| Message ID | 20220131010421.1960196-1-tweek@google.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | libsepol: Populate and use policy name | expand |
On Mon, 31 Jan 2022 at 02:04, Thiébaud Weksteen <tweek@google.com> wrote: > > When an assertion fails, the error message refers to a generic > "policy.conf" file. When parsing a policy in checkpolicy, populate its > name using the original filename (source_filename is still build using > the #line directives within the policy). > > Signed-off-by: Thiébaud Weksteen <tweek@google.com> > --- > checkpolicy/parse_util.c | 1 + > libsepol/src/assertion.c | 20 ++++++++++++++------ > libsepol/src/expand.c | 3 +++ > 3 files changed, 18 insertions(+), 6 deletions(-) > > diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c > index 8c1f393c..f2d1e04d 100644 > --- a/checkpolicy/parse_util.c > +++ b/checkpolicy/parse_util.c > @@ -47,6 +47,7 @@ int read_source_policy(policydb_t * p, const char *file, const char *progname) > } > > policydbp = p; > + policydbp->name = strdup(file); > mlspol = p->mls; > > init_parser(1); > diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c > index dd2749a0..74f6d9c0 100644 > --- a/libsepol/src/assertion.c > +++ b/libsepol/src/assertion.c > @@ -36,13 +36,21 @@ struct avtab_match_args { > unsigned long errors; > }; > > +static const char* policy_name(policydb_t *p) { > + const char *policy_file = "policy.conf"; > + if (p->name) { > + policy_file = p->name; > + } > + return policy_file; > +} > + > static void report_failure(sepol_handle_t *handle, policydb_t *p, const avrule_t *avrule, > unsigned int stype, unsigned int ttype, > const class_perm_node_t *curperm, uint32_t perms) > { > if (avrule->source_filename) { > - ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };", > - avrule->source_line, avrule->source_filename, avrule->line, > + ERR(handle, "neverallow on line %lu of %s (or line %lu of %s) violated by allow %s %s:%s {%s };", > + avrule->source_line, avrule->source_filename, avrule->line, policy_name(p), > p->p_type_val_to_name[stype], > p->p_type_val_to_name[ttype], > p->p_class_val_to_name[curperm->tclass - 1], > @@ -173,9 +181,9 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle, > /* failure on the extended permission check_extended_permissions */ > if (rc) { > extended_permissions_violated(&error, avrule->xperms, xperms); > - ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n" > + ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n" > "allowxperm %s %s:%s %s;", > - avrule->source_line, avrule->source_filename, avrule->line, > + avrule->source_line, avrule->source_filename, avrule->line, policy_name(p), > p->p_type_val_to_name[i], > p->p_type_val_to_name[j], > p->p_class_val_to_name[curperm->tclass - 1], > @@ -190,9 +198,9 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle, > > /* failure on the regular permissions */ > if (rc) { > - ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n" > + ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n" > "allow %s %s:%s {%s };", > - avrule->source_line, avrule->source_filename, avrule->line, > + avrule->source_line, avrule->source_filename, avrule->line, policy_name(p), > p->p_type_val_to_name[stype], > p->p_type_val_to_name[ttype], > p->p_class_val_to_name[curperm->tclass - 1], > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c > index 8667f2ed..7da51a40 100644 > --- a/libsepol/src/expand.c > +++ b/libsepol/src/expand.c > @@ -2970,6 +2970,9 @@ int expand_module(sepol_handle_t * handle, > > state.out->policy_type = POLICY_KERN; > state.out->policyvers = POLICYDB_VERSION_MAX; > + if (state.base->name) { > + state.out->name = strdup(state.base->name); > + } > > /* Copy mls state from base to out */ > out->mls = base->mls; > -- > 2.35.0.rc2.247.g8bbb082509-goog > This seems to create a leak: ==17394==ERROR: LeakSanitizer: detected memory leaks Direct leak of 20 byte(s) in 1 object(s) allocated from: #0 0x5c179628aab3 in strdup (./checkpolicy/checkmodule+0x13dab3) #1 