From a3698bbb34c48adeb81854ce8669061690192557 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Nov 27 2012 21:31:35 +0000 Subject: Update Richard Haines patch to show constraint information --- diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch index d1d324b..bfb01af 100644 --- a/libsepol-rhat.patch +++ b/libsepol-rhat.patch @@ -307,10 +307,24 @@ index 43a71a7..7615a9b 100644 NULL }; diff --git a/libsepol/src/services.c b/libsepol/src/services.c -index 9c2920c..04f9978 100644 +index 9c2920c..096c28e 100644 --- a/libsepol/src/services.c +++ b/libsepol/src/services.c -@@ -54,6 +54,7 @@ +@@ -1,4 +1,3 @@ +- + /* + * Author : Stephen Smalley, + */ +@@ -43,6 +42,8 @@ + * Implementation of the security services. + */ + ++#define REASON_BUF_SIZE 100000 ++ + #include + #include + #include +@@ -54,6 +55,7 @@ #include #include #include @@ -318,7 +332,7 @@ index 9c2920c..04f9978 100644 #include "debug.h" #include "private.h" -@@ -112,20 +113,208 @@ int sepol_set_policydb_from_file(FILE * fp) +@@ -112,20 +114,223 @@ int sepol_set_policydb_from_file(FILE * fp) static uint32_t latest_granting = 0; /* @@ -333,7 +347,9 @@ index 9c2920c..04f9978 100644 + * then the attributes associated to them (also count these). When + * complete take the list of attributes and find those whose count + * matches the number of types. The attributes in the final list will be -+ * one of those that needs to has the type added (but which one !!!). ++ * the ones that need to have the type added to give access should this ++ * part of the expression fail (but which one - currently the only way ++ * is to check the policy source). + * + * The best way to solve this is for the compilers (checkpolicy and + * checkmodule) to add attributes to the constraint_expr_t structure @@ -349,31 +365,34 @@ index 9c2920c..04f9978 100644 +int get_names_list(const ebitmap_t * e, int type, char ** expr_buf) +{ + type_datum_t *t1 = NULL; ++ ebitmap_t *attr; + -+#define MAX_ATTRS 300 ++#define MAX_ATTRS 400 + /* Hold the type attribute names and count of instances */ + struct attr_entries { + unsigned int entry; + int count; + } attr_info[MAX_ATTRS]; + -+ int struct_count = 0; -+ int x; ++ /* Various counters */ ++ int x, rc = 0; ++ unsigned int i, z; + -+ int rc = 0; -+ unsigned int i; -+ int entry_count = 0; ++ /* ++ * If an attribute is found in ->names then set to 1. Note this ++ * will only happen with the CIL compiler 30-Mar-2012 version) and ++ * is an error but we process anyway. ++ */ + int is_attr = 0; + + char tmp_buf[100]; -+ /* if empty_set is 0, then */ ++ /* if ->names is 0, then output string */ + int empty_set = 0; + -+ ebitmap_t *attr; -+ unsigned int j; -+ ++ /* The number of types in ->names */ + int type_count = 0; + ++ /* If no buffer set then just return. */ + if (!*expr_buf) + return 0; + @@ -384,15 +403,19 @@ index 9c2920c..04f9978 100644 + + /* For type entries find how many entries so we can check attributes */ + if (type == CEXPR_TYPE) { -+ for (j = ebitmap_startbit(e); j < ebitmap_length(e); j++) { -+ if ((rc = ebitmap_get_bit(e, j)) == 0) ++ for (i = ebitmap_startbit(e); i < ebitmap_length(e); i++) { ++ if ((rc = ebitmap_get_bit(e, i)) == 0) + continue; + type_count++; + } + } + -+ /* Start the list of names where e = &e->names */ -+ strcat(*expr_buf, "{ "); ++ /* ++ * Start the list of names where e = &e->names, except for types as ++ * a list of possible attributes will be given ++ */ ++ if (type != CEXPR_TYPE) ++ strncat(*expr_buf, "names-{ ", REASON_BUF_SIZE); + + for (i = ebitmap_startbit(e); i < ebitmap_length(e); i++) { + if ((rc = ebitmap_get_bit(e, i)) == 0) @@ -400,13 +423,13 @@ index 9c2920c..04f9978 100644 + + switch (type) { + case CEXPR_USER: -+ sprintf(tmp_buf, "%s ", policydb->p_user_val_to_name[i]); -+ strcat(*expr_buf, tmp_buf); ++ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_user_val_to_name[i]); ++ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + break; + + case CEXPR_ROLE: -+ sprintf(tmp_buf, "%s ", policydb->p_role_val_to_name[i]); -+ strcat(*expr_buf, tmp_buf); ++ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_role_val_to_name[i]); ++ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + break; + + case CEXPR_TYPE: @@ -429,7 +452,7 @@ index 9c2920c..04f9978 100644 + * "can_change_process_role" is also in the others. + * + * The "cron_source_domain" will give the largest amount of attributes -+ * as there is only one type (crond_t) but has 36 associations. ++ * as there is only one type (crond_t) but has 36 attribute associations. + */ + /* + * Get node for the type ID and if an attribute just add name, @@ -438,17 +461,16 @@ index 9c2920c..04f9978 100644 + t1 = policydb->type_val_to_struct[i]; + if (t1->flavor == TYPE_ATTRIB) { + is_attr = 1; -+ sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[i]); -+ strcat(*expr_buf, tmp_buf); ++ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]); ++ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + break; + } else { -+ /* Have type so but names in buffer and sort out attrs */ -+ sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[i]); -+ strcat(*expr_buf, tmp_buf); -+ /* Process attributes attached to the type */ ++ /* Don't add type names to buffer, only attributes */ ++ /* snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]); */ ++ /* strcat(*expr_buf, tmp_buf); */ ++ /* Process attributes attached to this type */ + attr = &policydb->type_attr_map[t1->s.value-1]; -+ unsigned int z; -+ struct_count = 0; ++ + for (z = ebitmap_startbit(attr); z < ebitmap_length(attr); z++) { + if ((rc = ebitmap_get_bit(attr, z)) == 0) + continue; @@ -468,7 +490,6 @@ index 9c2920c..04f9978 100644 + } + x++; + } -+ struct_count++; + } + } + break; @@ -481,26 +502,35 @@ index 9c2920c..04f9978 100644 + break; + } + empty_set++; -+ entry_count++; + } + -+ /* End the list of names but if type then check for attributes. */ ++ /* End processing entries, now check for attributes if CEXPR_TYPE. */ + if (empty_set == 0) { -+ strcat(*expr_buf, " }"); ++ strncat(*expr_buf, "", REASON_BUF_SIZE); + } else if (type == CEXPR_TYPE && is_attr == 0) { -+ strcat(*expr_buf, "} ** Attributes associated to the types: "); ++ strncat(*expr_buf, "# POSSIBLE_ATTRIBUTES:", REASON_BUF_SIZE); + for (x = 0; x < MAX_ATTRS; x++) { + if (attr_info[x].count == type_count) { -+ sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[attr_info[x].entry]); -+ strcat(*expr_buf, tmp_buf); ++ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", ++ policydb->p_type_val_to_name[attr_info[x].entry]); ++ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + } + } -+ strcat(*expr_buf, "**"); -+ } else -+ strcat(*expr_buf, "}"); ++ } ++ strncat(*expr_buf, "\n", REASON_BUF_SIZE); + return 0; +} + ++static void msgcat(char **expr_buf, char *src, char *tgt, char *rel, int failed) { ++ char tmp_buf[1024]; ++ if (*expr_buf) { ++ if (failed) ++ snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Fail-)\n", src, rel, tgt); ++ else ++ snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Pass-)\n", src, rel, tgt); ++ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); ++ } ++} + +/* + * Modified version