openSUSE Commits
Threads by month
- ----- 2024 -----
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
July 2024
- 1 participants
- 1520 discussions
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openCryptoki for openSUSE:Factory checked in at 2024-07-12 17:04:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openCryptoki (Old)
and /work/SRC/openSUSE:Factory/.openCryptoki.new.17339 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openCryptoki"
Fri Jul 12 17:04:51 2024 rev:74 rq:1187028 version:3.23.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/openCryptoki/openCryptoki.changes 2024-07-11 20:33:52.206376872 +0200
+++ /work/SRC/openSUSE:Factory/.openCryptoki.new.17339/openCryptoki.changes 2024-07-12 17:05:11.413324663 +0200
@@ -16 +16 @@
- * Updates to harden against RSA timing attacks
+ * Updates to harden against RSA timing attacks (bsc#1219217)
@@ -71 +71,2 @@
-- Updated package to openCryptoki 3.20 (jsc#PED-2870)
+- Updated package to openCryptoki 3.20 (bsc#1207760,
+ jsc#PED-3376, jsc#PED-2870, jsc#PED-2869 )
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package gnome-latex for openSUSE:Factory checked in at 2024-07-12 17:04:52
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gnome-latex (Old)
and /work/SRC/openSUSE:Factory/.gnome-latex.new.17339 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnome-latex"
Fri Jul 12 17:04:52 2024 rev:13 rq:1186974 version:3.46.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/gnome-latex/gnome-latex.changes 2023-09-20 13:24:06.739731632 +0200
+++ /work/SRC/openSUSE:Factory/.gnome-latex.new.17339/gnome-latex.changes 2024-07-12 17:05:12.201353616 +0200
@@ -1,0 +2,5 @@
+Thu Jul 11 18:15:11 UTC 2024 - Bjørn Lie <bjorn.lie(a)gmail.com>
+
+- Trigger Vala compilation during build, for GCC 14 compatibility.
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ gnome-latex.spec ++++++
--- /var/tmp/diff_new_pack.MYEnRR/_old 2024-07-12 17:05:12.785375074 +0200
+++ /var/tmp/diff_new_pack.MYEnRR/_new 2024-07-12 17:05:12.789375220 +0200
@@ -64,11 +64,13 @@
%prep
%autosetup -p1
+find -name '*.vala' -exec touch {} \;
%build
autoreconf -fiv
%configure \
--enable-gtk-doc \
+ --enable-vala \
%{nil}
%make_build
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python313 for openSUSE:Factory checked in at 2024-07-12 17:04:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python313 (Old)
and /work/SRC/openSUSE:Factory/.python313.new.17339 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python313"
Fri Jul 12 17:04:41 2024 rev:2 rq:1186945 version:3.13.0~b3
Changes:
--------
--- /work/SRC/openSUSE:Factory/python313/python313.changes 2024-07-05 19:52:52.690037063 +0200
+++ /work/SRC/openSUSE:Factory/.python313.new.17339/python313.changes 2024-07-12 17:04:56.896791301 +0200
@@ -1,0 +2,6 @@
+Thu Jul 4 16:04:05 UTC 2024 - Matej Cepl <mcepl(a)cepl.eu>
+
+- Stop using %%defattr, it seems to be breaking proper executable
+ attributes on /usr/bin/ scripts (bsc#1227378).
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python313.spec ++++++
--- /var/tmp/diff_new_pack.EnLkh8/_old 2024-07-12 17:04:57.792824222 +0200
+++ /var/tmp/diff_new_pack.EnLkh8/_new 2024-07-12 17:04:57.796824370 +0200
@@ -667,6 +667,7 @@
)
# keep just idle3.X
+ls -l %{buildroot}%{_bindir}/
rm %{buildroot}%{_bindir}/idle3
# install idle icons
@@ -786,23 +787,19 @@
%if %{with general}
%files -n %{python_pkg_name}-tk
-%defattr(644, root, root, 755)
%{sitedir}/tkinter
%{dynlib _tkinter}
%files -n %{python_pkg_name}-curses
-%defattr(644, root, root, 755)
%{sitedir}/curses
%{dynlib _curses}
%files -n %{python_pkg_name}-dbm
-%defattr(644, root, root, 755)
%{sitedir}/dbm
%{dynlib _dbm}
%{dynlib _gdbm}
%files -n %{python_pkg_name}
-%defattr(644, root, root, 755)
%dir %{sitedir}
%dir %{sitedir}/lib-dynload
%{sitedir}/sqlite3
@@ -810,7 +807,6 @@
%{dynlib _sqlite3}
%files -n %{python_pkg_name}-idle
-%defattr(644, root, root, 755)
%{sitedir}/idlelib
%dir %{_sysconfdir}/idle%{python_version}
%config %{_sysconfdir}/idle%{python_version}/*
@@ -847,16 +843,13 @@
%postun -n libpython%{so_version} -p /sbin/ldconfig
%files -n libpython%{so_version}
-%defattr(644, root,root)
%{_libdir}/libpython%{python_abi}.so.%{so_major}.%{so_minor}
%files -n %{python_pkg_name}-tools
-%defattr(644, root, root, 755)
%{sitedir}/turtledemo
%doc %{_docdir}/%{name}/Tools
%files -n %{python_pkg_name}-devel
-%defattr(644, root, root, 755)
%{_libdir}/libpython%{python_abi}.so
%if %{primary_interpreter}
%{_libdir}/libpython3.so
@@ -864,7 +857,6 @@
%{_libdir}/pkgconfig/*
%{_includedir}/python%{python_abi}
%{sitedir}/config-%{python_abi}-*
-%defattr(755, root, root)
%{_bindir}/python%{python_abi}-config
%if %{primary_interpreter}
%{_bindir}/python3-config
@@ -877,7 +869,6 @@
%{_datadir}/gdb/auto-load/%{_libdir}/libpython%{python_abi}.so.%{so_major}.%{so_minor}-gdb.py
%files -n %{python_pkg_name}-testsuite
-%defattr(644, root, root, 755)
%{sitedir}/test
# %%{sitedir}/*/test
# %%{sitedir}/*/tests
@@ -898,7 +889,6 @@
%dir %{sitedir}/tkinter
%files -n %{python_pkg_name}-base
-%defattr(644, root, root, 755)
# docs
%dir %{_docdir}/%{name}
%doc %{_docdir}/%{name}/README.rst
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package orthanc-python for openSUSE:Factory checked in at 2024-07-12 17:04:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/orthanc-python (Old)
and /work/SRC/openSUSE:Factory/.orthanc-python.new.17339 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "orthanc-python"
Fri Jul 12 17:04:40 2024 rev:9 rq:1186932 version:4.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/orthanc-python/orthanc-python.changes 2024-05-27 12:01:30.854366189 +0200
+++ /work/SRC/openSUSE:Factory/.orthanc-python.new.17339/orthanc-python.changes 2024-07-12 17:04:55.964757056 +0200
@@ -1,0 +2,10 @@
+Mon Jul 8 14:30:52 UTC 2024 - Axel Braun <axel.braun(a)gmx.de>
+
+- version 4.3
+ * Created Python documentation for the Orthanc interface, check out "orthanc.pyi"
+ * Added option "AllowThreads" to release the GIL during the call to the native SDK functions
+ * Code model is now generated by the "orthanc-java" project
+ * Added Windows builder for Python 3.12
+ * Licensing information is now compliant with the FSFE REUSE specification
+
+-------------------------------------------------------------------
Old:
----
OrthancPython-4.2.tar.gz
New:
----
OrthancPython-4.3.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ orthanc-python.spec ++++++
--- /var/tmp/diff_new_pack.BfjImr/_old 2024-07-12 17:04:56.636781747 +0200
+++ /var/tmp/diff_new_pack.BfjImr/_new 2024-07-12 17:04:56.636781747 +0200
@@ -19,7 +19,7 @@
%{?sle15_python_module_pythons}
Name: orthanc-python
-Version: 4.2
+Version: 4.3
Release: 0
Summary: Python plugin for Orthanc
License: AGPL-3.0-or-later
++++++ OrthancPython-4.2.tar.gz -> OrthancPython-4.3.tar.gz ++++++
++++ 24912 lines of diff (skipped)
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package mercurial-extension-hg-git for openSUSE:Factory checked in at 2024-07-12 17:04:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mercurial-extension-hg-git (Old)
and /work/SRC/openSUSE:Factory/.mercurial-extension-hg-git.new.17339 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mercurial-extension-hg-git"
Fri Jul 12 17:04:38 2024 rev:15 rq:1186936 version:1.1.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/mercurial-extension-hg-git/mercurial-extension-hg-git.changes 2024-06-24 20:57:44.926053817 +0200
+++ /work/SRC/openSUSE:Factory/.mercurial-extension-hg-git.new.17339/mercurial-extension-hg-git.changes 2024-07-12 17:04:54.860716492 +0200
@@ -1,0 +2,11 @@
+Thu Jul 11 18:32:08 UTC 2024 - Lukas Müller <expeehaa(a)outlook.com>
+
+- Update to version 1.1.3.
+ * Mark Dulwich 0.22.0 and 0.22.1 as unsupported. The compatibility hack didn't work in practice.
+ * Mark Mercurial 6.8 as tested and supported.
+- Changes from version 1.1.2:
+ * Always advance draft phase, even if pulling from an explicit URL that isn't a named path.
+ * Always save Git tags into the local, cached Git repository.
+ * Add support for Dulwich 0.22.
+
+-------------------------------------------------------------------
Old:
----
hg-git-1.1.1.tar.gz
New:
----
hg_git-1.1.3.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mercurial-extension-hg-git.spec ++++++
--- /var/tmp/diff_new_pack.oWlkC3/_old 2024-07-12 17:04:55.568742506 +0200
+++ /var/tmp/diff_new_pack.oWlkC3/_new 2024-07-12 17:04:55.572742653 +0200
@@ -37,13 +37,13 @@
%endif
Name: mercurial-extension-hg-git
-Version: 1.1.1
+Version: 1.1.3
Release: 0
Summary: Hg-Git Mercurial plugin
License: GPL-2.0-only
Group: Development/Tools/Version Control
URL: http://foss.heptapod.net/mercurial/hg-git
-Source0: https://files.pythonhosted.org/packages/source/h/hg-git/hg-git-%{version}.t…
+Source0: https://files.pythonhosted.org/packages/source/h/hg-git/hg_git-%{version}.t…
Source90: tests.blacklist
BuildRequires: %{mercurial_python}
BuildRequires: %{mercurial_python}-dulwich >= 0.19.3
@@ -77,7 +77,7 @@
The Hg-Git plugin can convert commits/changesets losslessly from one system to another, so you can push via a Mercurial repository and another Hg client can pull it and their changeset node ids will be identical - Mercurial data does not get lost in translation. It is intended that Hg users may wish to use this to collaborate even if no Git users are involved in the project, and it may even provide some advantages if you’re using Bookmarks.
%prep
-%setup -q -n hg-git-%{version}
+%setup -q -n hg_git-%{version}
%build
%pyproject_wheel
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cilium-cli for openSUSE:Factory checked in at 2024-07-12 17:04:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cilium-cli (Old)
and /work/SRC/openSUSE:Factory/.cilium-cli.new.17339 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cilium-cli"
Fri Jul 12 17:04:31 2024 rev:71 rq:1186942 version:0.16.13
Changes:
--------
--- /work/SRC/openSUSE:Factory/cilium-cli/cilium-cli.changes 2024-07-11 20:30:21.842672992 +0200
+++ /work/SRC/openSUSE:Factory/.cilium-cli.new.17339/cilium-cli.changes 2024-07-12 17:04:49.416516463 +0200
@@ -1,0 +2,17 @@
+Thu Jul 11 18:44:15 UTC 2024 - opensuse_buildservice(a)ojkastl.de
+
+- Update to version 0.16.13:
+ * Prepare for v0.16.13 release
+ * chore(deps): update actions/setup-go action to v5.0.2
+ * fix(deps): update module helm.sh/helm/v3 to v3.15.3
+ * clustermesh: fix deprecated cloud internal LoadBalancer
+ annotations
+ * clustermesh: explicitly validate service type, and forbid
+ ClusterIP
+ * clustermesh: fix remote clusters configuration reset upon
+ deactivation
+ * Add --disable-check flag to upgrade command
+ * connectivity: Add Port Range Tests
+ * Update stable release to v0.16.12
+
+-------------------------------------------------------------------
Old:
----
cilium-cli-0.16.12.obscpio
New:
----
cilium-cli-0.16.13.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cilium-cli.spec ++++++
--- /var/tmp/diff_new_pack.5zhLuy/_old 2024-07-12 17:04:53.080651090 +0200
+++ /var/tmp/diff_new_pack.5zhLuy/_new 2024-07-12 17:04:53.100651825 +0200
@@ -21,7 +21,7 @@
%define executable_name cilium
Name: cilium-cli
-Version: 0.16.12
+Version: 0.16.13
Release: 0
Summary: CLI to install, manage & troubleshoot Kubernetes clusters running Cilium
License: Apache-2.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.5zhLuy/_old 2024-07-12 17:04:53.372661819 +0200
+++ /var/tmp/diff_new_pack.5zhLuy/_new 2024-07-12 17:04:53.412663288 +0200
@@ -3,7 +3,7 @@
<param name="url">https://github.com/cilium/cilium-cli</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
- <param name="revision">v0.16.12</param>
+ <param name="revision">v0.16.13</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">enable</param>
<param name="versionrewrite-pattern">v(.*)</param>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.5zhLuy/_old 2024-07-12 17:04:53.592669902 +0200
+++ /var/tmp/diff_new_pack.5zhLuy/_new 2024-07-12 17:04:53.628671225 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/cilium/cilium-cli</param>
- <param name="changesrevision">9fffebfb38ad7ff1f80f1c1a366ec87730683bb4</param></service></servicedata>
+ <param name="changesrevision">1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e</param></service></servicedata>
(No newline at EOF)
++++++ cilium-cli-0.16.12.obscpio -> cilium-cli-0.16.13.obscpio ++++++
/work/SRC/openSUSE:Factory/cilium-cli/cilium-cli-0.16.12.obscpio /work/SRC/openSUSE:Factory/.cilium-cli.new.17339/cilium-cli-0.16.13.obscpio differ: char 49, line 1
++++++ cilium-cli.obsinfo ++++++
--- /var/tmp/diff_new_pack.5zhLuy/_old 2024-07-12 17:04:54.020685628 +0200
+++ /var/tmp/diff_new_pack.5zhLuy/_new 2024-07-12 17:04:54.056686951 +0200
@@ -1,5 +1,5 @@
name: cilium-cli
-version: 0.16.12
-mtime: 1720570547
-commit: 9fffebfb38ad7ff1f80f1c1a366ec87730683bb4
+version: 0.16.13
+mtime: 1720721123
+commit: 1afb3ff7eb6ace8ab5f8d4d844afe02e2018bb4e
++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/cilium-cli/vendor.tar.gz /work/SRC/openSUSE:Factory/.cilium-cli.new.17339/vendor.tar.gz differ: char 5, line 1
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package haproxy for openSUSE:Factory checked in at 2024-07-12 17:04:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/haproxy (Old)
and /work/SRC/openSUSE:Factory/.haproxy.new.17339 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "haproxy"
Fri Jul 12 17:04:30 2024 rev:146 rq:1186896 version:3.0.3+git0.95a607c4b
