80bc7ee8faaddfa7a650994fa82a57f41a9e7475 |
|
22-Apr-2015 |
Jeff Vander Stoep <jeffv@google.com> |
Add support for ioctl command whitelisting

Adds support for new policy statements whitelisting individual ioctl commands. Ioctls provide many of the operations necessary for driver control. The typical driver supports a device specific set of operations accessible by the ioctl system call and specified by the command argument. SELinux provides per operation access control to many system operations e.g. chown, kill, setuid, ipc_lock, etc. Ioctls on the other hand are granted on a per file descriptor basis using the ioctl permission, meaning that the set of operations provided by the driver are granted on an all-or-nothing basis. In some cases this may be acceptable, but often the same driver provides a large and diverse set of operations such as benign and necessary functionality as well as dangerous capabilities or access to system information that should be restricted.

Example policy:
allow <source> <target>:<class> { 0x8900-0x8905 0x8910 }
auditallow <source> <target>:<class> 0x8901

The ioctl permission is still required in order to make an ioctl call. If no individual ioctl commands are specified, only the ioctl permission is checked by the kernel - i.e. status quo. This allows ioctl whitelisting to be done in a targeted manner, protecting desired drivers without requiring every ioctl command to be known and specified before use and otherwise allowing existing policy to be used as-is.

This only implements ioctl whitelisting support for monolithic kernel policies built via checkpolicy. Support for modules and CIL remains to be done.

Bug: 19419509
Change-Id: I198e8c9279b94d8ce4ae5625018daa99577ee970
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/src/expand.c
|
f0290677091e7eee4a3724a2a86ede9e11f93802 |
|
17-Mar-2015 |
Daniel De Graaf <dgdegra@tycho.nsa.gov> |
libsepol, checkpolicy: add device tree ocontext nodes to Xen policy In Xen on ARM, device tree nodes identified by a path (string) need to be labeled by the security policy. Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
/external/selinux/libsepol/src/expand.c
|
e7694874c20efaf6670f6639b0383077015b8d0c |
|
22-Feb-2015 |
Chris PeBenito <cpebenito@tresys.com> |
libsepol: Fix error path in mls_semantic_level_expand(). If the level contains a category that is not associated with a sensitivity, the code correctly detects the condition, but does not return an error. Signed-off-by: Chris PeBenito <cpebenito@tresys.com> Acked-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/expand.c
|
ed7a6ba24ad3241e696fa7bc9bb56bb4f373147b |
|
16-Dec-2014 |
dcashman <dcashman@google.com> |
Allow libsepol C++ static library on device. Change-Id: I7da601767c3a4ebed7274e33304d8b589a9115fe Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/src/expand.c
|
678ec5df790b0ff3c9dbb041be670a5916838e29 |
|
24-Nov-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Fix expand logic for policy versions older than 24. This was broken for older policy versions when we updated to version 24. Broken by commit 787f2f00f5d8ed6f5f. Change-Id: I4063334c5c0462ef5c3706611c7dff5c60c612aa Reported-by: William Roberts <bill.c.roberts@gmail.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/src/expand.c
|
9e746d6a693c2090694407c218300cfa4b8469a0 |
|
16-Apr-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Improve error message for name-based transition conflicts. Quote the component name. Reorder the arguments to more closely align with the rule syntax. Use a more descriptive text that will more clearly correspond to the original rule. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/src/expand.c
|
e910cf6e62d94d09e810bd173c14c5c4afb72242 |
|
15-Apr-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Revert "libsepol: filename_trans: use some better sorting to compare and merge" This change was incorrect and can yield duplicate file name transition rules. Revert it and look at converting the filename_trans list to a hashtab as has already been done in the kernel in the future. This reverts commit a29f6820c52b60b9028298cde9962dd140bbf9ea. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/src/expand.c
|
a80a48cb1907162b1fce8f0af38d062fca39a635 |
|
24-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Fix for binary policy modules. They do not retain the neverallow source information so we must not assume that source_filename is set. Either need a new binary module format if we want to propagate this information for modular builds or get rid of binary modules. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/src/expand.c
|
ef24ade029329a6e9981bd1de2ba7b9ea48e1c79 |
|
05-Mar-2014 |
Stephen Smalley <sds@tycho.nsa.gov> |
Report source file and line information for neverallow failures. Change-Id: I0def97a5f2f6097e2dad7bcd5395b8fa740d7073 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
/external/selinux/libsepol/src/expand.c
|
9eefe11b3a94307a3f5432316a59d1f8e3268429 |
|
28-Oct-2013 |
Richard Haines <richard_c_haines@btinternet.com> |
libsepol: V1 Allow constraint denials to be determined. Adds policy source defined 'type' or 'typeattribute' names to constraints by adding additional structures (->type_names->types) to a binary policy. Before this change all typeattributes were expanded to lists of types and added to the constraint under ->names. This made it difficult for system admins to determine from the policy source what attribute needed to be updated. To facilitate analysis of constraint failures a new function has also been added, see sepol_compute_av_reason_buffer. As additional structures have been added to policy, the policy version is also updated (POLICYDB_VERSION_CONSTRAINT_NAMES). There is also a corresponding kernel patch to handle the additional structures. sepol_compute_av_reason_buffer is an extended version of sepol_compute_av_reason. This will return a buffer with constraint expression information, containing the constraint type, class, perms, keywords, etc. It will also contain which constraint expr failed plus the final outcome. The buffer MUST be freed with free(3). The type information output by sepol_compute_av_reason_buffer depends on the policy version: If >= POLICYDB_VERSION_CONSTRAINT_NAMES, then the output will be whatever was in the original policy (type or attribute names). If < POLICYDB_VERSION_CONSTRAINT_NAMES, then the output will be the types listed in the constraint (as no attribute information is available in these versions). For users and roles, whatever the policy version, only the names are listed (as role attributes are not currently held in the constraint). Also added are two functions that obtain the class and permissions from a binary policy file that has been loaded for testing: sepol_string_to_security_class sepol_string_to_av_perm Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
/external/selinux/libsepol/src/expand.c
|
56258807ea4b33cf3c7a1dbf1b574ab77c91f899 |
|
25-Oct-2013 |
Stephen Smalley <sds@tycho.nsa.gov> |
Revert "Richard Haines patch that allows us discover constraint violation information" This reverts commit 56b49ab7114f367f46b70e41d84dc7e6d52d5209. Conflicts: libselinux/src/audit2why.c
/external/selinux/libsepol/src/expand.c
|
56b49ab7114f367f46b70e41d84dc7e6d52d5209 |
|
09-Oct-2013 |
Dan Walsh <dwalsh@redhat.com> |
Richard Haines patch that allows us to discover constraint violation information Basically we need this information to allow audit2allow/audit2why to better describe which constraint is being broken.
/external/selinux/libsepol/src/expand.c
|
92788715dc793f805b0ae56844216b844a34ea22 |
|
10-Jan-2013 |
Alice Chu <alice.chu@sta.samsung.com> |
libsepol: Fix memory leak issues found by Klocwork Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/libsepol/src/expand.c
|
693f5241fdd5ae7e89d4312b85443c0fc1b1a57d |
|
18-Dec-2012 |
Eric Paris <eparis@redhat.com> |
checkpolicy: libsepol: implement default type policy syntax We currently have a mechanism in which the default user, role, and range can be picked up from the source or the target object. This implements the same thing for types. The kernel will override this with type transition rules and similar. This is just the default if nothing specific is given. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/expand.c
|
afe88d8c69543b2ebd6e25efdaab76f40ea4d3c7 |
|
11-Dec-2012 |
Eric Paris <eparis@redhat.com> |
libsepol: coverity fixes Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/expand.c
|
a29f6820c52b60b9028298cde9962dd140bbf9ea |
|
25-May-2012 |
Adam Tkac <atkac@redhat.com> |
libsepol: filename_trans: use some better sorting to compare and merge The expand_filename_trans() function consumed the vast majority of time by comparison of two lists with a dumb algorithm with O(n^2) complexity. Now it chunks one list by its filename_trans->stype value to limit the number of elements which need to be walked when comparing a filename_trans_t element with this chunked list. This change speeds up se* commands by 80%. Signed-off-by: Adam Tkac <atkac@redhat.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/expand.c
|
2ef297d4c80b7e55d9a33e20b44c540ffc6ad351 |
|
25-Feb-2012 |
Harry Ciao <qingtao.cao@windriver.com> |
libsepol: role_fix_callback skips out-of-scope roles during expansion. If a role identifier is out of scope it would be skipped over during expansion, accordingly, be it a role attribute, it should be skipped over as well when role_fix_callback tries to propagate its capability to all its sub-roles. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/libsepol/src/expand.c
|
1f3bca77e04687afb87a7a4e034298c9c955919b |
|
12-Jun-2012 |
Chris PeBenito <cpebenito@tresys.com> |
libsepol: check for missing initial SID labeling statement. If an initial SID is missing a labeling statement, the compiler will segfault when trying to copy the context during expand. Check for this situation to handle it gracefully. This fixes ocontext_copy_selinux() and ocontext_copy_xen(). Signed-off-by: Chris PeBenito <cpebenito@tresys.com> Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/libsepol/src/expand.c
|
e26b58b08e92f823ff2f7e20ffd3124b7c5f8ccf |
|
12-Jun-2012 |
Chris PeBenito <cpebenito@tresys.com> |
libsepol: Move context_copy() after switch block in ocontext_copy_*(). If an initial SID is missing a labeling statement, the compiler will segfault on the context_copy(). Move the context copy after the switch block so that the existence of the initial SID label can be checked before trying to copy the context. This fixes both ocontext_copy_selinux() and ocontext_copy_xen(). Signed-off-by: Chris PeBenito <cpebenito@tresys.com> Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/libsepol/src/expand.c
|
4a33c78ca572598ff76976a41d8b456293dfaebc |
|
30-Aug-2012 |
Stephen Smalley <sds@tycho.nsa.gov> |
libsepol: fix neverallow checking on attributes Ole Kliemann reported that allow rules written using type attributes were not being detected by neverallow assertions in the policy. I think that this was broken in policy.24 and later due to changes in the type datum. Fix the expand logic to correctly distinguish type attributes from types. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Eric Paris <eparis@redhat.com>
/external/selinux/libsepol/src/expand.c
|
d21ec5a5605f708b70e0b685b76f03a978f2008c |
|
25-May-2012 |
Adam Tkac <atkac@redhat.com> |
libsepol: prepend instead of append to filename_trans list Currently the expand_filename_trans() function uses much CPU time to find the end of the state->out->filename_trans list. This is not needed because data can be prepended instead of appended to the list. This ends with a 10% speed-up of various se* commands (semodule, setsebool). Signed-off-by: Adam Tkac <atkac@redhat.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/expand.c
|
c43f5b1d34d9cbdc767254046d9b7e0ab47b866d |
|
29-May-2012 |
Eric Paris <eparis@redhat.com> |
libsepol: cosmetic changes to make the source easier to read Strict adherence to 80 characters means that we split stuff in stupid places. Screw 80 characters. Buy a bigger monitor. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/expand.c
|
09c783c9a36cd47216df827c5d2c21ec8cd613e2 |
|
05-Dec-2011 |
Eric Paris <eparis@redhat.com> |
libsepol: checkpolicy: implement new default labeling behaviors We would like to be able to say that the user, role, or range of a newly created object should be based on the user, role, or range of either the source or the target of the creation operation. aka, for a new file this could be the user of the creating process or the user of the parent directory. This patch implements the new language and the policydb support to give this information to the kernel. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/expand.c
|
0a778ba601d68ef91304f90c101b5dc67d433e04 |
|
31-Oct-2011 |
Eric Paris <eparis@redhat.com> |
libsepol: expand: do filename_trans type comparison on mapped representation The filename_trans code had a bug where duplicate detection was being done between the unmapped type value of a new rule and the type value of rules already in policy. This meant that duplicates were not being silently dropped and were instead outputting a message that there was a problem. It made things hard because the message WAS using the mapped type to convert to the string representation, so it didn't look like a dup! Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/expand.c
|
9f709e6bab863036950644a7dd470d50663b558b |
|
01-Sep-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
libsepol: Preserve tunables when required by semodule program. If the "-P/--preserve_tunables" option is set for the semodule program, the preserve_tunables flag in sepol_handle_t would be set, then all tunables would be treated as booleans by having their TUNABLE flag bit cleared, resulting in all tunables' if-else conditionals being preserved for raw policy. Note, such an option would invalidate the logic to double-check if tunables ever mix with booleans in one expression, so skip the call to assert() when this option is passed. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/expand.c
|
5722d765c756ac8dc52c52077f9311b8886fe8da |
|
01-Sep-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
libsepol: Skip tunable identifier and cond_node_t in expansion. The effective branch of a tunable has been appended to its home decl->avrules list during link, in expansion we should just skip tunables from expanding their rules into te_cond_avtab hashtab and adding to the out->cond_list queue. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/expand.c
|
ad5951fcb142cf9c2e899d3d99ce35b729b66b4c |
|
01-Sep-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
libsepol: Permanently discard disabled branches of tunables in expansion. For a cond_node_t in one decl->cond_list queue, append its avtrue_list or avfalse_list to the avrules list of its home decl depending on its state value, so that these effective rules would be permanently added to te_avtab hashtab. On the other hand, the rules on the disabled unused list won't be expanded and written to the raw policy at all. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/expand.c
|
dbc9a61819ea9a6b61bb29a2765b319ac974a775 |
|
02-Aug-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
libsepol: Only call role_fix_callback for base.p_roles during expansion. expand_role_attributes() would merge the sub role attribute's roles ebitmap into that of the parent, then clear it off from the parent's roles ebitmap. This supports the assertion in role_fix_callback() that any role attribute's roles ebitmap contains just regular roles. expand_role_attribute() works on the base.p_roles table but not any block/decl's p_roles table, so the above assertion in role_fix_callback could fail when it is called for block/decl and some role attribute is added into another. Since the effect of get_local_role() would have been complemented by the populate_roleattributes() at the end of the link phase, there is no need (and it is wrong) to call role_fix_callback() for block/decl in the expand phase. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
/external/selinux/libsepol/src/expand.c
|
1867652e5424e867cea542a9311ccdc5fa9ec835 |
|
20-Apr-2011 |
Eric Paris <eparis@redhat.com> |
libsepol: use mapped role number instead of module role number When expanding a module which includes role transitions we were comparing the numeric value of the base policy role with the numeric value of the unmapped role in the module. Comparisons between role values need to both be in terms of the mapped role in the base module. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Harry Ciao <qingtao.cao@windriver.com>
/external/selinux/libsepol/src/expand.c
|
3592ebea1a5beb390a520c09747d3699867af9de |
|
25-Jul-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
Add role attribute support when expanding role_set_t. When the rolemap and pointer to the base module are available, if a non-zero bit in role_set_t.roles is a role attribute, expand it before remap. Note, during module compile the rolemap may not be available; the potential duplicates of a regular role and the role attribute that the regular role belongs to could be properly handled by copy_role_allow() and copy_role_trans() during module expansion. Take advantage of the role_val_to_struct[] of the base module, since when role_set_expand() is invoked, the role_val_to_struct[] of the out module may not have been established yet. Also clean up the error handling of role_set_expand(). Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/expand.c
|
d4d90eceeba902874252fd7c1b9384fc5b1605d4 |
|
25-Jul-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
Add role attribute support when expanding role_datum_t.
1. Copy the flavor flag into its counterpart in the out module;
2. Fix all role attributes in the base module:
2.1 remap the roles ebitmap and merge into its counterpart in the out module;
2.2 escalate the types.types ebitmap of its counterpart in the out module, to the counterparts for all the regular roles that belong to the current role attribute.
The role_fix_callback() must be called after role_copy_callback() so that state->rolemap[] is available. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/expand.c
|
6eeb71538ea29b639ac7549831cd1aa4da32722a |
|
12-Apr-2011 |
Eric Paris <eparis@redhat.com> |
libsepol: add support for filenametrans rule This patch adds libsepol support for filename_trans rules. These rules allow one to make labeling decisions for new objects based partially on the last path component. They are stored in a list. If we find that the number of rules grows to a significant size I will likely choose to store these in a hash, both in libsepol and in the kernel. But as long as the number of such rules stays small, this should be good. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/expand.c
|
6db9b74210197f792a52038abbd10e946e99e49d |
|
25-Mar-2011 |
Harry Ciao <qingtao.cao@windriver.com> |
Userspace: handle the class in role_trans_rule Add class support to various functions to handle role_trans_rule_t structures. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Steve Lawrence <slawrence@tresys.com>
/external/selinux/libsepol/src/expand.c
|
505c75aad7f16e0db9ccfeb04eaa70f242e6b060 |
|
29-Sep-2009 |
Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> |
libsepol: Add support for multiple target OSes On Wed, 2009-09-16 at 09:58 -0400, Joshua Brindle wrote: > I'd rather have separate ocontext structs for each system. That way it > is very easy to understand which ones apply to which system and you > don't get a crazy out of context ocontext struct. > I looked into having separate ocontext structs but that would involve changing a lot of files making the patch much larger and more intrusive. > > } u; > > union { > > uint32_t sclass; /* security class for genfs */ 
> > @@ -313,6 +323,17 @@ typedef struct genfs { > > #define OCON_NODE6 6 /* IPv6 nodes */ > > #define OCON_NUM 7 > > > > +/* object context array indices for Xen */ > > +#define OCON_ISID 0 /* initial SIDs */ > > +#define OCON_PIRQ 1 /* physical irqs */ > > +#define OCON_IOPORT 2 /* io ports */ > > +#define OCON_IOMEM 3 /* io memory */ > > +#define OCON_DEVICE 4 /* pci devices */ > > +#define OCON_DUMMY1 5 /* reserved */ > > +#define OCON_DUMMY2 6 /* reserved */ > > +#define OCON_NUM 7 > > + > > + > > > Should these be namespaced? What if <random other system> has io port > objects? You'd have to align them with each other and you have a mess of > keeping the numbers the same (you already do this with OCON_ISID) Variables have been namespaced and there is no more overlap with OCON_ISID. > Also we are relying on having the same number of OCON's which isn't good > I don't think. As much as I hate the policydb_compat_info (read: alot) > why aren't we using that to say how many ocons a xen policy really has? OCON_NUM is now dynamically read through policydb_compat_info. > This is messy, why not an ocontext_selinux_free() and > ocontext_xen_free() (note: I realize the xen_free() one won't do > anything except freep the ocontext_t) > done. > > > > len = buf[1]; > > - if (len != strlen(target_str)&& > > - (!alt_target_str || len != strlen(alt_target_str))) { > > - ERR(fp->handle, "policydb string length %zu does not match " > > - "expected length %zu", len, strlen(target_str)); > > + if (len> 32) { > > > > magic number 32? #defined. Thanks for your input. Below is the updated patch for libsepol. ---- libsepol/include/sepol/policydb/policydb.h | 28 ++ libsepol/src/expand.c | 85 +++++++- libsepol/src/policydb.c | 295 +++++++++++++++++++++++------ libsepol/src/policydb_internal.h | 1 libsepol/src/private.h | 4 libsepol/src/write.c | 93 ++++++++- 6 files changed, 443 insertions(+), 63 deletions(-) Signed-off-by: Joshua Brindle <method@manicmethod.com>
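Review bot: in the policydb string-length hunk, replacing the exact-length comparison against target_str / alt_target_str with `if (len > 32)` turns a mismatch check into a pure upper bound, so a string of any length up to 32 now passes this test; the subsequent comparison of the read bytes against the expected target string must still be performed (and must fail on a length mismatch) for the header check to keep its meaning, and the bare 32 should be a named constant as already requested in the thread.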
/external/selinux/libsepol/src/expand.c
|
f470207454f5f6ce539aa543e5168a07d667254b |
|
08-Oct-2008 |
Joshua Brindle <method@manicmethod.com> |
Author: KaiGai Kohei Email: kaigai@ak.jp.nec.com Subject: Thread/Child-Domain Assignment (rev.6) Date: Tue, 07 Oct 2008 15:39:45 +0900
>> Hmm....
>> It seems to me what you pointed out is a bug of my patch. It prevents delivering the
>> actual number of type/attribute symbols to the policy file, but it is unclear why
>> it makes libsepol ignore the policyvers.
>> (I guess it may be a separate matter.)
>>
>>> Rather than trying to calculate the length without attributes I just removed
>>> the attribute check. This causes attributes to be written for all versions,
>>> but this should not cause any problems at all.
>> The reason why I injected such ad-hoc code is that we cannot decide the policy
>> version written when type_attr_remove() is invoked.
>> Is it impossible to move it to policydb_write()?
>> It is invoked after the policyvers is fixed by the caller.
>
> It isn't impossible. You are going to have to make it walk the type
> symbol table to calculate the length without attributes, then write
> that length instead of the total symtab length.
The attached patch enables fixing up the number of type/attribute entries to be written. The type_attr_uncount() decrements the number of attribute entries skipped at type_write(). At first, I had a plan to invoke type_attr_remove() with hashtab_map_remove_on_error(), but it means the given policydb structure is modified at policydb_write() and implicit changes to the external interface. Differences from the previous version are here: Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/libsepol/src/expand.c
|
e61b36a5c78852c5d30d9512e0c69546d23ea25c |
|
07-Oct-2008 |
Joshua Brindle <method@manicmethod.com> |
Author: Joshua Brindle Email: method@manicmethod.com Subject: BUGREPORT: A type alias of invisible primary one Date: Mon, 22 Sep 2008 16:43:04 -0400
KaiGai Kohei wrote:
> Joshua Brindle wrote:
>> KaiGai Kohei wrote:
>>> I found a strange type_datum_t object which has 0 for its s.value
>>> during development of new type hierarchy checks.
>>>
>>> The strange one is "xguest_javaplugin_default_xproperty_t" which
>>> is an alias type of "xguest_javaplugin_xproperty_t".
>>>
>>> I doubted my patch at first, but it can be reproduced on the normal
>>> libsepol. It seems to me an original matter which is not exposed yet,
>>> and I am innocent. :-)
>>>
>>> During tracing the matter, I noticed the primary type is invisible
>>> at expand_module(), but the aliased one is visible. It can make the
>>> strange type_datum_t object.
>>>
>>> * at the expand_module()
>>> 1. The expand_state_t which includes typemap is initialized.
>>>
>>> 2. The type_copy_callback is invoked for any types via hashtab_map.
>>>    It only copies primary and visible types into the newer hashtab,
>>>    and sets up typemap to translate between old and new s.value.
>>>    Thus, if the given primary type is invisible, its slot of typemap
>>>    is kept at zero.
>>>    (*) is_id_enabled() for "xguest_javaplugin_xproperty_t" returned false.
>>>
>>> 3. The alias_copy_callback is invoked for any types via hashtab_map.
>>>    It only copies alias and visible types into the newer hashtab.
>>>    Here there is no check whether the primary side is visible, or not.
>>>    A copied type_datum_t object for the given alias has a new s.value
>>>    which is picked up from state->typemap.
>>>
>>> 4. However, the target slot of state->typemap was zero, because
>>>    its primary one is invisible. The aliased type has a strange
>>>    s.value.
>>>
>>> 5. Type hierarchy checks got a segmentation fault, due to
>>>    "p->type_val_to_name[datum->s.value - 1]".
>>>                         ^^^^^^^^^^^^^^^^^^ == -1
>>> Yes, we can identify the cause of the matter.
>> Do you have a policy that can be used to reproduce this?
>
> Yes, the following policy can reproduce the matter.
> - - - - [ cut here ] - - - -
> policy_module(baz, 1.0)
>
> optional_policy(`
>     gen_require(`
>         type invisible_primary_t;
>     ')
>     typealias invisible_primary_t alias visible_alias_t;
> ')
> - - - - - - - - - - - - - - -
>
> The attached patch can inject some printf()'s.
> You can see that invisible_primary_t is skipped at type_copy_callback()
> and an incorrect s.value is assigned at alias_copy_callback().
>
> Thanks,
>
This should fix it. I tested with and without your patchset on a few policies. Let me know if it doesn't work for you:
/external/selinux/libsepol/src/expand.c
|
eeb520a0453ccc3d51770c4281125086e91c4ff7 |
|
30-Sep-2008 |
Joshua Brindle <method@manicmethod.com> |
Revert "Subject: remove expand_rule function" This reverts commit 45e94541ecbe3594482975018e4ceb0fadacd92a.
/external/selinux/libsepol/src/expand.c
|
45e94541ecbe3594482975018e4ceb0fadacd92a |
|
12-Aug-2008 |
Joshua Brindle <method@manicmethod.com> |
Subject: remove expand_rule function Send again with the right date and time ;) This removes the (apparently) unused expand_rule function Signed-off-by: Joshua Brindle <method@manicmethod.com>
/external/selinux/libsepol/src/expand.c
|
13cd4c8960688af11ad23b4c946149015c80d549 |
|
19-Aug-2008 |
Joshua Brindle <method@manicmethod.com> |
initial import from svn trunk revision 2950
/external/selinux/libsepol/src/expand.c
|