diff --git a/libsepol-rhat.patch b/libsepol-rhat.patch index 257b5d3..d1d324b 100644 --- a/libsepol-rhat.patch +++ b/libsepol-rhat.patch @@ -11,6 +11,47 @@ index f90a48d..9152446 100644 POLICYDB_CAPABILITY_ALWAYSNETWORK, __POLICYDB_CAPABILITY_MAX }; +diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h +index aef0c7b..3fd9700 100644 +--- a/libsepol/include/sepol/policydb/services.h ++++ b/libsepol/include/sepol/policydb/services.h +@@ -58,6 +58,36 @@ extern int sepol_compute_av_reason(sepol_security_id_t ssid, + struct sepol_av_decision *avd, + unsigned int *reason); + ++/* ++ * Same as above, but also returns the constraint expression calculations ++ * whether allowed or denied in a buffer. This buffer is allocated by ++ * this call and must be free'd by the caller. ++ * The contraint buffer is in RPN format. ++ */ ++extern int sepol_compute_av_reason_buffer(sepol_security_id_t ssid, ++ sepol_security_id_t tsid, ++ sepol_security_class_t tclass, ++ sepol_access_vector_t requested, ++ struct sepol_av_decision *avd, ++ unsigned int *reason, ++ char **reason_buf); ++ ++/* ++ * Return a class ID associated with the class string representation ++ * specified by `class_name'. ++ */ ++extern int sepol_class_name_to_id(const char *class_name, ++ sepol_security_class_t *tclass); ++ ++/* ++ * Return a permission av bit associated with tclass and the string ++ * representation of the `perm_name'. ++ */ ++extern int sepol_perm_name_to_av(sepol_security_class_t tclass, ++ const char *perm_name, ++ sepol_access_vector_t *av); ++ ++ + /* + * Compute a SID to use for labeling a new object in the + * class `tclass' based on a SID pair. diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 2003eb6..a2d209c 100644 --- a/libsepol/src/expand.c @@ -265,3 +306,801 @@ index 43a71a7..7615a9b 100644 "always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */ NULL }; +diff --git a/libsepol/src/services.c b/libsepol/src/services.c +index 9c2920c..04f9978 100644 +--- a/libsepol/src/services.c ++++ b/libsepol/src/services.c +@@ -54,6 +54,7 @@ + #include + #include + #include ++#include + + #include "debug.h" + #include "private.h" +@@ -112,20 +113,208 @@ int sepol_set_policydb_from_file(FILE * fp) + static uint32_t latest_granting = 0; + + /* +- * Return the boolean value of a constraint expression +- * when it is applied to the specified source and target ++ * Start of changes to support constraint reason failures. ++ */ ++ ++/* ++ * get_names_list obtains the list of users, roles or types when expr ++ * has a names list. For 'types' only, find how many in the name list, and ++ * then the attributes associated to them (also count these). When ++ * complete take the list of attributes and find those whose count ++ * matches the number of types. The attributes in the final list will be ++ * one of those that needs to has the type added (but which one !!!). ++ * ++ * The best way to solve this is for the compilers (checkpolicy and ++ * checkmodule) to add attributes to the constraint_expr_t structure ++ * (see constraint.h). The CIL compiler does add attribute names to ++ * constraint_expr_t->names, but the kernel does not translate them to ++ * types (i.e. the 30-04-12 version of the CIL compiler does not build ++ * the policy correctly). ++ * ++ * Note that the type_datum_t ->types (policydb.h) does not contain ++ * a list of types when inspecting a binary policy. This is only used ++ * in the *.pp modules. ++ */ ++int get_names_list(const ebitmap_t * e, int type, char ** expr_buf) ++{ ++ type_datum_t *t1 = NULL; ++ ++#define MAX_ATTRS 300 ++ /* Hold the type attribute names and count of instances */ ++ struct attr_entries { ++ unsigned int entry; ++ int count; ++ } attr_info[MAX_ATTRS]; ++ ++ int struct_count = 0; ++ int x; ++ ++ int rc = 0; ++ unsigned int i; ++ int entry_count = 0; ++ int is_attr = 0; ++ ++ char tmp_buf[100]; ++ /* if empty_set is 0, then */ ++ int empty_set = 0; ++ ++ ebitmap_t *attr; ++ unsigned int j; ++ ++ int type_count = 0; ++ ++ if (!*expr_buf) ++ return 0; ++ ++ for (x = 0; x < MAX_ATTRS; x++) { ++ attr_info[x].entry = '\0'; ++ attr_info[x].count = '\0'; ++ } ++ ++ /* For type entries find how many entries so we can check attributes */ ++ if (type == CEXPR_TYPE) { ++ for (j = ebitmap_startbit(e); j < ebitmap_length(e); j++) { ++ if ((rc = ebitmap_get_bit(e, j)) == 0) ++ continue; ++ type_count++; ++ } ++ } ++ ++ /* Start the list of names where e = &e->names */ ++ strcat(*expr_buf, "{ "); ++ ++ for (i = ebitmap_startbit(e); i < ebitmap_length(e); i++) { ++ if ((rc = ebitmap_get_bit(e, i)) == 0) ++ continue; ++ ++ switch (type) { ++ case CEXPR_USER: ++ sprintf(tmp_buf, "%s ", policydb->p_user_val_to_name[i]); ++ strcat(*expr_buf, tmp_buf); ++ break; ++ ++ case CEXPR_ROLE: ++ sprintf(tmp_buf, "%s ", policydb->p_role_val_to_name[i]); ++ strcat(*expr_buf, tmp_buf); ++ break; ++ ++ case CEXPR_TYPE: ++/* ++ * When checking a type for associated attributes, you can get a number ++ * of attributes, any one of which could be the one to update, for example: ++ * ++ * constrain process { transition noatsecure siginh rlimitinh } ++ * ( ++ * r1 == r2 ++ * or ( t1 == can_change_process_role and t2 == process_user_target ) ++ * or ( t1 == cron_source_domain and t2 == cron_job_domain ) ++ * or ( t1 == can_system_change and r2 == system_r ) ++ * or ( t1 == process_uncond_exempt ) ++ * ); ++ * ++ * for the 'targeted' policy it will yeld for "can_change_process_role" ++ * the following possible entries: can_change_process_role, ++ * nsswitch_domain or domain as each type that makes up ++ * "can_change_process_role" is also in the others. ++ * ++ * The "cron_source_domain" will give the largest amount of attributes ++ * as there is only one type (crond_t) but has 36 associations. ++ */ ++ /* ++ * Get node for the type ID and if an attribute just add name, ++ * otherwise find the list of attrs associated to this type. ++ */ ++ t1 = policydb->type_val_to_struct[i]; ++ if (t1->flavor == TYPE_ATTRIB) { ++ is_attr = 1; ++ sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[i]); ++ strcat(*expr_buf, tmp_buf); ++ break; ++ } else { ++ /* Have type so but names in buffer and sort out attrs */ ++ sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[i]); ++ strcat(*expr_buf, tmp_buf); ++ /* Process attributes attached to the type */ ++ attr = &policydb->type_attr_map[t1->s.value-1]; ++ unsigned int z; ++ struct_count = 0; ++ for (z = ebitmap_startbit(attr); z < ebitmap_length(attr); z++) { ++ if ((rc = ebitmap_get_bit(attr, z)) == 0) ++ continue; ++ t1 = policydb->type_val_to_struct[z]; ++ if (t1->flavor == TYPE_ATTRIB) { ++ x = 0; ++ while (x < MAX_ATTRS) { ++ if (attr_info[x].entry == z) { ++ attr_info[x].entry = z; ++ attr_info[x].count++; ++ break; ++ } ++ if (attr_info[x].entry == 0) { ++ attr_info[x].entry = z; ++ attr_info[x].count++; ++ break; ++ } ++ x++; ++ } ++ struct_count++; ++ } ++ } ++ break; ++ } ++ break; ++ ++ default: ++ ERR(NULL, "Invalid u_r_t value: %d\n", type); ++ return -1; ++ break; ++ } ++ empty_set++; ++ entry_count++; ++ } ++ ++ /* End the list of names but if type then check for attributes. */ ++ if (empty_set == 0) { ++ strcat(*expr_buf, " }"); ++ } else if (type == CEXPR_TYPE && is_attr == 0) { ++ strcat(*expr_buf, "} ** Attributes associated to the types: "); ++ for (x = 0; x < MAX_ATTRS; x++) { ++ if (attr_info[x].count == type_count) { ++ sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[attr_info[x].entry]); ++ strcat(*expr_buf, tmp_buf); ++ } ++ } ++ strcat(*expr_buf, "**"); ++ } else ++ strcat(*expr_buf, "}"); ++ return 0; ++} ++ ++ ++/* ++ * Modified version of constraint_expr_eval ++ * ++ * Return the boolean value of a constraint expression ++ * when it is applied to the specified source and target + * security contexts. + * + * xcontext is a special beast... It is used by the validatetrans rules + * only. For these rules, scontext is the context before the transition, + * tcontext is the context after the transition, and xcontext is the context + * of the process performing the transition. All other callers of +- * constraint_expr_eval should pass in NULL for xcontext. ++ * constraint_expr_eval_reason should pass in NULL for xcontext. ++ * ++ * This function will also build a buffer as the constraint is processed ++ * for analysis. If this option is not required, then: ++ * 'tclass' and 'allowed' should be '0' and expr_buf MUST be NULL. + */ +-static int constraint_expr_eval(context_struct_t * scontext, ++static int constraint_expr_eval_reason(context_struct_t * scontext, + context_struct_t * tcontext, + context_struct_t * xcontext, +- constraint_expr_t * cexpr) ++ sepol_security_class_t tclass, ++ sepol_access_vector_t allowed, ++ constraint_expr_t * cexpr, ++ char ** expr_buf) + { + uint32_t val1, val2; + context_struct_t *c; +@@ -135,21 +324,68 @@ static int constraint_expr_eval(context_struct_t * scontext, + int s[CEXPR_MAXDEPTH]; + int sp = -1; + ++ char tmp_buf[1024]; ++ ++/* ++ * Define the s_t_x_num values that make up r1, t2 etc. in text strings ++ * Set 1 = source, 2 = target, 3 = xcontext for validatetrans ++ */ ++#define SOURCE 1 ++#define TARGET 2 ++#define XTARGET 3 ++ ++ int s_t_x_num = SOURCE; ++ ++ /* Set 0 = fail, u = CEXPR_USER, r = CEXPR_ROLE, t = CEXPR_TYPE */ ++ int u_r_t = 0; ++ ++ char *name1, *name2; ++ ++ if (*expr_buf) { ++ /* Get constraint statement type */ ++ sprintf(tmp_buf, "constrain "); ++ for (e = cexpr; e; e = e->next) { ++ if (e->attr >= CEXPR_L1L2) { ++ sprintf(tmp_buf, "mlsconstrain "); ++ break; ++ } ++ } ++ strcat(*expr_buf, tmp_buf); ++ ++ /* Get class entry */ ++ sprintf(tmp_buf, "%s ", policydb->p_class_val_to_name[tclass - 1]); ++ strcat(*expr_buf, tmp_buf); ++ ++ /* ++ * Get permission entries sepol_av_to_string defined in util.c ++ * and its buffer to hold the perm list is 1024 chars. ++ */ ++ sprintf(tmp_buf, "{%s } ", sepol_av_to_string(policydb, tclass, allowed)); ++ strcat(*expr_buf, tmp_buf); ++ } ++ ++ /* Original function but with buffer support */ + for (e = cexpr; e; e = e->next) { + switch (e->expr_type) { + case CEXPR_NOT: + BUG_ON(sp < 0); + s[sp] = !s[sp]; ++ if (*expr_buf) ++ strcat(*expr_buf, " not "); + break; + case CEXPR_AND: + BUG_ON(sp < 1); + sp--; + s[sp] &= s[sp + 1]; ++ if (*expr_buf) ++ strcat(*expr_buf, " and "); + break; + case CEXPR_OR: + BUG_ON(sp < 