Changes:
--------
--- /work/SRC/openSUSE:Factory/haproxy/haproxy.changes 2024-06-27 16:04:37.901541702 +0200
+++ /work/SRC/openSUSE:Factory/.haproxy.new.17339/haproxy.changes 2024-07-12 17:04:45.652378163 +0200
@@ -1,0 +2,55 @@
+Thu Jul 11 14:57:46 UTC 2024 - Marcus Rueckert <mrueckert(a)suse.de>
+
+- refreshed patches:
+ haproxy-1.6.0-makefile_lib.patch
+ haproxy-1.6.0-sec-options.patch
+
+-------------------------------------------------------------------
+Thu Jul 11 14:56:11 UTC 2024 - mrueckert(a)suse.de
+
+- Update to version 3.0.3+git0.95a607c4b:
+ * [RELEASE] Released version 3.0.3
+ * BUG/MEDIUM: bwlim: Be sure to never set the analyze expiration date in past
+ * DEV: flags/quic: decode quic_conn flags
+ * BUG/MEDIUM: spoe: Be sure to create a SPOE applet if none on the current thread
+ * BUG/MEDIUM: h1: Reject empty Transfer-encoding header
+ * BUG/MINOR: h1: Reject empty coding name as last transfer-encoding value
+ * BUG/MINOR: h1: Fail to parse empty transfer coding names
+ * BUG/MINOR: jwt: fix variable initialisation
+ * Revert "MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD"
+ * BUG/MEDIUM: peers: Fix crash when syncing learn state of a peer without appctx
+ * DOC: configuration: update maxconn description
+ * MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD
+ * BUG/MINOR: jwt: don't try to load files with HMAC algorithm
+ * BUG/MEDIUM: server: fix race on server_atomic_sync()
+ * DOC: configuration: more details about the master-worker mode
+ * BUG/MEDIUM: hlua/cli: Fix lua CLI commands to work with applet's buffers
+ * BUG/MINOR: promex: Remove Help prefix repeated twice for each metric
+ * BUG/MEDIUM: quic: fix possible exit from qc_check_dcid() without unlocking
+ * BUG/MINOR: quic: fix race-condition on trace for CID retrieval
+ * BUG/MINOR: quic: fix race condition in qc_check_dcid()
+ * BUG/MEDIUM: quic: fix race-condition in quic_get_cid_tid()
+ * BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid
+ * BUG/MEDIUM: h3: ensure the ":method" pseudo header is totally valid
+ * BUG/MEDIUM: server/dns: prevent DOWN/UP flap upon resolution timeout or error
+ * MINOR: activity: make the memory profiling hash size configurable at build time
+ * BUG/MINOR: server: fix first server template name lookup UAF
+ * DOC: configuration: add details about crt-store in bind "crt" keyword
+ * BUG/MEDIUM: stick-table: Decrement the ref count inside lock to kill a session
+ * BUG/MINOR: hlua: report proper context upon error in hlua_cli_io_handler_fct()
+ * DEV: flags/show-fd-to-flags: adapt to recent versions
+ * BUG/MINOR: quic: fix BUG_ON() on Tx pkt alloc failure
+ * BUG/MINOR: h3: fix BUG_ON() crash on control stream alloc failure
+ * BUG/MINOR: mux-quic: fix crash on qcs SD alloc failure
+ * BUG/MINOR: h3: fix crash on STOP_SENDING receive after GOAWAY emission
+ * DOC: api/event_hdl: small updates, fix an example and add some precisions
+ * SCRIPTS: git-show-backports: do not truncate git-show output
+ * BUG/MAJOR: quic: fix padding with short packets
+ * DOC: management: document ptr lookup for table commands
+ * DOC: configuration: fix alphabetical order of bind options
+ * BUG/MEDIUM: proxy: fix email-alert invalid free
+ * REGTESTS: ssl: fix some regtests 'feature cmd' start condition
+ * DEBUG: hlua: distinguish burst timeout errors from exec timeout errors
+ * BUG/MINOR: log: fix broken '+bin' logformat node option
+
+-------------------------------------------------------------------
Old:
----
haproxy-3.0.2+git0.a45a8e623.tar.gz
New:
----
haproxy-3.0.3+git0.95a607c4b.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ haproxy.spec ++++++
--- /var/tmp/diff_new_pack.DJzPhS/_old 2024-07-12 17:04:46.632414171 +0200
+++ /var/tmp/diff_new_pack.DJzPhS/_new 2024-07-12 17:04:46.632414171 +0200
@@ -53,7 +53,7 @@
%endif
Name: haproxy
-Version: 3.0.2+git0.a45a8e623
+Version: 3.0.3+git0.95a607c4b
Release: 0
#
#
++++++ _service ++++++
--- /var/tmp/diff_new_pack.DJzPhS/_old 2024-07-12 17:04:46.668415494 +0200
+++ /var/tmp/diff_new_pack.DJzPhS/_new 2024-07-12 17:04:46.672415641 +0200
@@ -6,7 +6,7 @@
<param name="versionformat">@PARENT_TAG@+git@TAG_OFFSET@.%h</param>
<param name="versionrewrite-pattern">v(.*)</param>
<param name="versionrewrite-replacement">\1</param>
- <param name="revision">v3.0.2</param>
+ <param name="revision">v3.0.3</param>
<param name="changesgenerate">enable</param>
</service>
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.DJzPhS/_old 2024-07-12 17:04:46.700416669 +0200
+++ /var/tmp/diff_new_pack.DJzPhS/_new 2024-07-12 17:04:46.704416816 +0200
@@ -1,7 +1,7 @@
<servicedata>
<service name="tar_scm">
<param name="url">http://git.haproxy.org/git/haproxy-3.0.git/</param>
- <param name="changesrevision">a45a8e6235853e787e59b13f07355f4729ae3c8e</param>
+ <param name="changesrevision">95a607c4b3af09be2a495b9c2872ea252ccff603</param>
</service>
</servicedata>
(No newline at EOF)
++++++ haproxy-1.6.0-makefile_lib.patch ++++++
--- /var/tmp/diff_new_pack.DJzPhS/_old 2024-07-12 17:04:46.716417257 +0200
+++ /var/tmp/diff_new_pack.DJzPhS/_new 2024-07-12 17:04:46.720417404 +0200
@@ -1,8 +1,8 @@
-Index: haproxy-2.8/Makefile
+Index: haproxy-3.0/Makefile
===================================================================
---- haproxy-2.8.orig/Makefile
-+++ haproxy-2.8/Makefile
-@@ -750,7 +750,7 @@ ifneq ($(USE_PCRE)$(USE_STATIC_PCRE)$(US
+--- haproxy-3.0.orig/Makefile
++++ haproxy-3.0/Makefile
+@@ -784,7 +784,7 @@ ifneq ($(USE_PCRE:0=)$(USE_STATIC_PCRE:0
PCREDIR := $(shell $(PCRE_CONFIG) --prefix 2>/dev/null || echo /usr/local)
ifneq ($(PCREDIR),)
PCRE_INC := $(PCREDIR)/include
@@ -11,7 +11,7 @@
endif
PCRE_CFLAGS := $(if $(PCRE_INC),-I$(PCRE_INC))
-@@ -768,7 +768,7 @@ ifneq ($(USE_PCRE2)$(USE_STATIC_PCRE2)$(
+@@ -802,7 +802,7 @@ ifneq ($(USE_PCRE2:0=)$(USE_STATIC_PCRE2
PCRE2DIR := $(shell $(PCRE2_CONFIG) --prefix 2>/dev/null || echo /usr/local)
ifneq ($(PCRE2DIR),)
PCRE2_INC := $(PCRE2DIR)/include
++++++ haproxy-1.6.0-sec-options.patch ++++++
--- /var/tmp/diff_new_pack.DJzPhS/_old 2024-07-12 17:04:46.732417845 +0200
+++ /var/tmp/diff_new_pack.DJzPhS/_new 2024-07-12 17:04:46.736417992 +0200
@@ -4,11 +4,11 @@
SUSE: Makefile sec options
-Index: haproxy-2.8/Makefile
+Index: haproxy-3.0/Makefile
===================================================================
---- haproxy-2.8.orig/Makefile
-+++ haproxy-2.8/Makefile
-@@ -849,6 +849,35 @@ ifneq ($(TRACE),)
+--- haproxy-3.0.orig/Makefile
++++ haproxy-3.0/Makefile
+@@ -887,6 +887,35 @@ ifneq ($(TRACE),)
COPTS += -finstrument-functions
endif
++++++ haproxy-3.0.2+git0.a45a8e623.tar.gz -> haproxy-3.0.3+git0.95a607c4b.tar.gz ++++++
++++ 1809 lines of diff (skipped)
++++++ series ++++++
--- /var/tmp/diff_new_pack.DJzPhS/_old 2024-07-12 17:04:47.552447975 +0200
+++ /var/tmp/diff_new_pack.DJzPhS/_new 2024-07-12 17:04:47.556448122 +0200
@@ -1,4 +1,5 @@
haproxy-1.6.0_config_haproxy_user.patch
haproxy-1.6.0-makefile_lib.patch
haproxy-1.6.0-sec-options.patch
+haproxy-service.patch
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libselinux for openSUSE:Factory checked in at 2024-07-12 17:04:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libselinux (Old)
and /work/SRC/openSUSE:Factory/.libselinux.new.17339 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libselinux"
Fri Jul 12 17:04:25 2024 rev:79 rq:1186963 version:3.7
Changes:
--------
--- /work/SRC/openSUSE:Factory/libselinux/libselinux-bindings.changes 2024-01-08 23:43:50.099198946 +0100
+++ /work/SRC/openSUSE:Factory/.libselinux.new.17339/libselinux-bindings.changes 2024-07-12 17:04:35.948021609 +0200
@@ -1,0 +2,22 @@
+Mon Jul 1 07:53:14 UTC 2024 - Cathy Hu <cathy.hu(a)suse.com>
+
+- Update to version 3.7
+ https://github.com/SELinuxProject/selinux/releases/tag/3.7
+ * User-visible changes
+ * libselinux/utils/selabel_digest: drop unsupported option -d
+ * libselinux/utils: improve compute_av output
+ * libselinux: fail selabel_open(3) on invalid option
+ * Improved man pages
+ * Improvements
+ * libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
+ * libselinux: enable usage with pedantic UB sanitizers
+ * libselinux: support huge passwd/group entries
+ * Bugfixes:
+ * libselinux/utils/selabel_digest: avoid buffer overflow
+ * libselinux: avoid pointer dereference before check
+ * libselinux/utils/selabel_digest: pass BASEONLY only for file backend
+ * libselinux: free empty scandir(3) result
+ * libselinux: free data on selabel open failure
+ * libselinux: use reentrant strtok_r(3)
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/libselinux/libselinux.changes 2024-01-08 23:43:50.139200400 +0100
+++ /work/SRC/openSUSE:Factory/.libselinux.new.17339/libselinux.changes 2024-07-12 17:04:36.052025431 +0200
@@ -1,0 +2,29 @@
+Thu Jul 11 19:47:41 UTC 2024 - Cathy Hu <cathy.hu(a)suse.com>
+
+- Fix segfault caused by upstream changes in selabel_open():
+ libselinux-set-free-d-data-to-NULL.patch
+ Can be removed once it is upstream.
+
+-------------------------------------------------------------------
+Mon Jul 1 07:53:14 UTC 2024 - Cathy Hu <cathy.hu(a)suse.com>
+
+- Update to version 3.7
+ https://github.com/SELinuxProject/selinux/releases/tag/3.7
+ * User-visible changes
+ * libselinux/utils/selabel_digest: drop unsupported option -d
+ * libselinux/utils: improve compute_av output
+ * libselinux: fail selabel_open(3) on invalid option
+ * Improved man pages
+ * Improvements
+ * libselinux, libsepol: Add CFLAGS and LDFLAGS to Makefile checks
+ * libselinux: enable usage with pedantic UB sanitizers
+ * libselinux: support huge passwd/group entries
+ * Bugfixes:
+ * libselinux/utils/selabel_digest: avoid buffer overflow
+ * libselinux: avoid pointer dereference before check
+ * libselinux/utils/selabel_digest: pass BASEONLY only for file backend
+ * libselinux: free empty scandir(3) result
+ * libselinux: free data on selabel open failure
+ * libselinux: use reentrant strtok_r(3)
+
+-------------------------------------------------------------------
Old:
----
libselinux-3.6.tar.gz
libselinux-3.6.tar.gz.asc
New:
----
libselinux-3.7.tar.gz
libselinux-3.7.tar.gz.asc
libselinux-set-free-d-data-to-NULL.patch
BETA DEBUG BEGIN:
New:/work/SRC/openSUSE:Factory/.libselinux.new.17339/libselinux.changes-- Fix segfault caused by upstream changes in selabel_open():
/work/SRC/openSUSE:Factory/.libselinux.new.17339/libselinux.changes: libselinux-set-free-d-data-to-NULL.patch
/work/SRC/openSUSE:Factory/.libselinux.new.17339/libselinux.changes- Can be removed once it is upstream.
BETA DEBUG END:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libselinux-bindings.spec ++++++
--- /var/tmp/diff_new_pack.BzdPd8/_old 2024-07-12 17:04:36.964058940 +0200
+++ /var/tmp/diff_new_pack.BzdPd8/_new 2024-07-12 17:04:36.964058940 +0200
@@ -1,7 +1,7 @@
#
# spec file for package libselinux-bindings
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,10 +18,10 @@
%{?sle15allpythons}
%define python_subpackage_only 1
-%define libsepol_ver 3.6
+%define libsepol_ver 3.7
%define upname libselinux
Name: libselinux-bindings
-Version: 3.6
+Version: 3.7
Release: 0
Summary: SELinux runtime library and utilities
License: SUSE-Public-Domain
++++++ libselinux.spec ++++++
--- /var/tmp/diff_new_pack.BzdPd8/_old 2024-07-12 17:04:36.996060116 +0200
+++ /var/tmp/diff_new_pack.BzdPd8/_new 2024-07-12 17:04:37.000060263 +0200
@@ -1,7 +1,7 @@
#
# spec file for package libselinux
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -16,9 +16,9 @@
#
-%define libsepol_ver 3.6
+%define libsepol_ver 3.7
Name: libselinux
-Version: 3.6
+Version: 3.7
Release: 0
Summary: SELinux runtime library and utilities
License: SUSE-Public-Domain
@@ -36,6 +36,9 @@
# Make linking working even when default pkg-config doesn’t provide -lpython<ver>
Patch6: python3.8-compat.patch
Patch7: swig4_moduleimport.patch
+# Fixes segfault in 3.7, please remove once this is upstream:
+# https://lore.kernel.org/selinux/CAP+JOzQCu0srfss921Ew42oHxsaqRYGiTs56_h9j2Y…
+Patch8: libselinux-set-free-d-data-to-NULL.patch
BuildRequires: fdupes
BuildRequires: libsepol-devel >= %{libsepol_ver}
BuildRequires: libsepol-devel-static >= %{libsepol_ver}
++++++ libselinux-3.6.tar.gz -> libselinux-3.7.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/VERSION new/libselinux-3.7/VERSION
--- old/libselinux-3.6/VERSION 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/VERSION 2024-06-26 17:30:41.000000000 +0200
@@ -1 +1 @@
-3.6
+3.7
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/include/selinux/avc.h new/libselinux-3.7/include/selinux/avc.h
--- old/libselinux-3.6/include/selinux/avc.h 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/include/selinux/avc.h 2024-06-26 17:30:41.000000000 +0200
@@ -215,7 +215,7 @@
* is set to "avc" and any callbacks desired should be specified via
* selinux_set_callback(). Available options are listed above.
*/
-extern int avc_open(struct selinux_opt *opts, unsigned nopts);
+extern int avc_open(const struct selinux_opt *opts, unsigned nopts);
/**
* avc_cleanup - Remove unused SIDs and AVC entries.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/include/selinux/selinux.h new/libselinux-3.7/include/selinux/selinux.h
--- old/libselinux-3.6/include/selinux/selinux.h 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/include/selinux/selinux.h 2024-06-26 17:30:41.000000000 +0200
@@ -413,7 +413,7 @@
* starting at 1, and have one security_class_mapping structure entry
* per define.
