diff --git a/backport-libsepol-add-missing-oom-checks.patch b/backport-libsepol-add-missing-oom-checks.patch deleted file mode 100644 index 67d7ed3..0000000 --- a/backport-libsepol-add-missing-oom-checks.patch +++ /dev/null @@ -1,112 +0,0 @@ -From 0233e4f6d59a96b759e32661a20be4bbadb374a4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Thu, 31 Mar 2022 16:44:52 +0200 -Subject: [PATCH] libsepol: add missing oom checks -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Check return values of memory allocation functions and propagate their -failure. - -Signed-off-by: Christian Göttsche -Acked-by: James Carter ---- - libsepol/src/kernel_to_cil.c | 9 +++++++++ - libsepol/src/kernel_to_conf.c | 4 ++++ - libsepol/src/module_to_cil.c | 11 +++++++++++ - libsepol/src/policydb.c | 3 ++- - 4 files changed, 26 insertions(+), 1 deletion(-) - -diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c -index 869f69407..9128ac553 100644 ---- a/libsepol/src/kernel_to_cil.c -+++ b/libsepol/src/kernel_to_cil.c -@@ -190,6 +190,10 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr - } - if (!names) { - names = strdup("NO_IDENTIFIER"); -+ if (!names) { -+ sepol_log_err("Out of memory"); -+ goto exit; -+ } - } - if (strchr(names, ' ')) { - new_val = create_str("(%s %s (%s))", 3, op, attr1, names); -@@ -568,6 +572,11 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, - } else { - snprintf(unknown, 18, "%s%u", "UNKNOWN", i); - sid = strdup(unknown); -+ if (!sid) { -+ sepol_log_err("Out of memory"); -+ rc = -1; -+ goto exit; -+ } - } - rc = strs_add_at_index(strs, sid, i); - if (rc != 0) { -diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c -index 3544f73d2..63dffd9b4 100644 ---- a/libsepol/src/kernel_to_conf.c -+++ b/libsepol/src/kernel_to_conf.c -@@ -187,6 +187,10 @@ static char *constraint_expr_to_str(struct policydb *pdb, struct constraint_expr - } - if (!names) { - names = strdup("NO_IDENTIFIER"); -+ if (!names) { -+ sepol_log_err("Out of memory"); -+ goto exit; -+ } - } - if (strchr(names, ' ')) { - new_val = create_str("%s %s { %s }", 3, attr1, op, names); -diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c -index c9e88f1e0..f2e8aff03 100644 ---- a/libsepol/src/module_to_cil.c -+++ b/libsepol/src/module_to_cil.c -@@ -393,6 +393,8 @@ static int typealias_list_create(struct policydb *pdb) - } - - typealias_lists = calloc(max_decl_id + 1, sizeof(*typealias_lists)); -+ if (!typealias_lists) -+ goto exit; - typealias_lists_len = max_decl_id + 1; - - rc = hashtab_map(pdb->p_types.table, typealiases_gather_map, pdb); -@@ -1792,6 +1794,10 @@ static int constraint_expr_to_string(struct policydb *pdb, struct constraint_exp - } - if (num_names == 0) { - names = strdup("NO_IDENTIFIER"); -+ if (!names) { -+ rc = -1; -+ goto exit; -+ } - } else { - rc = name_list_to_string(name_list, num_names, &names); - if (rc != 0) { -@@ -2556,6 +2562,11 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_ - goto exit; - } - item->sid_key = strdup(sid); -+ if (!item->sid_key) { -+ log_err("Out of memory"); -+ rc = -1; -+ goto exit; -+ } - item->next = head; - head = item; - } -diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c -index fc71463e6..5c7e35e85 100644 ---- a/libsepol/src/policydb.c -+++ b/libsepol/src/policydb.c -@@ -1252,7 +1252,8 @@ int policydb_index_others(sepol_handle_t * handle, - if (!p->type_val_to_struct) - return -1; - -- cond_init_bool_indexes(p); -+ if (cond_init_bool_indexes(p)) -+ return -1; - - for (i = SYM_ROLES; i < SYM_NUM; i++) { - free(p->sym_val_to_name[i]); diff --git a/backport-libsepol-avoid-potential-NULL-dereference-on-optional-parameter.patch