of constraint_expr_eval @@ -518,7 +548,7 @@ index 9c2920c..04f9978 100644 + * + * This function will also build a buffer as the constraint is processed + * for analysis. If this option is not required, then: -+ * 'tclass' and 'allowed' should be '0' and expr_buf MUST be NULL. ++ * 'tclass' should be '0' and expr_buf MUST be NULL. */ -static int constraint_expr_eval(context_struct_t * scontext, +static int constraint_expr_eval_reason(context_struct_t * scontext, @@ -526,16 +556,16 @@ index 9c2920c..04f9978 100644 context_struct_t * xcontext, - constraint_expr_t * cexpr) + sepol_security_class_t tclass, -+ sepol_access_vector_t allowed, -+ constraint_expr_t * cexpr, ++ constraint_node_t *constraint, + char ** expr_buf) { uint32_t val1, val2; context_struct_t *c; -@@ -135,21 +324,68 @@ static int constraint_expr_eval(context_struct_t * scontext, +@@ -135,56 +340,112 @@ static int constraint_expr_eval(context_struct_t * scontext, int s[CEXPR_MAXDEPTH]; int sp = -1; +- for (e = cexpr; e; e = e->next) { + char tmp_buf[1024]; + +/* @@ -547,72 +577,75 @@ index 9c2920c..04f9978 100644 +#define XTARGET 3 + + int s_t_x_num = SOURCE; -+ ++ int rc = 0; + /* Set 0 = fail, u = CEXPR_USER, r = CEXPR_ROLE, t = CEXPR_TYPE */ + int u_r_t = 0; + + char *name1, *name2; ++ char *src=NULL; ++ char *tgt=NULL; + + if (*expr_buf) { + /* Get constraint statement type */ -+ sprintf(tmp_buf, "constrain "); -+ for (e = cexpr; e; e = e->next) { ++ strncpy(tmp_buf, "constrain ", sizeof(tmp_buf)); ++ for (e = constraint->expr; e; e = e->next) { + if (e->attr >= CEXPR_L1L2) { -+ sprintf(tmp_buf, "mlsconstrain "); ++ strncpy(tmp_buf, "mlsconstrain ", sizeof(tmp_buf)); + break; + } + } -+ strcat(*expr_buf, tmp_buf); ++ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + + /* Get class entry */ -+ sprintf(tmp_buf, "%s ", policydb->p_class_val_to_name[tclass - 1]); -+ strcat(*expr_buf, tmp_buf); -+ -+ /* -+ * Get permission entries sepol_av_to_string defined in util.c -+ * and its buffer to hold the perm list is 1024 chars. -+ */ -+ sprintf(tmp_buf, "{%s } ", sepol_av_to_string(policydb, tclass, allowed)); -+ strcat(*expr_buf, tmp_buf); ++ snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_class_val_to_name[tclass - 1]); ++ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); ++ ++ /* Get permission entries from the constraint node. */ ++ snprintf(tmp_buf, sizeof(tmp_buf), "{%s } (", sepol_av_to_string(policydb, tclass, ++ constraint->permissions)); ++ strncat(*expr_buf, tmp_buf, REASON_BUF_SIZE); + } + + /* Original function but with buffer support */ - for (e = cexpr; e; e = e->next) { ++ for (e = constraint->expr; e; e = e->next) { switch (e->expr_type) { case CEXPR_NOT: BUG_ON(sp < 0); s[sp] = !s[sp]; + if (*expr_buf) -+ strcat(*expr_buf, " not "); ++ strncat(*expr_buf, " not ", REASON_BUF_SIZE); break; case CEXPR_AND: BUG_ON(sp < 1); sp--; s[sp] &= s[sp + 1]; + if (*expr_buf) -+ strcat(*expr_buf, " and "); ++ strncat(*expr_buf, " and ", REASON_BUF_SIZE); break; case CEXPR_OR: BUG_ON(sp < 1); sp--; s[sp] |= s[sp + 1]; + if (*expr_buf) -+ strcat(*expr_buf, " or "); ++ strncat(*expr_buf, " or ", REASON_BUF_SIZE); break; case CEXPR_ATTR: if (sp == (CEXPR_MAXDEPTH - 1)) -@@ -158,33 +394,57 @@ static int constraint_expr_eval(context_struct_t * scontext, +- return 0; ++ goto out; ++ + switch (e->attr) { case CEXPR_USER: val1 = scontext->user; val2 = tcontext->user; -+ if (*expr_buf) -+ strcat(*expr_buf, "(u1 u2 "); ++ free(src); src = strdup("u1"); ++ free(tgt); tgt = strdup("u2"); break; case CEXPR_TYPE: val1 = scontext->type; val2 = tcontext->type; -+ if (*expr_buf) -+ strcat(*expr_buf, "(t1 t2 "); ++ free(src); src = strdup("t1"); ++ free(tgt); tgt = strdup("t2"); break; case CEXPR_ROLE: val1 = scontext->role; @@ -622,8 +655,10 @@ index 9c2920c..04f9978 100644 + if (*expr_buf) { + name1 = policydb->p_role_val_to_name[r1->s.value - 1]; + name2 = policydb->p_role_val_to_name[r2->s.value - 1]; -+ sprintf(tmp_buf, "(r1-%s r2-%s ", name1, name2); -+ strcat(*expr_buf, tmp_buf); ++ snprintf(tmp_buf,sizeof(tmp_buf), "r1-%s", name1); ++ free(src); src = strdup(tmp_buf); ++ snprintf(tmp_buf,sizeof(tmp_buf), "r2-%s ", name2); ++ free(tgt); tgt = strdup(tmp_buf); + } switch (e->op) { case CEXPR_DOM: @@ -631,26 +666,14 @@ index 9c2920c..04f9978 100644 - ebitmap_get_bit(&r1->dominates, - val2 - 1); + s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1); -+ if (*expr_buf) { -+ if (s[sp] == 0) { -+ strcat(*expr_buf, "dom -Fail-) "); -+ } else { -+ strcat(*expr_buf, "dom -Fail-) "); -+ } -+ } ++ msgcat(expr_buf, src, tgt, "dom", s[sp] == 0); continue; case CEXPR_DOMBY: - s[++sp] = - ebitmap_get_bit(&r2->dominates, - val1 - 1); + s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1); -+ if (*expr_buf) { -+ if (s[sp] == 0) { -+ strcat(*expr_buf, "domby -Fail-) "); -+ } else { -+ strcat(*expr_buf, "domby +Pass+) "); -+ } -+ } ++ msgcat(expr_buf, src, tgt, "domby", s[sp] == 0); continue; case CEXPR_INCOMP: - s[++sp] = @@ -660,136 +683,101 @@ index 9c2920c..04f9978 100644 - val1 - 1)); + s[++sp] = (!ebitmap_get_bit(&r1->dominates, val2 - 1) + && !ebitmap_get_bit(&r2->dominates, val1 - 1)); -+ if (*expr_buf) { -+ if (s[sp] == 0) { -+ strcat(*expr_buf, "incomp -Fail-) "); -+ } else { -+ strcat(*expr_buf, "incomp +Pass+) "); -+ } -+ } ++ msgcat(expr_buf, src, tgt, "incomp", s[sp] == 0); continue; default: break; -@@ -193,43 +453,90 @@ static int constraint_expr_eval(context_struct_t * scontext, +@@ -193,112 +454,203 @@ static int constraint_expr_eval(context_struct_t * scontext, case CEXPR_L1L2: l1 = &(scontext->range.level[0]); l2 = &(tcontext->range.level[0]); -+ if (*expr_buf) -+ strcat(*expr_buf, "(l1 l2 "); ++ free(src); src = strdup("l1"); ++ free(tgt); tgt = strdup("l2"); goto mls_ops; case CEXPR_L1H2: l1 = &(scontext->range.level[0]); l2 = &(tcontext->range.level[1]); -+ if (*expr_buf) -+ strcat(*expr_buf, "(l1 h2 "); ++ free(src); src = strdup("l1"); ++ free(tgt); tgt = strdup("h2"); goto mls_ops; case CEXPR_H1L2: l1 = &(scontext->range.level[1]); l2 = &(tcontext->range.level[0]); -+ if (*expr_buf) -+ strcat(*expr_buf,"(h1 l2 "); ++ free(src); src = strdup("h1"); ++ free(tgt); tgt = strdup("L2"); goto mls_ops; case CEXPR_H1H2: l1 = &(scontext->range.level[1]); l2 = &(tcontext->range.level[1]); -+ if (*expr_buf) -+ strcat(*expr_buf, "(h1 h2 "); ++ free(src); src = strdup("h1"); ++ free(tgt); tgt = strdup("h2"); goto mls_ops; case CEXPR_L1H1: l1 = &(scontext->range.level[0]); l2 = &(scontext->range.level[1]); -+ if (*expr_buf) -+ strcat(*expr_buf, "(l1 h1 "); ++ free(src); src = strdup("l1"); ++ free(tgt); tgt = strdup("h1"); goto mls_ops; case CEXPR_L2H2: l1 = &(tcontext->range.level[0]); l2 = &(tcontext->range.level[1]); -+ if (*expr_buf) -+ strcat(*expr_buf, "(l2 h2 "); - goto mls_ops; +- goto mls_ops; - mls_ops: -+ mls_ops: ++ free(src); src = strdup("l2"); ++ free(tgt); tgt = strdup("h2"); ++ mls_ops: switch (e->op) { case CEXPR_EQ: s[++sp] = mls_level_eq(l1, l2); -+ if (*expr_buf) { -+ if (s[sp] == 0) { -+ strcat(*expr_buf, "eq -Fail-) "); -+ } else { -+ strcat(*expr_buf, "eq +Pass+) "); -+ } -+ } ++ msgcat(expr_buf, src, tgt, "eq", s[sp] == 