*/
-extern int selinux_set_mapping(struct security_class_mapping *map);
+extern int selinux_set_mapping(const struct security_class_mapping *map);
/* Common helpers */
@@ -443,7 +443,11 @@
/* Set the function used by matchpathcon_init when displaying
errors about the file_contexts configuration. If not set,
then this defaults to fprintf(stderr, fmt, ...). */
-extern void set_matchpathcon_printf(void (*f) (const char *fmt, ...));
+extern void set_matchpathcon_printf(void
+#ifdef __GNUC__
+ __attribute__ ((format(printf, 1, 2)))
+#endif
+ (*f) (const char *fmt, ...));
/* Set the function used by matchpathcon_init when checking the
validity of a context in the file contexts configuration. If not set,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/avc_context_to_sid.3 new/libselinux-3.7/man/man3/avc_context_to_sid.3
--- old/libselinux-3.6/man/man3/avc_context_to_sid.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/avc_context_to_sid.3 2024-06-26 17:30:41.000000000 +0200
@@ -10,7 +10,7 @@
.br
.B #include <selinux/avc.h>
.sp
-.BI "int avc_context_to_sid(char *" ctx ", security_id_t *" sid ");"
+.BI "int avc_context_to_sid(const char *" ctx ", security_id_t *" sid ");"
.sp
.BI "int avc_sid_to_context(security_id_t " sid ", char **" ctx ");"
.sp
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/avc_open.3 new/libselinux-3.7/man/man3/avc_open.3
--- old/libselinux-3.6/man/man3/avc_open.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/avc_open.3 2024-06-26 17:30:41.000000000 +0200
@@ -10,7 +10,7 @@
.br
.B #include <selinux/avc.h>
.sp
-.BI "int avc_open(struct selinux_opt *" options ", unsigned " nopt ");"
+.BI "int avc_open(const struct selinux_opt *" options ", unsigned " nopt ");"
.sp
.BI "void avc_destroy(void);"
.sp
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/getfscreatecon.3 new/libselinux-3.7/man/man3/getfscreatecon.3
--- old/libselinux-3.6/man/man3/getfscreatecon.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/getfscreatecon.3 2024-06-26 17:30:41.000000000 +0200
@@ -9,9 +9,9 @@
.sp
.BI "int getfscreatecon_raw(char **" con );
.sp
-.BI "int setfscreatecon(char *" context );
+.BI "int setfscreatecon(const char *" context );
.sp
-.BI "int setfscreatecon_raw(char *" context );
+.BI "int setfscreatecon_raw(const char *" context );
.
.SH "DESCRIPTION"
.BR getfscreatecon ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/getkeycreatecon.3 new/libselinux-3.7/man/man3/getkeycreatecon.3
--- old/libselinux-3.6/man/man3/getkeycreatecon.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/getkeycreatecon.3 2024-06-26 17:30:41.000000000 +0200
@@ -9,9 +9,9 @@
.sp
.BI "int getkeycreatecon_raw(char **" con );
.sp
-.BI "int setkeycreatecon(char *" context );
+.BI "int setkeycreatecon(const char *" context );
.sp
-.BI "int setkeycreatecon_raw(char *" context );
+.BI "int setkeycreatecon_raw(const char *" context );
.
.SH "DESCRIPTION"
.BR getkeycreatecon ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/getsockcreatecon.3 new/libselinux-3.7/man/man3/getsockcreatecon.3
--- old/libselinux-3.6/man/man3/getsockcreatecon.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/getsockcreatecon.3 2024-06-26 17:30:41.000000000 +0200
@@ -9,9 +9,9 @@
.sp
.BI "int getsockcreatecon_raw(char **" con );
.sp
-.BI "int setsockcreatecon(char *" context );
+.BI "int setsockcreatecon(const char *" context );
.sp
-.BI "int setsockcreatecon_raw(char *" context );
+.BI "int setsockcreatecon_raw(const char *" context );
.
.SH "DESCRIPTION"
.BR getsockcreatecon ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/init_selinuxmnt.3 new/libselinux-3.7/man/man3/init_selinuxmnt.3
--- old/libselinux-3.6/man/man3/init_selinuxmnt.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/init_selinuxmnt.3 2024-06-26 17:30:41.000000000 +0200
@@ -7,7 +7,7 @@
.sp
.BI "static void fini_selinuxmnt(void);"
.sp
-.BI "void set_selinuxmnt(char *" mnt ");"
+.BI "void set_selinuxmnt(const char *" mnt ");"
.
.SH "DESCRIPTION"
.BR init_selinuxmnt ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/is_context_customizable.3 new/libselinux-3.7/man/man3/is_context_customizable.3
--- old/libselinux-3.6/man/man3/is_context_customizable.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/is_context_customizable.3 2024-06-26 17:30:41.000000000 +0200
@@ -5,7 +5,7 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.BI "int is_context_customizable(char *" scon );
+.BI "int is_context_customizable(const char *" scon );
.
.SH "DESCRIPTION"
This function checks whether the type of scon is in the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/is_selinux_enabled.3 new/libselinux-3.7/man/man3/is_selinux_enabled.3
--- old/libselinux-3.6/man/man3/is_selinux_enabled.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/is_selinux_enabled.3 2024-06-26 17:30:41.000000000 +0200
@@ -8,9 +8,9 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.B int is_selinux_enabled();
+.B int is_selinux_enabled(void);
.sp
-.B int is_selinux_mls_enabled();
+.B int is_selinux_mls_enabled(void);
.
.SH "DESCRIPTION"
.BR is_selinux_enabled ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/security_policyvers.3 new/libselinux-3.7/man/man3/security_policyvers.3
--- old/libselinux-3.6/man/man3/security_policyvers.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/security_policyvers.3 2024-06-26 17:30:41.000000000 +0200
@@ -4,7 +4,7 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.B int security_policyvers();
+.B int security_policyvers(void);
.
.SH "DESCRIPTION"
.BR security_policyvers ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/security_validatetrans.3 new/libselinux-3.7/man/man3/security_validatetrans.3
--- old/libselinux-3.6/man/man3/security_validatetrans.3 1970-01-01 01:00:00.000000000 +0100
+++ new/libselinux-3.7/man/man3/security_validatetrans.3 2024-06-26 17:30:41.000000000 +0200
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/security_validatetrans.c new/libselinux-3.7/man/man3/security_validatetrans.c
--- old/libselinux-3.6/man/man3/security_validatetrans.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/security_validatetrans.c 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-.so man3/security_compute_av.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/security_validatetrans_raw.3 new/libselinux-3.7/man/man3/security_validatetrans_raw.3
--- old/libselinux-3.6/man/man3/security_validatetrans_raw.3 1970-01-01 01:00:00.000000000 +0100
+++ new/libselinux-3.7/man/man3/security_validatetrans_raw.3 2024-06-26 17:30:41.000000000 +0200
@@ -0,0 +1 @@
+.so man3/security_compute_av.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/security_validatetrans_raw.c new/libselinux-3.7/man/man3/security_validatetrans_raw.c
--- old/libselinux-3.6/man/man3/security_validatetrans_raw.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/security_validatetrans_raw.c 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-.so man3/security_compute_av.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/selabel_lookup.3 new/libselinux-3.7/man/man3/selabel_lookup.3
--- old/libselinux-3.6/man/man3/selabel_lookup.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/selabel_lookup.3 2024-06-26 17:30:41.000000000 +0200
@@ -64,7 +64,8 @@
.I key
and/or
.I type
-inputs are invalid, or the context being returned failed validation.
+inputs are invalid, or the context being returned failed validation, or a
+regular expression in the database failed to compile.
.TP
.B ENOMEM
An attempt to allocate memory failed.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/selabel_lookup_best_match.3 new/libselinux-3.7/man/man3/selabel_lookup_best_match.3
--- old/libselinux-3.6/man/man3/selabel_lookup_best_match.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/selabel_lookup_best_match.3 2024-06-26 17:30:41.000000000 +0200
@@ -78,7 +78,8 @@
.I key
and/or
.I type
-inputs are invalid, or the context being returned failed validation.
+inputs are invalid, or the context being returned failed validation, or a
+regular expression in the database failed to compile.
.TP
.B ENOMEM
An attempt to allocate memory failed.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/selinux_check_securetty_context.3 new/libselinux-3.7/man/man3/selinux_check_securetty_context.3
--- old/libselinux-3.6/man/man3/selinux_check_securetty_context.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/selinux_check_securetty_context.3 2024-06-26 17:30:41.000000000 +0200
@@ -5,12 +5,12 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.BI "int selinux_check_securetty_context(char *" tty_context );
+.BI "int selinux_check_securetty_context(const char *" tty_context );
.
.SH "DESCRIPTION"
.BR selinux_check_securetty_context ()
returns 0 if tty_context is a securetty context,
-returns < 0 otherwise.
+returns < 0 otherwise.
.
.SH "SEE ALSO"
.BR selinux "(8)"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/selinux_raw_context_to_color.3 new/libselinux-3.7/man/man3/selinux_raw_context_to_color.3
--- old/libselinux-3.6/man/man3/selinux_raw_context_to_color.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/selinux_raw_context_to_color.3 2024-06-26 17:30:41.000000000 +0200
@@ -5,7 +5,7 @@
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
-.BI "int selinux_raw_context_to_color(char *" raw ", "
+.BI "int selinux_raw_context_to_color(const char *" raw ", "
.RS
.BI "char **" color_str ");"
.RE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/man/man3/selinux_set_mapping.3 new/libselinux-3.7/man/man3/selinux_set_mapping.3
--- old/libselinux-3.6/man/man3/selinux_set_mapping.3 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/man/man3/selinux_set_mapping.3 2024-06-26 17:30:41.000000000 +0200
@@ -15,7 +15,7 @@
};
.fi
.sp
-.BI "int selinux_set_mapping(struct security_class_mapping *" map ");"
+.BI "int selinux_set_mapping(const struct security_class_mapping *" map ");"
.
.SH "DESCRIPTION"
.BR selinux_set_mapping ()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/Makefile new/libselinux-3.7/src/Makefile
--- old/libselinux-3.6/src/Makefile 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/Makefile 2024-06-26 17:30:41.000000000 +0200
@@ -104,13 +104,13 @@
# check for strlcpy(3) availability
H := \#
-ifeq (yes,$(shell printf '${H}include <string.h>\nint main(void){char*d,*s;strlcpy(d, s, 0);return 0;}' | $(CC) -x c -o /dev/null - >/dev/null 2>&1 && echo yes))
+ifeq (yes,$(shell printf '${H}include <string.h>\nint main(void){char d[2];const char *s="a";return (size_t)strlcpy(d,s,sizeof(d))>=sizeof(d);}' | $(CC) $(CFLAGS) $(LDFLAGS) -x c -o /dev/null - >/dev/null 2>&1 && echo yes))
override CFLAGS += -DHAVE_STRLCPY
endif
# check for reallocarray(3) availability
H := \#
-ifeq (yes,$(shell printf '${H}include <stdlib.h>\nint main(void){reallocarray(NULL, 0, 0);return 0;}' | $(CC) -x c -o /dev/null - >/dev/null 2>&1 && echo yes))
+ifeq (yes,$(shell printf '${H}include <stdlib.h>\nint main(void){return reallocarray(NULL,0,0)==NULL;}' | $(CC) $(CFLAGS) $(LDFLAGS) -x c -o /dev/null - >/dev/null 2>&1 && echo yes))
override CFLAGS += -DHAVE_REALLOCARRAY
endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/audit2why.c new/libselinux-3.7/src/audit2why.c
--- old/libselinux-3.6/src/audit2why.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/audit2why.c 2024-06-26 17:30:41.000000000 +0200
@@ -148,7 +148,7 @@
sepol_bool_free(boolean);
if (fcnt > 0) {
- *bools = calloc(sizeof(struct boolean_t), fcnt + 1);
+ *bools = calloc(fcnt + 1, sizeof(struct boolean_t));
if (!*bools) {
PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
free(foundlist);
@@ -226,7 +226,7 @@
return 1;
}
- avc = calloc(sizeof(struct avc_t), 1);
+ avc = calloc(1, sizeof(struct avc_t));
if (!avc) {
PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
fclose(fp);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/avc.c new/libselinux-3.7/src/avc.c
--- old/libselinux-3.6/src/avc.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/avc.c 2024-06-26 17:30:41.000000000 +0200
@@ -225,17 +225,19 @@
return rc;
}
-int avc_open(struct selinux_opt *opts, unsigned nopts)
+int avc_open(const struct selinux_opt *opts, unsigned nopts)
{
avc_setenforce = 0;
- while (nopts--)
+ while (nopts) {
+ nopts--;
switch(opts[nopts].type) {
case AVC_OPT_SETENFORCE:
avc_setenforce = 1;
avc_enforcing = !!opts[nopts].value;
break;
}
+ }
return avc_init_internal("avc", NULL, NULL, NULL, NULL);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/avc_sidtab.c new/libselinux-3.7/src/avc_sidtab.c
--- old/libselinux-3.6/src/avc_sidtab.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/avc_sidtab.c 2024-06-26 17:30:41.000000000 +0200
@@ -13,6 +13,7 @@
#include "avc_sidtab.h"
#include "avc_internal.h"
+ignore_unsigned_overflow_
static inline unsigned sidtab_hash(const char * key)
{
unsigned int hash = 5381;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/booleans.c new/libselinux-3.7/src/booleans.c
--- old/libselinux-3.6/src/booleans.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/booleans.c 2024-06-26 17:30:41.000000000 +0200
@@ -53,7 +53,11 @@
snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
*len = scandir(path, &namelist, &filename_select, alphasort);
- if (*len <= 0) {
+ if (*len < 0) {
+ return -1;
+ }
+ if (*len == 0) {
+ free(namelist);
errno = ENOENT;
return -1;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/get_context_list.c new/libselinux-3.7/src/get_context_list.c
--- old/libselinux-3.6/src/get_context_list.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/get_context_list.c 2024-06-26 17:30:41.000000000 +0200
@@ -7,7 +7,9 @@
#include <string.h>
#include <ctype.h>
#include <pwd.h>
+
#include "selinux_internal.h"
+#include "callbacks.h"
#include "context_internal.h"
#include "get_context_list_internal.h"
@@ -128,7 +130,7 @@
}
static int get_context_user(FILE * fp,
- const char * fromcon,
+ context_t fromcon,
const char * user,
char ***reachable,
unsigned int *nreachable)
@@ -144,7 +146,6 @@
char **new_reachable = NULL;
char *usercon_str;
const char *usercon_str2;
- context_t con;
context_t usercon;
int rc;
@@ -153,14 +154,10 @@
/* Extract the role and type of the fromcon for matching.
