Update to checkpolicy 2.2. Requires libsepol 2.2.
Update to current upstream checkpolicy release.
Includes memory leak fixes, improved handling of
filename-based type transitions, and support for latest
kernel policy version.
Change-Id: Idabd3e4d50777c6691cb0d74b4e28f4fe06bef35
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/ChangeLog b/ChangeLog
index 7dc7d76..0c76070 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2.2 2013-10-30
+ * Fix hyphen usage in man pages from Laurent Bigonville.
+ * handle-unknown / -U required argument fix from Laurent Bigonville.
+ * Support overriding Makefile PATH and LIBDIR from Laurent Bigonville.
+ * Support space and : in filenames from Dan Walsh.
+
+2.1.12 2013-02-01
+ * Fix errors found by coverity
+ * implement default type policy syntax
+ * Free allocated memory when clean up / exit.
+
2.1.11 2012-09-13
* fd leak reading policy
* check return code on ebitmap_set_bit
diff --git a/VERSION b/VERSION
index a39c0b7..8bbe6cf 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.1.11
+2.2
diff --git a/checkmodule.8 b/checkmodule.8
index 40f73c5..2a7ab5c 100644
--- a/checkmodule.8
+++ b/checkmodule.8
@@ -3,7 +3,7 @@
checkmodule \- SELinux policy module compiler
.SH SYNOPSIS
.B checkmodule
-.I "[-h] [-b] [-m] [-M] [-U handle_unknown ] [-V] [-o output_file] [input_file]"
+.I "[\-h] [\-b] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]"
.SH "DESCRIPTION"
This manual page describes the
.BR checkmodule
@@ -12,7 +12,7 @@
.B checkmodule
is a program that checks and compiles a SELinux security policy module
into a binary representation. It can generate either a base policy
-module (default) or a non-base policy module (-m option); typically,
+module (default) or a non-base policy module (\-m option); typically,
you would build a non-base policy module to add to an existing module
store that already has a base module provided by the base policy. Use
semodule_package to combine this module with its optional file
@@ -48,7 +48,7 @@
.SH EXAMPLE
.nf
# Build a MLS/MCS-enabled non-base policy module.
-$ checkmodule -M -m httpd.te -o httpd.mod
+$ checkmodule \-M \-m httpd.te \-o httpd.mod
.fi
.SH "SEE ALSO"
diff --git a/checkmodule.c b/checkmodule.c
index cb58cf0..41ebab5 100644
--- a/checkmodule.c
+++ b/checkmodule.c
@@ -171,7 +171,7 @@
{"output", required_argument, NULL, 'o'},
{"binary", no_argument, NULL, 'b'},
{"version", no_argument, NULL, 'V'},
- {"handle-unknown", optional_argument, NULL, 'U'},
+ {"handle-unknown", required_argument, NULL, 'U'},
{"mls", no_argument, NULL, 'M'},
{NULL, 0, NULL, 0}
};
diff --git a/checkpolicy.8 b/checkpolicy.8
index 6826938..0086bdc 100644
--- a/checkpolicy.8
+++ b/checkpolicy.8
@@ -3,7 +3,7 @@
checkpolicy \- SELinux policy compiler
.SH SYNOPSIS
.B checkpolicy
-.I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]"
+.I "[\-b] [\-d] [\-M] [\-c policyvers] [\-o output_file] [input_file]"
.br
.SH "DESCRIPTION"
This manual page describes the
@@ -14,7 +14,7 @@
is a program that checks and compiles a SELinux security policy configuration
into a binary representation that can be loaded into the kernel. If no
input file name is specified, checkpolicy will attempt to read from
-policy.conf or policy, depending on whether the -b flag is specified.
+policy.conf or policy, depending on whether the \-b flag is specified.