0); continue; case CEXPR_NEQ: s[++sp] = !mls_level_eq(l1, l2); -+ if (*expr_buf) { -+ if (s[sp] == 0) { -+ strcat(*expr_buf, "neq -Fail-) "); -+ } else { -+ strcat(*expr_buf, "neq +Pass+) "); -+ } -+ } ++ msgcat(expr_buf, src, tgt, "neq", s[sp] == 0); continue; case CEXPR_DOM: s[++sp] = mls_level_dom(l1, l2); -+ if (*expr_buf) { -+ if (s[sp] == 0) { -+ strcat(*expr_buf, "dom -Fail-) "); -+ } else { -+ strcat(*expr_buf, "dom +Pass+) "); -+ } -+ } ++ msgcat(expr_buf, src, tgt, "dom", s[sp] == 0); continue; case CEXPR_DOMBY: s[++sp] = mls_level_dom(l2, l1); -+ if (*expr_buf) { -+ if (s[sp] == 0) { -+ strcat(*expr_buf, "domby -Fail-) "); -+ } else { -+ strcat(*expr_buf, "domby +Pass+) "); -+ } -+ } ++ msgcat(expr_buf, src, tgt, "domby", s[sp] == 0); continue; case CEXPR_INCOMP: s[++sp] = mls_level_incomp(l2, l1); -+ if (*expr_buf) { -+ if (s[sp] == 0) { -+ strcat(*expr_buf, "incomp -Fail-) "); -+ } else { -+ strcat(*expr_buf, "incomp +Pass+) "); -+ } -+ } ++ msgcat(expr_buf, src, tgt, "incomp", s[sp] == 0); continue; default: BUG(); -@@ -244,9 +551,23 @@ static int constraint_expr_eval(context_struct_t * scontext, +- return 0; ++ goto out; + } + break; + default: + BUG(); +- return 0; ++ goto out; + } + switch (e->op) { case CEXPR_EQ: s[++sp] = (val1 == val2); -+ if (*expr_buf) { -+ if (s[sp] == 0) { -+ strcat(*expr_buf, "eq -Fail-) "); -+ } else { -+ strcat(*expr_buf, "eq +Pass+) "); -+ } -+ } ++ msgcat(expr_buf, src, tgt, "eq", s[sp] == 0); break; case CEXPR_NEQ: s[++sp] = (val1 != val2); -+ if (*expr_buf) { -+ if (s[sp] == 0) { -+ strcat(*expr_buf, "neq -Fail-) "); -+ } else { -+ strcat(*expr_buf, "neq +Pass+) "); -+ } -+ } ++ msgcat(expr_buf, src, tgt, "neq", s[sp] == 0); break; default: BUG(); -@@ -256,22 +577,46 @@ static int constraint_expr_eval(context_struct_t * scontext, +- return 0; ++ goto out; + } + break; case CEXPR_NAMES: if (sp == (CEXPR_MAXDEPTH - 1)) - return 0; +- return 0; ++ goto out; + s_t_x_num = SOURCE; c = scontext; - if (e->attr & CEXPR_TARGET) @@ -808,7 +796,7 @@ index 9c2920c..04f9978 100644 - if (e->attr & CEXPR_USER) + if (!c) { + BUG(); -+ return 0; ++ goto out; + } + if (e->attr & CEXPR_USER) { + u_r_t = CEXPR_USER; @@ -816,8 +804,8 @@ index 9c2920c..04f9978 100644 - else if (e->attr & CEXPR_ROLE) + if (*expr_buf) { + name1 = policydb->p_user_val_to_name[val1 - 1]; -+ sprintf(tmp_buf, "(u%d-%s ", s_t_x_num, name1); -+ strcat(*expr_buf, tmp_buf); ++ snprintf(tmp_buf,sizeof(tmp_buf), "u%d=%s ", s_t_x_num, name1); ++ free(src); src = strdup(tmp_buf); + } + } + else if (e->attr & CEXPR_ROLE) { @@ -826,8 +814,8 @@ index 9c2920c..04f9978 100644 - else if (e->attr & CEXPR_TYPE) + if (*expr_buf) { + name1 = policydb->p_role_val_to_name[val1 - 1]; -+ sprintf(tmp_buf, "(r%d-%s ", s_t_x_num, name1); -+ strcat(*expr_buf, tmp_buf); ++ snprintf(tmp_buf,sizeof(tmp_buf), "r%d=%s ", s_t_x_num, name1); ++ free(src); src = strdup(tmp_buf); + } + } + else if (e->attr & CEXPR_TYPE) { @@ -835,14 +823,15 @@ index 9c2920c..04f9978 100644 val1 = c->type; + if (*expr_buf) { + name1 = policydb->p_type_val_to_name[val1 - 1]; -+ sprintf(tmp_buf, "(t%d-%s ", s_t_x_num, name1); -+ strcat(*expr_buf, tmp_buf); ++ snprintf(tmp_buf,sizeof(tmp_buf), "t%d=%s ", s_t_x_num, name1); ++ free(src); src = strdup(tmp_buf); + } + } else { BUG(); - return 0; -@@ -279,10 +624,61 @@ static int constraint_expr_eval(context_struct_t * scontext, +- return 0; ++ goto out; + } switch (e->op) { case CEXPR_EQ: @@ -862,15 +851,11 @@ index 9c2920c..04f9978 100644 + break; + } + -+ get_names_list(&e->names, u_r_t, expr_buf); -+ s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); -+ if (*expr_buf) { -+ if (s[sp] == 0) { -+ strcat(*expr_buf, " eq -Fail-) "); -+ } else { -+ strcat(*expr_buf, " eq +Pass+) "); -+ } ++ free(tgt); tgt=strdup("ATTRIBUTE"); ++ msgcat(expr_buf, src, tgt, "neq", s[sp] == 0); ++ if (s[sp] == 0) { ++ get_names_list(&e->names, u_r_t, expr_buf); + } break; + @@ -891,150 +876,137 @@ index 9c2920c..04f9978 100644 + break; + } + -+ get_names_list(&e->names, u_r_t, expr_buf); -+ s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); -+ if (*expr_buf) { -+ if (s[sp] == 0) { -+ strcat(*expr_buf, " neq -Fail-) "); -+ } else { -+ strcat(*expr_buf, " neq +Pass+) "); -+ } -+ } ++ free(tgt); tgt=strdup("ATTRIBUTE"); ++ msgcat(expr_buf, src, tgt, "neq", s[sp] == 0); ++ get_names_list(&e->names, u_r_t, expr_buf); break; default: BUG(); -@@ -296,9 +692,21 @@ static int constraint_expr_eval(context_struct_t * scontext, +- return 0; ++ goto out; + } + break; + default: + BUG(); +- return 0; ++ goto out; + } } ++ if (*expr_buf) ++ strncat(*expr_buf, ")", REASON_BUF_SIZE); ++ rc = s[0]; ++ ++out: ++ free(src); ++ free(tgt); BUG_ON(sp != 0); -+ -+ if (*expr_buf) { -+ if (s[0] == 0) { -+ char *denied = {"\n** Constraint DENIED access **\n\n"}; -+ strcat(*expr_buf, denied); -+ } else { -+ char *allow = {"\n** Constraint ALLOWED access **\n\n"}; -+ strcat(*expr_buf, allow); -+ } -+ } - return s[0]; +- return s[0]; ++ return rc; } + -+ /* * Compute access vectors based on a context structure pair for * the permissions in a particular class. -@@ -308,7 +716,8 @@ static int context_struct_compute_av(context_struct_t * scontext, +@@ -308,7 +660,8 @@ static int context_struct_compute_av(context_struct_t * scontext, sepol_security_class_t tclass, sepol_access_vector_t requested, struct sepol_av_decision *avd, - unsigned int *reason) + unsigned int *reason, -+ char *expr_buf) ++ char *expr_buf) { constraint_node_t *constraint; struct role_allow *ra; -@@ -383,8 +792,8 @@ static int context_struct_compute_av(context_struct_t * scontext, +@@ -383,8 +736,8 @@ static int context_struct_compute_av(context_struct_t * scontext, constraint = tclass_datum->constraints; while (constraint) { if ((constraint->permissions & (avd->allowed)) && - !constraint_expr_eval(scontext, tcontext, NULL, - constraint->expr)) { + !constraint_expr_eval_reason(scontext, tcontext, NULL, -+ tclass, avd->allowed, constraint->expr, &expr_buf)) { ++ tclass, constraint, &expr_buf)) { avd->allowed = (avd->allowed) & ~(constraint->permissions); } -@@ -459,8 +868,8 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid, +@@ -459,8 +812,8 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid, constraint = tclass_datum->validatetrans; while (constraint) { - if (!constraint_expr_eval(ocontext, ncontext, tcontext, - constraint->expr)) { + if (!constraint_expr_eval_reason(ocontext, ncontext, tcontext, -+ 0, 0, constraint->expr, NULL)) { ++ 0, constraint, NULL)) { return -EPERM; } constraint = constraint->next; -@@ -469,13 +878,21 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid, - return 0; +@@ -493,11 +846,57 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid, + } + + rc = context_struct_compute_av(scontext, tcontext, tclass, +- requested, avd, reason); ++ requested, avd, reason, NULL); + out: + return rc; } --int hidden sepol_compute_av_reason(sepol_security_id_t ssid, +/* + * sepol_compute_av_reason_buffer - the reason buffer is malloc'd + * to REASON_BUF_SIZE that seems okay for the Reference Policy. + * TODO manage size using realloc at some stage. + */ -+#define REASON_BUF_SIZE 