User identity and MLS range can be variable. */
- con = context_new(fromcon);
- if (!con)
- return -1;
- fromrole = context_role_get(con);
- fromtype = context_type_get(con);
- fromlevel = context_range_get(con);
+ fromrole = context_role_get(fromcon);
+ fromtype = context_type_get(fromcon);
+ fromlevel = context_range_get(fromcon);
if (!fromrole || !fromtype) {
- context_free(con);
return -1;
}
@@ -224,7 +221,7 @@
/* Check whether a new context is valid */
if (SIZE_MAX - user_len < strlen(start) + 2) {
- fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
+ selinux_log(SELINUX_ERROR, "%s: one of partial contexts is too big\n", __FUNCTION__);
errno = EINVAL;
rc = -1;
goto out;
@@ -245,7 +242,7 @@
rc = -1;
goto out;
}
- fprintf(stderr,
+ selinux_log(SELINUX_ERROR,
"%s: can't create a context from %s, skipping\n",
__FUNCTION__, usercon_str);
free(usercon_str);
@@ -294,7 +291,6 @@
rc = 0;
out:
- context_free(con);
free(line);
return rc;
}
@@ -416,6 +412,7 @@
char *fname = NULL;
size_t fname_len;
const char *user_contexts_path = selinux_user_contexts_path();
+ context_t con = NULL;
if (!fromcon) {
/* Get the current context and use it for the starting context */
@@ -425,6 +422,10 @@
fromcon = backup_fromcon;
}
+ con = context_new(fromcon);
+ if (!con)
+ goto failsafe;
+
/* Determine the ordering to apply from the optional per-user config
and from the global config. */
fname_len = strlen(user_contexts_path) + strlen(user) + 2;
@@ -435,11 +436,11 @@
fp = fopen(fname, "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+ rc = get_context_user(fp, con, user, &reachable, &nreachable);
fclose(fp);
if (rc < 0 && errno != ENOENT) {
- fprintf(stderr,
+ selinux_log(SELINUX_ERROR,
"%s: error in processing configuration file %s\n",
__FUNCTION__, fname);
/* Fall through, try global config */
@@ -449,10 +450,10 @@
fp = fopen(selinux_default_context_path(), "re");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+ rc = get_context_user(fp, con, user, &reachable, &nreachable);
fclose(fp);
if (rc < 0 && errno != ENOENT) {
- fprintf(stderr,
+ selinux_log(SELINUX_ERROR,
"%s: error in processing configuration file %s\n",
__FUNCTION__, selinux_default_context_path());
/* Fall through */
@@ -470,6 +471,7 @@
else
freeconary(reachable);
+ context_free(con);
freecon(backup_fromcon);
return rc;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/is_customizable_type.c new/libselinux-3.7/src/is_customizable_type.c
--- old/libselinux-3.6/src/is_customizable_type.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/is_customizable_type.c 2024-06-26 17:30:41.000000000 +0200
@@ -39,9 +39,7 @@
}
if (ctr) {
- list =
- (char **) calloc(sizeof(char *),
- ctr + 1);
+ list = calloc(ctr + 1, sizeof(char *));
if (list) {
i = 0;
while (fgets_unlocked(buf, selinux_page_size, fp)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/label.c new/libselinux-3.7/src/label.c
--- old/libselinux-3.6/src/label.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/label.c 2024-06-26 17:30:41.000000000 +0200
@@ -60,9 +60,10 @@
{
struct selabel_digest *digest = NULL;
- while (n--) {
+ while (n) {
+ n--;
if (opts[n].type == SELABEL_OPT_DIGEST &&
- opts[n].value == (char *)1) {
+ !!opts[n].value) {
digest = calloc(1, sizeof(*digest));
if (!digest)
goto err;
@@ -112,9 +113,11 @@
static inline int selabel_is_validate_set(const struct selinux_opt *opts,
unsigned n)
{
- while (n--)
+ while (n) {
+ n--;
if (opts[n].type == SELABEL_OPT_VALIDATE)
return !!opts[n].value;
+ }
return 0;
}
@@ -222,10 +225,7 @@
rec->digest = selabel_is_digest_set(opts, nopts);
if ((*initfuncs[backend])(rec, opts, nopts)) {
- if (rec->digest)
- selabel_digest_fini(rec->digest);
- free(rec->spec_file);
- free(rec);
+ selabel_close(rec);
rec = NULL;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/label_backends_android.c new/libselinux-3.7/src/label_backends_android.c
--- old/libselinux-3.6/src/label_backends_android.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/label_backends_android.c 2024-06-26 17:30:41.000000000 +0200
@@ -152,12 +152,21 @@
struct stat sb;
/* Process arguments */
- while (n--)
+ while (n) {
+ n--;
switch (opts[n].type) {
case SELABEL_OPT_PATH:
path = opts[n].value;
break;
+ case SELABEL_OPT_UNUSED:
+ case SELABEL_OPT_VALIDATE:
+ case SELABEL_OPT_DIGEST:
+ break;
+ default:
+ errno = EINVAL;
+ return -1;
}
+ }
if (!path)
return -1;
@@ -237,6 +246,9 @@
struct spec *spec;
unsigned int i;
+ if (!data)
+ return;
+
for (i = 0; i < data->nspec; i++) {
spec = &data->spec_arr[i];
free(spec->property_key);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/label_db.c new/libselinux-3.7/src/label_db.c
--- old/libselinux-3.6/src/label_db.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/label_db.c 2024-06-26 17:30:41.000000000 +0200
@@ -178,6 +178,9 @@
spec_t *spec;
unsigned int i;
+ if (!catalog)
+ return;
+
for (i = 0; i < catalog->nspec; i++) {
spec = &catalog->specs[i];
free(spec->key);
@@ -263,11 +266,20 @@
* the default one. If RDBMS is not SE-PostgreSQL, it may need to
* specify an explicit specfile for database objects.
*/
- while (nopts--) {
+ while (nopts) {
+ nopts--;
switch (opts[nopts].type) {
case SELABEL_OPT_PATH:
path = opts[nopts].value;
break;
+ case SELABEL_OPT_UNUSED:
+ case SELABEL_OPT_VALIDATE:
+ case SELABEL_OPT_DIGEST:
+ break;
+ default:
+ free(catalog);
+ errno = EINVAL;
+ return NULL;
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/label_file.c new/libselinux-3.7/src/label_file.c
--- old/libselinux-3.6/src/label_file.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/label_file.c 2024-06-26 17:30:41.000000000 +0200
@@ -68,7 +68,7 @@
/*
* hash calculation and key comparison of hash table
*/
-
+ignore_unsigned_overflow_
static unsigned int symhash(hashtab_t h, const_hashtab_key_t key)
{
const struct chkdups_key *k = (const struct chkdups_key *)key;
@@ -801,7 +801,8 @@
int status = -1, baseonly = 0;
/* Process arguments */
- while (n--)
+ while (n) {
+ n--;
switch(opts[n].type) {
case SELABEL_OPT_PATH:
path = opts[n].value;
@@ -812,7 +813,15 @@
case SELABEL_OPT_BASEONLY:
baseonly = !!opts[n].value;
break;
+ case SELABEL_OPT_UNUSED:
+ case SELABEL_OPT_VALIDATE:
+ case SELABEL_OPT_DIGEST:
+ break;
+ default:
+ errno = EINVAL;
+ return -1;
}
+ }
#if !defined(BUILD_HOST) && !defined(ANDROID)
char subs_file[PATH_MAX + 1];
@@ -895,6 +904,9 @@
struct stem *stem;
unsigned int i;
+ if (!data)
+ return;
+
selabel_subs_fini(data->subs);
selabel_subs_fini(data->dist_subs);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/label_media.c new/libselinux-3.7/src/label_media.c
--- old/libselinux-3.6/src/label_media.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/label_media.c 2024-06-26 17:30:41.000000000 +0200
@@ -80,12 +80,21 @@
struct stat sb;
/* Process arguments */
- while (n--)
+ while (n) {
+ n--;
switch(opts[n].type) {
case SELABEL_OPT_PATH:
path = opts[n].value;
break;
+ case SELABEL_OPT_UNUSED:
+ case SELABEL_OPT_VALIDATE:
+ case SELABEL_OPT_DIGEST:
+ break;
+ default:
+ errno = EINVAL;
+ return -1;
}
+}
/* Open the specification file. */
if (!path)
@@ -155,9 +164,14 @@
static void close(struct selabel_handle *rec)
{
struct saved_data *data = (struct saved_data *)rec->data;
- struct spec *spec, *spec_arr = data->spec_arr;
+ struct spec *spec, *spec_arr;
unsigned int i;
+ if (!data)
+ return;
+
+ spec_arr = data->spec_arr;
+
for (i = 0; i < data->nspec; i++) {
spec = &spec_arr[i];
free(spec->key);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/label_x.c new/libselinux-3.7/src/label_x.c
--- old/libselinux-3.6/src/label_x.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/label_x.c 2024-06-26 17:30:41.000000000 +0200
@@ -107,12 +107,21 @@
struct stat sb;
/* Process arguments */
- while (n--)
+ while (n) {
+ n--;
switch(opts[n].type) {
case SELABEL_OPT_PATH:
path = opts[n].value;
break;
+ case SELABEL_OPT_UNUSED:
+ case SELABEL_OPT_VALIDATE:
+ case SELABEL_OPT_DIGEST:
+ break;
+ default:
+ errno = EINVAL;
+ return -1;
}
+ }
/* Open the specification file. */
if (!path)
@@ -182,9 +191,14 @@
static void close(struct selabel_handle *rec)
{
struct saved_data *data = (struct saved_data *)rec->data;
- struct spec *spec, *spec_arr = data->spec_arr;
+ struct spec *spec, *spec_arr;
unsigned int i;
+ if (!data)
+ return;
+
+ spec_arr = data->spec_arr;
+
for (i = 0; i < data->nspec; i++) {
spec = &spec_arr[i];
free(spec->key);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/mapping.c new/libselinux-3.7/src/mapping.c
--- old/libselinux-3.6/src/mapping.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/mapping.c 2024-06-26 17:30:41.000000000 +0200
@@ -31,7 +31,7 @@
*/
int
-selinux_set_mapping(struct security_class_mapping *map)
+selinux_set_mapping(const struct security_class_mapping *map)
{
size_t size = sizeof(struct selinux_mapping);
security_class_t i, j;
@@ -64,7 +64,7 @@
/* Store the raw class and permission values */
j = 0;
while (map[j].name) {
- struct security_class_mapping *p_in = map + (j++);
+ const struct security_class_mapping *p_in = map + (j++);
struct selinux_mapping *p_out = current_mapping + j;
p_out->value = string_to_security_class(p_in->name);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/selinux_internal.h new/libselinux-3.7/src/selinux_internal.h
--- old/libselinux-3.6/src/selinux_internal.h 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/selinux_internal.h 2024-06-26 17:30:41.000000000 +0200
@@ -102,4 +102,15 @@
void *reallocarray(void *ptr, size_t nmemb, size_t size);
#endif
+/* Use to ignore intentional unsigned under- and overflows while running under UBSAN. */
+#if defined(__clang__) && defined(__clang_major__) && (__clang_major__ >= 4)
+#if (__clang_major__ >= 12)
+#define ignore_unsigned_overflow_ __attribute__((no_sanitize("unsigned-integer-overflow", "unsigned-shift-base")))
+#else
+#define ignore_unsigned_overflow_ __attribute__((no_sanitize("unsigned-integer-overflow")))
+#endif
+#else
+#define ignore_unsigned_overflow_
+#endif
+
#endif /* SELINUX_INTERNAL_H_ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/selinux_restorecon.c new/libselinux-3.7/src/selinux_restorecon.c
--- old/libselinux-3.6/src/selinux_restorecon.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/selinux_restorecon.c 2024-06-26 17:30:41.000000000 +0200
@@ -243,7 +243,7 @@
int index = 0, found = 0;
uint64_t nfile = 0;
char *mount_info[4];
- char *buf = NULL, *item;
+ char *buf = NULL, *item, *saveptr;
/* Check to see if the kernel supports seclabel */
if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
@@ -258,13 +258,14 @@
while (getline(&buf, &len, fp) != -1) {
found = 0;
index = 0;
- item = strtok(buf, " ");
+ saveptr = NULL;
+ item = strtok_r(buf, " ", &saveptr);
while (item != NULL) {
mount_info[index] = item;
index++;
if (index == 4)
break;
- item = strtok(NULL, " ");
+ item = strtok_r(NULL, " ", &saveptr);
}
if (index < 4) {
selinux_log(SELINUX_ERROR,
@@ -276,14 +277,15 @@
/* Remove pre-existing entry */
remove_exclude(mount_info[1]);
- item = strtok(mount_info[3], ",");
+ saveptr = NULL;
+ item = strtok_r(mount_info[3], ",", &saveptr);
while (item != NULL) {
if (strcmp(item, "seclabel") == 0) {
found = 1;
nfile += file_system_count(mount_info[1]);
break;
}
- item = strtok(NULL, ",");
+ item = strtok_r(NULL, ",", &saveptr);
}
/* Exclude mount points without the seclabel option */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/setup.py new/libselinux-3.7/src/setup.py
--- old/libselinux-3.6/src/setup.py 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/setup.py 2024-06-26 17:30:41.000000000 +0200
@@ -4,7 +4,7 @@
setup(
name="selinux",
- version="3.6",
+ version="3.7",
description="SELinux python 3 bindings",
author="SELinux Project",
author_email="selinux(a)vger.kernel.org",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/seusers.c new/libselinux-3.7/src/seusers.c
--- old/libselinux-3.6/src/seusers.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/seusers.c 2024-06-26 17:30:41.000000000 +0200
@@ -6,9 +6,13 @@
#include <stdio_ext.h>
#include <ctype.h>
#include <errno.h>
+#include <limits.h>
+
#include <selinux/selinux.h>
#include <selinux/context.h>
+
#include "selinux_internal.h"
+#include "callbacks.h"
/* Process line from seusers.conf and split into its fields.
