
semodule utils #392

Closed
wants to merge 44 commits into from
d95bc8b
libselinux: migrating hashtab from policycoreutils
Mar 8, 2023
4a42050
libselinux: adapting hashtab to libselinux
Mar 8, 2023
2c7b71d
libselinux: performance optimization for duplicate detection
Mar 8, 2023
2d5f97b
checkpolicy: drop unused token CLONE
cgzones May 12, 2023
c646f39
checkpolicy: reject condition with bool and tunable in expression
cgzones May 12, 2023
00728e1
checkpolicy: only set declared permission bits for wildcards
cgzones May 12, 2023
f5d664e
libsepol: dump non-mls validatetrans rules as such
cgzones May 12, 2023
45a4fc7
libsepol: validate some object contexts
cgzones May 12, 2023
4cf3760
libsepol: validate old style range trans classes
cgzones May 12, 2023
ac015a3
libsepol: validate: check low category is not bigger than high
cgzones May 12, 2023
4ba8f7c
libsepol: validate: reject XEN policy with xperm rules
cgzones May 12, 2023
cae65d9
libsepol: expand: skip invalid cat
cgzones May 12, 2023
808a43a
libsepol: drop message for uncommon error cases
cgzones Jun 2, 2023
b041ecc
libsepol: drop duplicate newline in sepol_log_err() calls
cgzones Jun 2, 2023
5c35a7b
libsepol: replace sepol_log_err() by ERR()
cgzones Jun 2, 2023
30fe0f1
libsepol: replace log_err() by ERR()
cgzones Jun 2, 2023
5045368
dismod: add --help option
masatake May 31, 2023
5b1a2f1
dismod: delete an unnecessary empty line
masatake May 31, 2023
d1a9cdd
dismod: handle EOF in user interaction
masatake May 31, 2023
df0b192
dismod: add --actions option for non-interactive use
masatake May 31, 2023
e867c95
policycoreutils: Add examples to man pages
vmojzis Jun 1, 2023
0b1cb09
python/sepolicy: Improve man pages
vmojzis Jun 1, 2023
535dc24
sandbox: Add examples to man pages
vmojzis Jun 1, 2023
966de0c
checkpolicy: Add examples to man pages
vmojzis Jun 1, 2023
d596efb
libselinux: Add examples to man pages
vmojzis Jun 1, 2023
6360af7
sepolicy: clarify manual page of sepolicy interface
topimiettinen Jun 4, 2023
f78eea5
dispol: add --help option
masatake Jun 8, 2023
eeb0a75
dispol: delete an unnecessary empty line
masatake Jun 8, 2023
f8a076f
dispol: handle EOF in user interaction
masatake Jun 8, 2023
666a7df
dispol: add --actions option for non-interactive use
masatake Jun 8, 2023
391cf12
python/sepolicy: Fix template for confined user policy modules
vmojzis Jun 1, 2023
48306c4
python/sepolicy: Add/remove user even when SELinux is disabled
vmojzis May 29, 2023
55b75a2
libsepol: stop translating deprecated initial SIDs to strings
WOnder93 Jun 12, 2023
02e471f
libsepol: add support for the new "init" initial SID
WOnder93 Jun 12, 2023
b87724c
checkpolicy: add option to skip checking neverallow rules
cgzones May 12, 2023
4c06922
checkpolicy/dismod: misc improvements
cgzones May 12, 2023
6e077ba
dismod: print the policy version only in interactive mode
masatake Jun 14, 2023
b3788b9
dismod, dispol: reduce the messages in batch mode
masatake Jun 14, 2023
d8edd36
libselinux: add check for calloc in check_booleans
Jun 18, 2023
1a29c28
python/sepolicy: Fix get_os_version except clause
jefferyto Jun 19, 2023
1a78f40
semodule_expand: update
cgzones May 12, 2023
f258445
semodule_link: update
cgzones May 12, 2023
84f786b
semodule_package: update
cgzones May 12, 2023
7d5efdc
semodule_unpackage: update
cgzones May 12, 2023
checkpolicy: reject condition with bool and tunable in expression
If tunables are not preserved (the mode unconditionally used by
checkpolicy) an expression must not consist of booleans and tunables,
since such expressions are not supported during expansion (see expand.c:
discard_tunables()).

Signed-off-by: Christian Göttsche <[email protected]>
Acked-by: James Carter <[email protected]>
cgzones authored and jwcart2 committed Jun 5, 2023
commit c646f3904db80a5dea109764b69b252f8df4bb86
17 changes: 16 additions & 1 deletion checkpolicy/policy_define.c
Expand Up @@ -3964,8 +3964,9 @@ uintptr_t define_cexpr(uint32_t expr_type, uintptr_t arg1, uintptr_t arg2)
int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
{
cond_expr_t *e;
int depth;
int depth, booleans, tunables;
cond_node_t cn, *cn_old;
const cond_bool_datum_t *bool_var;

/* expression cannot be NULL */
if (!expr) {
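Review bot: the two new flags `booleans` and `tunables` are declared here but only zeroed later in the verification block; since they are written only inside the expression loop, initializing them at declaration (`int depth, booleans = 0, tunables = 0;`) keeps their initial state next to the declaration and makes the separate `booleans = 0; tunables = 0;` lines unnecessary. Likewise `bool_var` is only used inside the loop body, so it could be scoped to that block rather than the whole function.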
Expand All @@ -3990,6 +3991,8 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)

/* verify expression */
depth = -1;
booleans = 0;
tunables = 0;
for (e = expr; e; e = e->next) {
switch (e->expr_type) {
case COND_NOT:
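Review bot: a short comment above `booleans = 0;` stating that the flags record whether the expression references any regular boolean and any tunable would help readers, because the check that consumes them sits about forty lines further down and the rationale (tunables are discarded during expansion, so a mixed expression cannot be evaluated) is currently only in the commit message.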
Expand Down Expand Up @@ -4018,6 +4021,14 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
return -1;
}
depth++;

bool_var = policydbp->bool_val_to_struct[e->boolean - 1];
if (bool_var->flags & COND_BOOL_FLAGS_TUNABLE) {
tunables = 1;
} else {
booleans = 1;
}

break;
default:
yyerror("illegal conditional expression");
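Review bot: `policydbp->bool_val_to_struct[e->boolean - 1]` is indexed without validating `e->boolean`; in this parser the value comes from a resolved symbol so it should always be in range, but an explicit guard (for example `if (e->boolean == 0 || e->boolean > policydbp->p_bools.nprim)` reporting an error and returning -1) would make that invariant visible and keep a malformed node from becoming an out-of-bounds read. Testing `COND_BOOL_FLAGS_TUNABLE` is the right discriminator for the case the commit message describes.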
Expand All @@ -4028,6 +4039,10 @@ int define_conditional(cond_expr_t * expr, avrule_t * t, avrule_t * f)
yyerror("illegal conditional expression");
return -1;
}
if (booleans && tunables) {
yyerror("illegal conditional expression; Contains boolean and tunable");
return -1;
}

/* use tmp conditional node to partially build new node */
memset(&cn, 0, sizeof(cn));
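Review bot: the new message "illegal conditional expression; Contains boolean and tunable" capitalizes mid-sentence, unlike the other yyerror strings in this function; suggest `yyerror("illegal conditional expression: mixes booleans and tunables, which is unsupported when tunables are not preserved");` so the policy author also sees the reason, which otherwise lives only in the commit message. Placing the check after the final depth check is correct, since an expression that fails the depth check has already returned.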