100000 +int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid, - sepol_security_id_t tsid, - sepol_security_class_t tclass, - sepol_access_vector_t requested, - struct sepol_av_decision *avd, -- unsigned int *reason) ++ sepol_security_id_t tsid, ++ sepol_security_class_t tclass, ++ sepol_access_vector_t requested, ++ struct sepol_av_decision *avd, + unsigned int *reason, + char **reason_buf) - { ++{ + char *expr_buf = NULL; - context_struct_t *scontext = 0, *tcontext = 0; - int rc = 0; - -@@ -485,6 +902,7 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid, - rc = -EINVAL; - goto out; - } + - tcontext = sepol_sidtab_search(sidtab, tsid); - if (!tcontext) { - ERR(NULL, "unrecognized SID %d", tsid); -@@ -493,11 +911,36 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid, - } - - rc = context_struct_compute_av(scontext, tcontext, tclass, -- requested, avd, reason); -- out: -+ requested, avd, reason, expr_buf); -+ if (rc) { -+ goto out; ++ expr_buf = malloc(REASON_BUF_SIZE); ++ if (!expr_buf) { ++ ERR(NULL, "malloc failed to allocate constraint reason buffer"); ++ return -ENOMEM; + } ++ bzero(expr_buf, REASON_BUF_SIZE); + -+ if (!avd->allowed && (*reason & SEPOL_COMPUTEAV_CONS) && reason_buf) { -+ expr_buf = calloc(REASON_BUF_SIZE,1); -+ if (!expr_buf) { -+ ERR(NULL, "malloc failed to allocate constraint reason buffer"); -+ return -ENOMEM; -+ } -+ rc = context_struct_compute_av(scontext, tcontext, tclass, -+ requested, avd, reason, expr_buf); -+ *reason_buf = expr_buf; ++ context_struct_t *scontext = 0, *tcontext = 0; ++ int rc = 0; ++ ++ scontext = sepol_sidtab_search(sidtab, ssid); ++ if (!scontext) { ++ ERR(NULL, "unrecognized SID %d", ssid); ++ rc = -EINVAL; ++ goto out; ++ } ++ tcontext = sepol_sidtab_search(sidtab, tsid); ++ if (!tcontext) { ++ ERR(NULL, "unrecognized SID %d", tsid); ++ rc = -EINVAL; ++ goto out; + } + -+out: - return rc; - } - -+int hidden sepol_compute_av_reason(sepol_security_id_t ssid, -+ sepol_security_id_t tsid, -+ sepol_security_class_t tclass, -+ sepol_access_vector_t requested, -+ struct sepol_av_decision *avd, -+ unsigned int *reason) -+{ -+ return sepol_compute_av_reason_buffer(ssid, tsid, tclass, requested, avd, reason, NULL); ++ rc = context_struct_compute_av(scontext, tcontext, tclass, ++ requested, avd, reason, expr_buf); ++ *reason_buf = expr_buf; ++ ++ out: ++ return rc; +} + int hidden sepol_compute_av(sepol_security_id_t ssid, sepol_security_id_t tsid, sepol_security_class_t tclass, -@@ -510,6 +953,65 @@ int hidden sepol_compute_av(sepol_security_id_t ssid, +@@ -510,6 +909,66 @@ int hidden sepol_compute_av(sepol_security_id_t ssid, } /* -+ * Return a class ID associated with the class string representation -+ * specified by `class_name'. ++ * Return a class ID associated with the class string specified by ++ * class_name. + */ +int hidden sepol_class_name_to_id(const char *class_name, + sepol_security_class_t *tclass) @@ -1055,15 +1027,15 @@ index 9c2920c..04f9978 100644 +} + +/* -+ * Return access vertor bit associated with the class / permission string. ++ * Return access vector bit associated with the class ID and permission ++ * string. + */ +int hidden sepol_perm_name_to_av(sepol_security_class_t tclass, + const char *perm_name, + sepol_access_vector_t *av) +{ + class_datum_t *tclass_datum; -+ perm_datum_t *base_perm; -+ perm_datum_t *common_perm; ++ perm_datum_t *perm_datum; + + if (!tclass || tclass > policydb->p_classes.nprim) { + ERR(NULL, "unrecognized class %d", tclass); @@ -1071,19 +1043,20 @@ index 9c2920c..04f9978 100644 + } + tclass_datum = policydb->class_val_to_struct[tclass - 1]; + -+ base_perm = (perm_datum_t *) ++ /* Check for unique perms then the common ones */ ++ perm_datum = (perm_datum_t *) + hashtab_search(tclass_datum->permissions.table, + (hashtab_key_t)perm_name); -+ if (base_perm != NULL) { -+ *av = 0x1 << (base_perm->s.value - 1); ++ if (perm_datum != NULL) { ++ *av = 0x1 << (perm_datum->s.value - 1); + return STATUS_SUCCESS; + } + -+ common_perm = (perm_datum_t *) ++ perm_datum = (perm_datum_t *) + hashtab_search(tclass_datum->comdatum->permissions.table, + (hashtab_key_t)perm_name); -+ if (common_perm != NULL) { -+ *av = 0x1 << (common_perm->s.value - 1); ++ if (perm_datum != NULL) { ++ *av = 0x1 << (perm_datum->s.value - 1); + return STATUS_SUCCESS; + } + @@ -1095,7 +1068,7 @@ index 9c2920c..04f9978 100644 * Write the security context string representation of * the context associated with `sid' into a dynamically * allocated string of the correct size. Set `*scontext' -@@ -1337,7 +1839,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid, +@@ -1337,7 +1796,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid, rc = context_struct_compute_av(fromcon, &usercon, SECCLASS_PROCESS, PROCESS__TRANSITION, diff --git a/libsepol.spec b/libsepol.spec index d4365ec..40020af 100644 --- a/libsepol.spec +++ b/libsepol.spec @@ -1,7 +1,7 @@ Summary: SELinux binary policy manipulation library Name: libsepol Version: 2.1.8 -Release: 3%{?dist} +Release: 4%{?dist} License: LGPLv2+ Group: System Environment/Libraries Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz @@ -99,6 +99,9 @@ exit 0 /%{_lib}/libsepol.so.1 %changelog +* Tue Nov 27 2012 Dan Walsh - 2.1.8-4 +- Update Richard Haines patch to show constraint information + * Mon Nov 19 2012 Dan Walsh - 2.1.8-3 - Add sepol_compute_av_reason_buffer patch from Richard Haines @@ -185,7 +188,7 @@ dup! * setools expects expand_module_avrules to be an exported * tree: default make target to all not -* Thu Sep 14 2011 Dan Walsh - 2.1.2-3 +* Thu Sep 15 2011 Dan Walsh - 2.1.2-3 - Add patch to handle preserving tunables * Thu Sep 1 2011 Dan Walsh - 2.1.2-2 @@ -204,7 +207,7 @@ dup! - Update to upstream * Release, minor version bump -* Thu May 3 2011 Dan Walsh 2.0.45-1 +* Tue May 3 2011 Dan Walsh 2.0.45-1 - Update to upstream * Warn if filename_trans rules are dropped by Steve Lawrence. @@ -254,7 +257,7 @@ Resolves: #555835 - Upgrade to latest from NSA * Add pkgconfig file from Eamon Walsh. -* Tue Oct 14 2009 Dan Walsh 2.0.39-1 +* Wed Oct 14 2009 Dan Walsh 2.0.39-1 - Upgrade to latest from NSA * Add support for building Xen policies from Paul Nuzzi. @@ -512,7 +515,7 @@ Resolves: #555835 a policy requires the compatibility support for network checks to be enabled in the kernel. -* Thu May 15 2006 Dan Walsh 1.12.11-1 +* Thu May 18 2006 Dan Walsh 1.12.11-1 - Upgrade to latest from NSA * Merged patch to initialize sym_val_to_name arrays from Kevin Carr. Reworked to use calloc in the first place, and converted some other @@ -619,7 +622,7 @@ Resolves: #555835 - Upgrade to latest from NSA * Merged 2nd const in APIs patch from Ivan Gyurdiev. -* Fri Jan 7 2006 Dan Walsh 1.11.7-1 +* Fri Jan 6 2006 Dan Walsh 1.11.7-1 - Upgrade to latest from NSA * Merged const in APIs patch from Ivan Gyurdiev. * Merged compare2 function patch from Ivan Gyurdiev. @@ -855,7 +858,7 @@ Resolves: #555835 * Merged fix for sepol_enable/disable_debug from Ivan Gyurdiev. -* Mon Sep 14 2005 Dan Walsh 1.9.1-2 +* Wed Sep 14 2005 Dan Walsh 1.9.1-2 - Upgrade to latest from NSA * Merged stddef.h patch and debug conversion patch from Ivan Gyurdiev.