From patchwork Mon Apr 8 15:07:59 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 13621268
X-Patchwork-Delegate: plautrba@redhat.com
Received: from server02.seltendoof.de (server02.seltendoof.de [168.119.48.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9CC0748CC7 for ; Mon, 8 Apr 2024 15:08:09 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=168.119.48.163
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712588891; cv=none; b=toioEKLYfkF9CMKVkFuSaCfZfDvBZjsCgN+ikicgb4GyxfEKyqtA0eeyEx+fvRutcR1z/TNHUbxz16UVU6xg/Li0k/gDHEFB2FlKfCqi9vvCr7pwWPOin4Zok4pIJCU+4SqUUHHGkNnwmyd08mTUHrVtDX/MkFYwRA36m69M+5o=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712588891; c=relaxed/simple; bh=rvc2n53Q9u8avd7FglJiyqYsIMI+LXK/3nGHZxrKxyc=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; b=f41RD6EPznu/JY9opdfNiA+yyskydMqDkKWCrg7nwiUb6kTv4yp9j5OZZi+n/WBxP11N13io9+XOTBD3d6GG1hYd9VT4B2856DE5PkNtyn2bPRDu8xmrJEybWf334UMYDhGLfJU8lea2YBWYLFz3TY+6guUFmYX+wuKhBVWD4TI=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=seltendoof.de; spf=pass smtp.mailfrom=seltendoof.de; dkim=pass (2048-bit key) header.d=seltendoof.de header.i=@seltendoof.de header.b=ErzeCRjm; arc=none smtp.client-ip=168.119.48.163
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=seltendoof.de
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=seltendoof.de
Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=seltendoof.de header.i=@seltendoof.de header.b="ErzeCRjm"
From: Christian Göttsche
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seltendoof.de; s=2023072701; t=1712588886; h=from:from:reply-to:reply-to:subject:subject:date:date:message-id:message-id:to:to:cc:cc:mime-version:mime-version:content-type:content-type:content-transfer-encoding:content-transfer-encoding; bh=baz5kBzFZKl2Gx0rInlqv4wkZqBnW3ystGCITxn4qtg=; b=ErzeCRjmzgLgY/mWgndC8nf3NqjAihgPOu3zsH7Oppi9idXVYZQvV359pWTb1SzqZBTMWP 8p4lLqqQFg/cXmzLEttKzrRT+sbQKug2+Jz7rYJ27M33QBG4FOEdiuJBPGJR8Ky+yuAouG diFzJUIpXKm6w0QJqHFxJ0pvWZFSPNDoDArcNJkWOvLw0wC+zcRQC49Dbs9y1lZ06a4Wpm oBGvdWS4FNEiuuSThbbsDrsW/FymeK/AdDrmwqZPCSXhvifZ/ScbpRzkAMqEthmqmcBpRS ONRzr5FaJR3gyk+6Dd1kJlA37kFKCS3LXexjwfq0wuGswo3wixGPBXeJ47XlOQ==
To: selinux@vger.kernel.org
Cc: Christian Göttsche
Subject: [PATCH 1/4] libsepol: improve policy lookup failure message
Date: Mon, 8 Apr 2024 17:07:59 +0200
Message-ID: <20240408150802.63941-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
Precedence: bulk
X-Mailing-List: selinux@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0

From: Christian Göttsche

If a policy version cannot be found, include the policy target, and a module prefix for non-kernel policies, in the message.

Signed-off-by: Christian Göttsche
Acked-by: James Carter
---
 libsepol/src/write.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 283d11c8..2fcc1701 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -2252,8 +2252,10 @@ int policydb_write(policydb_t * p, struct policy_file *fp) info = policydb_lookup_compat(p->policyvers, p->policy_type, p->target_platform); if (!info) { - ERR(fp->handle, "compatibility lookup failed for policy " - "version %d", p->policyvers); + ERR(fp->handle, "compatibility lookup failed for %s%s policy version %d", + p->target_platform == SEPOL_TARGET_SELINUX ? "selinux" : "xen", + p->policy_type == POLICY_KERN ? "" : " module", + p->policyvers); return POLICYDB_ERROR; }

From patchwork Mon Apr 8 15:08:00 2024
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 13621269
X-Patchwork-Delegate: plautrba@redhat.com
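Review bot: in the libsepol/src/write.c hunk of 1/4, `p->policy_type == POLICY_KERN ? "" : " module"` prints the same " module" suffix for both POLICY_BASE and POLICY_MOD policies; if telling a base module apart from a regular module helps users find the offending file, consider "base module" versus "module". The two-way ternary on `p->target_platform` likewise labels any value other than SEPOL_TARGET_SELINUX as "xen", which is correct only as long as those remain the only two targets, so a comment or a switch with a default would make that assumption explicit.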
From: Christian Göttsche
To: selinux@vger.kernel.org
Cc: Christian Göttsche
Subject: [PATCH 2/4] checkpolicy/tests: add test for splitting xperm rule
Date: Mon, 8 Apr 2024 17:08:00 +0200
Message-ID: <20240408150802.63941-2-cgoettsche@seltendoof.de>
In-Reply-To: <20240408150802.63941-1-cgoettsche@seltendoof.de>
References: <20240408150802.63941-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
X-Mailing-List: selinux@vger.kernel.org

From: Christian Göttsche

An extended permission rule statement might get split into multiple access vector rules, due to size limitations.
Signed-off-by: Christian Göttsche --- checkpolicy/tests/policy_allonce.conf | 2 +- checkpolicy/tests/policy_allonce.expected.conf | 4 +++- checkpolicy/tests/policy_allonce.expected_opt.conf | 4 +++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/checkpolicy/tests/policy_allonce.conf b/checkpolicy/tests/policy_allonce.conf index 34e6402d..54a4c811 100644 --- a/checkpolicy/tests/policy_allonce.conf +++ b/checkpolicy/tests/policy_allonce.conf @@ -36,7 +36,7 @@ allow TYPE1 self : CLASS1 { PERM1 }; auditallow { TYPE1 TYPE2 } TYPE3 : CLASS1 { PERM1 }; dontaudit TYPE1 { TYPE2 TYPE3 } : CLASS3 { PERM1 CPERM1 }; neverallow TYPE1 TYPE2 : { CLASS2 CLASS3 } { CPERM1 }; -allowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x1; +allowxperm TYPE1 TYPE2 : CLASS1 ioctl { 0x456-0x5678 }; auditallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x2; dontauditxperm TYPE1 TYPE2 : CLASS1 ioctl 0x3; neverallowxperm TYPE1 TYPE2 : CLASS1 ioctl 0x4; diff --git a/checkpolicy/tests/policy_allonce.expected.conf b/checkpolicy/tests/policy_allonce.expected.conf index 63739e1f..aff6bfa3 100644 --- a/checkpolicy/tests/policy_allonce.expected.conf +++ b/checkpolicy/tests/policy_allonce.expected.conf @@ -34,7 +34,9 @@ auditallow TYPE1 TYPE3:CLASS1 { PERM1 }; auditallow TYPE2 TYPE3:CLASS1 { PERM1 }; dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 }; dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 }; -allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 }; +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff }; +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff }; +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 }; auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 }; dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 }; type_transition TYPE1 TYPE2:CLASS1 TYPE3; diff --git a/checkpolicy/tests/policy_allonce.expected_opt.conf b/checkpolicy/tests/policy_allonce.expected_opt.conf index 1c969961..335486d1 100644 --- a/checkpolicy/tests/policy_allonce.expected_opt.conf +++ b/checkpolicy/tests/policy_allonce.expected_opt.conf 
@@ -34,7 +34,9 @@ auditallow TYPE1 TYPE3:CLASS1 { PERM1 }; auditallow TYPE2 TYPE3:CLASS1 { PERM1 }; dontaudit TYPE1 TYPE2:CLASS3 { CPERM1 PERM1 }; dontaudit TYPE1 TYPE3:CLASS3 { CPERM1 PERM1 }; -allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x1 }; +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x456-0x4ff }; +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x500-0x55ff }; +allowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x5600-0x5678 }; auditallowxperm TYPE1 TYPE2:CLASS1 ioctl { 0x2 }; dontauditxperm TYPE1 TYPE2:CLASS1 ioctl { 0x3 }; type_transition TYPE1 TYPE2:CLASS1 TYPE3;

From patchwork Mon Apr 8 15:08:01 2024
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 13621267
X-Patchwork-Delegate: plautrba@redhat.com
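Review bot: in the policy_allonce.expected.conf and policy_allonce.expected_opt.conf hunks of 2/4, the three expected rules show the range 0x456-0x5678 being cut at ioctl driver boundaries (functions 0x56-0xff of driver 0x04, whole drivers 0x05-0x55, functions 0x00-0x78 of driver 0x56); the commit message's "due to size limitations" would be clearer if it said that one xperm rule can express either a set of functions within a single driver or a set of whole drivers, which is why a range crossing two driver boundaries needs three rules. Only `allowxperm` exercises the split in policy_allonce.conf: `auditallowxperm`, `dontauditxperm` and `neverallowxperm` keep the single values 0x2, 0x3 and 0x4, so consider giving one of them a cross-driver range as well so the split path is covered for every rule kind.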
From: Christian Göttsche
To: selinux@vger.kernel.org
Cc: Christian Göttsche
Subject: [PATCH 3/4] checkpolicy: declare file local variable static
Date: Mon, 8 Apr 2024 17:08:01 +0200
Message-ID: <20240408150802.63941-3-cgoettsche@seltendoof.de>
In-Reply-To: <20240408150802.63941-1-cgoettsche@seltendoof.de>
References: <20240408150802.63941-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
X-Mailing-List: selinux@vger.kernel.org

From: Christian Göttsche

The variable policy_type used by checkmodule is only used inside of checkmodule.c.
Signed-off-by: Christian Göttsche
---
 checkpolicy/checkmodule.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
index 14e6c891..e7869bf1 100644
--- a/checkpolicy/checkmodule.c
+++ b/checkpolicy/checkmodule.c
@@ -43,7 +43,7 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN; static const char *txtfile = "policy.conf"; static const char *binfile = "policy"; -unsigned int policy_type = POLICY_BASE; +static unsigned int policy_type = POLICY_BASE; unsigned int policyvers = MOD_POLICYDB_VERSION_MAX; static int read_binary_policy(policydb_t * p, const char *file, const char *progname)

From patchwork Mon Apr 8 15:08:02 2024
X-Patchwork-Submitter: Christian Göttsche
X-Patchwork-Id: 13621270
X-Patchwork-Delegate: plautrba@redhat.com
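Review bot: in the checkmodule.c hunk of 3/4, making `policy_type` static is correct since no other file references it; the neighbouring `unsigned int policyvers = MOD_POLICYDB_VERSION_MAX;` on the next context line has to stay a non-static global at this point because checkpolicy.h still declares it `extern`, and 4/4 removes that header, so the split between the two patches is fine. A one-line mention of that dependency in this commit message would save the next reader from asking why `policyvers` was not given the same treatment here.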
From: Christian Göttsche
To: selinux@vger.kernel.org
Cc: Christian Göttsche
Subject: [PATCH 4/4] checkpolicy: drop global policyvers variable
Date: Mon, 8 Apr 2024 17:08:02 +0200
Message-ID: <20240408150802.63941-4-cgoettsche@seltendoof.de>
In-Reply-To: <20240408150802.63941-1-cgoettsche@seltendoof.de>
References: <20240408150802.63941-1-cgoettsche@seltendoof.de>
Reply-To: cgzones@googlemail.com
X-Mailing-List: selinux@vger.kernel.org

From: Christian Göttsche

Drop the global variable policyvers. The variable is only used within checkpolicy.c and checkmodule.c, but never in any shared code. Since the variable declaration is the only content of checkpolicy.h, drop it.

Also set the policy version before calls to read_source_policy(), so the parser can access the requested version for checks this way.
Signed-off-by: Christian Göttsche --- checkpolicy/checkmodule.c | 11 +++++------ checkpolicy/checkpolicy.c | 8 +++----- checkpolicy/checkpolicy.h | 6 ------ checkpolicy/fuzz/checkpolicy-fuzzer.c | 1 + checkpolicy/policy_define.c | 1 - checkpolicy/policy_parse.y | 1 - 6 files changed, 9 insertions(+), 19 deletions(-) delete mode 100644 checkpolicy/checkpolicy.h diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c index e7869bf1..2d6f2399 100644 --- a/checkpolicy/checkmodule.c +++ b/checkpolicy/checkmodule.c @@ -31,7 +31,6 @@ #include #include "queue.h" -#include "checkpolicy.h" #include "parse_util.h" static sidtab_t sidtab; @@ -43,9 +42,6 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN; static const char *txtfile = "policy.conf"; static const char *binfile = "policy"; -static unsigned int policy_type = POLICY_BASE; -unsigned int policyvers = MOD_POLICYDB_VERSION_MAX; - static int read_binary_policy(policydb_t * p, const char *file, const char *progname) { int fd; @@ -107,7 +103,7 @@ static int read_binary_policy(policydb_t * p, const char *file, const char *prog return 0; } -static int write_binary_policy(policydb_t * p, FILE *outfp) +static int write_binary_policy(policydb_t * p, FILE *outfp, unsigned int policy_type, unsigned int policyvers) { struct policy_file pf; @@ -150,6 +146,8 @@ int main(int argc, char **argv) { const char *file = txtfile, *outfile = NULL; unsigned int binary = 0, cil = 0, disable_neverallow = 0; + unsigned int policy_type = POLICY_BASE; + unsigned int policyvers = MOD_POLICYDB_VERSION_MAX; int ch; int show_version = 0; policydb_t modpolicydb; @@ -279,6 +277,7 @@ int main(int argc, char **argv) modpolicydb.policy_type = policy_type; modpolicydb.mls = mlspol; modpolicydb.handle_unknown = handle_unknown; + modpolicydb.policyvers = policyvers; if (read_source_policy(&modpolicydb, file, argv[0]) == -1) { exit(1); 
@@ -343,7 +342,7 @@ int main(int argc, char **argv) } if (!cil) { - if (write_binary_policy(&modpolicydb, outfp) != 0) { + if (write_binary_policy(&modpolicydb, outfp, policy_type, policyvers) != 0) { fprintf(stderr, "%s: error writing %s\n", argv[0], outfile); exit(1); } diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c index d7cafaa4..ede2b6ad 100644 --- a/checkpolicy/checkpolicy.c +++ b/checkpolicy/checkpolicy.c @@ -89,7 +89,6 @@ #include #include "queue.h" -#include "checkpolicy.h" #include "parse_util.h" static policydb_t policydb; @@ -103,8 +102,6 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN; static const char *txtfile = "policy.conf"; static const char *binfile = "policy"; -unsigned int policyvers = 0; - static __attribute__((__noreturn__)) void usage(const char *progname) { printf @@ -395,6 +392,7 @@ int main(int argc, char **argv) unsigned int binary = 0, debug = 0, sort = 0, cil = 0, conf = 0, optimize = 0, disable_neverallow = 0; struct val_to_name v; int ret, ch, fd, target = SEPOL_TARGET_SELINUX; + unsigned int policyvers = 0; unsigned int nel, uret; struct stat sb; void *map; @@ -613,6 +611,7 @@ int main(int argc, char **argv) /* Let sepol know if we are dealing with MLS support */ parse_policy.mls = mlspol; parse_policy.handle_unknown = handle_unknown; + parse_policy.policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; policydbp = &parse_policy; @@ -637,11 +636,10 @@ int main(int argc, char **argv) fprintf(stderr, "Error while expanding policy\n"); exit(1); } + policydb.policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; policydb_destroy(policydbp); policydbp = &policydb; } - - policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; } if (policydb_load_isids(&policydb, &sidtab)) diff --git a/checkpolicy/checkpolicy.h b/checkpolicy/checkpolicy.h deleted file mode 100644 index f127687e..00000000 --- a/checkpolicy/checkpolicy.h +++ /dev/null 
@@ -1,6 +0,0 @@ -#ifndef _CHECKPOLICY_H_ -#define _CHECKPOLICY_H_ - -extern unsigned int policyvers; - -#endif diff --git a/checkpolicy/fuzz/checkpolicy-fuzzer.c b/checkpolicy/fuzz/checkpolicy-fuzzer.c index 6c5ce02f..ddb43260 100644 --- a/checkpolicy/fuzz/checkpolicy-fuzzer.c +++ b/checkpolicy/fuzz/checkpolicy-fuzzer.c @@ -200,6 +200,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) parsepolicydb.policy_type = POLICY_BASE; parsepolicydb.mls = mls; parsepolicydb.handle_unknown = DENY_UNKNOWN; + parsepolicydb.policyvers = policyvers; policydb_set_target_platform(&parsepolicydb, platform); if (read_source_policy(&parsepolicydb, data, size)) diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index 1c019a3b..aa2ac2e6 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -55,7 +55,6 @@ #include #include #include "queue.h" -#include "checkpolicy.h" #include "module_compiler.h" #include "policy_define.h" diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y index 1b275ebc..c57a988a 100644 --- a/checkpolicy/policy_parse.y +++ b/checkpolicy/policy_parse.y @@ -49,7 +49,6 @@ #include #include #include "queue.h" -#include "checkpolicy.h" #include "module_compiler.h" #include "policy_define.h"
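Review bot: in the checkmodule.c hunks of 4/4, `write_binary_policy()` gains `policy_type` and `policyvers` parameters, while main() now also stores `modpolicydb.policyvers = policyvers` right next to the existing `modpolicydb.policy_type = policy_type` before read_source_policy(); if write_binary_policy() only needs the two values to fill in the policydb it is about to write, it could read `p->policy_type` and `p->policyvers` from its first argument instead of taking them again as parameters, which keeps a single source of truth and avoids the two copies drifting apart. The `-1` return check and error message around the new call are unchanged, so the signature change is the only thing callers need to track.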
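Review bot: in the checkpolicy.c hunks of 4/4, the expression `policyvers ? policyvers : POLICYDB_VERSION_MAX` is now evaluated twice, once into `parse_policy.policyvers` before parsing and once into `policydb.policyvers` after expand_module(); resolving the default once after option parsing (`if (!policyvers) policyvers = POLICYDB_VERSION_MAX;`) and assigning plain `policyvers` in both places removes the duplication and keeps any later use of the variable consistent. The removed line set policyvers on whatever `policydbp` pointed at after the enclosing block, so please confirm every path out of that block now assigns a version (parse_policy before parsing, policydb after expansion); a policydb left at version 0 would surface as exactly the "compatibility lookup failed" error that 1/4 improves.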
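Review bot: in the checkpolicy-fuzzer.c hunk of 4/4, the added `parsepolicydb.policyvers = policyvers;` uses a `policyvers` that is not declared in this hunk; if it is a file-scope definition kept in the fuzzer to satisfy the `extern unsigned int policyvers;` from checkpolicy.h, that extern is gone after this patch, so the variable could be made static or moved into LLVMFuzzerTestOneInput() in the same change, mirroring what 3/4 did for `policy_type`. Setting the version before read_source_policy() here matches the new ordering in checkpolicy.c, so parser-side checks that consult the requested version will see the same value under fuzzing.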
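Review bot: in the policy_define.c and policy_parse.y hunks of 4/4, dropping `#include "checkpolicy.h"` with no other change confirms that neither file ever read the global, which backs the commit message's "never in any shared code"; since the message also says the version is now set before read_source_policy() so the parser can check it, any such check added later should read `policydbp->policyvers` rather than reintroducing a global, and it would be worth stating that intended access path in the message.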