b/backport-libsepol-avoid-potential-NULL-dereference-on-optional-parameter.patch deleted file mode 100644 index 2d7f041..0000000 --- a/backport-libsepol-avoid-potential-NULL-dereference-on-optional-parameter.patch +++ /dev/null @@ -1,32 +0,0 @@ -From f505a73b06302ba5e84f8c56851121d4a410c1ea Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Fri, 10 Jun 2022 17:06:23 +0200 -Subject: [PATCH] libsepol: avoid potential NULL dereference on optional - parameter -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The parameter `reason` of `context_struct_compute_av()` is optional and -can be passed in as NULL, like from `type_attribute_bounds_av()`. - -Signed-off-by: Christian Göttsche -Acked-by: James Carter ---- - libsepol/src/services.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/libsepol/src/services.c b/libsepol/src/services.c -index d7510e9da..24412d837 100644 ---- a/libsepol/src/services.c -+++ b/libsepol/src/services.c -@@ -894,7 +894,8 @@ static void type_attribute_bounds_av(context_struct_t *scontext, - /* mask violated permissions */ - avd->allowed &= ~masked; - -- *reason |= SEPOL_COMPUTEAV_BOUNDS; -+ if (reason) -+ *reason |= SEPOL_COMPUTEAV_BOUNDS; - } - - /* diff --git a/backport-libsepol-check-correct-pointer-for-oom.patch b/backport-libsepol-check-correct-pointer-for-oom.patch deleted file mode 100644 index 20f8e17..0000000 --- a/backport-libsepol-check-correct-pointer-for-oom.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 68a29c3aee60a6dd4e0d435fc10adb0f2cc1c0ef Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Fri, 8 Apr 2022 15:10:51 +0200 -Subject: [PATCH] libsepol: check correct pointer for oom -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Check the actual pointer which memory was assigned to, not its parent -array pointer. - - services.c:810:14: warning: Assigned value is garbage or undefined [core.uninitialized.Assign] - **r_buf = **new_buf; - ^ ~~~~~~~~~ - -Acked-by: James Carter -Signed-off-by: Christian Göttsche ---- - libsepol/src/services.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libsepol/src/services.c b/libsepol/src/services.c -index 47e564df4..d7510e9da 100644 ---- a/libsepol/src/services.c -+++ b/libsepol/src/services.c -@@ -803,7 +803,7 @@ static int constraint_expr_eval_reason(context_struct_t *scontext, - if (len < 0 || len >= reason_buf_len - reason_buf_used) { - new_buf_len = reason_buf_len + REASON_BUF_SIZE; - *new_buf = realloc(*r_buf, new_buf_len); -- if (!new_buf) { -+ if (!*new_buf) { - ERR(NULL, "failed to realloc reason buffer"); - goto out1; - } diff --git a/backport-libsepol-do-not-modify-policy-during-write.patch b/backport-libsepol-do-not-modify-policy-during-write.patch deleted file mode 100644 index c2f0366..0000000 --- a/backport-libsepol-do-not-modify-policy-during-write.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 2651989d3b94dd15459fbef4384f114b24850665 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Thu, 30 Jun 2022 19:03:01 +0200 -Subject: [PATCH] libsepol: do not modify policy during write -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Do not modify the in memory default_range value of a class datum while -writing a policy. - -While on it fix indentation. - -Signed-off-by: Christian Göttsche -Acked-by: James Carter ---- - libsepol/src/write.c | 16 +++++++++------- - 1 file changed, 9 insertions(+), 7 deletions(-) - -diff --git a/libsepol/src/write.c b/libsepol/src/write.c -index 48ed21ea6..a9fdf93a8 100644 ---- a/libsepol/src/write.c -+++ b/libsepol/src/write.c -@@ -1097,16 +1097,18 @@ static int class_write(hashtab_key_t key, hashtab_datum_t datum, void *ptr) - p->policyvers >= POLICYDB_VERSION_NEW_OBJECT_DEFAULTS) || - (p->policy_type == POLICY_BASE && - p->policyvers >= MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS)) { -+ char default_range = cladatum->default_range; -+ - buf[0] = cpu_to_le32(cladatum->default_user); - buf[1] = cpu_to_le32(cladatum->default_role); -- if (!glblub_version && cladatum->default_range == DEFAULT_GLBLUB) { -+ if (!glblub_version && default_range == DEFAULT_GLBLUB) { - WARN(fp->handle, -- "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding", -- p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers, -- p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB); -- cladatum->default_range = 0; -- } -- buf[2] = cpu_to_le32(cladatum->default_range); -+ "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding", -+ p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers, -+ p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB); -+ default_range = 0; -+ } -+ buf[2] = cpu_to_le32(default_range); - items = put_entry(buf, sizeof(uint32_t), 3, fp); - if (items != 3) - return POLICYDB_ERROR; diff --git a/backport-libsepol-enclose-macro-parameters-and-replacement-lists-in-parentheses.patch b/backport-libsepol-enclose-macro-parameters-and-replacement-lists-in-parentheses.patch deleted file mode 100644 index 139e209..0000000 --- a/backport-libsepol-enclose-macro-parameters-and-replacement-lists-in-parentheses.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 65b3f695be306ad8f525d4db2befd55336bd0a09 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Wed, 13 Jul 2022 15:43:43 +0200 -Subject: [PATCH] libsepol: enclose macro parameters and replacement lists in - parentheses -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Christian Göttsche -Acked-by: James Carter ---- - libsepol/include/sepol/errcodes.h | 13 ++++++------- - libsepol/include/sepol/policydb/policydb.h | 10 +++++----- - libsepol/src/kernel_to_cil.c | 2 +- - libsepol/src/module_to_cil.c | 2 +- - libsepol/src/util.c | 2 +- - 5 files changed, 14 insertions(+), 15 deletions(-) - -diff --git a/libsepol/include/sepol/errcodes.h b/libsepol/include/sepol/errcodes.h -index 6e9ff3161..e5fe71e36 100644 ---- a/libsepol/include/sepol/errcodes.h -+++ b/libsepol/include/sepol/errcodes.h -@@ -16,15 +16,14 @@ extern "C" { - * codes that don't map to system error codes should be defined - * outside of the range of system error codes. - */ --#define SEPOL_ERR -1 --#define SEPOL_ENOTSUP -2 /* feature not supported in module language */ --#define SEPOL_EREQ -3 /* requirements not met */ -+#define SEPOL_ERR (-1) -+#define SEPOL_ENOTSUP (-2) /* feature not supported in module language */ -+#define SEPOL_EREQ (-3) /* requirements not met */ - - /* Error codes that map to system error codes */ --#define SEPOL_ENOMEM -ENOMEM --#define SEPOL_ERANGE -ERANGE --#define SEPOL_EEXIST -EEXIST --#define SEPOL_ENOENT -ENOENT -+#define SEPOL_ENOMEM (-ENOMEM) -+#define SEPOL_EEXIST (-EEXIST) -+#define SEPOL_ENOENT (-ENOENT) - - #ifdef __cplusplus - } -diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h -index de0068a6c..ef1a014a5 100644 ---- a/libsepol/include/sepol/policydb/policydb.h -+++ b/libsepol/include/sepol/policydb/policydb.h -@@ -251,9 +251,9 @@ typedef struct class_perm_node { - struct class_perm_node *next; - } class_perm_node_t; - --#define xperm_test(x, p) (UINT32_C(1) & (p[x >> 5] >> (x & 0x1f))) --#define xperm_set(x, p) (p[x >> 5] |= (UINT32_C(1) << (x & 0x1f))) --#define xperm_clear(x, p) (p[x >> 5] &= ~(UINT32_C(1) << (x & 0x1f))) -+#define xperm_test(x, p) (UINT32_C(1) & ((p)[(x) >> 5] >> ((x) & 0x1f))) -+#define xperm_set(x, p) ((p)[(x) >> 5] |= (UINT32_C(1) << ((x) & 0x1f))) -+#define xperm_clear(x, p) ((p)[(x) >> 