL; int rc; - rc = stack_init(&stack); + rc = strs_stack_init(&stack); if (rc != 0) { goto exit; } @@ -65,13 +65,13 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr) } if (num_params == 2) { - val2 = stack_pop(stack); + val2 = strs_stack_pop(stack); if (!val2) { sepol_log_err("Invalid conditional expression"); goto exit; } } - val1 = stack_pop(stack); + val1 = strs_stack_pop(stack); if (!val1) { sepol_log_err("Invalid conditional expression"); free(val2); 
@@ -89,29 +89,29 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr) sepol_log_err("Invalid conditional expression"); goto exit; } - rc = stack_push(stack, new_val); + rc = strs_stack_push(stack, new_val); if (rc != 0) { sepol_log_err("Out of memory"); goto exit; } } - new_val = stack_pop(stack); - if (!new_val || !stack_empty(stack)) { + new_val = strs_stack_pop(stack); + if (!new_val || !strs_stack_empty(stack)) { sepol_log_err("Invalid conditional expression"); goto exit; } str = new_val; - stack_destroy(&stack); + strs_stack_destroy(&stack); return str; exit: - while ((new_val = stack_pop(stack)) != NULL) { + while ((new_val = strs_stack_pop(stack)) != NULL) { free(new_val); } - stack_destroy(&stack); + strs_stack_destroy(&stack); return NULL; } @@ -127,7 +127,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr *use_mls = 0; - rc = stack_init(&stack); + rc = strs_stack_init(&stack); if (rc != 0) { goto exit; } @@ -208,13 +208,13 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr } if (num_params == 2) { - val2 = stack_pop(stack); + val2 = strs_stack_pop(stack); if (!val2) { sepol_log_err("Invalid constraint expression"); goto exit; } } - val1 = stack_pop(stack); + val1 = strs_stack_pop(stack); if (!val1) { sepol_log_err("Invalid constraint expression"); goto exit; 
@@ -231,30 +231,30 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr if (!new_val) { goto exit; } - rc = stack_push(stack, new_val); + rc = strs_stack_push(stack, new_val); if (rc != 0) { sepol_log_err("Out of memory"); goto exit; } } - new_val = stack_pop(stack); - if (!new_val || !stack_empty(stack)) { + new_val = strs_stack_pop(stack); + if (!new_val || !strs_stack_empty(stack)) { sepol_log_err("Invalid constraint expression"); goto exit; } str = new_val; - stack_destroy(&stack); + strs_stack_destroy(&stack); return str; exit: - while ((new_val = stack_pop(stack)) != NULL) { + while ((new_val = strs_stack_pop(stack)) != NULL) { free(new_val); } - stack_destroy(&stack); + strs_stack_destroy(&stack); return NULL; } diff --git a/libsepol/src/kernel_to_common.c b/libsepol/src/kernel_to_common.c index 7c5699c5..891e139c 100644 --- a/libsepol/src/kernel_to_common.c +++ b/libsepol/src/kernel_to_common.c @@ -400,27 +400,27 @@ exit: return str; } -int stack_init(struct strs **stack) +int strs_stack_init(struct strs **stack) { return strs_init(stack, STACK_SIZE); } -void stack_destroy(struct strs **stack) +void strs_stack_destroy(struct strs **stack) { return strs_destroy(stack); } -int stack_push(struct strs *stack, char *s) +int strs_stack_push(struct strs *stack, char *s) { return strs_add(stack, s); } -char *stack_pop(struct strs *stack) +char *strs_stack_pop(struct strs *stack) { return strs_remove_last(stack); } -int stack_empty(struct strs *stack) +int strs_stack_empty(struct strs *stack) { return strs_num_items(stack) == 0; } diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h index 992929ae..7c5edbd6 100644 --- a/libsepol/src/kernel_to_common.h +++ b/libsepol/src/kernel_to_common.h 
@@ -105,10 +105,10 @@ int hashtab_ordered_to_strs(char *key, void *data, void *args); int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name); char *ebitmap_to_str(struct ebitmap *map, char **val_to_name, int sort); -int stack_init(struct strs **stack); -void stack_destroy(struct strs **stack); -int stack_push(struct strs *stack, char *s); -char *stack_pop(struct strs *stack); -int stack_empty(struct strs *stack); +int strs_stack_init(struct strs **stack); +void strs_stack_destroy(struct strs **stack); +int strs_stack_push(struct strs *stack, char *s); +char *strs_stack_pop(struct strs *stack); +int strs_stack_empty(struct strs *stack); int sort_ocontexts(struct policydb *pdb); diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index 95405207..a98b5ca9 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c @@ -35,7 +35,7 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr) char *str = NULL; int rc; - rc = stack_init(&stack); + rc = strs_stack_init(&stack); if (rc != 0) { goto exit; } @@ -63,13 +63,13 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr) } if (num_params == 2) { - val2 = stack_pop(stack); + val2 = strs_stack_pop(stack); if (!val2) { sepol_log_err("Invalid conditional expression"); goto exit; } } - val1 = stack_pop(stack); + val1 = strs_stack_pop(stack); if (!val1) { sepol_log_err("Invalid conditional expression"); free(val2); 
@@ -87,29 +87,29 @@ static char *cond_expr_to_str(struct policydb *pdb, struct cond_expr *expr) sepol_log_err("Invalid conditional expression"); goto exit; } - rc = stack_push(stack, new_val); + rc = strs_stack_push(stack, new_val); if (rc != 0) { sepol_log_err("Out of memory"); goto exit; } } - new_val = stack_pop(stack); - if (!new_val || !stack_empty(stack)) { + new_val = strs_stack_pop(stack); + if (!new_val || !strs_stack_empty(stack)) { sepol_log_err("Invalid conditional expression"); goto exit; } str = new_val; - stack_destroy(&stack); + strs_stack_destroy(&stack); return str; exit: - while ((new_val = stack_pop(stack)) != NULL) { + while ((new_val = strs_stack_pop(stack)) != NULL) { free(new_val); } - stack_destroy(&stack); + strs_stack_destroy(&stack); return NULL; } @@ -125,7 +125,7 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr *use_mls = 0; - rc = stack_init(&stack); + rc = strs_stack_init(&stack); if (rc != 0) { goto exit; } @@ -204,13 +204,13 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr } if (num_params == 2) { - val2 = stack_pop(stack); + val2 = strs_stack_pop(stack); if (!val2) { sepol_log_err("Invalid constraint expression"); goto exit; } } - val1 = stack_pop(stack); + val1 = strs_stack_pop(stack); if (!val1) { sepol_log_err("Invalid constraint expression"); goto exit; 
@@ -227,30 +227,30 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr if (!new_val) { goto exit; } - rc = stack_push(stack, new_val); + rc = strs_stack_push(stack, new_val); if (rc != 0) { sepol_log_err("Out of memory"); goto exit; } } - new_val = stack_pop(stack); - if (!new_val || !stack_empty(stack)) { + new_val = strs_stack_pop(stack); + if (!new_val || !strs_stack_empty(stack)) { sepol_log_err("Invalid constraint expression"); goto exit; } str = new_val; - stack_destroy(&stack); + strs_stack_destroy(&stack); return str; exit: - while ((new_val = stack_pop(stack)) != NULL) { + while ((new_val = strs_stack_pop(stack)) != NULL) { free(new_val); } - stack_destroy(&stack); + strs_stack_destroy(&stack); return NULL; } -- 2.17.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 2/4] libsepol: Eliminate initial sid string definitions in module_to_cil.c 2018-10-11 12:35 [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files James Carter 2018-10-11 12:35 ` [PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions James Carter @ 2018-10-11 12:35 ` James Carter 2018-10-11 12:35 ` [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range James Carter ` (2 subsequent siblings) 4 siblings, 0 replies; 9+ messages in thread From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw) To: selinux; +Cc: selinux Since the initial sid strings are defined in kernel_to_common.h, module_to_cil.c can use those and its initial sid string definitions can be removed. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> --- libsepol/src/module_to_cil.c | 59 +++--------------------------------- 1 file changed, 5 insertions(+), 54 deletions(-) diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index dcf6ebb1..8ab0dfce 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -52,6 +52,7 @@ #include <sepol/policydb/services.h> #include <sepol/policydb/util.h> +#include "kernel_to_common.h" #include "private.h" #ifdef __GNUC__ @@ -2546,7 +2547,8 @@ static int context_to_cil(struct policydb *pdb, struct context_struct *con) return 0; } -static int ocontext_isid_to_cil(struct policydb *pdb, const char **sid_to_string, struct ocontext *isids) +static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string, + struct ocontext *isids) { int rc = -1; 
@@ -2602,41 +2604,7 @@ static int ocontext_selinux_isid_to_cil(struct policydb *pdb, struct ocontext *i { int rc = -1; - // initial sid names aren't actually stored in the pp files, need to a have - // a mapping, taken from the linux kernel - static const char *selinux_sid_to_string[] = { - "null", - "kernel", - "security", - "unlabeled", - "fs", - "file", - "file_labels", - "init", - "any_socket", - "port", - "netif", - "netmsg", - "node", - "igmp_packet", - "icmp_socket", - "tcp_socket", - "sysctl_modprobe", - "sysctl", - "sysctl_fs", - "sysctl_kernel", - "sysctl_net", - "sysctl_net_unix", - "sysctl_vm", - "sysctl_dev", - "kmod", - "policy", - "scmp_packet", - "devnull", - NULL - }; - - rc = ocontext_isid_to_cil(pdb, selinux_sid_to_string, isids); + rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, isids); if (rc != 0) { goto exit; } @@ -2865,24 +2833,7 @@ static int ocontext_xen_isid_to_cil(struct policydb *pdb, struct ocontext *isids { int rc = -1; - // initial sid names aren't actually stored in the pp files, need to a have - // a mapping, taken from the xen kernel - static const char *xen_sid_to_string[] = { - "null", - "xen", - "dom0", - "domio", - "domxen", - "unlabeled", - "security", - "ioport", - "iomem", - "irq", - "device", - NULL, - }; - - rc = ocontext_isid_to_cil(pdb, xen_sid_to_string, isids); + rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, isids); if (rc != 0) { goto exit; } -- 2.17.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range 2018-10-11 12:35 [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files James Carter 2018-10-11 12:35 ` [PATCH 1/4] libsepol: Rename kernel_to_common.c stack functions James Carter 2018-10-11 12:35 ` [PATCH 2/4] libsepol: Eliminate initial sid string definitions in module_to_cil.c James Carter @ 2018-10-11 12:35 ` James Carter 2018-10-11 15:02 ` Yuli Khodorkovskiy 2018-10-11 12:35 ` [PATCH 4/4] libsepol: Add two new Xen initial SIDs James Carter 2018-10-11 23:58 ` [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files William Roberts 4 siblings, 1 reply; 9+ messages in thread From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw) To: selinux; +Cc: selinux When writing CIL from a policy module or when writing CIL or policy.conf from a kernel binary policy, check that the initial sid index is within the valid range of the selinux_sid_to_str[] array (or xen_sid_to_str[] array for a XEN policy). If it is not, then create a unique name ("UNKNOWN"+index) for the initial sid. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> --- libsepol/src/kernel_to_cil.c | 42 +++++++++++++++++++++++++-------- libsepol/src/kernel_to_common.h | 4 ++++ libsepol/src/kernel_to_conf.c | 42 +++++++++++++++++++++++++-------- libsepol/src/module_to_cil.c | 25 ++++++++++++++------ 4 files changed, 86 insertions(+), 27 deletions(-) diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c index c2a733ee..d173144e 100644 --- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c 
@@ -529,23 +529,31 @@ exit: return rc; } -static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct ocontext *isids) +static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, + unsigned num_sids, struct ocontext *isids) { struct ocontext *isid; struct strs *strs; char *sid; char *prev; + char unknown[17]; unsigned i; int rc; - rc = strs_init(&strs, SECINITSID_NUM+1); + rc = strs_init(&strs, num_sids+1); if (rc != 0) { goto exit; } for (isid = isids; isid != NULL; isid = isid->next) { i = isid->sid[0]; - rc = strs_add_at_index(strs, (char *)sid_to_str[i], i); + if (i < num_sids) { + sid = (char *)sid_to_str[i]; + } else { + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); + sid = strdup(unknown); + } + rc = strs_add_at_index(strs, sid, i); if (rc != 0) { goto exit; } @@ -577,6 +585,10 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct oc sepol_printf(out, "))\n"); exit: + for (i=num_sids; i<strs_num_items(strs); i++) { + sid = strs_read_at_index(strs, i); + free(sid); + } strs_destroy(&strs); if (rc != 0) { sepol_log_err("Error writing sid rules to CIL\n"); @@ -590,9 +602,11 @@ static int write_sid_decl_rules_to_cil(FILE *out, struct policydb *pdb) int rc = 0; if (pdb->target_platform == SEPOL_TARGET_SELINUX) { - rc = write_sids_to_cil(out, selinux_sid_to_str, pdb->ocontexts[0]); + rc = write_sids_to_cil(out, selinux_sid_to_str, SELINUX_SID_SZ, + pdb->ocontexts[0]); } else if (pdb->target_platform == SEPOL_TARGET_XEN) { - rc = write_sids_to_cil(out, xen_sid_to_str, pdb->ocontexts[0]); + rc = write_sids_to_cil(out, xen_sid_to_str, XEN_SID_SZ, + pdb->ocontexts[0]); } else { sepol_log_err("Unknown target platform: %i", pdb->target_platform); rc = -1; 
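Review bot: `char unknown[17]` in write_sids_to_cil is one byte short for the largest value the `%u` conversion can produce: "UNKNOWN" plus ten digits is 17 characters, so the terminator needs an 18th byte and snprintf silently truncates `UNKNOWN4294967295` to `UNKNOWN429496729`, which is also the name generated for index 429496729. Declaring it as `char unknown[sizeof("UNKNOWN") + 10];` and calling `snprintf(unknown, sizeof unknown, "%s%u", "UNKNOWN", i);` removes the truncation and the repeated literal 17; the same declaration and call recur in write_sid_context_rules_to_cil, write_sids_to_conf, write_sid_context_rules_to_conf and ocontext_isid_to_cil. The `sid = strdup(unknown);` result is stored without a NULL check, unlike the strs_init and strs_add_at_index results around it, so an allocation failure puts a NULL name into strs and from there into the output. The new cleanup loop at `exit:` also runs when strs_init itself failed, a path on which previously only strs_destroy touched `strs`; whether strs_num_items tolerates what strs_init leaves behind there is not visible in this hunk and is worth confirming.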
@@ -2479,11 +2493,12 @@ exit: return ctx; } -static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str) +static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids) { struct ocontext *isid; struct strs *strs; - const char *sid; + char *sid; + char unknown[17]; char *ctx, *rule; unsigned i; int rc = -1; @@ -2495,7 +2510,13 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { i = isid->sid[0]; - sid = sid_to_str[i]; + if (i < num_sids) { + sid = (char *)sid_to_str[i]; + } else { + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); + sid = unknown; + } + ctx = context_to_str(pdb, &isid->context[0]); if (!ctx) { rc = -1; @@ -2531,7 +2552,8 @@ exit: static int write_selinux_isid_rules_to_cil(FILE *out, struct policydb *pdb) { - return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str); + return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str, + SELINUX_SID_SZ); } static int write_selinux_fsuse_rules_to_cil(FILE *out, struct policydb *pdb) @@ -2884,7 +2906,7 @@ exit: static int write_xen_isid_rules_to_cil(FILE *out, struct policydb *pdb) { - return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str); + return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str, XEN_SID_SZ); } static int write_xen_pirq_rules_to_cil(FILE *out, struct policydb *pdb) diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h index 7c5edbd6..dacfe97e 100644 --- a/libsepol/src/kernel_to_common.h +++ b/libsepol/src/kernel_to_common.h @@ -43,6 +43,8 @@ static const char * const selinux_sid_to_str[] = { "devnull", }; +#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0])) + static const char * const xen_sid_to_str[] = { "null", "xen", 
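Review bot: In write_sid_context_rules_to_cil the type of `sid` is changed from `const char *` to `char *` only so that it can alias both the table entry and the stack buffer, which forces the `(char *)sid_to_str[i]` cast that discards the table's const qualifier. Keeping `const char *sid;` and writing `sid = sid_to_str[i];` / `sid = unknown;` compiles without any cast, since the `char` array converts to `const char *` implicitly; this holds as long as `sid` is only read in the rest of the function, which lies outside the hunk. The same cast appears in write_sid_context_rules_to_conf and in ocontext_isid_to_cil, where the value only feeds cil_printf and `strdup`, both of which accept a `const char *`. In write_sids_to_cil the cast is unavoidable because strs stores `char *`.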
@@ -57,6 +59,8 @@ static const char * const xen_sid_to_str[] = { "device", }; +#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0])) + static const uint32_t avtab_flavors[] = { AVTAB_ALLOWED, AVTAB_AUDITALLOW, diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index a98b5ca9..7e04a13b 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c @@ -428,22 +428,30 @@ static int write_class_decl_rules_to_conf(FILE *out, struct policydb *pdb) return 0; } -static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct ocontext *isids) +static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, + unsigned num_sids, struct ocontext *isids) { struct ocontext *isid; struct strs *strs; char *sid; + char unknown[17]; unsigned i; int rc; - rc = strs_init(&strs, SECINITSID_NUM+1); + rc = strs_init(&strs, num_sids+1); if (rc != 0) { goto exit; } for (isid = isids; isid != NULL; isid = isid->next) { i = isid->sid[0]; - rc = strs_add_at_index(strs, (char *)sid_to_str[i], i); + if (i < num_sids) { + sid = (char *)sid_to_str[i]; + } else { + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); + sid = strdup(unknown); + } + rc = strs_add_at_index(strs, sid, i); if (rc != 0) { goto exit; } @@ -458,6 +466,10 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct o } exit: + for (i=num_sids; i<strs_num_items(strs); i++) { + sid = strs_read_at_index(strs, i); + free(sid); + } strs_destroy(&strs); if (rc != 0) { sepol_log_err("Error writing sid rules to policy.conf\n"); 
@@ -471,9 +483,11 @@ static int write_sid_decl_rules_to_conf(FILE *out, struct policydb *pdb) int rc = 0; if (pdb->target_platform == SEPOL_TARGET_SELINUX) { - rc = write_sids_to_conf(out, selinux_sid_to_str, pdb->ocontexts[0]); + rc = write_sids_to_conf(out, selinux_sid_to_str, SELINUX_SID_SZ, + pdb->ocontexts[0]); } else if (pdb->target_platform == SEPOL_TARGET_XEN) { - rc = write_sids_to_conf(out, xen_sid_to_str, pdb->ocontexts[0]); + rc = write_sids_to_conf(out, xen_sid_to_str, XEN_SID_SZ, + pdb->ocontexts[0]); } else { sepol_log_err("Unknown target platform: %i", pdb->target_platform); rc = -1; @@ -2339,11 +2353,12 @@ static char *context_to_str(struct policydb *pdb, struct context_struct *con) return ctx; } -static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str) +static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids) { struct ocontext *isid; struct strs *strs; - const char *sid; + char *sid; + char unknown[17]; char *ctx, *rule; unsigned i; int rc; @@ -2355,7 +2370,13 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { i = isid->sid[0]; - sid = sid_to_str[i]; + if (i < num_sids) { + sid = (char *)sid_to_str[i]; + } else { + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); + sid = unknown; + } + ctx = context_to_str(pdb, &isid->context[0]); if (!ctx) { rc = -1; @@ -2391,7 +2412,8 @@ exit: static int write_selinux_isid_rules_to_conf(FILE *out, struct policydb *pdb) { - return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str); + return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str, + SELINUX_SID_SZ); } static int write_selinux_fsuse_rules_to_conf(FILE *out, struct policydb *pdb) 
@@ -2745,7 +2767,7 @@ exit: static int write_xen_isid_rules_to_conf(FILE *out, struct policydb *pdb) { - return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str); + return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str, XEN_SID_SZ); } diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 8ab0dfce..7fc29cbd 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -2548,23 +2548,33 @@ static int context_to_cil(struct policydb *pdb, struct context_struct *con) } static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string, - struct ocontext *isids) + unsigned num_sids, struct ocontext *isids) { int rc = -1; struct ocontext *isid; struct sid_item { - const char *sid_key; + char *sid_key; struct sid_item *next; }; struct sid_item *head = NULL; struct sid_item *item = NULL; + char *sid; + char unknown[17]; + unsigned i; for (isid = isids; isid != NULL; isid = isid->next) { - cil_println(0, "(sid %s)", sid_to_string[isid->sid[0]]); - cil_printf("(sidcontext %s ", sid_to_string[isid->sid[0]]); + i = isid->sid[0]; + if (i < num_sids) { + sid = (char*)sid_to_string[i]; + } else { + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); + sid = unknown; + } + cil_println(0, "(sid %s)", sid); + cil_printf("(sidcontext %s ", sid); context_to_cil(pdb, &isid->context[0]); cil_printf(")\n"); @@ -2576,7 +2586,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_ rc = -1; goto exit; } - item->sid_key = sid_to_string[isid->sid[0]]; + item->sid_key = strdup(sid); item->next = head; head = item; } @@ -2595,6 +2605,7 @@ exit: while(head) { item = head; head = item->next; + free(item->sid_key); free(item); } return rc; 
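Review bot: `item->sid_key = strdup(sid);` in ocontext_isid_to_cil is stored without a NULL check, while the allocation of `item` a few lines earlier is checked and routed to `exit` with `rc = -1`. A failed strdup leaves a NULL key in the list; the new `free(item->sid_key)` at exit tolerates that, but whatever consumes the list after this loop (outside the hunk) would dereference it. Placing the check after `head = item;`, so the existing exit loop already frees the node, keeps the error handling uniform: `if (!item->sid_key) { rc = -1; goto exit; }`. The enclosing function starts in the previous hunk and ends after the exit hunk that follows.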
@@ -2604,7 +2615,7 @@ static int ocontext_selinux_isid_to_cil(struct policydb *pdb, struct ocontext *i { int rc = -1; - rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, isids); + rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, SELINUX_SID_SZ, isids); if (rc != 0) { goto exit; } @@ -2833,7 +2844,7 @@ static int ocontext_xen_isid_to_cil(struct policydb *pdb, struct ocontext *isids { int rc = -1; - rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, isids); + rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, XEN_SID_SZ, isids); if (rc != 0) { goto exit; } -- 2.17.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range 2018-10-11 12:35 ` [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range James Carter @ 2018-10-11 15:02 ` Yuli Khodorkovskiy 0 siblings, 0 replies; 9+ messages in thread From: Yuli Khodorkovskiy @ 2018-10-11 15:02 UTC (permalink / raw) To: James Carter; +Cc: selinux, selinux > On Oct 11, 2018, at 8:35 AM, James Carter <jwcart2@tycho.nsa.gov> wrote: > > When writing CIL from a policy module or when writing CIL or policy.conf > from a kernel binary policy, check that the initial sid index is within > the valid range of the selinux_sid_to_str[] array (or xen_sid_to_str[] > array for a XEN policy). If it is not, then create a unique name > ("UNKNOWN"+index) for the initial sid. > > Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> > --- > libsepol/src/kernel_to_cil.c | 42 +++++++++++++++++++++++++-------- > libsepol/src/kernel_to_common.h | 4 ++++ > libsepol/src/kernel_to_conf.c | 42 +++++++++++++++++++++++++-------- > libsepol/src/module_to_cil.c | 25 ++++++++++++++------ > 4 files changed, 86 insertions(+), 27 deletions(-) > > diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c > index c2a733ee..d173144e 100644 > --- a/libsepol/src/kernel_to_cil.c > +++ b/libsepol/src/kernel_to_cil.c 
> @@ -529,23 +529,31 @@ exit: > return rc; > } > > -static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct ocontext *isids) > +static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, > + unsigned num_sids, struct ocontext *isids) > { > struct ocontext *isid; > struct strs *strs; > char *sid; > char *prev; > + char unknown[17]; Maybe store this magic number in a #define? > unsigned i; > int rc; > > - rc = strs_init(&strs, SECINITSID_NUM+1); > + rc = strs_init(&strs, num_sids+1); > if (rc != 0) { > goto exit; > } > > for (isid = isids; isid != NULL; isid = isid->next) { > i = isid->sid[0]; > - rc = strs_add_at_index(strs, (char *)sid_to_str[i], i); > + if (i < num_sids) { > + sid = (char *)sid_to_str[i]; > + } else { > + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); > + sid = strdup(unknown); > + } > + rc = strs_add_at_index(strs, sid, i); > if (rc != 0) { > goto exit; > } > @@ -577,6 +585,10 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct oc > sepol_printf(out, "))\n"); > > exit: > + for (i=num_sids; i<strs_num_items(strs); i++) { > + sid = strs_read_at_index(strs, i); > + free(sid); > + } > strs_destroy(&strs); > if (rc != 0) { > sepol_log_err("Error writing sid rules to CIL\n"); > @@ -590,9 +602,11 @@ static int write_sid_decl_rules_to_cil(FILE *out, struct policydb *pdb) > int rc = 0; > > if (pdb->target_platform == SEPOL_TARGET_SELINUX) { > - rc = write_sids_to_cil(out, selinux_sid_to_str, pdb->ocontexts[0]); > + rc = write_sids_to_cil(out, selinux_sid_to_str, SELINUX_SID_SZ, > + pdb->ocontexts[0]); > } else if (pdb->target_platform == SEPOL_TARGET_XEN) { > - rc = write_sids_to_cil(out, xen_sid_to_str, pdb->ocontexts[0]); > + rc = write_sids_to_cil(out, xen_sid_to_str, XEN_SID_SZ, > + pdb->ocontexts[0]); > } else { > sepol_log_err("Unknown target platform: %i", pdb->target_platform); > rc = -1; 
> @@ -2479,11 +2493,12 @@ exit: > return ctx; > } > > -static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str) > +static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids) > { > struct ocontext *isid; > struct strs *strs; > - const char *sid; > + char *sid; > + char unknown[17]; > char *ctx, *rule; > unsigned i; > int rc = -1; > @@ -2495,7 +2510,13 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const > > for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { > i = isid->sid[0]; > - sid = sid_to_str[i]; > + if (i < num_sids) { > + sid = (char *)sid_to_str[i]; > + } else { > + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); > + sid = unknown; > + } > + > ctx = context_to_str(pdb, &isid->context[0]); > if (!ctx) { > rc = -1; > @@ -2531,7 +2552,8 @@ exit: > > static int write_selinux_isid_rules_to_cil(FILE *out, struct policydb *pdb) > { > - return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str); > + return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str, > + SELINUX_SID_SZ); > } > > static int write_selinux_fsuse_rules_to_cil(FILE *out, struct policydb *pdb) > @@ -2884,7 +2906,7 @@ exit: > > static int write_xen_isid_rules_to_cil(FILE *out, struct policydb *pdb) > { > - return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str); > + return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str, XEN_SID_SZ); > } > > static int write_xen_pirq_rules_to_cil(FILE *out, struct policydb *pdb) > diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h > index 7c5edbd6..dacfe97e 100644 > --- a/libsepol/src/kernel_to_common.h > +++ b/libsepol/src/kernel_to_common.h 
> @@ -43,6 +43,8 @@ static const char * const selinux_sid_to_str[] = { > "devnull", > }; > > +#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0])) > + > static const char * const xen_sid_to_str[] = { > "null", > "xen", > @@ -57,6 +59,8 @@ static const char * const xen_sid_to_str[] = { > "device", > }; > > +#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0])) > + > static const uint32_t avtab_flavors[] = { > AVTAB_ALLOWED, > AVTAB_AUDITALLOW, > diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c > index a98b5ca9..7e04a13b 100644 > --- a/libsepol/src/kernel_to_conf.c > +++ b/libsepol/src/kernel_to_conf.c > @@ -428,22 +428,30 @@ static int write_class_decl_rules_to_conf(FILE *out, struct policydb *pdb) > return 0; > } > > -static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct ocontext *isids) > +static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, > + unsigned num_sids, struct ocontext *isids) > { > struct ocontext *isid; > struct strs *strs; > char *sid; > + char unknown[17]; > unsigned i; > int rc; > > - rc = strs_init(&strs, SECINITSID_NUM+1); > + rc = strs_init(&strs, num_sids+1); > if (rc != 0) { > goto exit; > } > > for (isid = isids; isid != NULL; isid = isid->next) { > i = isid->sid[0]; > - rc = strs_add_at_index(strs, (char *)sid_to_str[i], i); > + if (i < num_sids) { > + sid = (char *)sid_to_str[i]; > + } else { > + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); > + sid = strdup(unknown); > + } > + rc = strs_add_at_index(strs, sid, i); > if (rc != 0) { > goto exit; > } > @@ -458,6 +466,10 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct o > } > > exit: > + for (i=num_sids; i<strs_num_items(strs); i++) { > + sid = strs_read_at_index(strs, i); > + free(sid); > + } > strs_destroy(&strs); > if (rc != 0) { > sepol_log_err("Error writing sid rules to policy.conf\n"); 
> @@ -471,9 +483,11 @@ static int write_sid_decl_rules_to_conf(FILE *out, struct policydb *pdb) > int rc = 0; > > if (pdb->target_platform == SEPOL_TARGET_SELINUX) { > - rc = write_sids_to_conf(out, selinux_sid_to_str, pdb->ocontexts[0]); > + rc = write_sids_to_conf(out, selinux_sid_to_str, SELINUX_SID_SZ, > + pdb->ocontexts[0]); > } else if (pdb->target_platform == SEPOL_TARGET_XEN) { > - rc = write_sids_to_conf(out, xen_sid_to_str, pdb->ocontexts[0]); > + rc = write_sids_to_conf(out, xen_sid_to_str, XEN_SID_SZ, > + pdb->ocontexts[0]); > } else { > sepol_log_err("Unknown target platform: %i", pdb->target_platform); > rc = -1; > @@ -2339,11 +2353,12 @@ static char *context_to_str(struct policydb *pdb, struct context_struct *con) > return ctx; > } > > -static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str) > +static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids) > { > struct ocontext *isid; > struct strs *strs; > - const char *sid; > + char *sid; > + char unknown[17]; > char *ctx, *rule; > unsigned i; > int rc; > @@ -2355,7 +2370,13 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons > > for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { > i = isid->sid[0]; > - sid = sid_to_str[i]; > + if (i < num_sids) { > + sid = (char *)sid_to_str[i]; > + } else { > + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); > + sid = unknown; > + } > + > ctx = context_to_str(pdb, &isid->context[0]); > if (!ctx) { > rc = -1; > @@ -2391,7 +2412,8 @@ exit: > > static int write_selinux_isid_rules_to_conf(FILE *out, struct policydb *pdb) > { > - return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str); > + return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str, > + SELINUX_SID_SZ); > } > > static int write_selinux_fsuse_rules_to_conf(FILE *out, struct policydb *pdb) 
> @@ -2745,7 +2767,7 @@ exit:
>
> static int write_xen_isid_rules_to_conf(FILE *out, struct policydb *pdb)
> {
> - return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str);
> + return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str, XEN_SID_SZ);
> }
>
>
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index 8ab0dfce..7fc29cbd 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -2548,23 +2548,33 @@ static int context_to_cil(struct policydb *pdb, struct context_struct *con)
> }
>
> static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string,
> - struct ocontext *isids)
> + unsigned num_sids, struct ocontext *isids)
> {
> int rc = -1;
>
> struct ocontext *isid;
>
> struct sid_item {
> - const char *sid_key;
> + char *sid_key;
> struct sid_item *next;
> };
>
> struct sid_item *head = NULL;
> struct sid_item *item = NULL;
> + char *sid;
> + char unknown[17];
> + unsigned i;
>
> for (isid = isids; isid != NULL; isid = isid->next) {
> - cil_println(0, "(sid %s)", sid_to_string[isid->sid[0]]);
> - cil_printf("(sidcontext %s ", sid_to_string[isid->sid[0]]);
> + i = isid->sid[0];
> + if (i < num_sids) {
> + sid = (char*)sid_to_string[i];
> + } else {
> + snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
> + sid = unknown;
> + }
> + cil_println(0, "(sid %s)", sid);
> + cil_printf("(sidcontext %s ", sid);
> context_to_cil(pdb, &isid->context[0]);
> cil_printf(")\n");
>
> @@ -2576,7 +2586,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
> rc = -1;
> goto exit;
> }
> - item->sid_key = sid_to_string[isid->sid[0]];
> + item->sid_key = strdup(sid);
> item->next = head;
> head = item;
> }
> @@ -2595,6 +2605,7 @@ exit:
> while(head) {
> item = head;
> head = item->next;
> + free(item->sid_key);
> free(item);
> }
> return rc;
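Review bot: `item->sid_key = strdup(sid);` in the second module_to_cil.c hunk is not checked, so on allocation failure a NULL key is linked into the list and reaches whatever consumes `sid_key` later in the function (outside this hunk), while the `rc = -1; goto exit;` pair just above it shows the error handling the author intended for the node allocation. Because the cleanup at `exit:` now frees `item->sid_key` for every linked node, the unlinked item has to be released before jumping, as below. ocontext_isid_to_cil starts and ends outside this hunk.
```c
			item->sid_key = strdup(sid);
			if (!item->sid_key) {
				free(item); /* not linked yet, so the exit: loop would not reach it */
				rc = -1;
				goto exit;
			}
			item->next = head;
			head = item;
```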
> @@ -2604,7 +2615,7 @@ static int ocontext_selinux_isid_to_cil(struct policydb *pdb, struct ocontext *i
> {
> int rc = -1;
>
> - rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, isids);
> + rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, SELINUX_SID_SZ, isids);
> if (rc != 0) {
> goto exit;
> }
> @@ -2833,7 +2844,7 @@ static int ocontext_xen_isid_to_cil(struct policydb *pdb, struct ocontext *isids
> {
> int rc = -1;
>
> - rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, isids);
> + rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, XEN_SID_SZ, isids);
> if (rc != 0) {
> goto exit;
> }
> --
> 2.17.1
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 4/4] libsepol: Add two new Xen initial SIDs 2018-10-11 12:35 [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files James Carter ` (2 preceding siblings ...) 2018-10-11 12:35 ` [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range James Carter @ 2018-10-11 12:35 ` James Carter 2018-10-11 23:58 ` [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files William Roberts 4 siblings, 0 replies; 9+ messages in thread From: James Carter @ 2018-10-11 12:35 UTC (permalink / raw) To: selinux; +Cc: selinux Xen uses the initial SIDs domU and domDM in its toolstack, so it makes sense to add these to xen_sid_to_str[] in kernel_to_common.h Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/src/kernel_to_common.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
index dacfe97e..8aa483fa 100644
--- a/libsepol/src/kernel_to_common.h
+++ b/libsepol/src/kernel_to_common.h
@@ -57,6 +57,8 @@ static const char * const xen_sid_to_str[] = {
"iomem",
"irq",
"device",
+ "domU",
+ "domDM",
};

#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
--
2.17.1 ^ permalink raw reply related [flat|nested] 9+ messages in thread
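Review bot: The position of each string in `xen_sid_to_str[]` is the initial SID number it names, so appending "domU" and "domDM" after "device" is only correct if Xen assigns them those two numbers; the commit message says the toolstack uses them but does not state their numbers, and nothing in the table records that the order is load-bearing. A comment above the array, `/* Index is the Xen initial SID number: keep the order of Xen's initial SID list and only ever append. */`, would keep a later addition from being inserted in the middle and silently renaming every SID after it. `XEN_SID_SZ` a few lines below is derived from the array, so the range checks introduced in patch 3/4 pick up the two new entries without further change.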
* Re: [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files 2018-10-11 12:35 [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files James Carter ` (3 preceding siblings ...) 2018-10-11 12:35 ` [PATCH 4/4] libsepol: Add two new Xen initial SIDs James Carter @ 2018-10-11 23:58 ` William Roberts 2018-10-15 17:39 ` William Roberts 4 siblings, 1 reply; 9+ messages in thread From: William Roberts @ 2018-10-11 23:58 UTC (permalink / raw) To: James Carter; +Cc: selinux, selinux On Thu, Oct 11, 2018 at 5:37 AM James Carter <jwcart2@tycho.nsa.gov> wrote: > > [Resending because I originally only sent these to the new list] > > - Removes some redundent definitions of initial sid name strings > - Adds range checking when looking up an initial sid name string for an index > - Adds two new Xen initial sids > > James Carter (4): > libsepol: Rename kernel_to_common.c stack functions > libsepol: Eliminate initial sid string definitions in module_to_cil.c > libsepol: Check that initial sid indexes are within the valid range > libsepol: Add two new Xen initial SIDs > > libsepol/src/kernel_to_cil.c | 78 +++++++++++++++++++++------------ > libsepol/src/kernel_to_common.c | 10 ++--- > libsepol/src/kernel_to_common.h | 16 ++++--- > libsepol/src/kernel_to_conf.c | 78 +++++++++++++++++++++------------ > libsepol/src/module_to_cil.c | 78 +++++++++------------------------ > 5 files changed, 136 insertions(+), 124 deletions(-) LGTM. I ran these locally and they seemed to be OK and I was able to list the new SIDs from the policy db. I staged them here to have travis run the CI as well: https://github.com/SELinuxProject/selinux/pull/104 > > -- > 2.17.1 > > _______________________________________________ > Selinux mailing list > Selinux@tycho.nsa.gov > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. 
* Re: [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files 2018-10-11 23:58 ` [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files William Roberts @ 2018-10-15 17:39 ` William Roberts 0 siblings, 0 replies; 9+ messages in thread From: William Roberts @ 2018-10-15 17:39 UTC (permalink / raw) To: James Carter; +Cc: selinux, selinux merged: https://github.com/SELinuxProject/selinux/pull/104 On Thu, Oct 11, 2018 at 4:58 PM William Roberts <bill.c.roberts@gmail.com> wrote: > > On Thu, Oct 11, 2018 at 5:37 AM James Carter <jwcart2@tycho.nsa.gov> wrote: > > > > [Resending because I originally only sent these to the new list] > > > > - Removes some redundent definitions of initial sid name strings > > - Adds range checking when looking up an initial sid name string for an index > > - Adds two new Xen initial sids > > > > James Carter (4): > > libsepol: Rename kernel_to_common.c stack functions > > libsepol: Eliminate initial sid string definitions in module_to_cil.c > > libsepol: Check that initial sid indexes are within the valid range > > libsepol: Add two new Xen initial SIDs > > > > libsepol/src/kernel_to_cil.c | 78 +++++++++++++++++++++------------ > > libsepol/src/kernel_to_common.c | 10 ++--- > > libsepol/src/kernel_to_common.h | 16 ++++--- > > libsepol/src/kernel_to_conf.c | 78 +++++++++++++++++++++------------ > > libsepol/src/module_to_cil.c | 78 +++++++++------------------------ > > 5 files changed, 136 insertions(+), 124 deletions(-) > > LGTM. I ran these locally and they seemed to be OK and I was able > to list the new SIDs from the policy db. > > I staged them here to have travis run the CI as well: > https://github.com/SELinuxProject/selinux/pull/104 > > > > > -- > > 2.17.1 > > > > _______________________________________________ > > Selinux mailing list > > Selinux@tycho.nsa.gov > > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov. 
> > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov. ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH 0/4] libsepol: Cleanup initial sid handling when writing CIL and policy.conf files @ 2018-10-05 13:57 James Carter 0 siblings, 0 replies; 9+ messages in thread From: James Carter @ 2018-10-05 13:57 UTC (permalink / raw) To: selinux - Removes some redundant definitions of initial sid name strings - Adds range checking when looking up an initial sid name string for an index - Adds two new Xen initial sids James Carter (4): libsepol: Rename kernel_to_common.c stack functions libsepol: Eliminate initial sid string definitions in module_to_cil.c libsepol: Check that initial sid indexes are within the valid range libsepol: Add two new Xen initial SIDs libsepol/src/kernel_to_cil.c | 78 +++++++++++++++++++++------------ libsepol/src/kernel_to_common.c | 10 ++--- libsepol/src/kernel_to_common.h | 16 ++++--- libsepol/src/kernel_to_conf.c | 78 +++++++++++++++++++++------------ libsepol/src/module_to_cil.c | 78 +++++++++------------------------ 5 files changed, 136 insertions(+), 124 deletions(-) -- 2.17.1 ^ permalink raw reply [flat|nested] 9+ messages in thread