Returns 0 on success, -1 on comments, and -2 on error. */
@@ -95,17 +99,32 @@
static gid_t get_default_gid(const char *name) {
struct passwd pwstorage, *pwent = NULL;
- gid_t gid = -1;
+ gid_t gid = (gid_t)-1;
/* Allocate space for the getpwnam_r buffer */
+ char *rbuf = NULL;
long rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
- if (rbuflen <= 0) return -1;
- char *rbuf = malloc(rbuflen);
- if (rbuf == NULL) return -1;
-
- int retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
- if (retval == 0 && pwent) {
- gid = pwent->pw_gid;
+ if (rbuflen <= 0)
+ rbuflen = 1024;
+
+ for (;;) {
+ int rc;
+
+ rbuf = malloc(rbuflen);
+ if (rbuf == NULL)
+ break;
+
+ rc = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
+ if (rc == ERANGE && rbuflen < LONG_MAX / 2) {
+ free(rbuf);
+ rbuflen *= 2;
+ continue;
+ }
+ if (rc == 0 && pwent)
+ gid = pwent->pw_gid;
+
+ break;
}
+
free(rbuf);
return gid;
}
@@ -118,7 +137,7 @@
long rbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
if (rbuflen <= 0)
- return 0;
+ rbuflen = 1024;
char *rbuf;
while(1) {
@@ -127,7 +146,7 @@
return 0;
int retval = getgrnam_r(group, &gbuf, rbuf,
rbuflen, &grent);
- if ( retval == ERANGE )
+ if (retval == ERANGE && rbuflen < LONG_MAX / 2)
{
free(rbuf);
rbuflen = rbuflen * 2;
@@ -197,8 +216,8 @@
if (rc == -1)
continue; /* comment, skip */
if (rc == -2) {
- fprintf(stderr, "%s: error on line %lu, skipping...\n",
- selinux_usersconf_path(), lineno);
+ selinux_log(SELINUX_ERROR, "%s: error on line %lu, skipping...\n",
+ selinux_usersconf_path(), lineno);
continue;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/sha1.c new/libselinux-3.7/src/sha1.c
--- old/libselinux-3.6/src/sha1.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/sha1.c 2024-06-26 17:30:41.000000000 +0200
@@ -26,6 +26,8 @@
#include "sha1.h"
#include <memory.h>
+#include "selinux_internal.h"
+
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// TYPES
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -62,6 +64,7 @@
//
// Hash a single 512-bit block. This is the core of the algorithm
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+ignore_unsigned_overflow_
static
void
TransformFunction
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/src/stringrep.c new/libselinux-3.7/src/stringrep.c
--- old/libselinux-3.6/src/stringrep.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/src/stringrep.c 2024-06-26 17:30:41.000000000 +0200
@@ -337,13 +337,15 @@
printf(" {");
- while (av) {
+ for (;;) {
if (av & bit) {
permstr = security_av_perm_to_string(tclass, bit);
if (!permstr)
break;
printf(" %s", permstr);
av &= ~bit;
+ if (!av)
+ break;
}
bit <<= 1;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/utils/compute_av.c new/libselinux-3.7/utils/compute_av.c
--- old/libselinux-3.6/utils/compute_av.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/utils/compute_av.c 2024-06-26 17:30:41.000000000 +0200
@@ -44,10 +44,14 @@
print_access_vector(tclass, avd.allowed);
printf("\n");
- if (avd.decided != ~0U) {
+ if (~avd.decided) {
printf("decided=");
print_access_vector(tclass, avd.decided);
printf("\n");
+
+ printf("undecided=");
+ print_access_vector(tclass, ~avd.decided);
+ printf("\n");
}
if (avd.auditallow) {
@@ -56,10 +60,14 @@
printf("\n");
}
- if (avd.auditdeny != ~0U) {
- printf("auditdeny");
+ if (~avd.auditdeny) {
+ printf("auditdeny=");
print_access_vector(tclass, avd.auditdeny);
printf("\n");
+
+ printf("dontaudit=");
+ print_access_vector(tclass, ~avd.auditdeny);
+ printf("\n");
}
exit(EXIT_SUCCESS);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/utils/getconlist.c new/libselinux-3.7/utils/getconlist.c
--- old/libselinux-3.6/utils/getconlist.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/utils/getconlist.c 2024-06-26 17:30:41.000000000 +0200
@@ -19,8 +19,9 @@
int main(int argc, char **argv)
{
- char **list, *cur_context = NULL;
- char *user = NULL, *level = NULL;
+ char **list;
+ const char *cur_context, *user;
+ char *cur_con = NULL, *level = NULL;
int ret, i, opt;
while ((opt = getopt(argc, argv, "l:")) > 0) {
@@ -54,11 +55,12 @@
/* If a context wasn't passed, use the current context. */
if (((argc - optind) < 2)) {
- if (getcon(&cur_context) < 0) {
+ if (getcon(&cur_con) < 0) {
fprintf(stderr, "Couldn't get current context: %s\n", strerror(errno));
free(level);
return 2;
}
+ cur_context = cur_con;
} else {
cur_context = argv[optind + 1];
if (security_check_context(cur_context) != 0) {
@@ -82,10 +84,12 @@
} else {
fprintf(stderr, "get_ordered_context_list%s failure: %d(%s)\n",
level ? "_with_level" : "", errno, strerror(errno));
+ free(cur_con);
free(level);
return 4;
}
+ free(cur_con);
free(level);
return 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/utils/getdefaultcon.c new/libselinux-3.7/utils/getdefaultcon.c
--- old/libselinux-3.6/utils/getdefaultcon.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/utils/getdefaultcon.c 2024-06-26 17:30:41.000000000 +0200
@@ -19,8 +19,9 @@
int main(int argc, char **argv)
{
- char * usercon = NULL, *cur_context = NULL;
- char *user = NULL, *level = NULL, *role=NULL, *seuser=NULL, *dlevel=NULL;
+ const char *cur_context, *user;
+ char *usercon = NULL, *cur_con = NULL;
+ char *level = NULL, *role=NULL, *seuser=NULL, *dlevel=NULL;
char *service = NULL;
int ret, opt;
int verbose = 0;
@@ -54,6 +55,9 @@
if (!is_selinux_enabled()) {
fprintf(stderr,
"%s may be used only on a SELinux kernel.\n", argv[0]);
+ free(level);
+ free(role);
+ free(service);
return 1;
}
@@ -61,15 +65,23 @@
/* If a context wasn't passed, use the current context. */
if ((argc - optind) < 2) {
- if (getcon(&cur_context) < 0) {
+ if (getcon(&cur_con) < 0) {
fprintf(stderr, "%s: couldn't get current context: %s\n", argv[0], strerror(errno));
+ free(level);
+ free(role);
+ free(service);
return 2;
}
+ cur_context = cur_con;
} else
cur_context = argv[optind + 1];
if (security_check_context(cur_context)) {
fprintf(stderr, "%s: invalid from context '%s'\n", argv[0], cur_context);
+ free(cur_con);
+ free(level);
+ free(role);
+ free(service);
return 3;
}
@@ -101,6 +113,8 @@
if (level != dlevel) free(level);
free(dlevel);
free(usercon);
+ free(cur_con);
+ free(service);
return ret >= 0;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/utils/sefcontext_compile.c new/libselinux-3.7/utils/sefcontext_compile.c
--- old/libselinux-3.6/utils/sefcontext_compile.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/utils/sefcontext_compile.c 2024-06-26 17:30:41.000000000 +0200
@@ -189,7 +189,7 @@
if (len != 1)
goto err;
- /* original context strin (including nul) */
+ /* original context string (including nul) */
len = fwrite(context, sizeof(char), to_write, bin_file);
if (len != to_write)
goto err;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/utils/selabel_digest.c new/libselinux-3.7/utils/selabel_digest.c
--- old/libselinux-3.6/utils/selabel_digest.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/utils/selabel_digest.c 2024-06-26 17:30:41.000000000 +0200
@@ -6,12 +6,10 @@
#include <selinux/selinux.h>
#include <selinux/label.h>
-static size_t digest_len;
-
static __attribute__ ((__noreturn__)) void usage(const char *progname)
{
fprintf(stderr,
- "usage: %s -b backend [-d] [-v] [-B] [-i] [-f file]\n\n"
+ "usage: %s -b backend [-v] [-B] [-i] [-f file]\n\n"
"Where:\n\t"
"-b The backend - \"file\", \"media\", \"x\", \"db\" or "
"\"prop\"\n\t"
@@ -25,11 +23,11 @@
exit(1);
}
-static int run_check_digest(char *cmd, char *selabel_digest)
+static int run_check_digest(const char *cmd, const char *selabel_digest, size_t digest_len)
{
FILE *fp;
char files_digest[128];
- char *files_ptr;
+ const char *files_ptr;
int rc = 0;
fp = popen(cmd, "r");
@@ -64,17 +62,17 @@
char *baseonly = NULL, *file = NULL, *digest = (char *)1;
char **specfiles = NULL;
unsigned char *sha1_digest = NULL;
- size_t i, num_specfiles;
+ size_t digest_len, i, num_specfiles;
char cmd_buf[4096];
char *cmd_ptr;
- char *sha1_buf;
+ char *sha1_buf = NULL;
struct selabel_handle *hnd;
struct selinux_opt selabel_option[] = {
{ SELABEL_OPT_PATH, file },
- { SELABEL_OPT_BASEONLY, baseonly },
- { SELABEL_OPT_DIGEST, digest }
+ { SELABEL_OPT_DIGEST, digest },
+ { SELABEL_OPT_BASEONLY, baseonly }
};
if (argc < 3)
@@ -121,10 +119,10 @@
memset(cmd_buf, 0, sizeof(cmd_buf));
selabel_option[0].value = file;
- selabel_option[1].value = baseonly;
- selabel_option[2].value = digest;
+ selabel_option[1].value = digest;
+ selabel_option[2].value = baseonly;
- hnd = selabel_open(backend, selabel_option, 3);
+ hnd = selabel_open(backend, selabel_option, backend == SELABEL_CTX_FILE ? 3 : 2);
if (!hnd) {
switch (errno) {
case EOVERFLOW:
@@ -169,23 +167,50 @@
printf("calculated using the following specfile(s):\n");
if (specfiles) {
- cmd_ptr = &cmd_buf[0];
- sprintf(cmd_ptr, "/usr/bin/cat ");
- cmd_ptr = &cmd_buf[0] + strlen(cmd_buf);
+ size_t cmd_rem = sizeof(cmd_buf);
+ int ret;
+
+ if (validate) {
+ cmd_ptr = &cmd_buf[0];
+ ret = snprintf(cmd_ptr, cmd_rem, "/usr/bin/cat ");
+ if (ret < 0 || (size_t)ret >= cmd_rem) {
+ fprintf(stderr, "Could not format validate command\n");
+ rc = -1;
+ goto err;
+ }
+ cmd_ptr += ret;
+ cmd_rem -= ret;
+ }
for (i = 0; i < num_specfiles; i++) {
- sprintf(cmd_ptr, "%s ", specfiles[i]);
- cmd_ptr += strlen(specfiles[i]) + 1;
+ if (validate) {
+ ret = snprintf(cmd_ptr, cmd_rem, "%s ", specfiles[i]);
+ if (ret < 0 || (size_t)ret >= cmd_rem) {
+ fprintf(stderr, "Could not format validate command\n");
+ rc = -1;
+ goto err;
+ }
+ cmd_ptr += ret;
+ cmd_rem -= ret;
+ }
+
printf("%s\n", specfiles[i]);
}
- sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex");
- if (validate)
- rc = run_check_digest(cmd_buf, sha1_buf);
+ if (validate) {
+ ret = snprintf(cmd_ptr, cmd_rem, "| /usr/bin/openssl dgst -sha1 -hex");
+ if (ret < 0 || (size_t)ret >= cmd_rem) {
+ fprintf(stderr, "Could not format validate command\n");
+ rc = -1;
+ goto err;
+ }
+
+ rc = run_check_digest(cmd_buf, sha1_buf, digest_len);
+ }
}
- free(sha1_buf);
err:
+ free(sha1_buf);
selabel_close(hnd);
return rc;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libselinux-3.6/utils/selinuxexeccon.c new/libselinux-3.7/utils/selinuxexeccon.c
--- old/libselinux-3.6/utils/selinuxexeccon.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libselinux-3.7/utils/selinuxexeccon.c 2024-06-26 17:30:41.000000000 +0200
@@ -45,6 +45,7 @@
con = strdup(argv[2]);
if (security_check_context(con)) {
fprintf(stderr, "%s: invalid from context '%s'\n", argv[0], con);
+ free(con);
return -1;
}
}
++++++ libselinux-set-free-d-data-to-NULL.patch ++++++
Index: libselinux-3.7/src/label_backends_android.c
===================================================================
--- libselinux-3.7.orig/src/label_backends_android.c
+++ libselinux-3.7/src/label_backends_android.c
@@ -260,6 +260,7 @@ static void closef(struct selabel_handle
free(data->spec_arr);
free(data);
+ rec->data = NULL;
}
static struct selabel_lookup_rec *property_lookup(struct selabel_handle *rec,
Index: libselinux-3.7/src/label_file.c
===================================================================
--- libselinux-3.7.orig/src/label_file.c
+++ libselinux-3.7/src/label_file.c
@@ -942,6 +942,7 @@ static void closef(struct selabel_handle
free(last_area);
}
free(data);
+ rec->data = NULL;
}
// Finds all the matches of |key| in the given context. Returns the result in
Index: libselinux-3.7/src/label_media.c
===================================================================
--- libselinux-3.7.orig/src/label_media.c
+++ libselinux-3.7/src/label_media.c
@@ -183,6 +183,7 @@ static void close(struct selabel_handle
free(spec_arr);
free(data);
+ rec->data = NULL;
}
static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
Index: libselinux-3.7/src/label_x.c
===================================================================
--- libselinux-3.7.orig/src/label_x.c
+++ libselinux-3.7/src/label_x.c
@@ -210,6 +210,7 @@ static void close(struct selabel_handle
free(spec_arr);
free(data);
+ rec->data = NULL;
}
static struct selabel_lookup_rec *lookup(struct selabel_handle *rec,
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package mcstrans for openSUSE:Factory checked in at 2024-07-12 17:04:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mcstrans (Old)
and /work/SRC/openSUSE:Factory/.mcstrans.new.17339 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mcstrans"
Fri Jul 12 17:04:23 2024 rev:34 rq:1185749 version:3.7
Changes:
--------
--- /work/SRC/openSUSE:Factory/mcstrans/mcstrans.changes 2024-01-08 23:43:55.931410794 +0100
+++ /work/SRC/openSUSE:Factory/.mcstrans.new.17339/mcstrans.changes 2024-07-12 17:04:29.707792333 +0200
@@ -1,0 +2,10 @@
+Mon Jul 1 08:04:02 UTC 2024 - Cathy Hu <cathy.hu(a)suse.com>
+
+- Update to version 3.7
+ https://github.com/SELinuxProject/selinux/releases/tag/3.7
+ * Bugfixes:
+ * mcstrans: free constraint in error branch
+ * mcstrans: ensure transitivity in compare functions
+ * mcstrans: check memory allocations
+
+-------------------------------------------------------------------
Old:
----
mcstrans-3.6.tar.gz
mcstrans-3.6.tar.gz.asc
New:
----
mcstrans-3.7.tar.gz
mcstrans-3.7.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mcstrans.spec ++++++
--- /var/tmp/diff_new_pack.zkrbm5/_old 2024-07-12 17:04:32.075879341 +0200
+++ /var/tmp/diff_new_pack.zkrbm5/_new 2024-07-12 17:04:32.079879487 +0200
@@ -1,7 +1,7 @@
#
# spec file for package mcstrans
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: mcstrans
-Version: 3.6
+Version: 3.7
Release: 0
Summary: SELinux Translation Daemon
License: GPL-2.0-or-later
++++++ mcstrans-3.6.tar.gz -> mcstrans-3.7.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mcstrans-3.6/VERSION new/mcstrans-3.7/VERSION
--- old/mcstrans-3.6/VERSION 2023-12-13 15:46:22.000000000 +0100
+++ new/mcstrans-3.7/VERSION 2024-06-26 17:30:41.000000000 +0200
@@ -1 +1 @@
-3.6
+3.7
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mcstrans-3.6/src/mcstrans.c new/mcstrans-3.7/src/mcstrans.c
--- old/mcstrans-3.6/src/mcstrans.c 2023-12-13 15:46:22.000000000 +0100
+++ new/mcstrans-3.7/src/mcstrans.c 2024-06-26 17:30:41.000000000 +0200
@@ -477,6 +477,7 @@
}
if (asprintf(&constraint->text, "%s%c%s", raw, op, tok) < 0) {
log_error("asprintf failed %s", strerror(errno));
+ free(constraint);
return -1;
}
constraint->op = op;
@@ -952,9 +953,13 @@
return trans;
}
+#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))
+
static int
string_size(const void *p1, const void *p2) {
- return strlen(*(char **)p2) - strlen(*(char **)p1);
+ size_t len1 = strlen(*(const char *const *)p2);
+ size_t len2 = strlen(*(const char *const *)p1);
+ return spaceship_cmp(len1, len2);
}
static int
@@ -965,7 +970,7 @@
int w2_len=strlen(w2->text);
if (w1_len == w2_len)
return strcmp(w1->text, w2->text);
- return (w2_len - w1_len);
+ return spaceship_cmp(w2_len, w1_len);
}
static void
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mcstrans-3.6/src/mls_level.c new/mcstrans-3.7/src/mls_level.c
--- old/mcstrans-3.6/src/mls_level.c 2023-12-13 15:46:22.000000000 +0100
+++ new/mcstrans-3.7/src/mls_level.c 2024-06-26 17:30:41.000000000 +0200
@@ -13,6 +13,8 @@
}
l = (mls_level_t *) calloc(1, sizeof(mls_level_t));
+ if (!l)
+ return NULL;
/* Extract low sensitivity. */
scontextp = p = mls_context;
@@ -124,6 +126,9 @@
if (len == 0)
return NULL;
char *result = (char *)malloc(len + 1);
+ if (!result)
+ return NULL;
+
char *p = result;
p += sprintf(p, "s%d", l->sens);
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2024-07-12 17:04:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
and /work/SRC/openSUSE:Factory/.libsepol.new.17339 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsepol"
Fri Jul 12 17:04:21 2024 rev:56 rq:1185748 version:3.7
Changes:
--------
--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes 2024-01-08 23:43:53.115308503 +0100
+++ /work/SRC/openSUSE:Factory/.libsepol.new.17339/libsepol.changes 2024-07-12 17:04:26.547676225 +0200
@@ -1,0 +2,24 @@
+Mon Jul 1 08:01:08 UTC 2024 - Cathy Hu <cathy.hu(a)suse.com>
+
+- Update to version 3.7
+ https://github.com/SELinuxProject/selinux/releases/tag/3.7
+ * User-visible changes:
+ * libsepol: improve policy lookup failure message