5] &= ~(UINT32_C(1) << ((x) & 0x1f))) - #define EXTENDED_PERMS_LEN 8 - - typedef struct av_extended_perms { -@@ -795,9 +795,9 @@ extern int policydb_set_target_platform(policydb_t *p, int platform); - - #define policydb_has_boundary_feature(p) \ - (((p)->policy_type == POLICY_KERN \ -- && p->policyvers >= POLICYDB_VERSION_BOUNDARY) || \ -+ && (p)->policyvers >= POLICYDB_VERSION_BOUNDARY) || \ - ((p)->policy_type != POLICY_KERN \ -- && p->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY)) -+ && (p)->policyvers >= MOD_POLICYDB_VERSION_BOUNDARY)) - - /* the config flags related to unknown classes/perms are bits 2 and 3 */ - #define DENY_UNKNOWN SEPOL_DENY_UNKNOWN -diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c -index 9128ac553..5a1336a33 100644 ---- a/libsepol/src/kernel_to_cil.c -+++ b/libsepol/src/kernel_to_cil.c -@@ -1626,7 +1626,7 @@ static int write_type_permissive_rules_to_cil(FILE *out, struct policydb *pdb) - return rc; - } - --#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + 1), p)) -+#define next_bit_in_range(i, p) (((i) + 1 < sizeof(p)*8) && xperm_test(((i) + 1), p)) - - static char *xperms_to_str(avtab_extended_perms_t *xperms) - { -diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c -index b35bf055f..b900290a7 100644 ---- a/libsepol/src/module_to_cil.c -+++ b/libsepol/src/module_to_cil.c -@@ -624,7 +624,7 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const - return rc; - } - --#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + 1), p)) -+#define next_bit_in_range(i, p) (((i) + 1 < sizeof(p)*8) && xperm_test(((i) + 1), p)) - - static int xperms_to_cil(const av_extended_perms_t *xperms) - { -diff --git a/libsepol/src/util.c b/libsepol/src/util.c -index 1cd1308d1..0a2edc852 100644 ---- a/libsepol/src/util.c -+++ b/libsepol/src/util.c -@@ -124,7 +124,7 @@ char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass, - return avbuf; - } - --#define next_bit_in_range(i, p) ((i + 1 < sizeof(p)*8) && xperm_test((i + 1), p)) -+#define next_bit_in_range(i, p) (((i) + 1 < sizeof(p)*8) && xperm_test(((i) + 1), p)) - - char *sepol_extended_perms_to_string(avtab_extended_perms_t *xperms) - { diff --git a/backport-libsepol-fix-missing-double-quotes-in-typetransition-CIL-rule.patch b/backport-libsepol-fix-missing-double-quotes-in-typetransition-CIL-rule.patch deleted file mode 100644 index d673654..0000000 --- a/backport-libsepol-fix-missing-double-quotes-in-typetransition-CIL-rule.patch +++ /dev/null @@ -1,30 +0,0 @@ -From eca72d8e47ac8b962f87c46aa77fb893aa0df0f8 Mon Sep 17 00:00:00 2001 -From: Juraj Marcin -Date: Thu, 25 Aug 2022 15:27:18 +0200 -Subject: [PATCH] libsepol: fix missing double quotes in typetransition CIL - rule - -CIL Reference Guide defines typetransition rule with double quotes -around object name, but those are not present in the format string. - -This patch fixes this issue, so the CIL output produced by -sepol_kernel_policydb_to_cil() is in the correct format. - -Signed-off-by: Juraj Marcin ---- - libsepol/src/kernel_to_cil.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c -index 5a1336a330..ad4121d50a 100644 ---- a/libsepol/src/kernel_to_cil.c -+++ b/libsepol/src/kernel_to_cil.c -@@ -1894,7 +1894,7 @@ static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg) - ebitmap_for_each_positive_bit(&datum->stypes, node, bit) { - src = pdb->p_type_val_to_name[bit]; - rc = strs_create_and_add(strs, -- "(typetransition %s %s %s %s %s)", -+ "(typetransition %s %s %s \"%s\" %s)", - 5, src, tgt, class, filename, new); - if (rc) - return rc; diff --git a/backport-libsepol-rename-validate_policydb-to-policydb_validate.patch b/backport-libsepol-rename-validate_policydb-to-policydb_validate.patch deleted file mode 100644 index c35f55c..0000000 --- a/backport-libsepol-rename-validate_policydb-to-policydb_validate.