From 3a48e0a688602ae67d5cbc717fed683b398d177f Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Mar 21 2018 15:07:12 +0000 Subject: libsepol-2.7-6 - Prevent freeing unitialized value in ibendport handling - Add support for the SCTP portcon keyword - Export sepol_polcap_getnum/name functions --- diff --git a/libsepol-fedora.patch b/libsepol-fedora.patch index bb93f61..7603f3c 100644 --- a/libsepol-fedora.patch +++ b/libsepol-fedora.patch @@ -11,10 +11,18 @@ index 86117f2..f8cfc3b 100644 extern void cil_set_preserve_tunables(cil_db_t *db, int preserve_tunables); extern int cil_set_handle_unknown(cil_db_t *db, int handle_unknown); diff --git libsepol-2.7/cil/src/cil.c libsepol-2.7/cil/src/cil.c -index c02a41a..5a64c2b 100644 +index c02a41a..2a7ec06 100644 --- libsepol-2.7/cil/src/cil.c +++ libsepol-2.7/cil/src/cil.c -@@ -1691,6 +1691,11 @@ void cil_set_mls(struct cil_db *db, int mls) +@@ -109,6 +109,7 @@ static void cil_init_keys(void) + CIL_KEY_UDP = cil_strpool_add("udp"); + CIL_KEY_TCP = cil_strpool_add("tcp"); + CIL_KEY_DCCP = cil_strpool_add("dccp"); ++ CIL_KEY_SCTP = cil_strpool_add("sctp"); + CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow"); + CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif"); + CIL_KEY_ALLOW = cil_strpool_add("allow"); +@@ -1691,6 +1692,11 @@ void cil_set_mls(struct cil_db *db, int mls) db->mls = mls; } @@ -26,7 +34,7 @@ index c02a41a..5a64c2b 100644 void cil_set_target_platform(struct cil_db *db, int target_platform) { db->target_platform = target_platform; -@@ -2059,6 +2064,7 @@ void cil_typeattribute_init(struct cil_typeattribute **attr) +@@ -2059,6 +2065,7 @@ void cil_typeattribute_init(struct cil_typeattribute **attr) (*attr)->expr_list = NULL; (*attr)->types = NULL; (*attr)->used = CIL_FALSE; @@ -35,10 +43,20 @@ index c02a41a..5a64c2b 100644 void cil_typeattributeset_init(struct cil_typeattributeset **attrset) 
diff --git libsepol-2.7/cil/src/cil_binary.c libsepol-2.7/cil/src/cil_binary.c -index c0ca60f..431cd9c 100644 +index c0ca60f..0cc6eeb 100644 --- libsepol-2.7/cil/src/cil_binary.c +++ libsepol-2.7/cil/src/cil_binary.c -@@ -567,7 +567,7 @@ int cil_typeattribute_to_policydb(policydb_t *pdb, struct cil_typeattribute *cil +@@ -34,6 +34,9 @@ + #ifndef IPPROTO_DCCP + #define IPPROTO_DCCP 33 + #endif ++#ifndef IPPROTO_SCTP ++#define IPPROTO_SCTP 132 ++#endif + + #include + #include +@@ -567,7 +570,7 @@ int cil_typeattribute_to_policydb(policydb_t *pdb, struct cil_typeattribute *cil char *key = NULL; type_datum_t *sepol_attr = NULL; @@ -47,7 +65,7 @@ index c0ca60f..431cd9c 100644 return SEPOL_OK; } -@@ -632,7 +632,7 @@ int cil_typeattribute_to_bitmap(policydb_t *pdb, const struct cil_db *db, struct +@@ -632,7 +635,7 @@ int cil_typeattribute_to_bitmap(policydb_t *pdb, const struct cil_db *db, struct ebitmap_node_t *tnode; unsigned int i; @@ -56,7 +74,7 @@ index c0ca60f..431cd9c 100644 return SEPOL_OK; } -@@ -1442,7 +1442,7 @@ static int __cil_should_expand_attribute( const struct cil_db *db, struct cil_sy +@@ -1442,7 +1445,7 @@ static int __cil_should_expand_attribute( const struct cil_db *db, struct cil_sy attr = (struct cil_typeattribute *)datum; @@ -65,7 +83,7 @@ index c0ca60f..431cd9c 100644 } int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor) -@@ -2525,7 +2525,7 @@ int __cil_constrain_expr_datum_to_sepol_expr(policydb_t *pdb, const struct cil_d +@@ -2525,7 +2528,7 @@ int __cil_constrain_expr_datum_to_sepol_expr(policydb_t *pdb, const struct cil_d if (rc != SEPOL_OK) { if (FLAVOR(item->data) == CIL_TYPEATTRIBUTE) { struct cil_typeattribute *attr = item->data; 
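Review bot: The `#ifndef IPPROTO_SCTP` / `#define IPPROTO_SCTP 132` fallback added at the top of cil_binary.c is repeated verbatim in kernel_to_cil.c, kernel_to_common.c, kernel_to_conf.c, module_to_cil.c and ports.c later in this patch. It follows the per-file IPPROTO_DCCP fallback already there, so it is consistent, but six copies of the same protocol number are a maintenance hazard if the value or the guard ever has to change. A single shared definition in a private header, included by each of those files, would keep the fallback in one place. The value itself is right: 132 is the IANA-assigned protocol number for SCTP.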
@@ -74,8 +92,18 @@ index c0ca60f..431cd9c 100644 rc = 0; } } +@@ -3272,6 +3275,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons) + case CIL_PROTOCOL_DCCP: + new_ocon->u.port.protocol = IPPROTO_DCCP; + break; ++ case CIL_PROTOCOL_SCTP: ++ new_ocon->u.port.protocol = IPPROTO_SCTP; ++ break; + default: + /* should not get here */ + rc = SEPOL_ERR; diff --git libsepol-2.7/cil/src/cil_build_ast.c libsepol-2.7/cil/src/cil_build_ast.c -index 04492e5..e84336b 100644 +index 04492e5..b90b0f6 100644 --- libsepol-2.7/cil/src/cil_build_ast.c +++ libsepol-2.7/cil/src/cil_build_ast.c @@ -82,10 +82,33 @@ exit: @@ -147,11 +175,28 @@ index 04492e5..e84336b 100644 } } +@@ -4371,6 +4405,8 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru + portcon->proto = CIL_PROTOCOL_TCP; + } else if (proto == CIL_KEY_DCCP) { + portcon->proto = CIL_PROTOCOL_DCCP; ++ } else if (proto == CIL_KEY_SCTP) { ++ portcon->proto = CIL_PROTOCOL_SCTP; + } else { + cil_log(CIL_ERR, "Invalid protocol\n"); + rc = SEPOL_ERR; diff --git libsepol-2.7/cil/src/cil_internal.h libsepol-2.7/cil/src/cil_internal.h -index 6d6a7d9..8393e39 100644 +index 6d6a7d9..6ff3228 100644 --- libsepol-2.7/cil/src/cil_internal.h +++ libsepol-2.7/cil/src/cil_internal.h -@@ -316,6 +316,7 @@ struct cil_db { +@@ -103,6 +103,7 @@ char *CIL_KEY_STAR; + char *CIL_KEY_TCP; + char *CIL_KEY_UDP; + char *CIL_KEY_DCCP; ++char *CIL_KEY_SCTP; + char *CIL_KEY_AUDITALLOW; + char *CIL_KEY_TUNABLEIF; + char *CIL_KEY_ALLOW; +@@ -316,6 +317,7 @@ struct cil_db { int preserve_tunables; int handle_unknown; int mls; @@ -159,7 +204,7 @@ index 6d6a7d9..8393e39 100644 int target_platform; int policy_version; }; -@@ -530,6 +531,7 @@ struct cil_typeattribute { +@@ -530,6 +532,7 @@ struct cil_typeattribute { struct cil_list *expr_list; ebitmap_t *types; int used; // whether or not this attribute was used in a binary policy rule 
@@ -167,8 +212,18 @@ index 6d6a7d9..8393e39 100644 }; struct cil_typeattributeset { +@@ -738,7 +741,8 @@ struct cil_filecon { + enum cil_protocol { + CIL_PROTOCOL_UDP = 1, + CIL_PROTOCOL_TCP, +- CIL_PROTOCOL_DCCP ++ CIL_PROTOCOL_DCCP, ++ CIL_PROTOCOL_SCTP + }; + + struct cil_ibpkeycon { diff --git libsepol-2.7/cil/src/cil_policy.c libsepol-2.7/cil/src/cil_policy.c -index 729b6e0..99eb53c 100644 +index 729b6e0..5edab5e 100644 --- libsepol-2.7/cil/src/cil_policy.c +++ libsepol-2.7/cil/src/cil_policy.c @@ -775,7 +775,7 @@ static void cil_classes_to_policy(FILE *out, struct cil_list *classorder) @@ -189,6 +244,15 @@ index 729b6e0..99eb53c 100644 continue; if (ebitmap_get_bit(attribute->types, type->value)) { if (first) { +@@ -1757,6 +1757,8 @@ static void cil_portcons_to_policy(FILE *out, struct cil_sort *portcons, int mls + fprintf(out, "tcp "); + } else if (portcon->proto == CIL_PROTOCOL_DCCP) { + fprintf(out, "dccp "); ++ } else if (portcon->proto == CIL_PROTOCOL_SCTP) { ++ fprintf(out, "sctp "); + } + if (portcon->port_low == portcon->port_high) { + fprintf(out, "%d ", portcon->port_low); diff --git libsepol-2.7/cil/src/cil_post.c libsepol-2.7/cil/src/cil_post.c index ad073e8..a212245 100644 --- libsepol-2.7/cil/src/cil_post.c @@ -296,7 +360,7 @@ index b1396d2..97d4c4b 100644 pthread_mutex_unlock(&cil_strpool_mutex); } diff --git libsepol-2.7/cil/src/cil_tree.c libsepol-2.7/cil/src/cil_tree.c -index d36401b..b394a9d 100644 +index d36401b..2abbb96 100644 --- libsepol-2.7/cil/src/cil_tree.c +++ libsepol-2.7/cil/src/cil_tree.c @@ -503,15 +503,19 @@ exit: 
@@ -322,6 +386,15 @@ index d36401b..b394a9d 100644 cil_log(CIL_INFO, "%s)", expr_str); free(expr_str); } +@@ -1432,6 +1436,8 @@ void cil_tree_print_node(struct cil_tree_node *node) + cil_log(CIL_INFO, " tcp"); + } else if (portcon->proto == CIL_PROTOCOL_DCCP) { + cil_log(CIL_INFO, " dccp"); ++ } else if (portcon->proto == CIL_PROTOCOL_SCTP) { ++ cil_log(CIL_INFO, " sctp"); + } + cil_log(CIL_INFO, " (%d %d)", portcon->port_low, portcon->port_high); + diff --git libsepol-2.7/include/Makefile libsepol-2.7/include/Makefile index 56b7a11..1ad4eca 100644 --- libsepol-2.7/include/Makefile @@ -470,6 +543,18 @@ index 68b5ad4..8b9ddca 100644 /* FLASK */ +diff --git libsepol-2.7/include/sepol/port_record.h libsepol-2.7/include/sepol/port_record.h +index df04ea0..77149cf 100644 +--- libsepol-2.7/include/sepol/port_record.h ++++ libsepol-2.7/include/sepol/port_record.h +@@ -16,6 +16,7 @@ typedef struct sepol_port_key sepol_port_key_t; + #define SEPOL_PROTO_UDP 0 + #define SEPOL_PROTO_TCP 1 + #define SEPOL_PROTO_DCCP 2 ++#define SEPOL_PROTO_SCTP 3 + + /* Key */ + extern int sepol_port_compare(const sepol_port_t * port, diff --git libsepol-2.7/man/Makefile libsepol-2.7/man/Makefile index 1192433..9b75454 100644 --- libsepol-2.7/man/Makefile @@ -610,11 +695,50 @@ index ec49c15..f5407ab 100644 /* * Updated : Karl MacMillan +diff --git libsepol-2.7/src/ibendport_record.c libsepol-2.7/src/ibendport_record.c +index 912aeb5..bc56f09 100644 +--- libsepol-2.7/src/ibendport_record.c ++++ libsepol-2.7/src/ibendport_record.c +@@ -32,14 +32,11 @@ struct sepol_ibendport_key { + int sepol_ibendport_alloc_ibdev_name(sepol_handle_t *handle, + char **ibdev_name) + { +- char *tmp_ibdev_name = NULL; +- +- tmp_ibdev_name = calloc(1, IB_DEVICE_NAME_MAX); ++ *ibdev_name = calloc(1, IB_DEVICE_NAME_MAX); + +- if (!tmp_ibdev_name) ++ if (!*ibdev_name) + goto omem; + +- *ibdev_name = tmp_ibdev_name; + return STATUS_SUCCESS; + + omem: 
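Review bot: `#define SEPOL_PROTO_SCTP 3` in port_record.h is a public API value with no comment, and nothing in the header says how these ids relate to the kernel's IPPROTO_* numbers (SEPOL_PROTO_SCTP is 3 while IPPROTO_SCTP is 132; the translation lives in ports.c, patched later in this series). A one-line comment above the group, `/* libsepol protocol ids; mapped to/from IPPROTO_* in ports.c */`, would stop a caller from passing an IPPROTO_ value to this API. The new id is sequential with the existing UDP/TCP/DCCP ids, so the switch statements in port_record.c and ports.c that this patch also extends are the only places that need to know it.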
diff --git libsepol-2.7/src/kernel_to_cil.c libsepol-2.7/src/kernel_to_cil.c -index f1905a9..0055c23 100644 +index f1905a9..b1eb66d 100644 --- libsepol-2.7/src/kernel_to_cil.c +++ libsepol-2.7/src/kernel_to_cil.c -@@ -2788,7 +2788,7 @@ static int write_selinux_ibpkey_rules_to_cil(FILE *out, struct policydb *pdb) +@@ -12,6 +12,9 @@ + #ifndef IPPROTO_DCCP + #define IPPROTO_DCCP 33 + #endif ++#ifndef IPPROTO_SCTP ++#define IPPROTO_SCTP 132 ++#endif + + #include + #include +@@ -2631,6 +2634,7 @@ static int write_selinux_port_rules_to_cil(FILE *out, struct policydb *pdb) + case IPPROTO_TCP: protocol = "tcp"; break; + case IPPROTO_UDP: protocol = "udp"; break; + case IPPROTO_DCCP: protocol = "dccp"; break; ++ case IPPROTO_SCTP: protocol = "sctp"; break; + default: + sepol_log_err("Unknown portcon protocol: %i", portcon->u.port.protocol); + rc = -1; +@@ -2788,7 +2792,7 @@ static int write_selinux_ibpkey_rules_to_cil(FILE *out, struct policydb *pdb) { struct ocontext *ibpkeycon; char subnet_prefix_str[INET6_ADDRSTRLEN]; @@ -623,11 +747,43 @@ index f1905a9..0055c23 100644 uint16_t low; uint16_t high; char low_high_str[44]; /* 2^64 <= 20 digits so "(low high)" <= 44 chars */ +diff --git libsepol-2.7/src/kernel_to_common.c libsepol-2.7/src/kernel_to_common.c +index 01ffc8f..342bc3c 100644 +--- libsepol-2.7/src/kernel_to_common.c ++++ libsepol-2.7/src/kernel_to_common.c +@@ -10,6 +10,9 @@ + #ifndef IPPROTO_DCCP + #define IPPROTO_DCCP 33 + #endif ++#ifndef IPPROTO_SCTP ++#define IPPROTO_SCTP 132 ++#endif + + #include + #include 
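Review bot: In sepol_ibendport_alloc_ibdev_name the rewrite assigns `*ibdev_name = calloc(1, IB_DEVICE_NAME_MAX);` before the NULL check, so on allocation failure the out-parameter is now NULL instead of being left untouched; that is what makes the caller's free path safe, but the hunk does not state the contract anywhere. A comment on the function, `/* On failure *ibdev_name is set to NULL, so callers may free() it unconditionally. */`, would record why the temporary was dropped and keep a future refactor from reintroducing it. The `omem:` label and the function's return path lie outside the hunk, so whether the error is reported there cannot be checked from this view.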
diff --git libsepol-2.7/src/kernel_to_conf.c libsepol-2.7/src/kernel_to_conf.c -index a74873f..95aa92f 100644 +index a74873f..9540520 100644 --- libsepol-2.7/src/kernel_to_conf.c +++ libsepol-2.7/src/kernel_to_conf.c -@@ -2649,7 +2649,7 @@ static int write_selinux_ibpkey_rules_to_conf(FILE *out, struct policydb *pdb) +@@ -11,6 +11,9 @@ + #ifndef IPPROTO_DCCP + #define IPPROTO_DCCP 33 + #endif ++#ifndef IPPROTO_SCTP ++#define IPPROTO_SCTP 132 ++#endif + + #include + #include +@@ -2491,6 +2494,7 @@ static int write_selinux_port_rules_to_conf(FILE *out, struct policydb *pdb) + case IPPROTO_TCP: protocol = "tcp"; break; + case IPPROTO_UDP: protocol = "udp"; break; + case IPPROTO_DCCP: protocol = "dccp"; break; ++ case IPPROTO_SCTP: protocol = "sctp"; break; + default: + sepol_log_err("Unknown portcon protocol: %i", portcon->u.port.protocol); + rc = -1; +@@ -2649,7 +2653,7 @@ static int write_selinux_ibpkey_rules_to_conf(FILE *out, struct policydb *pdb) { struct ocontext *ibpkeycon; char subnet_prefix_str[INET6_ADDRSTRLEN]; @@ -637,10 +793,10 @@ index a74873f..95aa92f 100644 uint16_t high; char low_high_str[44]; /* 2^64 <= 20 digits so "low-high" <= 44 chars */ diff --git libsepol-2.7/src/libsepol.map.in libsepol-2.7/src/libsepol.map.in -index dd1fec2..2a9996f 100644 +index dd1fec2..d879016 100644 --- libsepol-2.7/src/libsepol.map.in +++ libsepol-2.7/src/libsepol.map.in -@@ -49,6 +49,7 @@ LIBSEPOL_1.1 { +@@ -49,10 +49,13 @@ LIBSEPOL_1.1 { cil_set_mls; cil_set_attrs_expand_generated; cil_set_attrs_expand_size; @@ -648,6 +804,12 @@ index dd1fec2..2a9996f 100644 cil_write_policy_conf; sepol_ppfile_to_module_package; sepol_module_package_to_cil; + sepol_module_policydb_to_cil; + sepol_kernel_policydb_to_cil; + sepol_kernel_policydb_to_conf; ++ sepol_polcap_getnum; ++ sepol_polcap_getname; + } LIBSEPOL_1.0; diff --git libsepol-2.7/src/libsepol.pc.in libsepol-2.7/src/libsepol.pc.in index e52f589..f807fec 100644 --- libsepol-2.7/src/libsepol.pc.in 
@@ -681,10 +843,28 @@ index 98da3d3..5ca3cd5 100644 * * Support for enhanced MLS infrastructure. diff --git libsepol-2.7/src/module_to_cil.c libsepol-2.7/src/module_to_cil.c -index 619a48f..15b58a7 100644 +index 619a48f..5b8ed19 100644 --- libsepol-2.7/src/module_to_cil.c +++ libsepol-2.7/src/module_to_cil.c -@@ -2687,7 +2687,7 @@ static int ocontext_selinux_ibpkey_to_cil(struct policydb *pdb, +@@ -30,6 +30,9 @@ + #ifndef IPPROTO_DCCP + #define IPPROTO_DCCP 33 + #endif ++#ifndef IPPROTO_SCTP ++#define IPPROTO_SCTP 132 ++#endif + #include + #include + #include +@@ -2656,6 +2659,7 @@ static int ocontext_selinux_port_to_cil(struct policydb *pdb, struct ocontext *p + case IPPROTO_TCP: protocol = "tcp"; break; + case IPPROTO_UDP: protocol = "udp"; break; + case IPPROTO_DCCP: protocol = "dccp"; break; ++ case IPPROTO_SCTP: protocol = "sctp"; break; + default: + log_err("Unknown portcon protocol: %i", portcon->u.port.protocol); + rc = -1; +@@ -2687,7 +2691,7 @@ static int ocontext_selinux_ibpkey_to_cil(struct policydb *pdb, int rc = -1; struct ocontext *ibpkeycon; char subnet_prefix_str[INET6_ADDRSTRLEN]; 
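Review bot: `sepol_polcap_getnum;` and `sepol_polcap_getname;` are added to the existing `LIBSEPOL_1.1` version node rather than a new node, so a consumer linked against this build references them as `@LIBSEPOL_1.1` and will fail to load against an upstream 2.7 libsepol.so.1 that defines that node without them. That matches how the other downstream additions in this node (cil_set_attrs_expand_size and neighbours, visible in the previous hunk) are handled, so it looks like a deliberate packaging choice, but a short comment in the map file marking the downstream-only entries would help whoever rebases this patch. The patch shows no public header change for these two functions; presumably they are already declared in an installed sepol header, which is worth confirming before relying on the export.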
@@ -713,6 +893,51 @@ index 691101e..c752123 100644 free(ctmp); } } +diff --git libsepol-2.7/src/port_record.c libsepol-2.7/src/port_record.c +index ed9093b..15fb198 100644 +--- libsepol-2.7/src/port_record.c ++++ libsepol-2.7/src/port_record.c +@@ -186,6 +186,8 @@ const char *sepol_port_get_proto_str(int proto) + return "tcp"; + case SEPOL_PROTO_DCCP: + return "dccp"; ++ case SEPOL_PROTO_SCTP: ++ return "sctp"; + default: + return "???"; + } +diff --git libsepol-2.7/src/ports.c libsepol-2.7/src/ports.c +index 62ec602..cc55863 100644 +--- libsepol-2.7/src/ports.c ++++ libsepol-2.7/src/ports.c +@@ -2,6 +2,9 @@ + #ifndef IPPROTO_DCCP + #define IPPROTO_DCCP 33 + #endif ++#ifndef IPPROTO_SCTP ++#define IPPROTO_SCTP 132 ++#endif + #include + + #include "debug.h" +@@ -21,6 +24,8 @@ static inline int sepol2ipproto(sepol_handle_t * handle, int proto) + return IPPROTO_UDP; + case SEPOL_PROTO_DCCP: + return IPPROTO_DCCP; ++ case SEPOL_PROTO_SCTP: ++ return IPPROTO_SCTP; + default: + ERR(handle, "unsupported protocol %u", proto); + return STATUS_ERR; +@@ -37,6 +42,8 @@ static inline int ipproto2sepol(sepol_handle_t * handle, int proto) + return SEPOL_PROTO_UDP; + case IPPROTO_DCCP: + return SEPOL_PROTO_DCCP; ++ case IPPROTO_SCTP: ++ return SEPOL_PROTO_SCTP; + default: + ERR(handle, "invalid protocol %u " "found in policy", proto); + return STATUS_ERR; diff --git libsepol-2.7/src/services.c libsepol-2.7/src/services.c index 10338a6..d40793e 100644 --- libsepol-2.7/src/services.c diff --git a/libsepol.spec b/libsepol.spec index 9fa673e..091843a 100644 --- a/libsepol.spec +++ b/libsepol.spec 
@@ -1,13 +1,13 @@ Summary: SELinux binary policy manipulation library Name: libsepol Version: 2.7 -Release: 5%{?dist} +Release: 6%{?dist} License: LGPLv2+ Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/libsepol-2.7.tar.gz # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.7 ./make-fedora-selinux-patch.sh libsepol -# HEAD https://github.com/fedora-selinux/selinux/commit/4e253a0231ca085df03b55c4c0490ad6a0e261eb +# HEAD https://github.com/fedora-selinux/selinux/commit/0a28664012ec7383cf5cbdef4ad2dbedf1f70707 Patch1: libsepol-fedora.patch URL: https://github.com/SELinuxProject/selinux/wiki BuildRequires: gcc @@ -97,6 +97,11 @@ exit 0 %{_libdir}/libsepol.so.1 %changelog +* Wed Mar 21 2018 Petr Lautrbach - 2.7-6 +- Prevent freeing unitialized value in ibendport handling +- Add support for the SCTP portcon keyword +- Export sepol_polcap_getnum/name functions + * Tue Mar 13 2018 Petr Lautrbach - 2.7-5 - cil: Create new keep field for type attribute sets - build: follow standard semantics for DESTDIR and PREFIX