commit d8146a76ceb7
Author: Petr Lautrbach
Date:   Mon Jan 11 13:55:28 2021 +0100

    Update VERSIONs and Python bindings version to 3.2-rc1 for release

    Signed-off-by: Petr Lautrbach

commit b15dff0feb0b
Author: Vit Mojzis
Date:   Wed Jan 6 10:00:07 2021 +0100

    python/semanage: Sort imports in alphabetical order

    Signed-off-by: Vit Mojzis

commit 92e01969d08c
Author: Vit Mojzis
Date:   Tue Jan 5 17:00:21 2021 +0100

    python/semanage: empty stdout before exiting on BrokenPipeError

    Empty stdout buffer before exiting when BrokenPipeError is encountered.
    Otherwise python will flush the buffer during exit, which may trigger
    the exception again.

    https://docs.python.org/3/library/signal.html#note-on-sigpipe

    Fixes:
        # semanage fcontext -l | egrep -q -e '^/home'
        BrokenPipeError: [Errno 32] Broken pipe
        Exception ignored in: <_io.TextIOWrapper name='' mode='w' encoding='UTF-8'>
        BrokenPipeError: [Errno 32] Broken pipe

    Note that the error above only appears occasionally (usually only the
    first line is printed).

    Signed-off-by: Vit Mojzis
    Acked-by: Nicolas Iooss

commit 34bd9a9d1908
Author: Nicolas Iooss
Date:   Wed Jan 6 09:19:22 2021 +0100

    libsepol: destroy filename_trans list properly

    OSS-Fuzz found a direct memory leak in policydb_filetrans_insert()
    because filenametr_destroy() does not fully destroy the list associated
    with a typetransition.
    More precisely, let's consider this (minimized) CIL policy:

        (class CLASS (PERM))
        (classorder (CLASS))
        (sid SID)
        (sidorder (SID))
        (user USER)
        (role ROLE)
        (type TYPE) ; "type 1" in libsepol internal structures
        (type TYPE2) ; "type 2" in libsepol internal structures
        (type TYPE3) ; "type 3" in libsepol internal structures
        (category CAT)
        (categoryorder (CAT))
        (sensitivity SENS)
        (sensitivityorder (SENS))
        (sensitivitycategory SENS (CAT))
        (allow TYPE self (CLASS (PERM)))
        (roletype ROLE TYPE)
        (userrole USER ROLE)
        (userlevel USER (SENS))
        (userrange USER ((SENS)(SENS (CAT))))
        (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
        (typetransition TYPE2 TYPE CLASS "some_file" TYPE2)
        (typetransition TYPE3 TYPE CLASS "some_file" TYPE3)

    The two typetransition statements make policydb_filetrans_insert()
    insert an item with key {ttype=1, tclass=1, name="some_file"} in the
    hashmap p->filename_trans. This item contains a linked list of two
    filename_trans_datum_t elements:

    * The first one uses {otype=2, stypes=bitmap containing 2}
    * The second one uses {otype=3, stypes=bitmap containing 3}

    Nevertheless filenametr_destroy() (called by
    hashtab_map(p->filename_trans, filenametr_destroy, NULL);) only frees
    the first element. Fix this memory leak by freeing all elements.
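The leak pattern that the filename_trans commit above describes, as an added example that is not libsepol's code: a toy stand-in for the per-key list of filename_trans_datum_t entries, with the head-only destroy beside the fixed loop that walks the whole list. The names ft_datum, filenametr_destroy_head_only, filenametr_destroy_all, build_sample_list and count_freed are invented for this example, and the source-type set is a single uint32_t instead of an ebitmap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for filename_trans_datum_t (hypothetical layout):
 * the result type plus the set of source types, chained per hash key. */
struct ft_datum {
    uint32_t otype;           /* type the transition produces */
    uint32_t stypes;          /* toy bitmap: bit n set => source type n */
    struct ft_datum *next;    /* next datum sharing the same key */
};

/* Count of entries released, so destroy behaviour is observable. */
static int freed_entries;

static void ft_datum_free(struct ft_datum *d)
{
    freed_entries++;
    free(d);
}

/* Shape of the bug: only the list head is released; every later
 * element (here the {otype=3} entry) leaks. */
void filenametr_destroy_head_only(struct ft_datum *list)
{
    ft_datum_free(list);
}

/* Fixed shape: save next before freeing, then walk to the end. */
void filenametr_destroy_all(struct ft_datum *list)
{
    while (list != NULL) {
        struct ft_datum *next = list->next;
        ft_datum_free(list);
        list = next;
    }
}

/* Build the two-element list the minimized policy produces:
 * {otype=2, stypes={2}} -> {otype=3, stypes={3}}. Constructed input. */
struct ft_datum *build_sample_list(void)
{
    struct ft_datum *first = calloc(1, sizeof(*first));
    struct ft_datum *second = calloc(1, sizeof(*second));
    if (first == NULL || second == NULL) {
        free(first);
        free(second);
        return NULL;
    }
    first->otype = 2;
    first->stypes = 1u << 2;
    first->next = second;
    second->otype = 3;
    second->stypes = 1u << 3;
    return first;
}

/* Run a destroy routine on a fresh sample list and report how many
 * entries it released (2 for the fixed routine, 1 for the buggy one,
 * which then leaves the second entry unreachable). */
int count_freed(void (*destroy)(struct ft_datum *))
{
    struct ft_datum *list = build_sample_list();
    if (list == NULL)
        return -1;
    freed_entries = 0;
    destroy(list);
    return freed_entries;
}

int main(void)
{
    printf("fixed destroy released %d entries\n",
           count_freed(filenametr_destroy_all));
    /* Running count_freed(filenametr_destroy_head_only) instead releases
     * one entry and leaks the other, which is what LeakSanitizer flags. */
    return 0;
}
```

The same walk applies to any hashtab_map() destroy callback whose value owns a chain: the callback is invoked once per key, so it must release every element behind that key, not just the one the key points at.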
    This issue was introduced by commit 42ae834a7428 ("libsepol,checkpolicy:
    optimize storage of filename transitions") and was never present in the
    kernel, as filenametr_destroy() was modified appropriately in commit
    https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c3a276111ea2572399281988b3129683e2a6b60b

    Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29138
    Signed-off-by: Nicolas Iooss
    Acked-by: Ondrej Mosnacek

commit bdf4e332b41f
Author: Nicolas Iooss
Date:   Wed Jan 6 09:13:19 2021 +0100

    libsepol/cil: fix NULL pointer dereference when parsing an improper integer

    OSS-Fuzz found a NULL pointer dereference when the CIL compiler tries to
    compile a policy with an invalid integer:

        $ echo '(ioportcon(2())n)' > tmp.cil
        $ secilc tmp.cil
        Segmentation fault (core dumped)

    This is because strtol() is called with a NULL pointer, in
    cil_fill_integer(). Fix this by checking that int_node->data is not
    NULL.

    While at it, use strtoul() instead of strtol() to parse an unsigned
    integer. When using "val > UINT32_MAX" with "unsigned long val;", it is
    expected that some compilers emit a warning when the size of "unsigned
    long" is 32 bits. In theory gcc could be such a compiler (with warning
    -Wtype-limits, which is included in -Wextra). Nevertheless this is
    currently broken, according to
    https://gcc.gnu.org/pipermail/gcc-help/2021-January/139755.html and
    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89126 (this bug was opened
    in January 2019). In order to prevent this warning from appearing,
    introduce some preprocessor macros around the bound check.
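The three points of the cil_fill_integer() commit above (reject a NULL token, parse with strtoul(), and bound-check against UINT32_MAX behind a preprocessor guard so that 32-bit builds do not get a -Wtype-limits warning) in one self-contained parser, as an added example that is not libsepol's code. parse_u32 and the PARSE_* codes are invented here; the guard uses ULONG_MAX from <limits.h> rather than whatever macro the real fix chose.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PARSE_OK   0
#define PARSE_ERR -1

/* Parse all of tok (decimal, 0x-hex or 0-octal, as strtoul base 0 does)
 * into a uint32_t. Returns PARSE_OK, or PARSE_ERR for NULL/empty input,
 * trailing garbage, a leading sign or space, or a value above UINT32_MAX. */
int parse_u32(const char *tok, uint32_t *out)
{
    unsigned long val;
    char *end = NULL;

    /* The NULL-dereference fix: an empty list element yields no token. */
    if (tok == NULL || *tok == '\0')
        return PARSE_ERR;

    /* strtoul() silently skips leading whitespace and wraps "-1" to a
     * huge value; neither is a valid unsigned integer literal here. */
    if (isspace((unsigned char)tok[0]) || tok[0] == '-' || tok[0] == '+')
        return PARSE_ERR;

    errno = 0;
    val = strtoul(tok, &end, 0);
    if (errno == ERANGE || end == tok || *end != '\0')
        return PARSE_ERR;

#if ULONG_MAX > UINT32_MAX
    /* Only meaningful where unsigned long is wider than 32 bits; on 32-bit
     * targets strtoul() already reports ERANGE, and compiling this compare
     * there would warn that it is always false. */
    if (val > UINT32_MAX)
        return PARSE_ERR;
#endif

    *out = (uint32_t)val;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed inputs covering the accepted and rejected shapes. */
    const char *samples[] = { "42", "0x1f", "4294967295", "4294967296",
                              "12abc", "-1", "", NULL };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t v = 0;
        int rc = parse_u32(samples[i], &v);
        printf("%-12s -> %s %u\n", samples[i] ? samples[i] : "(null)",
               rc == PARSE_OK ? "ok " : "err", v);
    }
    return 0;
}
```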
    Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28456
    Signed-off-by: Nicolas Iooss
    Acked-by: James Carter

commit b7ea65f547c6
Author: Nicolas Iooss
Date:   Wed Dec 30 11:07:46 2020 +0100

    libsepol/cil: destroy perm_datums when __cil_resolve_perms fails

    When __cil_resolve_perms fails, it does not destroy perm_datums, which
    leads to a memory leak reported by OSS-Fuzz with the following CIL
    policy:

        (class cl01())
        (classorder(cl01))
        (type at02)
        (type tpr3)
        (allow at02 tpr3(cl01((s))))

    Calling cil_list_destroy() fixes the issue.

    Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28466
    Signed-off-by: Nicolas Iooss

commit 228c06d97a8a
Author: Nicolas Iooss
Date:   Wed Dec 30 11:07:45 2020 +0100

    libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit

    OSS-Fuzz found a heap buffer overflow (out-of-bound reads) when the CIL
    compiler tries to report a recursive blockinherit with an optional
    block:

        $ echo '(block b (optional o (blockinherit b)))' > tmp.cil
        $ secilc tmp.cil
        Segmentation fault (core dumped)

    This is because cil_print_recursive_blockinherit() assumes that all
    nodes are either CIL_BLOCK or CIL_BLOCKINHERIT. Add support for other
    block kinds, using cil_node_to_string() to show them.

    Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28462
    Signed-off-by: Nicolas Iooss

commit a25d9104efa8
Author: Nicolas Iooss
Date:   Wed Dec 30 11:07:43 2020 +0100

    libsepol/cil: constify some strings

    Function cil_add_file() copies its input into a newly-allocated buffer,
    and does not modify "name". State these properties in the types of
    parameters by adding "const" qualifiers.
    This enables using LibFuzzer directly on cil_add_file(), without a
    warning about discarding "const" qualifier:

        fuzz-secilc.c: In function ‘LLVMFuzzerTestOneInput’:
        fuzz-secilc.c:57:31: warning: passing argument 3 of ‘cil_add_file’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
           57 |     if (cil_add_file(db, "fuzz", data, size) != SEPOL_OK)
              |                                  ^~~~
        In file included from fuzz-secilc.c:26:
        /usr/include/sepol/cil/cil.h:45:57: note: expected ‘char *’ but argument is of type ‘const uint8_t *’ {aka ‘const unsigned char *’}
           45 | extern int cil_add_file(cil_db_t *db, char *name, char *data, size_t size);
              |                                                   ~~~~~~^~~~

    Signed-off-by: Nicolas Iooss

commit e2d018423d59
Author: Nicolas Iooss
Date:   Wed Dec 30 21:11:41 2020 +0100

    libsepol/cil: propagate failure of cil_fill_list()

    OSS-Fuzz found a Null-dereference READ in the CIL compiler when trying
    to compile the following policy:

        (optional o (validatetrans x (eq t3 (a ()))))

    With some logs, secilc reports:

        Invalid syntax
        Destroying Parse Tree
        Resolving AST
        Failed to resolve validatetrans statement at fuzz:1
        Disabling optional 'o' at tmp.cil:1

    So there is an "Invalid syntax" error, but the compilation continues.
    Fix this issue by stopping the compilation when cil_fill_list() reports
    an error:

        Invalid syntax
        Bad expression tree for constraint
        Bad validatetrans declaration at tmp.cil:1

    Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29061
    Signed-off-by: Nicolas Iooss

commit 6c8fca10452e
Author: Nicolas Iooss
Date:   Wed Dec 30 21:11:40 2020 +0100

    libsepol/cil: do not add a stack variable to a list

    OSS-Fuzz found a heap use-after-free when the CIL compiler destroys its
    database after failing to compile the following policy:

        (validatetrans x (eq t3 (a)))

    This is caused by the fact that the validatetrans AST object references
    a stack variable local to __cil_fill_constraint_leaf_expr, when parsing
    the list "(a)":

        struct cil_list *sub_list;
        cil_fill_list(current->next->next->cl_head, leaf_expr_flavor, &sub_list);
        cil_list_append(*leaf_expr, CIL_LIST, &sub_list);

    Drop the & sign to really add the list like it is supposed to be.

    Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28507
    Signed-off-by: Nicolas Iooss

commit 38a09b74024b
Author: Nicolas Iooss
Date:   Wed Dec 30 21:11:39 2020 +0100

    libsepol/cil: fix NULL pointer dereference when using an unused alias

    OSS-Fuzz found a NULL pointer dereference when the CIL compiler tries to
    compile a policy where a categoryalias references an unused
    categoryalias:

        $ echo '(categoryalias c0)(categoryalias c1)(categoryaliasactual c0 c1)' > tmp.cil
        $ secil tmp.cil
        Segmentation fault (core dumped)

    In such a case, a1 can become NULL in cil_resolve_alias_to_actual(). Add
    a check to report an error when this occurs. Now the error message is:

        Alias c0 references an unused alias c1 at tmp.cil:1

    Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28471
    Signed-off-by: Nicolas Iooss

commit 3c3572854252
Author: Nicolas Iooss
Date:   Wed Dec 30 21:11:38 2020 +0100

    libsepol/cil: remove useless print statement

    cil_copy_expandtypeattribute prints "cil_copy_expandtypeattribute 656"
    which is quite annoying.
    Remove the fprintf statement responsible for this. While at it, remove
    another one in cil_tree_print_node()

    Fixes: https://lore.kernel.org/selinux/3c2ab876-b0b7-42eb-573d-e5b450a7125a@gmail.com/T/#u
    Signed-off-by: Nicolas Iooss

commit 5b05e829da08
Author: Petr Lautrbach
Date:   Fri Dec 18 13:54:31 2020 +0100

    Revert "libsemanage/genhomedircon: check usepasswd"

    This reverts commit ce46daab7cc90a6b9cd3bff9f99cf40ff19c3d9a.

    The behavior described in the reverted commit is correct. `useradd -Z`
    creates a new mapping between the newly created user and *unconfined_u*;
    `genhomedircon` then uses this new mapping, not /etc/passwd entries, for
    generating new homedir contexts.

    Signed-off-by: Petr Lautrbach

commit edae9275f68f
Author: Jakub Hrozek
Date:   Thu Dec 17 15:59:49 2020 +0100

    libsemanage: Free contents of modkey in semanage_direct_remove

    semanage_direct_remove allocates struct semanage_module_key_t on stack,
    then calls semanage_module_key_set_name which allocates modkey->name on
    heap, but modkey->name wasn't free()-d anywhere, creating a small leak.

    Signed-off-by: Jakub Hrozek

commit af3e6789f0ab
Author: Nicolas Iooss
Date:   Sun Dec 6 23:22:32 2020 +0100

    GitHub Actions: drop Ruby 2.4 from matrix

    When migrating to Ubuntu 20.04, Ruby 2.4 is no longer available, and
    this migration is coming soon, according to
    https://github.com/actions/virtual-environments/issues/1816.
    Signed-off-by: Nicolas Iooss

commit e8d50389abc8
Author: Nicolas Iooss
Date:   Sun Dec 6 23:20:08 2020 +0100

    GitHub Actions: upgrade to Python 3.9

    Signed-off-by: Nicolas Iooss

commit 90809674c13c
Author: Evgeny Vereshchagin
Date:   Sun Dec 6 23:29:22 2020 +0100

    libsepol/cil: always destroy the lexer state

    It was found in https://github.com/google/oss-fuzz/pull/4790:
    ```
    Invalid token '' at line 2 of fuzz
    NEW_FUNC[1/2]: 0x67fff0 in yy_get_previous_state /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1143
    NEW_FUNC[2/2]: 0x6803e0 in yy_try_NUL_trans /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1176
    =================================================================
    ==12==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000007992 at pc 0x000000681800 bp 0x7ffccddee530 sp 0x7ffccddee528
    WRITE of size 1 at 0x602000007992 thread T0
    SCARINESS: 41 (1-byte-write-heap-use-after-free)
        #0 0x6817ff in cil_yy_switch_to_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17
        #1 0x6820cc in cil_yy_scan_buffer /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1571:2
        #2 0x682662 in cil_lexer_setup /src/selinux/libsepol/src/../cil/src/cil_lexer.l:73:6
        #3 0x5cf2ae in cil_parser /src/selinux/libsepol/src/../cil/src/cil_parser.c:220:2
        #4 0x56d5e2 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:514:7
        #5 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7
        #6 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
        #7 0x45a755 in fuzzer::Fuzzer::TryDetectingAMemoryLeak(unsigned char const*, unsigned long, bool) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:675:3
        #8 0x45acd9 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:747:5
        #9 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5
        #10 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6
        #11 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #12 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
        #13 0x41e758 in _start (/out/secilc-fuzzer+0x41e758)

    DEDUP_TOKEN: cil_yy_switch_to_buffer--cil_yy_scan_buffer--cil_lexer_setup
    0x602000007992 is located 2 bytes inside of 4-byte region [0x602000007990,0x602000007994)
    freed by thread T0 here:
        #0 0x521ef2 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
        #1 0x56d630 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:526:2
        #2 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7
        #3 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
        #4 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3
        #5 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19
        #6 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5
        #7 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6
        #8 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #9 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

    DEDUP_TOKEN: free--cil_add_file--LLVMFuzzerTestOneInput
    previously allocated by thread T0 here:
        #0 0x52215d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
        #1 0x5cecb8 in cil_malloc /src/selinux/libsepol/src/../cil/src/cil_mem.c:39:14
        #2 0x56d584 in cil_add_file /src/selinux/libsepol/src/../cil/src/cil.c:510:11
        #3 0x556e91 in LLVMFuzzerTestOneInput /src/secilc-fuzzer.c:434:7
        #4 0x459ab1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
        #5 0x458fba in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3
        #6 0x45acc7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19
        #7 0x45b875 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5
        #8 0x4499fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6
        #9 0x473a32 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #10 0x7f982296d83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

    DEDUP_TOKEN: malloc--cil_malloc--cil_add_file
    SUMMARY: AddressSanitizer: heap-use-after-free /src/selinux/libsepol/src/../cil/src/cil_lexer.c:1315:17 in cil_yy_switch_to_buffer
    Shadow bytes around the buggy address:
      0x0c047fff8ee0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
      0x0c047fff8ef0: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
      0x0c047fff8f00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
      0x0c047fff8f10: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
      0x0c047fff8f20: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
    =>0x0c047fff8f30: fa fa[fd]fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8f40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
      0x0c047fff8f50: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
      0x0c047fff8f60: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fa
      0x0c047fff8f70: fa fa 00 00 fa fa 02 fa fa fa 02 fa fa fa 00 fa
      0x0c047fff8f80: fa fa 03 fa fa fa 00 fa fa fa 03 fa fa fa 00 fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==12==ABORTING
    ```

    Signed-off-by: Evgeny Vereshchagin
    Acked-by: Nicolas Iooss

commit ce64c473e30d
Author: Nicolas Iooss
Date:   Thu Dec 3 09:15:12 2020 +0100

    scripts/ci: add configuration for a Vagrant virtual machine

    Using Vagrant makes reproducing and debugging CI issues easier: after
    "vagrant up", a test virtual machine is up and running, and ready to run
    "fedora-test-runner.sh".

    In order to make using this VM even easier, a helper script,
    "run-selinux-test.sh" is created inside and instructions on how to use
    it are documented at the beginning of Vagrantfile.

    Signed-off-by: Nicolas Iooss

commit f5f63035fab4
Author: Hu Keping
Date:   Fri Nov 27 09:52:21 2020 +0100

    Simplify the tarball generating scripts

    Since the format of git archive is inferred from the output file, it's
    safe to remove the pipe for gzip.

    Signed-off-by: Hu Keping

commit f63ac245f7ad
Author: Hu Keping
Date:   Fri Nov 27 09:52:20 2020 +0100

    Use X.Y instead of date for release tag

    As per discussed at github issue[1] and mailing list[2], we consider a
    version format of X.Y starting at 3.2.

    [1]: https://github.com/SELinuxProject/selinux/issues/270
    [2]: https://lore.kernel.org/selinux/87d004wan2.fsf@redhat.com/T/#u

    Signed-off-by: Hu Keping

commit 0c51cddaa3ba
Author: Hu Keping
Date:   Fri Nov 27 09:52:19 2020 +0100

    Introduce VERSION file for selinux

    Init it to 3.1 as the same with the other 14 VERSION files in this
    project.

    Signed-off-by: Hu Keping

commit d16a1e4647a5
Author: James Carter
Date:   Mon Nov 16 17:07:02 2020 -0500

    libsepol/cil: Use the macro FLAVOR() whenever possible

    In cil_symtab.h, the macro FLAVOR() is defined.
    It refers to the flavor of the first node in the list of nodes that
    declare the datum. (The flavors of every node should be the same.)

    While the macro was used in many places, it was not used everywhere
    that it could be.

    Change all the remaining places to use FLAVOR().

    Signed-off-by: James Carter

commit 2aac859a9542
Author: James Carter
Date:   Mon Nov 16 17:07:01 2020 -0500

    libsepol/cil: Use the macro NODE() whenever possible

    In cil_symtab.h, the macro NODE() is defined. It refers to the first
    node in the list of nodes that declare that datum. (It is rare for a
    datum to have more than one node in this list.)

    While the macro was used in many places, it was not used everywhere
    that it could be.

    Change all the remaining places to use NODE().

    Signed-off-by: James Carter

commit d317b4707b90
Author: James Carter
Date:   Mon Nov 16 17:07:00 2020 -0500

    libsepol/cil: Remove unnecessary assignment in cil_resolve_name_keep_aliases()

    Block, macro, and optional names are all stored in a block symtab. A
    declaration's fully-qualified name includes all of the block names from
    the root node to the declaration separated by dots. Macro and optional
    names are only used when trying to determine the block referred to by
    an "in" block.

    An optional block name might be stored in a macro's symtab, but optional
    blocks have no symtab and (*datum)->symtab just refers to the symtab of
    the datum which would be the current symtab.

    Since the assignment is not needed, remove it so the code is clearer.

    Signed-off-by: James Carter

commit 9b9761cfaa09
Author: James Carter
Date:   Mon Nov 16 17:06:59 2020 -0500

    libsepol/cil: Remove unused field from struct cil_args_resolve

    When resolving names, the struct cil_args_resolve is passed to the
    various resolve functions. The field last_resolved_name is not used.

    Remove the last_resolved_name field from struct cil_args_resolve.
    Signed-off-by: James Carter

commit e257d4c74860
Author: James Carter
Date:   Mon Nov 16 17:06:58 2020 -0500

    libsepol/cil: Get rid of unnecessary check in cil_gen_node()

    Since cil_gen_node() is only called from declarations, the check to
    determine if the node is a declaration is not needed, so remove it.

    Signed-off-by: James Carter

commit ebba2b00f03f
Author: James Carter
Date:   Mon Nov 16 17:06:57 2020 -0500

    libsepol/cil: cil_tree_walk() helpers should use CIL_TREE_SKIP_*

    The function cil_tree_walk() has an argument that can be used by the
    process_node helper function to tell cil_tree_walk() to skip the node's
    sub-tree or the rest of the current branch. The constants
    CIL_TREE_SKIP_NOTHING, CIL_TREE_SKIP_NEXT and CIL_TREE_SKIP_HEAD are
    defined to be used by that argument.

    Fixed two instances in the function __cil_build_ast_node_helper() where
    the value 1 is used instead of the more informative CIL_TREE_SKIP_NEXT.

    Signed-off-by: James Carter

commit fe985a8c84ff
Author: Ondrej Mosnacek
Date:   Fri Nov 27 09:56:04 2020 +0100

    travis: run only selinux-testsuite

    Now that the standard testing is run on GitHub Actions, we can remove it
    from .travis.yml, leaving only the selinux-testsuite sanity check, which
    can't be migrated.

    Hopefully this will save some precious minutes from the limited "plan"
    Travis gave us...

    Signed-off-by: Ondrej Mosnacek

commit 7844cd212fbc
Author: Nicolas Iooss
Date:   Tue Nov 24 08:50:22 2020 +0100

    Add configuration to build and run tests in GitHub Actions

    Copy the tests that are currently run on Travis CI, in order to no
    longer depend on Travis CI.
    For more context: Travis-CI is changing its offer, as documented in
    https://docs.travis-ci.com/user/migrate/open-source-repository-migration
    and SELinuxProject moved to https://travis-ci.com
    https://lore.kernel.org/selinux/CAFqZXNspH6MmB-o0wtJJwj-p0DKKrH-ZjfW2YkF_yQS_gCBwqQ@mail.gmail.com/T/#t

    Unfortunately the credits for opensource projects are quite limited, and
    require interaction with Travis CI support (which was quite unresponsive
    when I contacted them for other opensource projects I am maintaining).

    Create a configuration for Github Actions that duplicates most Travis CI
    checks.

    * macOS check has not yet been converted, but GitHub Actions support
      this platform so this can be done in another patch (and in another
      configuration in .github/workflows ?).
    * KVM support is not available on GitHub Actions so running SELinux
      testsuite in a Fedora VM is not possible. This is a known issue
      (https://github.com/actions/virtual-environments/issues/183) and
      other projects seem to face the same issue (for example
      https://github.com/opencontainers/runc/issues/2670).

    This configuration has been tested on
    https://github.com/fishilico/selinux/actions/runs/380579153

    Signed-off-by: Nicolas Iooss
    Signed-off-by: Ondrej Mosnacek

commit fadcc8396c41
Author: Bernhard M. Wiedemann
Date:   Fri Oct 30 22:53:09 2020 +0100

    python/sepolicy: allow to override manpage date

    in order to make builds reproducible.
    See https://reproducible-builds.org/ for why this is good
    and https://reproducible-builds.org/specs/source-date-epoch/
    for the definition of this variable.

    This patch was done while working on reproducible builds for openSUSE.

    Signed-off-by: Bernhard M. Wiedemann

commit 89dab4675dc7
Author: Nicolas Iooss
Date:   Thu Nov 12 21:24:06 2020 +0100

    libsepol: free memory when realloc() fails

    In get_class_info(), if realloc(class_buf, new_class_buf_len) fails to
    grow the memory, the function returns NULL without freeing class_buf.
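The realloc() failure path that the get_class_info() commit above describes, as an added example that is not libsepol's code: a growable buffer whose leaky growth step assigns the realloc() result straight back to the only pointer, beside the fixed step that keeps the old block in a temporary, frees it on failure and tracks sizes in size_t. The names growbuf, grow_leaky, grow_safe, growbuf_append and limited_realloc are invented here; the allocator is injected so the failure path can be driven deterministically instead of waiting for real memory pressure.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*realloc_fn)(void *, size_t);

struct growbuf {
    char *data;
    size_t len;           /* bytes used, excluding the terminating NUL */
    size_t cap;           /* bytes allocated */
    realloc_fn xrealloc;  /* normally realloc; swappable for testing */
};

static size_t next_capacity(size_t cap, size_t need)
{
    size_t newcap = cap ? cap * 2 : 64;
    while (newcap < need)
        newcap *= 2;
    return newcap;
}

/* Leaky shape from the commit: if xrealloc() returns NULL the old block
 * is still allocated but no pointer to it survives. */
int grow_leaky(struct growbuf *b, size_t need)
{
    size_t newcap = next_capacity(b->cap, need);
    b->data = b->xrealloc(b->data, newcap);   /* old pointer overwritten */
    if (b->data == NULL)
        return -1;
    b->cap = newcap;
    return 0;
}

/* Fixed shape: realloc into a temporary, release the original on failure. */
int grow_safe(struct growbuf *b, size_t need)
{
    size_t newcap = next_capacity(b->cap, need);
    char *tmp = b->xrealloc(b->data, newcap);
    if (tmp == NULL) {
        free(b->data);        /* the original block is still ours to free */
        b->data = NULL;
        b->len = b->cap = 0;
        return -1;
    }
    b->data = tmp;
    b->cap = newcap;
    return 0;
}

/* Append a NUL-terminated string, growing with grow_safe(). */
int growbuf_append(struct growbuf *b, const char *s)
{
    size_t n = strlen(s);
    if (b->len + n + 1 > b->cap && grow_safe(b, b->len + n + 1) != 0)
        return -1;
    memcpy(b->data + b->len, s, n + 1);
    b->len += n;
    return 0;
}

/* Constructed allocator that refuses any request above a threshold. */
static size_t fail_above = (size_t)-1;
void *limited_realloc(void *p, size_t n)
{
    if (n > fail_above)
        return NULL;
    return realloc(p, n);
}

/* Drive the failure path: returns 1 when the failed growth leaves no
 * dangling block behind (data reset to NULL, cap reset to 0). */
int demo_no_leak_on_failure(void)
{
    struct growbuf b = { NULL, 0, 0, limited_realloc };
    int rc, ok;
    fail_above = (size_t)-1;
    if (growbuf_append(&b, "class_info:") != 0)   /* first block: 64 bytes */
        return 0;
    fail_above = 64;                              /* growth to 128 must fail */
    rc = growbuf_append(&b, "this string is long enough to force a second "
                            "allocation of the buffer");
    ok = (rc == -1 && b.data == NULL && b.cap == 0 && b.len == 0);
    free(b.data);                                 /* no-op after the reset */
    return ok;
}

int main(void)
{
    printf("no leak on failed realloc: %s\n",
           demo_no_leak_on_failure() ? "yes" : "no");
    return 0;
}
```

Under AddressSanitizer or clang's static analyzer, swapping grow_safe() for grow_leaky() in growbuf_append() reproduces the "memory leak" finding the commit cites, since the 64-byte block is unreachable once the failed call returns.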
    This leads to a memory leak which is reported by clang's static
    analyzer:
    https://580-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-11-11-194150-6152-1/report-42a899.html#EndPath

    Fix the memory leak by calling free(class_buf). While at it, use size_t
    instead of int to store the size of the buffer which is growing.

    Signed-off-by: Nicolas Iooss

commit e08162081298
Author: Ondrej Mosnacek
Date:   Thu Nov 12 10:15:19 2020 +0100

    ci: add new dependencies needed by selinux-testsuite

    The testsuite now runs filesystem tests also on other filesystems than
    just the default ext4. [1] That means a few more userspace utilities are
    needed to format these filesystems. [2]

    [1] https://github.com/SELinuxProject/selinux-testsuite/commit/071ec9c5e5f0442aae0b14f455ea6e6b34ada1e0
    [2] https://github.com/SELinuxProject/selinux-testsuite/commit/d4e507f78a1784334611421cdfa3683a8214b22d

    Signed-off-by: Ondrej Mosnacek

commit c064d214834b
Author: Ondrej Mosnacek
Date:   Wed Nov 11 17:23:40 2020 +0100

    selinux_config(5): add a note that runtime disable is deprecated

    ...and refer to selinux(8), which explains it further.

    Signed-off-by: Ondrej Mosnacek

commit 45b15c2216d0
Author: Ondrej Mosnacek
Date:   Wed Nov 11 17:23:39 2020 +0100

    selinux(8): explain that runtime disable is deprecated

    Update the main SELinux manpage to explain that runtime disable (i.e.
    disabling SELinux using SELINUX=Disabled) is deprecated and recommend
    disabling SELinux only via the kernel boot parameter.

    Signed-off-by: Ondrej Mosnacek

commit 3c16aaefbfbd
Author: Ondrej Mosnacek
Date:   Wed Nov 11 17:23:38 2020 +0100

    selinux(8): mark up SELINUX values

    Mark up the possible values of SELINUX (disabled, permissive, enforcing)
    for better readability.

    Signed-off-by: Ondrej Mosnacek

commit 3de445af0bcb
Author: Ondrej Mosnacek
Date:   Mon Nov 2 10:43:10 2020 +0100

    ci: bump Fedora image version to 33

    The testsuite will soon be switching to testing multiple filesystems,
    which exposes a bug in F32 image's kernel.
    Since Fedora 33 has been released recently and the testsuite runs just
    fine on it, just bump the image version to avoid the bug.

    This commit also fixes the script to read out the Fedora image version
    from environment variables instead of using hard-coded values.

    Signed-off-by: Ondrej Mosnacek

commit ce46daab7cc9
Author: Vit Mojzis
Date:   Fri Oct 30 17:42:17 2020 +0100

    libsemanage/genhomedircon: check usepasswd

    Only add user homedir contexts when usepasswd = True

    Resolves:
        # grep usepasswd /etc/selinux/semanage.conf
        usepasswd=False
        # useradd -Z unconfined_u -d /tmp test
        # matchpathcon /tmp
        /tmp    unconfined_u:object_r:user_home_dir_t:s0

    Signed-off-by: Vit Mojzis

commit c2a58cc52574
Author: Björn Bidar
Date:   Mon Oct 12 19:07:22 2020 +0300

    libselinux: LABEL_BACKEND_ANDROID add option to enable

    Add option to just enable the android label backend without disabling
    anything else eg. using ANDROID_HOST.
    Enable by default when using ANDROID_HOST.

    Signed-off-by: Björn Bidar

commit 4dd74ded5b70
Author: Ondrej Mosnacek
Date:   Fri Oct 30 20:56:54 2020 +0100

    ci: use parallel build

    Pass -j$(nproc) to all make invocations to make the CI run a little
    faster.

    Signed-off-by: Ondrej Mosnacek
    Acked-by: William Roberts

commit 2d353bd5850a
Author: James Carter
Date:   Tue Oct 20 09:28:56 2020 -0400

    libsepol/cil: Give error for more than one true or false block

    Both tunableif and booleanif use conditional blocks (either true or
    false). No ordering is imposed, so a false block can be first (or even
    the only) block. Checks are made to ensure that the first and second (if
    it exists) blocks are either true or false, but no checks are made to
    ensure that there is only one true and/or one false block. If there are
    more than one true or false block, only the first will be used and the
    other will be ignored.
    Create a function, cil_verify_conditional_blocks(), that gives an error
    along with a message if more than one true or false block is specified
    and call that function when building tunableif and booleanif blocks in
    the AST.

    Signed-off-by: James Carter
    Acked-by: Ondrej Mosnacek

commit db0f2f382e31
Author: Björn Bidar
Date:   Mon Oct 12 17:46:16 2020 +0300

    libselinux: Add build option to disable X11 backend

    Signed-off-by: Björn Bidar

commit 6ebb35d261ea
Author: Petr Lautrbach
Date:   Fri Oct 9 15:00:52 2020 +0200

    libsemanage: Bump libsemanage.so version

    Previous commits removed some symbols and broke ABI, therefore we need
    to change SONAME. See the following quotes from distribution guidelines:

    https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries

        Every time the shared library ABI changes in a way that may break
        binaries linked against older versions of the shared library, the
        SONAME of the library and the corresponding name for the binary
        package containing the runtime shared library should change.

    https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning

        When new versions of the library are released, you should use an ABI
        comparison tool to check for ABI differences in the built shared
        libraries. If it detects any incompatibilities, bump the n number by
        one.

    Signed-off-by: Petr Lautrbach

commit c08b73d7183e
Author: Petr Lautrbach
Date:   Fri Oct 9 15:00:51 2020 +0200

    libsemanage: Drop deprecated functions

    semanage_module_enable() and semanage_module_disable() were deprecated
    by commit 9fbc6d14418f ("libsemanage: add back original module
    enable/disable functions for ABI compatability") in 2014 in order to
    preserve ABI compatibility. As the libsemanage ABI is changed by the
    previous commit, it makes sense to drop them completely.
    Signed-off-by: Petr Lautrbach

commit b46406de8a93
Author: Petr Lautrbach
Date:   Fri Oct 9 15:00:50 2020 +0200

    libsemanage: Remove legacy and duplicate symbols

    Versioned duplicate symbols cause problems for LTO. These symbols were
    introduced during the CIL integration several releases ago and were only
    consumed by other SELinux userspace components.

    Related: https://github.com/SELinuxProject/selinux/issues/245

    Signed-off-by: Petr Lautrbach

commit 4a142ac46a11
Author: Petr Lautrbach
Date:   Fri Oct 9 15:00:49 2020 +0200

    libsepol: Bump libsepol.so version

    Previous commits removed some symbols and broke ABI, therefore we need
    to change SONAME. See the following quotes from distribution guidelines:

    https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries

        Every time the shared library ABI changes in a way that may break
        binaries linked against older versions of the shared library, the
        SONAME of the library and the corresponding name for the binary
        package containing the runtime shared library should change.

    https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning

        When new versions of the library are released, you should use an ABI
        comparison tool to check for ABI differences in the built shared
        libraries. If it detects any incompatibilities, bump the n number by
        one.

    Signed-off-by: Petr Lautrbach

commit 506c7b95b802
Author: Petr Lautrbach
Date:   Fri Oct 9 15:00:48 2020 +0200

    libsepol: Drop deprecated functions

    These functions were converted to no-op by commit c3f9492d7ff0
    ("selinux: Remove legacy local boolean and user code") and left in
    libsepol/src/deprecated_functions.c to preserve API/ABI. As we change
    libsepol ABI dropping duplicate symbols it's time to drop these
    functions too.

    Signed-off-by: Petr Lautrbach

commit ae58e84b4fd8
Author: Petr Lautrbach
Date:   Fri Oct 9 15:00:47 2020 +0200

    libsepol: Get rid of the old and duplicated symbols

    Versioned duplicate symbols cause problems for LTO.
    These symbols were introduced during the CIL integration several
    releases ago and were only consumed by other SELinux userspace
    components.

    Fixes: https://github.com/SELinuxProject/selinux/issues/245

    Signed-off-by: Petr Lautrbach

commit c97d63c6b40c
Author: Nicolas Iooss
Date:   Sat Oct 3 15:56:58 2020 +0200

    libsepol: silence potential NULL pointer dereference warning

    When find_avtab_node() is called with key->specified & AVTAB_XPERMS and
    xperms=NULL, xperms is being dereferenced. This is detected as a "NULL
    pointer dereference issue" by static analyzers.

    Even though it does not make much sense to call find_avtab_node() in a
    way which triggers the NULL pointer dereference issue, static analyzers
    have a hard time with calls such as:

        node = find_avtab_node(handle, avtab, &avkey, cond, NULL);

    ... where xperms=NULL. So, make the function report an error instead of
    crashing.

    Here is an example of report from clang's static analyzer:
    https://558-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-10-02-065849-6375-1/report-d86a57.html#EndPath

    Signed-off-by: Nicolas Iooss

commit 64387cb37379
Author: Nicolas Iooss
Date:   Sat Oct 3 15:34:19 2020 +0200

    libsepol: drop confusing BUG_ON macro

    Contrary to Linux kernel, BUG_ON() does not halt the execution, in
    libsepol/src/services.c. Instead it displays an error message and
    continues the execution. This means that this code does not prevent an
    out-of-bound write from happening:

        case CEXPR_AND:
            BUG_ON(sp < 1);
            sp--;
            s[sp] &= s[sp + 1];

    Use if(...){BUG();rc=-EINVAL;goto out;} constructions instead, to make
    sure that the array access is always in-bound.
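The stack-underflow check that the BUG_ON commit above calls for, carried through a small postfix evaluator of the kind services.c uses for constraint expressions, as an added example that is not libsepol's code. Every operator verifies the stack depth before it touches s[sp] or s[sp + 1] and returns -EINVAL instead of continuing past a report, which is the whole difference from a BUG_ON() that only prints. The opcode names, cexpr_eval and the sample expressions are invented for this example; the real evaluator has more operators and a different stack representation.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical opcodes for a postfix boolean expression. */
enum op { OP_PUSH_TRUE, OP_PUSH_FALSE, OP_NOT, OP_AND, OP_OR };

#define CEXPR_MAXDEPTH 8

/* Report-but-continue helper in the style the commit describes: it only
 * prints, so every caller must also return or jump out explicitly. */
#define BUG() fprintf(stderr, "BUG at %s:%d\n", __FILE__, __LINE__)

/* Evaluate ops[0..n). Returns 1 or 0 for a well-formed expression and
 * -EINVAL for a malformed one, which would otherwise index outside s[]. */
int cexpr_eval(const enum op *ops, size_t n)
{
    int s[CEXPR_MAXDEPTH];
    int sp = -1;                    /* index of the top of stack */

    for (size_t i = 0; i < n; i++) {
        switch (ops[i]) {
        case OP_PUSH_TRUE:
        case OP_PUSH_FALSE:
            if (sp >= CEXPR_MAXDEPTH - 1) { BUG(); return -EINVAL; } /* overflow */
            s[++sp] = (ops[i] == OP_PUSH_TRUE);
            break;
        case OP_NOT:
            if (sp < 0) { BUG(); return -EINVAL; }   /* needs one operand */
            s[sp] = !s[sp];
            break;
        case OP_AND:
            if (sp < 1) { BUG(); return -EINVAL; }   /* needs two operands */
            sp--;
            s[sp] &= s[sp + 1];
            break;
        case OP_OR:
            if (sp < 1) { BUG(); return -EINVAL; }
            sp--;
            s[sp] |= s[sp + 1];
            break;
        default:
            BUG();
            return -EINVAL;
        }
    }
    if (sp != 0) { BUG(); return -EINVAL; }     /* leftover or missing operands */
    return s[0];
}

/* Constructed sample expressions, postfix order. */
const enum op expr_or[]            = { OP_PUSH_TRUE, OP_PUSH_FALSE, OP_OR };
const enum op expr_and[]           = { OP_PUSH_TRUE, OP_PUSH_FALSE, OP_AND };
const enum op expr_not_and[]       = { OP_PUSH_TRUE, OP_NOT, OP_PUSH_TRUE, OP_AND };
const enum op expr_and_underflow[] = { OP_PUSH_TRUE, OP_AND };
const enum op expr_not_empty[]     = { OP_NOT };
const enum op expr_leftover[]      = { OP_PUSH_TRUE, OP_PUSH_TRUE };

int main(void)
{
    printf("true|false  = %d\n", cexpr_eval(expr_or, 3));
    printf("true&false  = %d\n", cexpr_eval(expr_and, 3));
    printf("underflow   = %d (expect %d)\n",
           cexpr_eval(expr_and_underflow, 2), -EINVAL);
    return 0;
}
```

With the original BUG_ON() the underflow case would print the message and then execute s[-1] &= s[0], which is exactly the out-of-bound write the commit removes; here the same input yields -EINVAL and no array access.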
This issue has been found using clang's static analyzer: https://558-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-10-02-065849-6375-1/report-50a861.html#EndPath Signed-off-by: Nicolas Iooss commit 521e6a2f478a Author: Nicolas Iooss Date: Sat Oct 3 15:19:08 2020 +0200 libsepol/cil: fix signed overflow caused by using (1 << 31) - 1 When compiling SELinux userspace tools with -ftrapv (this option generates traps for signed overflow on addition, subtraction, multiplication operations, instead of silently wrapping around), semodule crashes when running the tests from scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine: [root@localhost selinux-testsuite]# make test make -C policy load make[1]: Entering directory '/root/selinux-testsuite/policy' # Test for "expand-check = 0" in /etc/selinux/semanage.conf # General policy build make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy' Compiling targeted test_policy module Creating targeted test_policy.pp policy package rm tmp/test_policy.mod.fc make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy' # General policy load domain_fd_use --> off /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil make[1]: *** [Makefile:174: load] Aborted (core dumped) Using "coredumpctl gdb" leads to the following strack trace: (gdb) bt #0 0x00007f608fe4fa25 in raise () from /lib64/libc.so.6 #1 0x00007f608fe38895 in abort () from /lib64/libc.so.6 #2 0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1 #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) at ../cil/src/cil_binary.c:1551 #4 0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18) at ../cil/src/cil_binary.c:1596 #5 0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30, args=0x239a640) at 
../cil/src/cil_binary.c:1649 #6 0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>, args=0x239a640) at hashtab.c:234 #7 0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640) at ../cil/src/cil_binary.c:4969 #8 0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329 #9 0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30) at ../cil/src/cil.c:631 #10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1 #11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1 #12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753 (gdb) f 3 #3 0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0) at ../cil/src/cil_binary.c:1551 1551 xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low); A signed integer overflow therefore occurs in XPERM_SETBITS(h): #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1) This macro is expanded with h=31, so "(1 << 31) - 1" is computed: * (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value * (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and results in 0x7fffffff (which is unsigned) Using unsigned integers (with "1U") fixes the crash, as (1U << 31) = 0x80000000U has no overflowing issues. Signed-off-by: Nicolas Iooss Acked-by: Petr Lautrbach commit d23342a9de2c Author: Nicolas Iooss Date: Sun Oct 4 16:03:39 2020 +0200 libselinux: convert matchpathcon to selabel_lookup() Function matchpathcon() is deprecated in favor of selabel_lookup() but program "matchpathcon" is much easier to use than "selabel_loopkup" to find the file context which would be applied to some files and directories. 
More precisely: matchpathcon /path/to/my/file is easier to type and remember than: selabel_lookup -b file -k /path/to/my/file It also allows performing multiple context searches in one command, where selabel_lookup cannot use multiple -k options. Migrate matchpathcon to the preferred API. Signed-off-by: Nicolas Iooss Acked-by: Petr Lautrbach commit e8bcdb84dc09 Author: Dominick Grift Date: Tue Sep 8 10:53:29 2020 +0200 cil_network_labeling_statements: fixes nodecon examples The order of the subnet and netmask is wrong and also the value of netmask is wrong for single address subnet Use an ipaddr reserved for documentation: https://tools.ietf.org/html/rfc5737 Add ipv6 example: https://tools.ietf.org/html/rfc3849 Signed-off-by: Dominick Grift commit eefa5511ddfa Author: Dominick Grift Date: Sat Sep 12 15:14:11 2020 +0200 cil_access_vector_rules: allowx, auditallowx and dontauditx fixes allowx requires a equivalent "allow ioctl" rule to be present auditallowx requires a equivalent "auditallow" ioctl rule to be present dontauditx requires atleast one equivalent "allowx" rule to be present (can be a random irrelevant ioctlcmd) Signed-off-by: Dominick Grift commit a152653b9a43 Author: James Carter Date: Tue Sep 15 14:48:06 2020 -0400 libsepol/cil: Fix neverallow checking involving classmaps When classmaps used in a neverallow were being expanded during CIL neverallow checking, an empty classmapping in the list of classmappings for a classmap would cause the classmap expansion to stop and the rest of the classmapping of the classmap to be ignored. This would mean that not all of the classes and permissions associated with the classmap would be used to check for a neverallow violation. Do not end the expansion of a classmap when one classmapping is empty. 
Reported-by: Jonathan Hettwer Signed-off-by: James Carter Acked-by: Stephen Smalley commit 7ef5b1854f75 Author: Chris PeBenito Date: Tue Sep 15 13:33:32 2020 -0400 libselinux: Change userspace AVC setenforce and policy load messages to audit format. Signed-off-by: Chris PeBenito Acked-by: Stephen Smalley commit f5d644c7e633 Author: Chris PeBenito Date: Tue Sep 15 13:33:31 2020 -0400 libselinux: Add additional log callback details in man page for auditing. Add additional information about the log callback message types. Indicate which types could be audited and the relevant audit record types for them. Signed-off-by: Chris PeBenito Acked-by: Stephen Smalley commit 075f9cfe7a01 Author: Chris PeBenito Date: Fri Sep 11 15:56:14 2020 -0400 libselinux: Fix selabel_lookup() for the root dir. 9e4480b921bb ("Remove trailing slash on selabel_file lookups.") introduced a bug which turns the root directory lookup "/" into an empty string. Signed-off-by: Chris PeBenito Acked-by: Stephen Smalley commit 734e4beb55cb Author: James Carter Date: Wed Sep 9 16:57:02 2020 -0400 libsepol/cil: Validate conditional expressions before adding to binary policy CIL was not correctly determining the depth of conditional expressions which prevented it from giving an error when the max depth was exceeded. This allowed invalid policy binaries to be created. Validate the conditional expression using the same logic that is used when evaluating a conditional expression. This includes checking the depth of the expression. Signed-off-by: James Carter Acked-by: Stephen Smalley commit 685f577aa01e Author: James Carter Date: Wed Sep 9 16:57:12 2020 -0400 libsepol/cil: Validate constraint expressions before adding to binary policy CIL was not correctly determining the depth of constraint expressions which prevented it from giving an error when the max depth was exceeded. This allowed invalid policy binaries with constraint expressions exceeding the max depth to be created. 
Validate the constraint expression using the same logic that is used when reading the binary policy. This includes checking the depth of the the expression. Reported-by: Jonathan Hettwer Signed-off-by: James Carter Acked-by: Stephen Smalley commit 8bc865e1fe8f Author: Dominick Grift Date: Tue Sep 1 18:16:41 2020 +0200 newrole: support cross-compilation with PAM and audit Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation. Signed-off-by: Dominick Grift Acked-by: Stephen Smalley commit a4149e0eab50 Author: Chris PeBenito Date: Thu Aug 27 08:58:39 2020 -0400 libselinux: Add new log callback levels for enforcing and policy load notices. This will enable userspace object managers to send proper audits for policy loads and setenforce messages generated by the userspace AVC code. Signed-off-by: Chris PeBenito Acked-by: Stephen Smalley commit a63f93d83b57 Author: Christian Göttsche Date: Tue Aug 25 17:32:05 2020 +0200 libselinux: initialize last_policyload in selinux_status_open() If not initialized to the current policyload count, an enforcing change will trigger policyload-callbacks in selinux_status_updated(). Signed-off-by: Christian Göttsche Acked-by: Stephen Smalley commit ef902db9c842 Author: Christian Göttsche Date: Tue Aug 25 17:32:04 2020 +0200 libselinux: safely access shared memory in selinux_status_updated() Access the shared nenory safe in regard to consistent view of the SELinux kernel status page - not in regard to thread-safety. Signed-off-by: Christian Göttsche Acked-by: Stephen Smalley commit 9e4480b921bb Author: Chris PeBenito Date: Mon Aug 24 09:44:16 2020 -0400 libselinux: Remove trailing slash on selabel_file lookups. Having a trailing slash on a file lookup, e.g. 
"/some/path/", can cause a different result, for example, when file contexts are written to have the directory have a different label than the contents. This is inconsistent with normal Linux behaviors where trailing slashes are ignored. Many callers already strip the trailing slash before the lookup or users revise the file contexts to work around this. This fixes it comprehensively. v2: fix length issues Signed-off-by: Chris PeBenito Acked-by: Stephen Smalley commit 21fb5f20da22 Author: Christian Göttsche Date: Thu Aug 20 17:15:51 2020 +0200 libselinux: use full argument specifiers for security_check_context in man page The argument for security_check_context(_raw) is defined as `const char *`. Say so in the man page. Signed-off-by: Christian Göttsche Acked-by: Stephen Smalley commit 2a60de8eca6b Author: Christian Göttsche Date: Wed Aug 19 17:05:34 2020 +0200 sepolgen: sort extended rules like normal ones Currently: #============= sshd_t ============== #!!!! This avc is allowed in the current policy #!!!! This av rule may have been overridden by an extended permission av rule allow sshd_t ptmx_t:chr_file ioctl; #!!!! This avc is allowed in the current policy #!!!! This av rule may have been overridden by an extended permission av rule allow sshd_t sshd_devpts_t:chr_file ioctl; #!!!! This avc is allowed in the current policy #!!!! This av rule may have been overridden by an extended permission av rule allow sshd_t user_devpts_t:chr_file ioctl; #============= user_t ============== #!!!! This avc is allowed in the current policy #!!!! This av rule may have been overridden by an extended permission av rule allow user_t devtty_t:chr_file ioctl; #!!!! This avc is allowed in the current policy #!!!! 
This av rule may have been overridden by an extended permission av rule allow user_t user_devpts_t:chr_file ioctl; allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 }; allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401; allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e }; allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 }; allowxperm user_t devtty_t:chr_file ioctl 0x4b33; Changed: #============= sshd_t ============== #!!!! This avc is allowed in the current policy #!!!! This av rule may have been overridden by an extended permission av rule allow sshd_t ptmx_t:chr_file ioctl; allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 }; #!!!! This avc is allowed in the current policy #!!!! This av rule may have been overridden by an extended permission av rule allow sshd_t sshd_devpts_t:chr_file ioctl; allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401; #!!!! This avc is allowed in the current policy #!!!! This av rule may have been overridden by an extended permission av rule allow sshd_t user_devpts_t:chr_file ioctl; allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e }; #============= user_t ============== #!!!! This avc is allowed in the current policy #!!!! This av rule may have been overridden by an extended permission av rule allow user_t devtty_t:chr_file ioctl; allowxperm user_t devtty_t:chr_file ioctl 0x4b33; #!!!! This avc is allowed in the current policy #!!!! 
This av rule may have been overridden by an extended permission av rule allow user_t user_devpts_t:chr_file ioctl; allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 }; Signed-off-by: Christian Göttsche Acked-by: Stephen Smalley commit 9e239e55692b Author: Christian Göttsche Date: Wed Aug 19 17:05:33 2020 +0200 sepolgen: print extended permissions in hexadecimal All tools like ausearch(8) or sesearch(1) and online documentation[1] use hexadecimal values for extended permissions. Hence use them, e.g. for audit2allow output, as well. [1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h Signed-off-by: Christian Göttsche Acked-by: Stephen Smalley commit e7abd802d4d8 Author: Stephen Smalley Date: Thu Aug 6 10:46:38 2020 -0400 libselinux: fix build order We need to install the include files before we try to build the source. Otherwise, make DESTDIR=~/obj install can fail if there are older headers under /usr/include. Signed-off-by: Stephen Smalley commit ba2d6c10635a Author: bauen1 Date: Thu Aug 6 16:48:36 2020 +0200 fixfiles: correctly restore context of mountpoints By bind mounting every filesystem we want to relabel we can access all files without anything hidden due to active mounts. This comes at the cost of user experience, because setfiles only displays the percentage if no path is given or the path is / Signed-off-by: Jonathan Hettwer Acked-by: Stephen Smalley commit 9e9b8103400b Author: Dominick Grift Date: Wed Aug 5 21:48:23 2020 +0200 secilc/docs: document expandtypeattribute This was added for Androids Treble in 2017. Signed-off-by: Dominick Grift Acked-by: James Carter commit 071264c6c4ef Author: William Roberts Date: Tue Aug 11 09:42:20 2020 -0500 ci: fix stall on git log -1 git log -1 may use a pager to output long messages, and when the pager is invoked, leads to stalls on the ci system waiting for user input. 
Use --oneline to print the short part of the commit message and the digest. This information is for debug/informational purposes only, so truncating the output is sufficient. Reported-by: Stephen Smalley Signed-off-by: William Roberts commit 05bdc03130d7 Author: Mike Palmiotto Date: Wed Aug 5 15:43:12 2020 -0400 libselinux: use kernel status page by default Commit bc2a8f418e3b ("libselinux: add selinux_status_* interfaces for /selinux/status") introduced the sestatus mechanism, which allows for mmap()'ing of the kernel status page as a replacement for avc_netlink. The mechanism was initially intended for userspace object managers that were calculating access decisions within their application and did not rely on the libselinux AVC implementation. In order to properly make use of sestatus within avc_has_perm(), the status mechanism needs to properly set avc internals during status events; else, avc_enforcing is never updated upon sestatus changes. This commit gets rid of the default avc_netlink_open() in avc_init_internal(), replacing it with selinux_status_open(). In the event that the kernel status page cannot be mapped, the netlink fallback will be used. By default, avc_has_perm_noaudit() and selinux_check_access() will now attempt to read the kernel status page, which removes a system call from two critical code paths. Since the AVC thread create/stop callbacks were intended to avoid a system call in the critical code path, they no longer need to be created by default. In the event that the kernel status page is successfully mapped, threads will not be created. Threads will still be created/stopped for the sestatus fallback codepaths. Userspace object managers that still need a netlink socket can call avc_netlink_acquire_fd() to open and/or obtain one. Update the manpage to reflect the new avc_netlink_acquire_fd() functionality. 
Signed-off-by: Mike Palmiotto Acked-by: Stephen Smalley commit 91cc86d44ea9 Author: William Roberts Date: Mon Aug 3 10:14:28 2020 -0500 scripts/ci: license as MIT License the ci scripts with a permissive, OSI approved license, such as MIT. Signed-off-by: William Roberts [omosnace: removed the dummy copyright header from LICENSE] Signed-off-by: Ondrej Mosnacek commit 8206b8cb0039 Author: Ondrej Mosnacek Date: Fri Jul 31 13:10:35 2020 +0200 libsepol: implement POLICYDB_VERSION_COMP_FTRANS Implement a new, more space-efficient form of storing filename transitions in the binary policy. The internal structures have already been converted to this new representation; this patch just implements reading/writing an equivalent representation from/to the binary policy. This new format reduces the size of Fedora policy from 7.6 MB to only 3.3 MB (with policy optimization enabled in both cases). With the unconfined module disabled, the size is reduced from 3.3 MB to 2.4 MB. Signed-off-by: Ondrej Mosnacek commit 42ae834a7428 Author: Ondrej Mosnacek Date: Fri Jul 31 13:10:34 2020 +0200 libsepol,checkpolicy: optimize storage of filename transitions In preparation to support a new policy format with a more optimal representation of filename transition rules, this patch applies an equivalent change from kernel commit c3a276111ea2 ("selinux: optimize storage of filename transitions"). See the kernel commit's description [1] for the rationale behind this representation. This change doesn't bring any measurable difference of policy build performance (semodule -B) on Fedora. 
[1] https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?id=c3a276111ea2572399281988b3129683e2a6b60b Signed-off-by: Ondrej Mosnacek commit 9e2b8c61bfd2 Author: Laurent Bigonville Date: Thu Jul 16 14:22:13 2020 +0200 restorecond: Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file This completely inactivate the .desktop file incase the user session is managed by systemd as restorecond also provide a service file Signed-off-by: Laurent Bigonville commit ccd973f721c4 Author: W. Michael Petullo Date: Thu Jul 16 15:29:20 2020 -0500 python/audit2allow: add #include to sepolgen-ifgen-attr-helper.c I found that building on OpenWrt/musl failed with: sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ... Musl is less "generous" than glibc in recursively including header files, and I suspect this is the reason for this error. Explicitly including limits.h fixes the problem. Signed-off-by: W. Michael Petullo commit fbe1e526dc01 Author: bauen1 Date: Thu Jul 9 10:36:36 2020 +0200 Update the cil docs to match the current behaviour. Some features where dropped or change since the docs were last updated. Signed-off-by: Jonathan Hettwer Acked-by: James Carter
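An added example, not code from the commits above or from libsepol, that carries the XPERM_SETBITS analysis of commit 521e6a2f478a through in C: the signed macro as quoted beside its 1U replacement, plus an assumed helper xperm_range_mask() of my own that reproduces the low=30, high=30 call from the backtrace, where h becomes 31.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Macro as quoted in the commit, before the fix. The literal 1 is a signed
 * int, so with x == 31 the shift leaves the range of int (undefined
 * behaviour by the C standard; GCC in practice yields INT_MIN) and the
 * following "- 1" is the signed overflow that -ftrapv aborts on. Kept here
 * only for comparison; nothing below evaluates it with x == 31.
 */
#define XPERM_SETBITS_SIGNED(x) ((1 << ((x) & 0x1f)) - 1)

/* Fixed macro: with 1U the whole expression is unsigned and wraps by definition. */
#define XPERM_SETBITS(x) ((1U << ((x) & 0x1f)) - 1)

/* Bits below position x, via the fixed macro. */
uint32_t xperm_setbits(unsigned x)
{
	return XPERM_SETBITS(x);
}

/*
 * Mask with bits low..high set (inclusive, both within one 32-bit word),
 * computed the way the backtrace's __avrule_xperm_setrangebits() line does
 * it: bits below h = high + 1 minus bits below low. high == 30 is the
 * h == 31 case from the report. high == 31 would make (h & 0x1f) wrap to 0,
 * so that whole-word case is handled explicitly. Assumed helper, not the
 * project's code.
 */
uint32_t xperm_range_mask(unsigned low, unsigned high)
{
	uint32_t upper;

	if (low > high || high > 31)
		return 0;
	upper = (high == 31) ? UINT32_MAX : XPERM_SETBITS(high + 1);
	return upper - XPERM_SETBITS(low);
}

int main(void)
{
	printf("XPERM_SETBITS(31)   = 0x%08x\n", (unsigned)xperm_setbits(31));
	printf("range 30..30 (h=31) = 0x%08x\n", (unsigned)xperm_range_mask(30, 30));
	printf("range 0..31         = 0x%08x\n", (unsigned)xperm_range_mask(0, 31));
	return 0;
}
```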
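An added example, not libsepol's code, of the pattern commit 64387cb37379 adopts in place of BUG_ON(): a bounded postfix evaluator in the style of the quoted CEXPR_AND case, where every stack index is checked before use and a malformed expression returns -EINVAL rather than reading or writing past the array. The names (cexpr_eval, cx_op, the CX_* kinds, the cexpr_demo_* samples) and the stack depth of 5 are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#define CEXPR_MAXDEPTH 5	/* small fixed evaluation stack (assumed value) */
enum { CX_VALUE, CX_NOT, CX_AND };
struct cx_op { int kind; int value; };	/* value only used by CX_VALUE (0/1) */

/*
 * Evaluate a postfix boolean expression on a bounded stack. Every stack
 * access is checked first, so a malformed expression yields -EINVAL instead
 * of an out-of-bound read or write. sp counts valid entries (top is
 * s[sp - 1]). Returns 0 and stores the 0/1 result in *result, or -EINVAL.
 */
int cexpr_eval(const struct cx_op *ops, size_t n, int *result)
{
	int s[CEXPR_MAXDEPTH], sp = 0;
	size_t i;
	for (i = 0; i < n; i++) {
		switch (ops[i].kind) {
		case CX_VALUE:
			if (sp >= CEXPR_MAXDEPTH)	/* push would write past s[] */
				return -EINVAL;
			s[sp++] = ops[i].value ? 1 : 0;
			break;
		case CX_NOT:
			if (sp < 1)
				return -EINVAL;
			s[sp - 1] = !s[sp - 1];
			break;
		case CX_AND:
			if (sp < 2)	/* the condition the quoted BUG_ON() only reported */
				return -EINVAL;
			sp--;
			s[sp - 1] &= s[sp];	/* both indexes are in bounds here */
			break;
		default:
			return -EINVAL;
		}
	}
	if (sp != 1)	/* operands left over or missing */
		return -EINVAL;
	*result = s[0];
	return 0;
}

/* Run an expression: 0/1 on success, negative errno value otherwise. */
static int cx_run(const struct cx_op *ops, size_t n)
{
	int result = 0, rc = cexpr_eval(ops, n, &result);
	return rc ? rc : result;
}
/* Constructed sample expressions, not from the project's test-suite. */
int cexpr_demo_valid(void)		/* 1 AND (NOT 0) -> 1 */
{
	const struct cx_op ops[] = { {CX_VALUE, 1}, {CX_VALUE, 0}, {CX_NOT, 0}, {CX_AND, 0} };
	return cx_run(ops, 4);
}

int cexpr_demo_underflow(void)		/* AND with one operand: stack underflow */
{
	const struct cx_op ops[] = { {CX_VALUE, 1}, {CX_AND, 0} };
	return cx_run(ops, 2);
}

int cexpr_demo_too_deep(void)		/* six pushes onto a five-entry stack */
{
	const struct cx_op ops[] = { {CX_VALUE, 1}, {CX_VALUE, 1}, {CX_VALUE, 1},
				     {CX_VALUE, 1}, {CX_VALUE, 1}, {CX_VALUE, 1} };
	return cx_run(ops, 6);
}
```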
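An added example, not libselinux's code, of the lookup-key normalisation described in commits 9e4480b921bb and 075f9cfe7a01: one trailing slash is dropped from the key, but "/" stays the root directory instead of collapsing to the empty string that the second commit fixed. The helper names are assumed.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Return a newly allocated copy of key with one trailing '/' removed, in
 * the spirit of the selabel_file lookup change, while keeping "/" intact.
 * Caller frees. Returns NULL on NULL input or allocation failure.
 * Assumed helper, not libselinux's own implementation.
 */
char *lookup_key_strip_slash(const char *key)
{
	size_t len;
	char *copy;

	if (!key)
		return NULL;
	len = strlen(key);
	/*
	 * Only strip when something remains before the slash. Without the
	 * len > 1 guard, "/" would become "" (the regression fixed in
	 * 075f9cfe7a01).
	 */
	if (len > 1 && key[len - 1] == '/')
		len--;
	copy = malloc(len + 1);
	if (!copy)
		return NULL;
	memcpy(copy, key, len);
	copy[len] = '\0';
	return copy;
}

/* Convenience check: does key normalise to expected? (1 = yes, 0 = no) */
int lookup_key_normalizes_to(const char *key, const char *expected)
{
	char *n = lookup_key_strip_slash(key);
	int same = n != NULL && strcmp(n, expected) == 0;

	free(n);
	return same;
}
```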