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 938530171bcfbd0175b819eaa05960e9f4568ac0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Thu, 21 Jul 2022 17:24:40 +0200 -Subject: [PATCH] libsepol: rename validate_policydb to policydb_validate -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Most global functions operating on a policy database use policydb as -prefix. - -Since this function is not exported there should not be any external -use. - -Signed-off-by: Christian Göttsche -Acked-by: James Carter ---- - libsepol/src/policydb.c | 2 +- - libsepol/src/policydb_validate.c | 2 +- - libsepol/src/policydb_validate.h | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c -index fc260eb66..8a65df053 100644 ---- a/libsepol/src/policydb.c -+++ b/libsepol/src/policydb.c -@@ -4570,7 +4570,7 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) - } - } - -- if (validate_policydb(fp->handle, p)) -+ if (policydb_validate(fp->handle, p)) - goto bad; - - return POLICYDB_SUCCESS; -diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c -index 99d4eb7f6..e1dad2362 100644 ---- a/libsepol/src/policydb_validate.c -+++ b/libsepol/src/policydb_validate.c -@@ -1330,7 +1330,7 @@ static void validate_array_destroy(validate_t flavors[]) - /* - * Validate policydb - */ --int validate_policydb(sepol_handle_t *handle, policydb_t *p) -+int policydb_validate(sepol_handle_t *handle, policydb_t *p) - { - validate_t flavors[SYM_NUM] = {}; - -diff --git a/libsepol/src/policydb_validate.h b/libsepol/src/policydb_validate.h -index d9f7229bf..b7f9f1913 100644 ---- a/libsepol/src/policydb_validate.h -+++ b/libsepol/src/policydb_validate.h -@@ -4,4 +4,4 @@ - #include - - int value_isvalid(uint32_t value, uint32_t nprim); --int validate_policydb(sepol_handle_t *handle, policydb_t *p); -+int policydb_validate(sepol_handle_t *handle, policydb_t *p); diff --git a/libsepol-3.3.tar.gz b/libsepol-3.3.tar.gz deleted file mode 100644 index 5066cad..0000000 Binary files a/libsepol-3.3.tar.gz and /dev/null differ diff --git a/libsepol-3.4.tar.gz b/libsepol-3.4.tar.gz new file mode 100644 index 0000000..56a1efc Binary files /dev/null and b/libsepol-3.4.tar.gz differ diff --git a/libsepol.spec b/libsepol.spec index 3b08e22..5c3c6ee 100644 --- a/libsepol.spec +++ b/libsepol.spec @@ -1,19 +1,11 @@ Name: libsepol -Version: 3.3 -Release: 3 +Version: 3.4 +Release: 1 Summary: SELinux binary policy manipulation library License: LGPLv2+ URL: https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz -Patch0001: backport-libsepol-add-missing-oom-checks.patch -Patch0002: backport-libsepol-check-correct-pointer-for-oom.patch -Patch0003: backport-libsepol-avoid-potential-NULL-dereference-on-optional-parameter.patch -Patch0004: backport-libsepol-do-not-modify-policy-during-write.patch -Patch0005: backport-libsepol-enclose-macro-parameters-and-replacement-lists-in-parentheses.patch -Patch0006: backport-libsepol-rename-validate_policydb-to-policydb_validate.patch -Patch0007: backport-libsepol-fix-missing-double-quotes-in-typetransition-CIL-rule.patch - BuildRequires: gcc flex %description @@ -56,6 +48,7 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install %defattr(-,root,root) %license COPYING %{_libdir}/libsepol.so.* +%{_bindir}/sepol_* %files devel %defattr(-,root,root) @@ -72,6 +65,9 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install %{_mandir}/man3/* %changelog +* Sat Jan 28 2023 jinlun - 3.4-1 +- update to 3.4 + * Fri Nov 18 2022 jinlun - 3.3-3 - backport upstream patches