1); + sp--; + s[sp] |= s[sp + 1]; ++ if (*expr_buf) ++ strcat(*expr_buf, " or "); + break; + case CEXPR_ATTR: + if (sp == (CEXPR_MAXDEPTH - 1)) +@@ -158,33 +394,57 @@ static int constraint_expr_eval(context_struct_t * scontext, + case CEXPR_USER: + val1 = scontext->user; + val2 = tcontext->user; ++ if (*expr_buf) ++ strcat(*expr_buf, "(u1 u2 "); + break; + case CEXPR_TYPE: + val1 = scontext->type; + val2 = tcontext->type; ++ if (*expr_buf) ++ strcat(*expr_buf, "(t1 t2 "); + break; + case CEXPR_ROLE: + val1 = scontext->role; + val2 = tcontext->role; + r1 = policydb->role_val_to_struct[val1 - 1]; + r2 = policydb->role_val_to_struct[val2 - 1]; ++ if (*expr_buf) { ++ name1 = policydb->p_role_val_to_name[r1->s.value - 1]; ++ name2 = policydb->p_role_val_to_name[r2->s.value - 1]; ++ sprintf(tmp_buf, "(r1-%s r2-%s ", name1, name2); ++ strcat(*expr_buf, tmp_buf); ++ } + switch (e->op) { + case CEXPR_DOM: +- s[++sp] = +- ebitmap_get_bit(&r1->dominates, +- val2 - 1); ++ s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1); ++ if (*expr_buf) { ++ if (s[sp] == 0) { ++ strcat(*expr_buf, "dom -Fail-) "); ++ } else { ++ strcat(*expr_buf, "dom -Fail-) "); ++ } ++ } + continue; + case CEXPR_DOMBY: +- s[++sp] = +- ebitmap_get_bit(&r2->dominates, +- val1 - 1); ++ s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1); ++ if (*expr_buf) { ++ if (s[sp] == 0) { ++ strcat(*expr_buf, "domby -Fail-) "); ++ } else { ++ strcat(*expr_buf, "domby +Pass+) "); ++ } ++ } + continue; + case CEXPR_INCOMP: +- s[++sp] = +- (!ebitmap_get_bit +- (&r1->dominates, val2 - 1) +- && !ebitmap_get_bit(&r2->dominates, +- val1 - 1)); ++ s[++sp] = (!ebitmap_get_bit(&r1->dominates, val2 - 1) ++ && !ebitmap_get_bit(&r2->dominates, val1 - 1)); ++ if (*expr_buf) { ++ if (s[sp] == 0) { ++ strcat(*expr_buf, "incomp -Fail-) "); ++ } else { ++ strcat(*expr_buf, "incomp +Pass+) "); ++ } ++ } + continue; + default: + break; +@@ -193,43 +453,90 @@ static int constraint_expr_eval(context_struct_t * scontext, + case CEXPR_L1L2: + l1 = &(scontext->range.level[0]); + l2 = &(tcontext->range.level[0]); ++ if (*expr_buf) ++ strcat(*expr_buf, "(l1 l2 "); + goto mls_ops; + case CEXPR_L1H2: + l1 = &(scontext->range.level[0]); + l2 = &(tcontext->range.level[1]); ++ if (*expr_buf) ++ strcat(*expr_buf, "(l1 h2 "); + goto mls_ops; + case CEXPR_H1L2: + l1 = &(scontext->range.level[1]); + l2 = &(tcontext->range.level[0]); ++ if (*expr_buf) ++ strcat(*expr_buf,"(h1 l2 "); + goto mls_ops; + case CEXPR_H1H2: + l1 = &(scontext->range.level[1]); + l2 = &(tcontext->range.level[1]); ++ if (*expr_buf) ++ strcat(*expr_buf, "(h1 h2 "); + goto mls_ops; + case CEXPR_L1H1: + l1 = &(scontext->range.level[0]); + l2 = &(scontext->range.level[1]); ++ if (*expr_buf) ++ strcat(*expr_buf, "(l1 h1 "); + goto mls_ops; + case CEXPR_L2H2: + l1 = &(tcontext->range.level[0]); + l2 = &(tcontext->range.level[1]); ++ if (*expr_buf) ++ strcat(*expr_buf, "(l2 h2 "); + goto mls_ops; +- mls_ops: ++ mls_ops: + switch (e->op) { + case CEXPR_EQ: + s[++sp] = mls_level_eq(l1, l2); ++ if (*expr_buf) { ++ if (s[sp] == 0) { ++ strcat(*expr_buf, "eq -Fail-) "); ++ } else { ++ strcat(*expr_buf, "eq +Pass+) "); ++ } ++ } + continue; + case CEXPR_NEQ: + s[++sp] = !mls_level_eq(l1, l2); ++ if (*expr_buf) { ++ if (s[sp] == 0) { ++ strcat(*expr_buf, "neq -Fail-) "); ++ } else { ++ strcat(*expr_buf, "neq +Pass+) "); ++ } ++ } + continue; + case CEXPR_DOM: + s[++sp] = mls_level_dom(l1, l2); ++ if (*expr_buf) { ++ if (s[sp] == 0) { ++ strcat(*expr_buf, "dom -Fail-) "); ++ } else { ++ strcat(*expr_buf, "dom +Pass+) "); ++ } ++ } + continue; + case CEXPR_DOMBY: + s[++sp] = mls_level_dom(l2, l1); ++ if (*expr_buf) { ++ if (s[sp] == 0) { ++ strcat(*expr_buf, "domby -Fail-) "); ++ } else { ++ strcat(*expr_buf, "domby +Pass+) "); ++ } ++ } + continue; + case CEXPR_INCOMP: + s[++sp] = mls_level_incomp(l2, l1); ++ if (*expr_buf) { ++ if (s[sp] == 0) { ++ strcat(*expr_buf, "incomp -Fail-) "); ++ } else { ++ strcat(*expr_buf, "incomp +Pass+) "); ++ } ++ } + continue; + default: + BUG(); +@@ -244,9 +551,23 @@ static int constraint_expr_eval(context_struct_t * scontext, + switch (e->op) { + case CEXPR_EQ: + s[++sp] = (val1 == val2); ++ if (*expr_buf) { ++ if (s[sp] == 0) { ++ strcat(*expr_buf, "eq -Fail-) "); ++ } else { ++ strcat(*expr_buf, "eq +Pass+) "); ++ } ++ } + break; + case CEXPR_NEQ: + s[++sp] = (val1 != val2); ++ if (*expr_buf) { ++ if (s[sp] == 0) { ++ strcat(*expr_buf, "neq -Fail-) "); ++ } else { ++ strcat(*expr_buf, "neq +Pass+) "); ++ } ++ } + break; + default: + BUG(); +@@ -256,22 +577,46 @@ static int constraint_expr_eval(context_struct_t * scontext, + case CEXPR_NAMES: + if (sp == (CEXPR_MAXDEPTH - 1)) + return 0; ++ s_t_x_num = SOURCE; + c = scontext; +- if (e->attr & CEXPR_TARGET) ++ if (e->attr & CEXPR_TARGET) { ++ s_t_x_num = TARGET; + c = tcontext; +- else if (e->attr & CEXPR_XTARGET) { ++ } else if (e->attr & CEXPR_XTARGET) { ++ s_t_x_num = XTARGET; + c = xcontext; +- if (!c) { +- BUG(); +- return 0; +- } + } +- if (e->attr & CEXPR_USER) ++ if (!c) { ++ BUG(); ++ return 0; ++ } ++ if (e->attr & CEXPR_USER) { ++ u_r_t = CEXPR_USER; + val1 = c->user; +- else if (e->attr & CEXPR_ROLE) ++ if (*expr_buf) { ++ name1 = policydb->p_user_val_to_name[val1 - 1]; ++ sprintf(tmp_buf, "(u%d-%s ", s_t_x_num, name1); ++ strcat(*expr_buf, tmp_buf); ++ } ++ } ++ else if (e->attr & CEXPR_ROLE) { ++ u_r_t = CEXPR_ROLE; + val1 = c->role; +- else if (e->attr & CEXPR_TYPE) ++ if (*expr_buf) { ++ name1 = policydb->p_role_val_to_name[val1 - 1]; ++ sprintf(tmp_buf, "(r%d-%s ", s_t_x_num, name1); ++ strcat(*expr_buf, tmp_buf); ++ } ++ } ++ else if (e->attr & CEXPR_TYPE) { ++ u_r_t = CEXPR_TYPE; + val1 = c->type; ++ if (*expr_buf) { ++ name1 = policydb->p_type_val_to_name[val1 - 1]; ++ sprintf(tmp_buf, "(t%d-%s ", s_t_x_num, name1); ++ strcat(*expr_buf, tmp_buf); ++ } ++ } + else { + BUG(); + return 0; +@@ -279,10 +624,61 @@ static int constraint_expr_eval(context_struct_t * scontext, + + switch (e->op) { + case CEXPR_EQ: ++ switch (u_r_t) { ++ case CEXPR_USER: ++ name1 = policydb->p_user_val_to_name[val1 - 1]; ++ break; ++ case CEXPR_ROLE: ++ name1 = policydb->p_role_val_to_name[val1 - 1]; ++ break; ++ case CEXPR_TYPE: ++ name1 = policydb->p_type_val_to_name[val1 - 1]; ++ break; ++ default: ++ name1 = NULL; ++ ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t); ++ break; ++ } ++ ++ get_names_list(&e->names, u_r_t, expr_buf); ++ + s[++sp] = ebitmap_get_bit(&e->names, val1 - 1); ++ if (*expr_buf) { ++ if (s[sp] == 0) { ++ strcat(*expr_buf, " eq -Fail-) "); ++ } else { ++ strcat(*expr_buf, " eq +Pass+) "); ++ } ++ } + break; ++ + case CEXPR_NEQ: ++ switch (u_r_t) { ++ case CEXPR_USER: ++ name1 = policydb->p_user_val_to_name[val1 - 1]; ++ break; ++ case CEXPR_ROLE: ++ name1 = policydb->p_role_val_to_name[val1 - 1]; ++ break; ++ case CEXPR_TYPE: ++ name1 = policydb->p_type_val_to_name[val1 - 1]; ++ break; ++ default: ++ name1 = NULL; ++ ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t); ++ break; ++ } ++ ++ get_names_list(&e->names, u_r_t, expr_buf); ++ + s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1); ++ if (*expr_buf) { ++ if (s[sp] == 0) { ++ strcat(*expr_buf, " neq -Fail-) "); ++ } else { ++ strcat(*expr_buf, " neq +Pass+) "); ++ } ++ } + break; + default: + BUG(); +@@ -296,9 +692,21 @@ static int constraint_expr_eval(context_struct_t * scontext, + } + + BUG_ON(sp != 0); ++ ++ if (*expr_buf) { ++ if (s[0] == 0) { ++ char *denied = {"\n** Constraint DENIED access **\n\n"}; ++ strcat(*expr_buf, denied); ++ } else { ++ char *allow = {"\n** Constraint ALLOWED access **\n\n"}; ++ strcat(*expr_buf, allow); ++ } ++ } + return s[0]; + } + ++ ++ + /* + * Compute access vectors based on a context structure pair for + * the permissions in a particular class. +@@ -308,7 +716,8 @@ static int context_struct_compute_av(context_struct_t * scontext, + sepol_security_class_t tclass, + sepol_access_vector_t requested, + struct sepol_av_decision *avd, +- unsigned int *reason) ++ unsigned int *reason, ++ char *expr_buf) + { + constraint_node_t *constraint; + struct role_allow *ra; +@@ -383,8 +792,8 @@ static int context_struct_compute_av(context_struct_t * scontext, + constraint = tclass_datum->constraints; + while (constraint) { + if ((constraint->permissions & (avd->allowed)) && +- !constraint_expr_eval(scontext, tcontext, NULL, +- constraint->expr)) { ++ !constraint_expr_eval_reason(scontext, tcontext, NULL, ++ tclass, avd->allowed, constraint->expr, &expr_buf)) { + avd->allowed = + (avd->allowed) & ~(constraint->permissions); + } +@@ -459,8 +868,8 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid, + + constraint = tclass_datum->validatetrans; + while (constraint) { +- if (!constraint_expr_eval(ocontext, ncontext, tcontext, +- constraint->expr)) { ++ if (!constraint_expr_eval_reason(ocontext, ncontext, tcontext, ++ 0, 0, constraint->expr, NULL)) { + return -EPERM; + } + constraint = constraint->next; +@@ -469,13 +878,21 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid, + return 0; + } + +-int hidden sepol_compute_av_reason(sepol_security_id_t ssid, ++/* ++ * sepol_compute_av_reason_buffer - the reason buffer is malloc'd ++ * to REASON_BUF_SIZE that seems okay for the Reference Policy. ++ * TODO manage size using realloc at some stage. ++ */ ++#define REASON_BUF_SIZE 100000 ++int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid, + sepol_security_id_t tsid, + sepol_security_class_t tclass, + sepol_access_vector_t requested, + struct sepol_av_decision *avd, +- unsigned int *reason) ++ unsigned int *reason, ++ char **reason_buf) + { ++ char *expr_buf = NULL; + context_struct_t *scontext = 0, *tcontext = 0; + int rc = 0; + +@@ -485,6 +902,7 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid, + rc = -EINVAL; + goto out; + } ++ + tcontext = sepol_sidtab_search(sidtab, tsid); + if (!tcontext) { + ERR(NULL, "unrecognized SID %d", tsid); +@@ -493,11 +911,36 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid, + } + + rc = context_struct_compute_av(scontext, tcontext, tclass, +- requested, avd, reason); +- out: ++ requested, avd, reason, expr_buf); ++ if (rc) { ++ goto out; ++ } ++ ++ if (!avd->allowed && (*reason & SEPOL_COMPUTEAV_CONS) && reason_buf) { ++ expr_buf = calloc(REASON_BUF_SIZE,1); ++ if (!expr_buf) { ++ ERR(NULL, "malloc failed to allocate constraint reason buffer"); ++ return -ENOMEM; ++ } ++ rc = context_struct_compute_av(scontext, tcontext, tclass, ++ requested, avd, reason, expr_buf); ++ *reason_buf = expr_buf; ++ } ++ ++out: + return rc; + } + ++int hidden sepol_compute_av_reason(sepol_security_id_t ssid, ++ sepol_security_id_t tsid, ++ sepol_security_class_t tclass, ++ sepol_access_vector_t requested, ++ struct sepol_av_decision *avd, ++ unsigned int *reason) ++{ ++ return sepol_compute_av_reason_buffer(ssid, tsid, tclass, requested, avd, reason, NULL); ++} ++ + int hidden sepol_compute_av(sepol_security_id_t ssid, + sepol_security_id_t tsid, + sepol_security_class_t tclass, +@@ -510,6 +953,65 @@ int hidden sepol_compute_av(sepol_security_id_t ssid, + } + + /* ++ * Return a class ID associated with the class string representation ++ * specified by `class_name'. ++ */ ++int hidden sepol_class_name_to_id(const char *class_name, ++ sepol_security_class_t *tclass) ++{ ++ char *class = NULL; ++ sepol_security_class_t id; ++ ++ for (id = 1; ; id++) { ++ if ((class = policydb->p_class_val_to_name[id - 1]) == NULL) { ++ ERR(NULL, "could not convert %s to class id", class_name); ++ return STATUS_ERR; ++ } ++ if ((strcmp(class, class_name)) == 0) { ++ *tclass = id; ++ return STATUS_SUCCESS; ++ } ++ } ++} ++ ++/* ++ * Return access vertor bit associated with the class / permission string. ++ */ ++int hidden sepol_perm_name_to_av(sepol_security_class_t tclass, ++ const char *perm_name, ++ sepol_access_vector_t *av) ++{ ++ class_datum_t *tclass_datum; ++ perm_datum_t *base_perm; ++ perm_datum_t *common_perm; ++ ++ if (!tclass || tclass > policydb->p_classes.nprim) { ++ ERR(NULL, "unrecognized class %d", tclass); ++ return -EINVAL; ++ } ++ tclass_datum = policydb->class_val_to_struct[tclass - 1]; ++ ++ base_perm = (perm_datum_t *) ++ hashtab_search(tclass_datum->permissions.table, ++ (hashtab_key_t)perm_name); ++ if (base_perm != NULL) { ++ *av = 0x1 << (base_perm->s.value - 1); ++ return STATUS_SUCCESS; ++ } ++ ++ common_perm = (perm_datum_t *) ++ hashtab_search(tclass_datum->comdatum->permissions.table, ++ (hashtab_key_t)perm_name); ++ if (common_perm != NULL) { ++ *av = 0x1 << (common_perm->s.value - 1); ++ return STATUS_SUCCESS; ++ } ++ ++ ERR(NULL, "could not convert %s to av bit", perm_name); ++ return STATUS_ERR; ++} ++ ++/* + * Write the security context string representation of + * the context associated with `sid' into a dynamically + * allocated string of the correct size. Set `*scontext' +@@ -1337,7 +1839,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid, + rc = context_struct_compute_av(fromcon, &usercon, + SECCLASS_PROCESS, + PROCESS__TRANSITION, +- &avd, &reason); ++ &avd, &reason, NULL); + if (rc || !(avd.allowed & PROCESS__TRANSITION)) + continue; + rc = sepol_sidtab_context_to_sid(sidtab, &usercon, diff --git a/libsepol.spec b/libsepol.spec index eb67dab..d4365ec 100644 --- a/libsepol.spec +++ b/libsepol.spec @@ -1,7 +1,7 @@ Summary: SELinux binary policy manipulation library Name: libsepol Version: 2.1.8 -Release: 2%{?dist} +Release: 3%{?dist} License: LGPLv2+ Group: System Environment/Libraries Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz @@ -99,6 +99,9 @@ exit 0 /%{_lib}/libsepol.so.1 %changelog +* Mon Nov 19 2012 Dan Walsh - 2.1.8-3 +- Add sepol_compute_av_reason_buffer patch from Richard Haines + * Wed Sep 19 2012 Dan Walsh - 2.1.8-2 - Revert patch that was attempting to expand filetrans attributes, but is breaking filetrans rules