+ * libsepol: include prefix for module policy versions
+ * libsepol: validate type-attribute-map for old policies
+ * libsepol: only exempt gaps checking for kernel policies
+ * Bugfixes:
+ * libsepol/src/Makefile: fix reallocarray detection
+ * libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
+ * libsepol: ensure transitivity in compare functions
+ * oss-fuzz fixes:
+ * libsepol: check scope permissions refer to valid class
+ * libsepol: validate attribute-type maps
+ * libsepol: reject self flag in type rules in old policies
+ * libsepol: validate class permissions
+ * libsepol: validate access vector permissions
+ * libsepol: reject MLS support in pre-MLS policies
+ * libsepol: Fix buffer overflow when using sepol_av_to_string()
+ * libsepol: Use a dynamic buffer in sepol_av_to_string()
+
+-------------------------------------------------------------------
Old:
----
libsepol-3.6.tar.gz
libsepol-3.6.tar.gz.asc
New:
----
libsepol-3.7.tar.gz
libsepol-3.7.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libsepol.spec ++++++
--- /var/tmp/diff_new_pack.v3mzoy/_old 2024-07-12 17:04:29.323778224 +0200
+++ /var/tmp/diff_new_pack.v3mzoy/_new 2024-07-12 17:04:29.327778371 +0200
@@ -1,7 +1,7 @@
#
# spec file for package libsepol
#
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
%define libname libsepol2
Name: libsepol
-Version: 3.6
+Version: 3.7
Release: 0
Summary: SELinux binary policy manipulation library
License: LGPL-2.1-or-later
++++++ libsepol-3.6.tar.gz -> libsepol-3.7.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/VERSION new/libsepol-3.7/VERSION
--- old/libsepol-3.6/VERSION 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/VERSION 2024-06-26 17:30:41.000000000 +0200
@@ -1 +1 @@
-3.6
+3.7
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/cil/src/cil_binary.c new/libsepol-3.7/cil/src/cil_binary.c
--- old/libsepol-3.6/cil/src/cil_binary.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/cil/src/cil_binary.c 2024-06-26 17:30:41.000000000 +0200
@@ -904,10 +904,10 @@
rc = mls_level_cpy(mls_level, sepol_level->level);
if (rc != SEPOL_OK) {
+ free(mls_level);
goto exit;
}
sepol_alias->level = mls_level;
- sepol_alias->defined = 1;
sepol_alias->isalias = 1;
return SEPOL_OK;
@@ -3163,8 +3163,6 @@
}
}
- sepol_level->defined = 1;
-
return SEPOL_OK;
exit:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/cil/src/cil_post.c new/libsepol-3.7/cil/src/cil_post.c
--- old/libsepol-3.6/cil/src/cil_post.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/cil/src/cil_post.c 2024-06-26 17:30:41.000000000 +0200
@@ -52,6 +52,8 @@
#define GEN_REQUIRE_ATTR "cil_gen_require" /* Also in libsepol/src/module_to_cil.c */
#define TYPEATTR_INFIX "_typeattr_" /* Also in libsepol/src/module_to_cil.c */
+#define spaceship_cmp(a, b) (((a) > (b)) - ((a) < (b)))
+
struct fc_data {
unsigned int meta;
size_t stem_len;
@@ -263,8 +265,8 @@
if (rc)
return rc;
- rc = (aibpkeycon->pkey_high - aibpkeycon->pkey_low)
- - (bibpkeycon->pkey_high - bibpkeycon->pkey_low);
+ rc = spaceship_cmp(aibpkeycon->pkey_high - aibpkeycon->pkey_low,
+ bibpkeycon->pkey_high - bibpkeycon->pkey_low);
if (rc == 0) {
if (aibpkeycon->pkey_low < bibpkeycon->pkey_low)
rc = -1;
@@ -281,8 +283,8 @@
struct cil_portcon *aportcon = *(struct cil_portcon**)a;
struct cil_portcon *bportcon = *(struct cil_portcon**)b;
- rc = (aportcon->port_high - aportcon->port_low)
- - (bportcon->port_high - bportcon->port_low);
+ rc = spaceship_cmp(aportcon->port_high - aportcon->port_low,
+ bportcon->port_high - bportcon->port_low);
if (rc == 0) {
if (aportcon->port_low < bportcon->port_low) {
rc = -1;
@@ -394,8 +396,8 @@
struct cil_iomemcon *aiomemcon = *(struct cil_iomemcon**)a;
struct cil_iomemcon *biomemcon = *(struct cil_iomemcon**)b;
- rc = (aiomemcon->iomem_high - aiomemcon->iomem_low)
- - (biomemcon->iomem_high - biomemcon->iomem_low);
+ rc = spaceship_cmp(aiomemcon->iomem_high - aiomemcon->iomem_low,
+ biomemcon->iomem_high - biomemcon->iomem_low);
if (rc == 0) {
if (aiomemcon->iomem_low < biomemcon->iomem_low) {
rc = -1;
@@ -413,8 +415,8 @@
struct cil_ioportcon *aioportcon = *(struct cil_ioportcon**)a;
struct cil_ioportcon *bioportcon = *(struct cil_ioportcon**)b;
- rc = (aioportcon->ioport_high - aioportcon->ioport_low)
- - (bioportcon->ioport_high - bioportcon->ioport_low);
+ rc = spaceship_cmp(aioportcon->ioport_high - aioportcon->ioport_low,
+ bioportcon->ioport_high - bioportcon->ioport_low);
if (rc == 0) {
if (aioportcon->ioport_low < bioportcon->ioport_low) {
rc = -1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/cil/src/cil_verify.c new/libsepol-3.7/cil/src/cil_verify.c
--- old/libsepol-3.6/cil/src/cil_verify.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/cil/src/cil_verify.c 2024-06-26 17:30:41.000000000 +0200
@@ -1842,6 +1842,9 @@
int count2 = 0;
cil_list_init(&perm_list, CIL_MAP_PERM);
cil_symtab_map(&class->perms, __add_perm_to_list, perm_list);
+ if (class->common != NULL) {
+ cil_symtab_map(&class->common->perms, __add_perm_to_list, perm_list);
+ }
cil_list_for_each(j, perm_list) {
count2++;
struct cil_perm *perm = j->data;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/include/sepol/policydb/avrule_block.h new/libsepol-3.7/include/sepol/policydb/avrule_block.h
--- old/libsepol-3.6/include/sepol/policydb/avrule_block.h 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/include/sepol/policydb/avrule_block.h 2024-06-26 17:30:41.000000000 +0200
@@ -35,8 +35,8 @@
extern cond_list_t *get_decl_cond_list(policydb_t * p,
avrule_decl_t * decl,
cond_list_t * cond);
-extern int is_id_enabled(char *id, policydb_t * p, int symbol_table);
-extern int is_perm_enabled(char *class_id, char *perm_id, policydb_t * p);
+extern int is_id_enabled(const char *id, const policydb_t * p, int symbol_table);
+extern int is_perm_existent(const class_datum_t *cladatum, const char *perm_id);
#ifdef __cplusplus
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/include/sepol/policydb/policydb.h new/libsepol-3.7/include/sepol/policydb/policydb.h
--- old/libsepol-3.6/include/sepol/policydb/policydb.h 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/include/sepol/policydb/policydb.h 2024-06-26 17:30:41.000000000 +0200
@@ -217,7 +217,7 @@
typedef struct level_datum {
mls_level_t *level; /* sensitivity and associated categories */
unsigned char isalias; /* is this sensitivity an alias for another? */
- unsigned char defined;
+ unsigned char notdefined; /* Only set to non-zero in checkpolicy */
} level_datum_t;
/* Category attributes */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/include/sepol/policydb/util.h new/libsepol-3.7/include/sepol/policydb/util.h
--- old/libsepol-3.6/include/sepol/policydb/util.h 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/include/sepol/policydb/util.h 2024-06-26 17:30:41.000000000 +0200
@@ -31,7 +31,7 @@
extern int add_i_to_a(uint32_t i, uint32_t * cnt, uint32_t ** a);
-extern char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass,
+extern char *sepol_av_to_string(const policydb_t *policydbp, sepol_security_class_t tclass,
sepol_access_vector_t av);
char *sepol_extended_perms_to_string(const avtab_extended_perms_t *xperms);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/Makefile new/libsepol-3.7/src/Makefile
--- old/libsepol-3.6/src/Makefile 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/Makefile 2024-06-26 17:30:41.000000000 +0200
@@ -31,7 +31,7 @@
# check for reallocarray(3) availability
H := \#
-ifeq (yes,$(shell printf '${H}define _GNU_SOURCE\n${H}include <stdlib.h>\nint main(void){void*p=reallocarray(NULL, 1, sizeof(char));return 0;}' | $(CC) -x c -o /dev/null - >/dev/null 2>&1 && echo yes))
+ifeq (yes,$(shell printf '${H}include <stdlib.h>\nint main(void){return reallocarray(NULL,0,0)==NULL;}' | $(CC) $(CFLAGS) $(LDFLAGS) -x c -o /dev/null - >/dev/null 2>&1 && echo yes))
override CFLAGS += -DHAVE_REALLOCARRAY
endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/assertion.c new/libsepol-3.7/src/assertion.c
--- old/libsepol-3.6/src/assertion.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/assertion.c 2024-06-26 17:30:41.000000000 +0200
@@ -48,26 +48,30 @@
unsigned int stype, unsigned int ttype,
const class_perm_node_t *curperm, uint32_t perms)
{
+ char *permstr = sepol_av_to_string(p, curperm->tclass, perms);
+
if (avrule->source_filename) {
ERR(handle, "neverallow on line %lu of %s (or line %lu of %s) violated by allow %s %s:%s {%s };",
avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
p->p_type_val_to_name[stype],
p->p_type_val_to_name[ttype],
p->p_class_val_to_name[curperm->tclass - 1],
- sepol_av_to_string(p, curperm->tclass, perms));
+ permstr ?: "<format-failure>");
} else if (avrule->line) {
ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
avrule->line, p->p_type_val_to_name[stype],
p->p_type_val_to_name[ttype],
p->p_class_val_to_name[curperm->tclass - 1],
- sepol_av_to_string(p, curperm->tclass, perms));
+ permstr ?: "<format-failure>");
} else {
ERR(handle, "neverallow violated by allow %s %s:%s {%s };",
p->p_type_val_to_name[stype],
p->p_type_val_to_name[ttype],
p->p_class_val_to_name[curperm->tclass - 1],
- sepol_av_to_string(p, curperm->tclass, perms));
+ permstr ?: "<format-failure>");
}
+
+ free(permstr);
}
static int match_any_class_permissions(class_perm_node_t *cp, uint32_t class, uint32_t data)
@@ -200,13 +204,17 @@
/* failure on the regular permissions */
if (!found_xperm) {
+ char *permstr = sepol_av_to_string(p, curperm->tclass, perms);
+
ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n"
"allow %s %s:%s {%s };",
avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
p->p_type_val_to_name[stype],
p->p_type_val_to_name[ttype],
p->p_class_val_to_name[curperm->tclass - 1],
- sepol_av_to_string(p, curperm->tclass, perms));
+ permstr ?: "<format-failure>");
+
+ free(permstr);
errors++;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/avrule_block.c new/libsepol-3.7/src/avrule_block.c
--- old/libsepol-3.6/src/avrule_block.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/avrule_block.c 2024-06-26 17:30:41.000000000 +0200
@@ -152,11 +152,11 @@
* marked as SCOPE_DECL, and any of its declaring block has been enabled,
* then return 1. Otherwise return 0. Can only be called after the
* decl_val_to_struct index has been created */
-int is_id_enabled(char *id, policydb_t * p, int symbol_table)
+int is_id_enabled(const char *id, const policydb_t * p, int symbol_table)
{
- scope_datum_t *scope =
+ const scope_datum_t *scope =
(scope_datum_t *) hashtab_search(p->scope[symbol_table].table, id);
- avrule_decl_t *decl;
+ const avrule_decl_t *decl;
uint32_t len;
if (scope == NULL) {
@@ -189,21 +189,13 @@
return 0;
}
-/* Check if a particular permission is present within the given class,
- * and that the class is enabled. Returns 1 if both conditions are
- * true, 0 if neither could be found or if the class id disabled. */
-int is_perm_enabled(char *class_id, char *perm_id, policydb_t * p)
+/* Check if a particular permission is present within the given class.
+ * Whether the class is enabled is NOT checked.
+ * Returns 1 if permission is present, 0 otherwise */
+int is_perm_existent(const class_datum_t *cladatum, const char *perm_id)
{
- class_datum_t *cladatum;
- perm_datum_t *perm;
- if (!is_id_enabled(class_id, p, SYM_CLASSES)) {
- return 0;
- }
- cladatum =
- (class_datum_t *) hashtab_search(p->p_classes.table, class_id);
- if (cladatum == NULL) {
- return 0;
- }
+ const perm_datum_t *perm;
+
perm = hashtab_search(cladatum->permissions.table, perm_id);
if (perm == NULL && cladatum->comdatum != 0) {
/* permission was not in this class. before giving
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/hashtab.c new/libsepol-3.7/src/hashtab.c
--- old/libsepol-3.6/src/hashtab.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/hashtab.c 2024-06-26 17:30:41.000000000 +0200
@@ -112,15 +112,17 @@
hashtab_check_resize(h);
hvalue = h->hash_value(h, key);
- prev = NULL;
- cur = h->htable[hvalue];
- while (cur && h->keycmp(h, key, cur->key) > 0) {
- prev = cur;
- cur = cur->next;
- }
- if (cur && (h->keycmp(h, key, cur->key) == 0))
- return SEPOL_EEXIST;
+ for (prev = NULL, cur = h->htable[hvalue]; cur; prev = cur, cur = cur->next) {
+ int cmp;
+
+ cmp = h->keycmp(h, key, cur->key);
+ if (cmp > 0)
+ continue;
+ if (cmp == 0)
+ return SEPOL_EEXIST;
+ break;
+ }
newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t));
if (newnode == NULL)
@@ -151,14 +153,19 @@
return SEPOL_ENOENT;
hvalue = h->hash_value(h, key);
- last = NULL;
- cur = h->htable[hvalue];
- while (cur != NULL && h->keycmp(h, key, cur->key) > 0) {
- last = cur;
- cur = cur->next;
+
+ for (last = NULL, cur = h->htable[hvalue]; cur; last = cur, cur = cur->next) {
+ int cmp;
+
+ cmp = h->keycmp(h, key, cur->key);
+ if (cmp > 0)
+ continue;
+ if (cmp == 0)
+ break;
+ return SEPOL_ENOENT;
}
- if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
+ if (cur == NULL)
return SEPOL_ENOENT;
if (last == NULL)
@@ -183,14 +190,18 @@
return NULL;
hvalue = h->hash_value(h, key);
- cur = h->htable[hvalue];
- while (cur != NULL && h->keycmp(h, key, cur->key) > 0)
- cur = cur->next;
+ for (cur = h->htable[hvalue]; cur; cur = cur->next) {
+ int cmp;
- if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
- return NULL;
+ cmp = h->keycmp(h, key, cur->key);
+ if (cmp > 0)
+ continue;
+ if (cmp == 0)
+ return cur->datum;
+ break;
+ }
- return cur->datum;
+ return NULL;
}
void hashtab_destroy(hashtab_t h)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/hierarchy.c new/libsepol-3.7/src/hierarchy.c
--- old/libsepol-3.6/src/hierarchy.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/hierarchy.c 2024-06-26 17:30:41.000000000 +0200
@@ -443,12 +443,15 @@
p->p_type_val_to_name[child - 1],
p->p_type_val_to_name[parent - 1]);
for (; cur; cur = cur->next) {
+ char *permstr = sepol_av_to_string(p, cur->key.target_class, cur->datum.data);
+
ERR(handle, " %s %s : %s { %s }",
p->p_type_val_to_name[cur->key.source_type - 1],
p->p_type_val_to_name[cur->key.target_type - 1],
p->p_class_val_to_name[cur->key.target_class - 1],
- sepol_av_to_string(p, cur->key.target_class,
- cur->datum.data));
+ permstr ?: "<format-failure>");
+
+ free(permstr);
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/kernel_to_cil.c new/libsepol-3.7/src/kernel_to_cil.c
--- old/libsepol-3.6/src/kernel_to_cil.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/kernel_to_cil.c 2024-06-26 17:30:41.000000000 +0200
@@ -297,6 +297,17 @@
}
perms = sepol_av_to_string(pdb, class->s.value, curr->permissions);
+ if (!perms) {
+ ERR(NULL, "Failed to generate permission string");
+ rc = -1;
+ goto exit;
+ }
+ if (*perms == '\0') {
+ ERR(NULL, "No permissions in permission string");
+ free(perms);
+ rc = -1;
+ goto exit;
+ }
if (is_mls) {
key_word = "mlsconstrain";
@@ -307,6 +318,7 @@
}
rc = strs_create_and_add(strs, "(%s (%s (%s)) %s)", key_word, classkey, perms+1, expr);
+ free(perms);
free(expr);
if (rc != 0) {
goto exit;
@@ -1769,8 +1781,14 @@
ERR(NULL, "Failed to generate permission string");
goto exit;
}
+ if (*perms == '\0') {
+ ERR(NULL, "No permissions in permission string");
+ free(perms);
+ goto exit;
+ }
rule = create_str("(%s %s %s (%s (%s)))",
flavor, src, tgt, class, perms+1);
+ free(perms);
} else if (key->specified & AVTAB_XPERMS) {
perms = xperms_to_str(datum->xperms);
if (perms == NULL) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/kernel_to_common.c new/libsepol-3.7/src/kernel_to_common.c
--- old/libsepol-3.6/src/kernel_to_common.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/kernel_to_common.c 2024-06-26 17:30:41.000000000 +0200
@@ -503,7 +503,7 @@
if (rc)
return rc;
- return (*aa)->u.ibendport.port - (*bb)->u.ibendport.port;
+ return spaceship_cmp((*aa)->u.ibendport.port, (*bb)->u.ibendport.port);
}
static int pirq_data_cmp(const void *a, const void *b)
@@ -575,7 +575,7 @@
return 0;
}
- data = calloc(sizeof(*data), num);
+ data = calloc(num, sizeof(*data));
if (!data) {
ERR(NULL, "Out of memory");
return -1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/kernel_to_conf.c new/libsepol-3.7/src/kernel_to_conf.c