0x5c17962eeab1 in read_source_policy ./checkpolicy/parse_util.c:53:20 #2 0x5c1796309a4f in main ./checkpolicy/checkmodule.c:279:7 #3 0x7fba24eae1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 SUMMARY: AddressSanitizer: 20 byte(s) leaked in 1 allocation(s). fixed by diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c index fcbc0eb8..ba80894a 100644 --- a/checkpolicy/module_compiler.c +++ b/checkpolicy/module_compiler.c @@ -99,6 +99,7 @@ int define_policy(int pass, int module_header_given) yyerror("no module name"); return -1; } + free(policydbp->name); policydbp->name = id; if ((policydbp->version = queue_remove(id_queue)) == NULL) {
diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c index 8c1f393c..f2d1e04d 100644 --- a/checkpolicy/parse_util.c +++ b/checkpolicy/parse_util.c @@ -47,6 +47,7 @@ int read_source_policy(policydb_t * p, const char *file, const char *progname) } policydbp = p; + policydbp->name = strdup(file); mlspol = p->mls; init_parser(1); diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c index dd2749a0..74f6d9c0 100644 --- a/libsepol/src/assertion.c +++ b/libsepol/src/assertion.c @@ -36,13 +36,21 @@ struct avtab_match_args { unsigned long errors; }; +static const char* policy_name(policydb_t *p) { + const char *policy_file = "policy.conf"; + if (p->name) { + policy_file = p->name; + } + return policy_file; +} + static void report_failure(sepol_handle_t *handle, policydb_t *p, const avrule_t *avrule, unsigned int stype, unsigned int ttype, const class_perm_node_t *curperm, uint32_t perms) { if (avrule->source_filename) { - ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };", - avrule->source_line, avrule->source_filename, avrule->line, + ERR(handle, "neverallow on line %lu of %s (or line %lu of %s) violated by allow %s %s:%s {%s };", + avrule->source_line, avrule->source_filename, avrule->line, policy_name(p), p->p_type_val_to_name[stype], p->p_type_val_to_name[ttype], p->p_class_val_to_name[curperm->tclass - 1], @@ -173,9 +181,9 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle, /* failure on the extended permission check_extended_permissions */ if (rc) { extended_permissions_violated(&error, avrule->xperms, xperms); - ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n" + ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n" "allowxperm %s %s:%s %s;", - avrule->source_line, avrule->source_filename, avrule->line, + avrule->source_line, avrule->source_filename, avrule->line, policy_name(p), p->p_type_val_to_name[i], p->p_type_val_to_name[j], p->p_class_val_to_name[curperm->tclass - 1], @@ -190,9 +198,9 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle, /* failure on the regular permissions */ if (rc) { - ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n" + ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n" "allow %s %s:%s {%s };", - avrule->source_line, avrule->source_filename, avrule->line, + avrule->source_line, avrule->source_filename, avrule->line, policy_name(p), p->p_type_val_to_name[stype], p->p_type_val_to_name[ttype], p->p_class_val_to_name[curperm->tclass - 1], diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c index 8667f2ed..7da51a40 100644 --- a/libsepol/src/expand.c +++ b/libsepol/src/expand.c @@ -2970,6 +2970,9 @@ int expand_module(sepol_handle_t * handle, state.out->policy_type = POLICY_KERN; state.out->policyvers = POLICYDB_VERSION_MAX; + if (state.base->name) { + state.out->name = strdup(state.base->name); + } /* Copy mls state from base to out */ out->mls = base->mls;
When an assertion fails, the error message refers to a generic "policy.conf" file. When parsing a policy in checkpolicy, populate its name using the original filename (source_filename is still build using the #line directives within the policy). Signed-off-by: Thiébaud Weksteen <tweek@google.com> --- checkpolicy/parse_util.c | 1 + libsepol/src/assertion.c | 20 ++++++++++++++------ libsepol/src/expand.c | 3 +++ 3 files changed, 18 insertions(+), 6 deletions(-)