| Message ID | 20170725161412.969-1-sds@tycho.nsa.gov (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
On Tue, Jul 25, 2017 at 12:14 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote: > Ensure that genheaders fails with an error if too many permissions > are defined in a class to fit within an access vector. This is similar > to a check performed by checkpolicy when compiling the policy. > > Also, fix the suffix on the permission constants generated by this program. > > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > scripts/selinux/genheaders/genheaders.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) Merged, thanks. > diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c > index 6a24569..672b069 100644 > --- a/scripts/selinux/genheaders/genheaders.c > +++ b/scripts/selinux/genheaders/genheaders.c > @@ -129,11 +129,16 @@ int main(int argc, char *argv[]) > for (i = 0; secclass_map[i].name; i++) { > struct security_class_mapping *map = &secclass_map[i]; > for (j = 0; map->perms[j]; j++) { > + if (j >= 32) { > + fprintf(stderr, "Too many permissions to fit into an access vector at (%s, %s).\n", > + map->name, map->perms[j]); > + exit(5); > + } > fprintf(fout, "#define %s__%s", map->name, > map->perms[j]); > for (k = 0; k < max(1, 40 - strlen(map->name) - strlen(map->perms[j])); k++) > fprintf(fout, " "); > - fprintf(fout, "0x%08xUL\n", (1<<j)); > + fprintf(fout, "0x%08xU\n", (1<<j)); > } > } > > -- > 2.9.4 >
diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c index 6a24569..672b069 100644 --- a/scripts/selinux/genheaders/genheaders.c +++ b/scripts/selinux/genheaders/genheaders.c @@ -129,11 +129,16 @@ int main(int argc, char *argv[]) for (i = 0; secclass_map[i].name; i++) { struct security_class_mapping *map = &secclass_map[i]; for (j = 0; map->perms[j]; j++) { + if (j >= 32) { + fprintf(stderr, "Too many permissions to fit into an access vector at (%s, %s).\n", + map->name, map->perms[j]); + exit(5); + } fprintf(fout, "#define %s__%s", map->name, map->perms[j]); for (k = 0; k < max(1, 40 - strlen(map->name) - strlen(map->perms[j])); k++) fprintf(fout, " "); - fprintf(fout, "0x%08xUL\n", (1<<j)); + fprintf(fout, "0x%08xU\n", (1<<j)); } }
Ensure that genheaders fails with an error if too many permissions are defined in a class to fit within an access vector. This is similar to a check performed by checkpolicy when compiling the policy. Also, fix the suffix on the permission constants generated by this program. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- scripts/selinux/genheaders/genheaders.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)