--- old/libsepol-3.6/src/kernel_to_conf.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/kernel_to_conf.c 2024-06-26 17:30:41.000000000 +0200
@@ -292,6 +292,17 @@
}
perms = sepol_av_to_string(pdb, class->s.value, curr->permissions);
+ if (!perms) {
+ ERR(NULL, "Failed to generate permission string");
+ rc = -1;
+ goto exit;
+ }
+ if (*perms == '\0') {
+ ERR(NULL, "No permissions in permission string");
+ free(perms);
+ rc = -1;
+ goto exit;
+ }
if (strchr(perms, ' ')) {
perm_prefix = "{ ";
perm_suffix = " }";
@@ -311,6 +322,7 @@
flavor, classkey,
perm_prefix, perms+1, perm_suffix,
expr);
+ free(perms);
free(expr);
if (rc != 0) {
goto exit;
@@ -811,7 +823,7 @@
num = strs_num_items(strs);
if (num > 0) {
- sens_alias_map = calloc(sizeof(*sens_alias_map), pdb->p_levels.nprim);
+ sens_alias_map = calloc(pdb->p_levels.nprim, sizeof(*sens_alias_map));
if (!sens_alias_map) {
rc = -1;
goto exit;
@@ -942,7 +954,7 @@
num = strs_num_items(strs);
if (num > 0) {
- cat_alias_map = calloc(sizeof(*cat_alias_map), pdb->p_cats.nprim);
+ cat_alias_map = calloc(pdb->p_cats.nprim, sizeof(*cat_alias_map));
if (!cat_alias_map) {
rc = -1;
goto exit;
@@ -1682,7 +1694,7 @@
{
uint32_t data = datum->data;
type_datum_t *type;
- const char *flavor, *src, *tgt, *class, *perms, *new;
+ const char *flavor, *src, *tgt, *class, *new;
char *rule = NULL, *permstring;
switch (0xFFF & key->specified) {
@@ -1730,13 +1742,19 @@
class = pdb->p_class_val_to_name[key->target_class - 1];
if (key->specified & AVTAB_AV) {
- perms = sepol_av_to_string(pdb, key->target_class, data);
- if (perms == NULL) {
+ permstring = sepol_av_to_string(pdb, key->target_class, data);
+ if (permstring == NULL) {
ERR(NULL, "Failed to generate permission string");
goto exit;
}
+ if (*permstring == '\0') {
+ ERR(NULL, "No permissions in permission string");
+ free(permstring);
+ goto exit;
+ }
rule = create_str("%s %s %s:%s { %s };",
- flavor, src, tgt, class, perms+1);
+ flavor, src, tgt, class, permstring+1);
+ free(permstring);
} else if (key->specified & AVTAB_XPERMS) {
permstring = sepol_extended_perms_to_string(datum->xperms);
if (permstring == NULL) {
@@ -2106,7 +2124,7 @@
return 0;
}
- cond_data = calloc(sizeof(struct cond_data), num);
+ cond_data = calloc(num, sizeof(struct cond_data));
if (!cond_data) {
rc = -1;
goto exit;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/link.c new/libsepol-3.7/src/link.c
--- old/libsepol-3.6/src/link.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/link.c 2024-06-26 17:30:41.000000000 +0200
@@ -749,7 +749,7 @@
return 0;
}
-static int (*copy_callback_f[SYM_NUM]) (hashtab_key_t key,
+static int (*const copy_callback_f[SYM_NUM]) (hashtab_key_t key,
hashtab_datum_t datum, void *datap) = {
NULL, class_copy_callback, role_copy_callback, type_copy_callback,
user_copy_callback, bool_copy_callback, sens_copy_callback,
@@ -1215,7 +1215,7 @@
return -1;
}
-static int (*fix_callback_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
+static int (*const fix_callback_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
void *datap) = {
NULL, NULL, role_fix_callback, type_fix_callback, user_fix_callback,
NULL, NULL, NULL};
@@ -1925,7 +1925,7 @@
* Note that if a declaration had no requirement at all (e.g., an ELSE
* block) this returns 1. */
static int is_decl_requires_met(link_state_t * state,
- avrule_decl_t * decl,
+ const avrule_decl_t * decl,
struct missing_requirement *req)
{
/* (This algorithm is very unoptimized. It performs many
@@ -1933,9 +1933,9 @@
* which symbols have been verified, so that they do not need
* to be re-checked.) */
unsigned int i, j;
- ebitmap_t *bitmap;
- char *id, *perm_id;
- policydb_t *pol = state->base;
+ const ebitmap_t *bitmap;
+ const char *id, *perm_id;
+ const policydb_t *pol = state->base;
ebitmap_node_t *node;
/* check that all symbols have been satisfied */
@@ -1961,27 +1961,29 @@
}
/* check that all classes and permissions have been satisfied */
for (i = 0; i < decl->required.class_perms_len; i++) {
+ const class_datum_t *cladatum = pol->class_val_to_struct[i];
+ const scope_datum_t *scope;
+
+ bitmap = &decl->required.class_perms_map[i];
+ id = pol->p_class_val_to_name[i];
+
+
+ if (!is_id_enabled(id, state->base, SYM_CLASSES)) {
+ return 0;
+ }
+
+ scope = hashtab_search(state->base->p_classes_scope.table, id);
+ if (scope == NULL) {
+ ERR(state->handle,
+ "Could not find scope information for class %s",
+ id);
+ return -1;
+ }
- bitmap = decl->required.class_perms_map + i;
ebitmap_for_each_positive_bit(bitmap, node, j) {
struct find_perm_arg fparg;
- class_datum_t *cladatum;
uint32_t perm_value = j + 1;
int rc;
- scope_datum_t *scope;
-
- id = pol->p_class_val_to_name[i];
- cladatum = pol->class_val_to_struct[i];
-
- scope =
- hashtab_search(state->base->p_classes_scope.table,
- id);
- if (scope == NULL) {
- ERR(state->handle,
- "Could not find scope information for class %s",
- id);
- return -1;
- }
fparg.valuep = perm_value;
fparg.key = NULL;
@@ -1996,7 +1998,7 @@
perm_id = fparg.key;
assert(perm_id != NULL);
- if (!is_perm_enabled(id, perm_id, state->base)) {
+ if (!is_perm_existent(cladatum, perm_id)) {
if (req != NULL) {
req->symbol_type = SYM_CLASSES;
req->symbol_value = i + 1;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/module_to_cil.c new/libsepol-3.7/src/module_to_cil.c
--- old/libsepol-3.6/src/module_to_cil.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/module_to_cil.c 2024-06-26 17:30:41.000000000 +0200
@@ -593,10 +593,17 @@
rc = -1;
goto exit;
}
+ if (*perms == '\0') {
+ ERR(NULL, "No permissions in permission string");
+ free(perms);
+ rc = -1;
+ goto exit;
+ }
cil_println(indent, "(%s %s %s (%s (%s)))",
rule, src, tgt,
pdb->p_class_val_to_name[classperm->tclass - 1],
perms + 1);
+ free(perms);
} else {
cil_println(indent, "(%s %s %s %s %s)",
rule, src, tgt,
@@ -1680,7 +1687,7 @@
const struct class_perm_datum *aa = a;
const struct class_perm_datum *bb = b;
- return aa->val - bb->val;
+ return spaceship_cmp(aa->val, bb->val);
}
static int common_to_cil(char *key, void *data, void *UNUSED(arg))
@@ -1967,7 +1974,19 @@
if (is_constraint) {
perms = sepol_av_to_string(pdb, class->s.value, node->permissions);
+ if (perms == NULL) {
+ ERR(NULL, "Failed to generate permission string");
+ rc = -1;
+ goto exit;
+ }
+ if (*perms == '\0') {
+ ERR(NULL, "No permissions in permission string");
+ free(perms);
+ rc = -1;
+ goto exit;
+ }
cil_println(indent, "(%sconstrain (%s (%s)) %s)", mls, classkey, perms + 1, expr);
+ free(perms);
} else {
cil_println(indent, "(%svalidatetrans %s %s)", mls, classkey, expr);
}
@@ -2390,7 +2409,7 @@
static int sens_to_cil(int indent, struct policydb *pdb, struct avrule_block *UNUSED(block), struct stack *UNUSED(decl_stack), char *key, void *datum, int scope)
{
- struct level_datum *level = datum;
+ level_datum_t *level = datum;
if (scope == SCOPE_DECL) {
if (!level->isalias) {
@@ -2932,8 +2951,8 @@
int rc = -1;
int ocon;
- static int (**ocon_funcs)(struct policydb *pdb, struct ocontext *ocon);
- static int (*ocon_selinux_funcs[OCON_NUM])(struct policydb *pdb, struct ocontext *ocon) = {
+ static int (*const *ocon_funcs)(struct policydb *pdb, struct ocontext *ocon);
+ static int (*const ocon_selinux_funcs[OCON_NUM])(struct policydb *pdb, struct ocontext *ocon) = {
ocontext_selinux_isid_to_cil,
ocontext_selinux_fs_to_cil,
ocontext_selinux_port_to_cil,
@@ -2944,7 +2963,7 @@
ocontext_selinux_ibpkey_to_cil,
ocontext_selinux_ibendport_to_cil,
};
- static int (*ocon_xen_funcs[OCON_NUM])(struct policydb *pdb, struct ocontext *ocon) = {
+ static int (*const ocon_xen_funcs[OCON_NUM])(struct policydb *pdb, struct ocontext *ocon) = {
ocontext_xen_isid_to_cil,
ocontext_xen_pirq_to_cil,
ocontext_xen_ioport_to_cil,
@@ -3385,7 +3404,7 @@
}
-static int (*func_to_cil[SYM_NUM])(int indent, struct policydb *pdb, struct avrule_block *block, struct stack *decl_stack, char *key, void *datum, int scope) = {
+static int (*const func_to_cil[SYM_NUM])(int indent, struct policydb *pdb, struct avrule_block *block, struct stack *decl_stack, char *key, void *datum, int scope) = {
NULL, // commons, only stored in the global symtab, handled elsewhere
class_to_cil,
role_to_cil,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/policydb.c new/libsepol-3.7/src/policydb.c
--- old/libsepol-3.6/src/policydb.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/policydb.c 2024-06-26 17:30:41.000000000 +0200
@@ -1126,7 +1126,7 @@
return 0;
}
-static int (*index_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
+static int (*const index_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
void *datap) = {
common_index, class_index, role_index, type_index, user_index,
cond_index_bool, sens_index, cat_index,};
@@ -1390,8 +1390,10 @@
if (key)
free(key);
levdatum = (level_datum_t *) datum;
- mls_level_destroy(levdatum->level);
- free(levdatum->level);
+ if (!levdatum->isalias || !levdatum->notdefined) {
+ mls_level_destroy(levdatum->level);
+ free(levdatum->level);
+ }
level_datum_destroy(levdatum);
free(levdatum);
return 0;
@@ -1407,7 +1409,7 @@
return 0;
}
-static int (*destroy_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
+static int (*const destroy_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
void *datap) = {
common_destroy, class_destroy, role_destroy, type_destroy, user_destroy,
cond_destroy_bool, sens_destroy, cat_destroy,};
@@ -3408,7 +3410,7 @@
return -1;
}
-static int (*read_f[SYM_NUM]) (policydb_t * p, hashtab_t h,
+static int (*const read_f[SYM_NUM]) (policydb_t * p, hashtab_t h,
struct policy_file * fp) = {
common_read, class_read, role_read, type_read, user_read,
cond_read_bool, sens_read, cat_read,};
@@ -4448,7 +4450,7 @@
}
}
/* add the type itself as the degenerate case */
- if (ebitmap_set_bit(&p->type_attr_map[i], i, 1))
+ if (p->type_val_to_struct[i] && ebitmap_set_bit(&p->type_attr_map[i], i, 1))
goto bad;
if (p->type_val_to_struct[i] && p->type_val_to_struct[i]->flavor != TYPE_ATTRIB) {
if (ebitmap_set_bit(&p->attr_type_map[i], i, 1))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/policydb_validate.c new/libsepol-3.7/src/policydb_validate.c
--- old/libsepol-3.6/src/policydb_validate.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/policydb_validate.c 2024-06-26 17:30:41.000000000 +0200
@@ -11,6 +11,7 @@
#define bool_xor(a, b) (!(a) != !(b))
#define bool_xnor(a, b) (!bool_xor(a, b))
+#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1))
typedef struct validate {
uint32_t nprim;
@@ -23,6 +24,12 @@
const policydb_t *policy;
} map_arg_t;
+typedef struct perm_arg {
+ uint32_t visited;
+ const uint32_t nprim;
+ const uint32_t inherited_nprim;
+} perm_arg_t;
+
static int create_gap_ebitmap(char **val_to_name, uint32_t nprim, ebitmap_t *gaps)
{
uint32_t i;
@@ -56,7 +63,7 @@
goto bad;
if (validate_init(&flavors[SYM_ROLES], p->p_role_val_to_name, p->p_roles.nprim))
goto bad;
- if (p->policyvers < POLICYDB_VERSION_AVTAB || p->policyvers > POLICYDB_VERSION_PERMISSIVE) {
+ if (p->policy_type != POLICY_KERN || p->policyvers < POLICYDB_VERSION_AVTAB || p->policyvers > POLICYDB_VERSION_PERMISSIVE) {
if (validate_init(&flavors[SYM_TYPES], p->p_type_val_to_name, p->p_types.nprim))
goto bad;
} else {
@@ -227,17 +234,21 @@
return -1;
}
-static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms, const constraint_node_t *cons, validate_t flavors[])
+static int validate_constraint_nodes(sepol_handle_t *handle, uint32_t nperms, const constraint_node_t *cons, validate_t flavors[])
{
const constraint_expr_t *cexp;
+ const int is_validatetrans = (nperms == UINT32_MAX);
int depth;
+ if (cons && nperms == 0)
+ goto bad;
+
for (; cons; cons = cons->next) {
- if (nperms == 0 && cons->permissions != 0)
+ if (is_validatetrans && cons->permissions != 0)
goto bad;
- if (nperms > 0 && cons->permissions == 0)
+ if (!is_validatetrans && cons->permissions == 0)
goto bad;
- if (nperms > 0 && nperms != PERM_SYMTAB_SIZE && cons->permissions >= (UINT32_C(1) << nperms))
+ if (!is_validatetrans && nperms != PERM_SYMTAB_SIZE && cons->permissions >= (UINT32_C(1) << nperms))
goto bad;
if (!cons->expr)
@@ -251,7 +262,7 @@
goto bad;
depth++;
- if (cexp->attr & CEXPR_XTARGET && nperms != 0)
+ if (cexp->attr & CEXPR_XTARGET && !is_validatetrans)
goto bad;
if (!(cexp->attr & CEXPR_TYPE)) {
if (validate_empty_type_set(cexp->type_names))
@@ -366,11 +377,49 @@
return -1;
}
+static int perm_visit(__attribute__((__unused__)) hashtab_key_t k, hashtab_datum_t d, void *args)
+{
+ perm_arg_t *pargs = args;
+ const perm_datum_t *perdatum = d;
+
+ if (!value_isvalid(perdatum->s.value, pargs->nprim))
+ return -1;
+
+ if (pargs->inherited_nprim != 0 && value_isvalid(perdatum->s.value, pargs->inherited_nprim))
+ return -1;
+
+ if ((UINT32_C(1) << (perdatum->s.value - 1)) & pargs->visited)
+ return -1;
+
+ pargs->visited |= (UINT32_C(1) << (perdatum->s.value - 1));
+ return 0;
+}
+
+static int validate_permission_symtab(sepol_handle_t *handle, const symtab_t *permissions, uint32_t inherited_nprim)
+{
+ /* Check each entry has a different valid value and is not overriding an inherited one */
+
+ perm_arg_t pargs = { .visited = 0, .nprim = permissions->nprim, .inherited_nprim = inherited_nprim };
+
+ if (hashtab_map(permissions->table, perm_visit, &pargs))
+ goto bad;
+
+ return 0;
+
+bad:
+ ERR(handle, "Invalid permission table");
+ return -1;
+}
+
static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *common, validate_t flavors[])
{
if (validate_value(common->s.value, &flavors[SYM_COMMONS]))
goto bad;
- if (common->permissions.table->nel == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE)
+ if (common->permissions.nprim == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE)
+ goto bad;
+ if (common->permissions.nprim != common->permissions.table->nel)
+ goto bad;
+ if (validate_permission_symtab(handle, &common->permissions, 0))
goto bad;
return 0;
@@ -393,11 +442,17 @@
goto bad;
if (class->comdatum && validate_common_datum(handle, class->comdatum, flavors))
goto bad;
- if (class->permissions.nprim > PERM_SYMTAB_SIZE)
+ /* empty classes are permitted */
+ if (class->permissions.nprim > PERM_SYMTAB_SIZE || class->permissions.table->nel > PERM_SYMTAB_SIZE)
+ goto bad;
+ if (class->permissions.nprim !=
+ (class->permissions.table->nel + (class->comdatum ? class->comdatum->permissions.table->nel : 0)))
+ goto bad;
+ if (validate_permission_symtab(handle, &class->permissions, class->comdatum ? class->comdatum->permissions.nprim : 0))
goto bad;
if (validate_constraint_nodes(handle, class->permissions.nprim, class->constraints, flavors))
goto bad;
- if (validate_constraint_nodes(handle, 0, class->validatetrans, flavors))
+ if (validate_constraint_nodes(handle, UINT32_MAX, class->validatetrans, flavors))
goto bad;
switch (class->default_user) {
@@ -618,12 +673,37 @@
return -1;
}
-static int validate_level_datum(__attribute__ ((unused)) hashtab_key_t k, hashtab_datum_t d, void *args)
+static int validate_level_datum(sepol_handle_t *handle, const level_datum_t *level, validate_t flavors[], const policydb_t *p)
+{
+ if (level->notdefined != 0)
+ goto bad;
+
+ if (validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
+ goto bad;
+
+ if (level->isalias) {
+ const mls_level_t *l1 = level->level;
+ const mls_level_t *l2;
+ const level_datum_t *actual = (level_datum_t *) hashtab_search(p->p_levels.table, p->p_sens_val_to_name[l1->sens - 1]);
+ if (!actual)
+ goto bad;
+ l2 = actual->level;
+ if (!ebitmap_cmp(&l1->cat, &l2->cat))
+ goto bad;
+ }
+
+ return 0;
+
+ bad:
+ ERR(handle, "Invalid level datum");
+ return -1;
+}
+
+static int validate_level_datum_wrapper(__attribute__ ((unused)) hashtab_key_t k, hashtab_datum_t d, void *args)
{
- level_datum_t *level = d;
- validate_t *flavors = args;
+ map_arg_t *margs = args;
- return validate_mls_level(level->level, &flavors[SYM_LEVELS], &flavors[SYM_CATS]);
+ return validate_level_datum(margs->handle, d, margs->flavors, margs->policy);
}
static int validate_mls_range(const mls_range_t *range, const validate_t *sens, const validate_t *cats)
@@ -723,7 +803,7 @@
* For policy versions between 20 and 23, attributes exist in the policy,
* but only in the type_attr_map, so all gaps must be assumed to be valid.
