From patchwork Thu Oct 11 12:35:48 2018
X-Patchwork-Submitter: James Carter
X-Patchwork-Id: 10636613
From: James Carter
To: selinux@vger.kernel.org
Cc: selinux@tycho.nsa.gov
Date: Thu, 11 Oct 2018 08:35:48 -0400
Message-Id: <20181011123549.14875-4-jwcart2@tycho.nsa.gov>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20181011123549.14875-1-jwcart2@tycho.nsa.gov>
References: <20181011123549.14875-1-jwcart2@tycho.nsa.gov>
Subject: [PATCH 3/4] libsepol: Check that initial sid indexes are within the valid range

When writing CIL from a policy module or when writing CIL or policy.conf
from a kernel binary policy, check that the initial sid index is within
the valid range of the selinux_sid_to_str[] array (or xen_sid_to_str[]
array for a XEN policy). If it is not, then create a unique name
("UNKNOWN"+index) for the initial sid.

Signed-off-by: James Carter
---
 libsepol/src/kernel_to_cil.c    | 42 +++++++++++++++++++++++++--------
 libsepol/src/kernel_to_common.h |  4 ++++
 libsepol/src/kernel_to_conf.c   | 42 +++++++++++++++++++++++++--------
 libsepol/src/module_to_cil.c    | 25 ++++++++++++++------
 4 files changed, 86 insertions(+), 27 deletions(-)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index c2a733ee..d173144e 100644
--- a/libsepol/src/kernel_to_cil.c +++ b/libsepol/src/kernel_to_cil.c @@ -529,23 +529,31 @@ exit: return rc; } -static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct ocontext *isids) +static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, + unsigned num_sids, struct ocontext *isids) { struct ocontext *isid; struct strs *strs; char *sid; char *prev; + char unknown[17]; unsigned i; int rc; - rc = strs_init(&strs, SECINITSID_NUM+1); + rc = strs_init(&strs, num_sids+1); if (rc != 0) { goto exit; } for (isid = isids; isid != NULL; isid = isid->next) { i = isid->sid[0]; - rc = strs_add_at_index(strs, (char *)sid_to_str[i], i); + if (i < num_sids) { + sid = (char *)sid_to_str[i]; + } else { + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); + sid = strdup(unknown); + } + rc = strs_add_at_index(strs, sid, i); if (rc != 0) { goto exit; } @@ -577,6 +585,10 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct oc sepol_printf(out, "))\n"); exit: + for (i=num_sids; itarget_platform == SEPOL_TARGET_SELINUX) { - rc = write_sids_to_cil(out, selinux_sid_to_str, pdb->ocontexts[0]); + rc = write_sids_to_cil(out, selinux_sid_to_str, SELINUX_SID_SZ, + pdb->ocontexts[0]); } else if (pdb->target_platform == SEPOL_TARGET_XEN) { - rc = write_sids_to_cil(out, xen_sid_to_str, pdb->ocontexts[0]); + rc = write_sids_to_cil(out, xen_sid_to_str, XEN_SID_SZ, + pdb->ocontexts[0]); } else { sepol_log_err("Unknown target platform: %i", pdb->target_platform); rc = -1; @@ -2479,11 +2493,12 @@ exit: return ctx; } -static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str) +static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids) { struct ocontext *isid; struct strs *strs; - const char *sid; + char *sid; + char unknown[17]; char *ctx, *rule; unsigned i; int rc = -1; 
@@ -2495,7 +2510,13 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { i = isid->sid[0]; - sid = sid_to_str[i]; + if (i < num_sids) { + sid = (char *)sid_to_str[i]; + } else { + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); + sid = unknown; + } + ctx = context_to_str(pdb, &isid->context[0]); if (!ctx) { rc = -1; @@ -2531,7 +2552,8 @@ exit: static int write_selinux_isid_rules_to_cil(FILE *out, struct policydb *pdb) { - return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str); + return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str, + SELINUX_SID_SZ); } static int write_selinux_fsuse_rules_to_cil(FILE *out, struct policydb *pdb) @@ -2884,7 +2906,7 @@ exit: static int write_xen_isid_rules_to_cil(FILE *out, struct policydb *pdb) { - return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str); + return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str, XEN_SID_SZ); } static int write_xen_pirq_rules_to_cil(FILE *out, struct policydb *pdb) diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h index 7c5edbd6..dacfe97e 100644 --- a/libsepol/src/kernel_to_common.h +++ b/libsepol/src/kernel_to_common.h @@ -43,6 +43,8 @@ static const char * const selinux_sid_to_str[] = { "devnull", }; +#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0])) + static const char * const xen_sid_to_str[] = { "null", "xen", @@ -57,6 +59,8 @@ static const char * const xen_sid_to_str[] = { "device", }; +#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0])) + static const uint32_t avtab_flavors[] = { AVTAB_ALLOWED, AVTAB_AUDITALLOW, diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c index a98b5ca9..7e04a13b 100644 --- a/libsepol/src/kernel_to_conf.c +++ b/libsepol/src/kernel_to_conf.c 
@@ -428,22 +428,30 @@ static int write_class_decl_rules_to_conf(FILE *out, struct policydb *pdb) return 0; } -static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct ocontext *isids) +static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, + unsigned num_sids, struct ocontext *isids) { struct ocontext *isid; struct strs *strs; char *sid; + char unknown[17]; unsigned i; int rc; - rc = strs_init(&strs, SECINITSID_NUM+1); + rc = strs_init(&strs, num_sids+1); if (rc != 0) { goto exit; } for (isid = isids; isid != NULL; isid = isid->next) { i = isid->sid[0]; - rc = strs_add_at_index(strs, (char *)sid_to_str[i], i); + if (i < num_sids) { + sid = (char *)sid_to_str[i]; + } else { + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); + sid = strdup(unknown); + } + rc = strs_add_at_index(strs, sid, i); if (rc != 0) { goto exit; } @@ -458,6 +466,10 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct o } exit: + for (i=num_sids; itarget_platform == SEPOL_TARGET_SELINUX) { - rc = write_sids_to_conf(out, selinux_sid_to_str, pdb->ocontexts[0]); + rc = write_sids_to_conf(out, selinux_sid_to_str, SELINUX_SID_SZ, + pdb->ocontexts[0]); } else if (pdb->target_platform == SEPOL_TARGET_XEN) { - rc = write_sids_to_conf(out, xen_sid_to_str, pdb->ocontexts[0]); + rc = write_sids_to_conf(out, xen_sid_to_str, XEN_SID_SZ, + pdb->ocontexts[0]); } else { sepol_log_err("Unknown target platform: %i", pdb->target_platform); rc = -1; @@ -2339,11 +2353,12 @@ static char *context_to_str(struct policydb *pdb, struct context_struct *con) return ctx; } -static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str) +static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids) { struct ocontext *isid; struct strs *strs; - const char *sid; + char *sid; + char unknown[17]; char *ctx, *rule; unsigned i; int rc; 
@@ -2355,7 +2370,13 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) { i = isid->sid[0]; - sid = sid_to_str[i]; + if (i < num_sids) { + sid = (char *)sid_to_str[i]; + } else { + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); + sid = unknown; + } + ctx = context_to_str(pdb, &isid->context[0]); if (!ctx) { rc = -1; @@ -2391,7 +2412,8 @@ exit: static int write_selinux_isid_rules_to_conf(FILE *out, struct policydb *pdb) { - return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str); + return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str, + SELINUX_SID_SZ); } static int write_selinux_fsuse_rules_to_conf(FILE *out, struct policydb *pdb) @@ -2745,7 +2767,7 @@ exit: static int write_xen_isid_rules_to_conf(FILE *out, struct policydb *pdb) { - return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str); + return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str, XEN_SID_SZ); } diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 8ab0dfce..7fc29cbd 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c 
@@ -2548,23 +2548,33 @@ static int context_to_cil(struct policydb *pdb, struct context_struct *con) } static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string, - struct ocontext *isids) + unsigned num_sids, struct ocontext *isids) { int rc = -1; struct ocontext *isid; struct sid_item { - const char *sid_key; + char *sid_key; struct sid_item *next; }; struct sid_item *head = NULL; struct sid_item *item = NULL; + char *sid; + char unknown[17]; + unsigned i; for (isid = isids; isid != NULL; isid = isid->next) { - cil_println(0, "(sid %s)", sid_to_string[isid->sid[0]]); - cil_printf("(sidcontext %s ", sid_to_string[isid->sid[0]]); + i = isid->sid[0]; + if (i < num_sids) { + sid = (char*)sid_to_string[i]; + } else { + snprintf(unknown, 17, "%s%u", "UNKNOWN", i); + sid = unknown; + } + cil_println(0, "(sid %s)", sid); + cil_printf("(sidcontext %s ", sid); context_to_cil(pdb, &isid->context[0]); cil_printf(")\n"); @@ -2576,7 +2586,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_ rc = -1; goto exit; } - item->sid_key = sid_to_string[isid->sid[0]]; + item->sid_key = strdup(sid); item->next = head; head = item; } @@ -2595,6 +2605,7 @@ exit: while(head) { item = head; head = item->next; + free(item->sid_key); free(item); } return rc; @@ -2604,7 +2615,7 @@ static int ocontext_selinux_isid_to_cil(struct policydb *pdb, struct ocontext *i { int rc = -1; - rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, isids); + rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, SELINUX_SID_SZ, isids); if (rc != 0) { goto exit; } @@ -2833,7 +2844,7 @@ static int ocontext_xen_isid_to_cil(struct policydb *pdb, struct ocontext *isids { int rc = -1; - rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, isids); + rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, XEN_SID_SZ, isids); if (rc != 0) { goto exit; }
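Review bot: in the write_sids_to_cil() hunk (kernel_to_cil.c @@ -529) the buffer "char unknown[17]" is one byte short for the largest index: "UNKNOWN" is 7 characters and an unsigned can need 10 digits, so snprintf(unknown, 17, "%s%u", "UNKNOWN", i) truncates any ten-digit index, and two different out-of-range indexes can then collapse to the same name, which defeats the "unique name" the commit message promises. Size it 7 + 10 + 1 = 18 (or a round 32) and pass sizeof(unknown) instead of repeating the literal 17; the same buffer and literal recur in the kernel_to_conf.c and module_to_cil.c hunks. Two smaller points in the same hunk: strdup(unknown) is unchecked, so on allocation failure a NULL sid is handed to strs_add_at_index(); and when strs_add_at_index() itself fails, the freshly strdup'd sid is never stored and so is not covered by the cleanup loop added at exit, so it leaks on that path. The bounded lookup itself is the important part: before this change a binary policy carrying an initial sid index beyond the table made sid_to_str[i] an out-of-range read.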
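Review bot: in write_sid_context_rules_to_cil() (kernel_to_cil.c @@ -2479 and @@ -2495) changing sid from "const char *" to "char *" and adding the cast "(char *)sid_to_str[i]" is unnecessary, since here sid only points at either the table entry or the stack buffer unknown and is consumed within the same loop iteration. Keeping "const char *sid" and dropping the cast keeps the const-correctness that the old code had; the identical pattern is in write_sid_context_rules_to_conf() (kernel_to_conf.c @@ -2339 and @@ -2355). Using the stack buffer without strdup() is correct in these two functions because nothing retains the pointer past the iteration.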
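Review bot: the SELINUX_SID_SZ and XEN_SID_SZ macros in kernel_to_common.h are the right bound to check against, since they are derived from the tables that are actually indexed rather than from the separately maintained SECINITSID_NUM that the old strs_init() calls used. A one-line comment next to each saying that appending an entry to the table extends the valid range automatically would help keep a future contributor from reintroducing a hard-coded count.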
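Review bot: write_sids_to_conf() (kernel_to_conf.c @@ -428 and @@ -458) carries the same unchecked strdup(), the same leak of sid when strs_add_at_index() fails, and the same 17-byte buffer as write_sids_to_cil(), and the snprintf()/strdup() "UNKNOWN" fallback is now copied into four functions across three files. Since the arrays, the size macros and the strs helpers already live in kernel_to_common, a single shared helper that maps an index to either the table name or a freshly formatted "UNKNOWN<n>" string (with the allocation checked once) would remove the duplication and give the strdup() failure one place to be handled. This is a suggestion for a follow-up, not something the patch currently provides.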
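Review bot: in ocontext_isid_to_cil() (module_to_cil.c @@ -2576) "item->sid_key = strdup(sid);" is unchecked; if it returns NULL the item is linked into the list with a NULL sid_key and then used as a key further down, whereas the malloc of item just above it does get a NULL check that sets rc = -1 and goes to exit. Mirror that check for the strdup(). The matching free(item->sid_key) in the @@ -2595 cleanup hunk is correct, and free(NULL) would be harmless there, but the intermediate use of a NULL key is not. As in the other files, the local sid could stay "const char *" and the "(char*)sid_to_string[i]" cast dropped, since the only thing that needs a mutable pointer is sid_key, which is the strdup'd copy.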