.SH OPTIONS
.TP
diff --git a/checkpolicy.c b/checkpolicy.c
index 544f235..292f568 100644
--- a/checkpolicy.c
+++ b/checkpolicy.c
@@ -402,7 +402,7 @@
{"binary", no_argument, NULL, 'b'},
{"debug", no_argument, NULL, 'd'},
{"version", no_argument, NULL, 'V'},
- {"handle-unknown", optional_argument, NULL, 'U'},
+ {"handle-unknown", required_argument, NULL, 'U'},
{"mls", no_argument, NULL, 'M'},
{"help", no_argument, NULL, 'h'},
{NULL, 0, NULL, 0}
diff --git a/policy_define.c b/policy_define.c
index 8af6141..e9ed4b4 100644
--- a/policy_define.c
+++ b/policy_define.c
@@ -415,6 +415,38 @@
return 0;
}
+int define_default_type(int which)
+{
+ char *id;
+ class_datum_t *cladatum;
+
+ if (pass == 1) {
+ while ((id = queue_remove(id_queue)))
+ free(id);
+ return 0;
+ }
+
+ while ((id = queue_remove(id_queue))) {
+ if (!is_id_in_scope(SYM_CLASSES, id)) {
+ yyerror2("class %s is not within scope", id);
+ return -1;
+ }
+ cladatum = hashtab_search(policydbp->p_classes.table, id);
+ if (!cladatum) {
+ yyerror2("unknown class %s", id);
+ return -1;
+ }
+ if (cladatum->default_type && cladatum->default_type != which) {
+ yyerror2("conflicting default type information for class %s", id);
+ return -1;
+ }
+ cladatum->default_type = which;
+ free(id);
+ }
+
+ return 0;
+}
+
int define_default_range(int which)
{
char *id;
@@ -2772,6 +2804,7 @@
node = malloc(sizeof(struct constraint_node));
if (!node) {
yyerror("out of memory");
+ free(node);
return -1;
}
memset(node, 0, sizeof(constraint_node_t));
@@ -3075,13 +3108,11 @@
ebitmap_destroy(&negset);
return (uintptr_t) expr;
default:
- yyerror("invalid constraint expression");
- constraint_expr_destroy(expr);
- return 0;
+ break;
}
yyerror("invalid constraint expression");
- free(expr);
+ constraint_expr_destroy(expr);
return 0;
}
@@ -4641,7 +4672,10 @@
goto out;
}
- ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE);
+ if (ebitmap_set_bit(&rule->tclasses, cladatum->s.value - 1, TRUE)) {
+ yyerror("out of memory");
+ goto out;
+ }
}
id = (char *)queue_remove(id_queue);
diff --git a/policy_define.h b/policy_define.h
index ccbe56f..8bfd8f6 100644
--- a/policy_define.h
+++ b/policy_define.h
@@ -26,6 +26,7 @@
int define_class(void);
int define_default_user(int which);
int define_default_role(int which);
+int define_default_type(int which);
int define_default_range(int which);
int define_common_perms(void);
int define_compute_type(int which);
diff --git a/policy_parse.y b/policy_parse.y
index d92cc32..b40f413 100644
--- a/policy_parse.y
+++ b/policy_parse.y
@@ -143,7 +143,7 @@
%token POLICYCAP
%token PERMISSIVE
%token FILESYSTEM
-%token DEFAULT_USER DEFAULT_ROLE DEFAULT_RANGE
+%token DEFAULT_USER DEFAULT_ROLE DEFAULT_TYPE DEFAULT_RANGE
%token LOW_HIGH LOW HIGH
%left OR
@@ -202,9 +202,11 @@
;
default_rules : default_user_def
| default_role_def
+ | default_type_def
| default_range_def
| default_rules default_user_def
| default_rules default_role_def
+ | default_rules default_type_def
| default_rules default_range_def
;
default_user_def : DEFAULT_USER names SOURCE ';'
@@ -217,6 +219,11 @@
| DEFAULT_ROLE names TARGET ';'
{if (define_default_role(DEFAULT_TARGET)) return -1; }
;
+default_type_def : DEFAULT_TYPE names SOURCE ';'
+ {if (define_default_type(DEFAULT_SOURCE)) return -1; }
+ | DEFAULT_TYPE names TARGET ';'
+ {if (define_default_type(DEFAULT_TARGET)) return -1; }
+ ;
default_range_def : DEFAULT_RANGE names SOURCE LOW ';'
{if (define_default_range(DEFAULT_SOURCE_LOW)) return -1; }
| DEFAULT_RANGE names SOURCE HIGH ';'
diff --git a/policy_scan.l b/policy_scan.l
index 62d03f0..ab046cc 100644
--- a/policy_scan.l
+++ b/policy_scan.l
@@ -229,6 +229,8 @@
DEFAULT_USER { return(DEFAULT_USER); }
default_role |
DEFAULT_ROLE { return(DEFAULT_ROLE); }
+default_type |
+DEFAULT_TYPE { return(DEFAULT_TYPE); }
default_range |
DEFAULT_RANGE { return(DEFAULT_RANGE); }
low-high |
@@ -238,7 +240,7 @@
low |
LOW { return(LOW); }
"/"({alnum}|[_\.\-/])* { return(PATH); }
-\"({alnum}|[_\.\-\+\~])+\" { return(FILENAME); }
+\"({alnum}|[_\.\-\+\~\: ])+\" { return(FILENAME); }
{letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))* { return(IDENTIFIER); }
{alnum}*{letter}{alnum}* { return(FILESYSTEM); }
{digit}+|0x{hexval}+ { return(NUMBER); }
diff --git a/test/Makefile b/test/Makefile
index 0731e89..63b4d24 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -3,7 +3,7 @@
#
PREFIX ?= $(DESTDIR)/usr
BINDIR=$(PREFIX)/bin
-LIBDIR=$(PREFIX)/lib
+LIBDIR ?= $(PREFIX)/lib
INCLUDEDIR ?= $(PREFIX)/include
CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
diff --git a/test/dismod.c b/test/dismod.c
index 6a951f6..96ef047 100644
--- a/test/dismod.c
+++ b/test/dismod.c
@@ -844,7 +844,10 @@
/* read the binary policy */
fprintf(out_fp, "Reading policy...\n");
- policydb_init(&policydb);
+ if (policydb_init(&policydb)) {
+ fprintf(stderr, "%s: Out of memory!\n", __FUNCTION__);
+ exit(1);
+ }
if (read_policy(argv[1], &policydb)) {
fprintf(stderr,
"%s: error(s) encountered while loading policy\n",