*/
- if (p->policyvers < POLICYDB_VERSION_AVTAB || p->policyvers > POLICYDB_VERSION_PERMISSIVE) {
+ if (p->policy_type != POLICY_KERN || p->policyvers < POLICYDB_VERSION_AVTAB || p->policyvers > POLICYDB_VERSION_PERMISSIVE) {
for (i = 0; i < p->p_types.nprim; i++) {
if (bool_xnor(p->type_val_to_struct[i], ebitmap_get_bit(&flavors[SYM_TYPES].gaps, i)))
goto bad;
@@ -774,7 +854,7 @@
if (hashtab_map(p->p_users.table, validate_user_datum_wrapper, &margs))
goto bad;
- if (p->mls && hashtab_map(p->p_levels.table, validate_level_datum, flavors))
+ if (p->mls && hashtab_map(p->p_levels.table, validate_level_datum_wrapper, &margs))
goto bad;
if (hashtab_map(p->p_cats.table, validate_datum, &flavors[SYM_CATS]))
@@ -851,6 +931,26 @@
bad:
return -1;
}
+
+static int validate_access_vector(sepol_handle_t *handle, const policydb_t *p, sepol_security_class_t tclass,
+ sepol_access_vector_t av)
+{
+ const class_datum_t *cladatum = p->class_val_to_struct[tclass - 1];
+
+ /*
+ * Check that at least one permission bit is valid.
+ * Older compilers might set invalid bits for the wildcard permission.
+ */
+ if (!(av & PERMISSION_MASK(cladatum->permissions.nprim)))
+ goto bad;
+
+ return 0;
+
+bad:
+ ERR(handle, "Invalid access vector");
+ return -1;
+}
+
static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *args)
{
map_arg_t *margs = args;
@@ -858,6 +958,16 @@
if (validate_avtab_key(k, 0, margs->policy, margs->flavors))
return -1;
+ if (k->specified & AVTAB_AV) {
+ uint32_t data = d->data;
+
+ if ((0xFFF & k->specified) == AVTAB_AUDITDENY)
+ data = ~data;
+
+ if (validate_access_vector(margs->handle, margs->policy, k->target_class, data))
+ return -1;
+ }
+
if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors))
return -1;
@@ -890,6 +1000,15 @@
if (validate_avtab_key(key, 1, p, flavors))
goto bad;
+ if (key->specified & AVTAB_AV) {
+ uint32_t data = datum->data;
+
+ if ((0xFFF & key->specified) == AVTAB_AUDITDENY)
+ data = ~data;
+
+ if (validate_access_vector(handle, p, key->target_class, data))
+ goto bad;
+ }
if ((key->specified & AVTAB_TYPE) && validate_simpletype(datum->data, p, flavors))
goto bad;
}
@@ -957,7 +1076,12 @@
switch(avrule->flags) {
case 0:
+ break;
case RULE_SELF:
+ if (p->policyvers != POLICY_KERN &&
+ p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS &&
+ (avrule->specified & AVRULE_TYPE))
+ goto bad;
break;
case RULE_NOTSELF:
switch(avrule->specified) {
@@ -1344,6 +1468,8 @@
static int validate_scope_index(sepol_handle_t *handle, const scope_index_t *scope_index, validate_t flavors[])
{
+ uint32_t i;
+
if (!ebitmap_is_empty(&scope_index->scope[SYM_COMMONS]))
goto bad;
if (validate_ebitmap(&scope_index->p_classes_scope, &flavors[SYM_CLASSES]))
@@ -1360,8 +1486,10 @@
goto bad;
if (validate_ebitmap(&scope_index->p_cat_scope, &flavors[SYM_CATS]))
goto bad;
- if (scope_index->class_perms_len > flavors[SYM_CLASSES].nprim)
- goto bad;
+
+ for (i = 0; i < scope_index->class_perms_len; i++)
+ if (validate_value(i + 1, &flavors[SYM_CLASSES]))
+ goto bad;
return 0;
@@ -1384,8 +1512,16 @@
goto bad;
/* currently only the RULE_SELF flag can be set */
- if ((filename_trans->flags & ~RULE_SELF) != 0)
+ switch (filename_trans->flags) {
+ case 0:
+ break;
+ case RULE_SELF:
+ if (p->policyvers != POLICY_KERN && p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS)
+ goto bad;
+ break;
+ default:
goto bad;
+ }
}
return 0;
@@ -1523,17 +1659,41 @@
return -1;
}
+static int validate_attrtype_map(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[])
+{
+ const ebitmap_t *maps = p->attr_type_map;
+ uint32_t i;
+
+ if (p->policy_type == POLICY_KERN) {
+ for (i = 0; i < p->p_types.nprim; i++) {
+ if (validate_ebitmap(&maps[i], &flavors[SYM_TYPES]))
+ goto bad;
+ }
+ } else if (maps)
+ goto bad;
+
+ return 0;
+
+bad:
+ ERR(handle, "Invalid attr type map");
+ return -1;
+}
+
static int validate_properties(sepol_handle_t *handle, const policydb_t *p)
{
switch (p->policy_type) {
case POLICY_KERN:
if (p->policyvers < POLICYDB_VERSION_MIN || p->policyvers > POLICYDB_VERSION_MAX)
goto bad;
+ if (p->mls && p->policyvers < POLICYDB_VERSION_MLS)
+ goto bad;
break;
case POLICY_BASE:
case POLICY_MOD:
if (p->policyvers < MOD_POLICYDB_VERSION_MIN || p->policyvers > MOD_POLICYDB_VERSION_MAX)
goto bad;
+ if (p->mls && p->policyvers < MOD_POLICYDB_VERSION_MLS)
+ goto bad;
break;
default:
goto bad;
@@ -1652,10 +1812,11 @@
if (validate_range_transitions(handle, p, flavors))
goto bad;
- if (p->policyvers >= POLICYDB_VERSION_AVTAB) {
- if (validate_typeattr_map(handle, p, flavors))
- goto bad;
- }
+ if (validate_typeattr_map(handle, p, flavors))
+ goto bad;
+
+ if (validate_attrtype_map(handle, p, flavors))
+ goto bad;
validate_array_destroy(flavors);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/services.c new/libsepol-3.7/src/services.c
--- old/libsepol-3.6/src/services.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/services.c 2024-06-26 17:30:41.000000000 +0200
@@ -347,9 +347,11 @@
p += len;
buf_used += len;
if (state_num < 2) {
+ char *permstr = sepol_av_to_string(policydb, tclass, constraint->permissions);
+
len = snprintf(p, class_buf_len - buf_used, "{%s } (",
- sepol_av_to_string(policydb, tclass,
- constraint->permissions));
+ permstr ?: "<format-failure>");
+ free(permstr);
} else {
len = snprintf(p, class_buf_len - buf_used, "(");
}
@@ -1237,7 +1239,25 @@
const char *sepol_av_perm_to_string(sepol_security_class_t tclass,
sepol_access_vector_t av)
{
- return sepol_av_to_string(policydb, tclass, av);
+ static char avbuf[1024];
+ char *avstr = sepol_av_to_string(policydb, tclass, av);
+ size_t len;
+
+ memset(avbuf, 0, sizeof(avbuf));
+
+ if (avstr) {
+ len = strlen(avstr);
+ if (len < sizeof(avbuf)) {
+ strcpy(avbuf, avstr);
+ } else {
+ sprintf(avbuf, "<access-vector overflowed buffer>");
+ }
+ free(avstr);
+ } else {
+ sprintf(avbuf, "<format-failure>");
+ }
+
+ return avbuf;
}
/*
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/util.c new/libsepol-3.7/src/util.c
--- old/libsepol-3.6/src/util.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/util.c 2024-06-26 17:30:41.000000000 +0200
@@ -32,7 +32,7 @@
struct val_to_name {
unsigned int val;
- char *name;
+ const char *name;
};
/* Add an unsigned integer to a dynamically reallocated array. *cnt
@@ -82,20 +82,27 @@
return 0;
}
-char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass,
+char *sepol_av_to_string(const policydb_t *policydbp, sepol_security_class_t tclass,
sepol_access_vector_t av)
{
struct val_to_name v;
- static char avbuf[1024];
- class_datum_t *cladatum;
- char *perm = NULL, *p;
- unsigned int i;
+ const class_datum_t *cladatum = policydbp->class_val_to_struct[tclass - 1];
+ uint32_t i;
int rc;
- int avlen = 0, len;
+ char *buffer = NULL, *p;
+ int len;
+ size_t remaining, size = 64;
+
+retry:
+ if (__builtin_mul_overflow(size, 2, &size))
+ goto err;
+ p = realloc(buffer, size);
+ if (!p)
+ goto err;
+ *p = '\0'; /* Just in case there are no permissions */
+ buffer = p;
+ remaining = size;
- memset(avbuf, 0, sizeof avbuf);
- cladatum = policydbp->class_val_to_struct[tclass - 1];
- p = avbuf;
for (i = 0; i < cladatum->permissions.nprim; i++) {
if (av & (UINT32_C(1) << i)) {
v.val = i + 1;
@@ -106,22 +113,23 @@
permissions.table, perm_name,
&v);
}
- if (rc)
- perm = v.name;
- if (perm) {
- len =
- snprintf(p, sizeof(avbuf) - avlen, " %s",
- perm);
- if (len < 0
- || (size_t) len >= (sizeof(avbuf) - avlen))
- return NULL;
+ if (rc == 1) {
+ len = snprintf(p, remaining, " %s", v.name);
+ if (len < 0)
+ goto err;
+ if ((size_t) len >= remaining)
+ goto retry;
p += len;
- avlen += len;
+ remaining -= len;
}
}
}
- return avbuf;
+ return buffer;
+
+err:
+ free(buffer);
+ return NULL;
}
#define next_bit_in_range(i, p) (((i) + 1 < sizeof(p)*8) && xperm_test(((i) + 1), p))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-3.6/src/write.c new/libsepol-3.7/src/write.c
--- old/libsepol-3.6/src/write.c 2023-12-13 15:46:22.000000000 +0100
+++ new/libsepol-3.7/src/write.c 2024-06-26 17:30:41.000000000 +0200
@@ -1103,8 +1103,10 @@
buf[1] = cpu_to_le32(cladatum->default_role);
if (!glblub_version && default_range == DEFAULT_GLBLUB) {
WARN(fp->handle,
- "class %s default_range set to GLBLUB but policy version is %d (%d required), discarding",
- p->p_class_val_to_name[cladatum->s.value - 1], p->policyvers,
+ "class %s default_range set to GLBLUB but %spolicy version is %d (%d required), discarding",
+ p->p_class_val_to_name[cladatum->s.value - 1],
+ p->policy_type == POLICY_KERN ? "" : "module ",
+ p->policyvers,
p->policy_type == POLICY_KERN? POLICYDB_VERSION_GLBLUB:MOD_POLICYDB_VERSION_GLBLUB);
default_range = 0;
}
@@ -1342,7 +1344,7 @@
return POLICYDB_SUCCESS;
}
-static int (*write_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
+static int (*const write_f[SYM_NUM]) (hashtab_key_t key, hashtab_datum_t datum,
void *datap) = {
common_write, class_write, role_write, type_write, user_write,
cond_write_bool, sens_write, cat_write,};
@@ -2219,7 +2221,8 @@
p->policy_type == POLICY_BASE) ||
(p->policyvers < MOD_POLICYDB_VERSION_MLS &&
p->policy_type == POLICY_MOD)) {
- ERR(fp->handle, "policy version %d cannot support MLS",
+ ERR(fp->handle, "%spolicy version %d cannot support MLS",
+ p->policy_type == POLICY_KERN ? "" : "module ",
p->policyvers);
return POLICYDB_ERROR;
}
@@ -2252,8 +2255,10 @@
info = policydb_lookup_compat(p->policyvers, p->policy_type,
p->target_platform);
if (!info) {
- ERR(fp->handle, "compatibility lookup failed for policy "
- "version %d", p->policyvers);
+ ERR(fp->handle, "compatibility lookup failed for %s%s policy version %d",
+ p->target_platform == SEPOL_TARGET_SELINUX ? "selinux" : "xen",
+ p->policy_type == POLICY_KERN ? "" : " module",
+ p->policyvers);
return POLICYDB_ERROR;
}
1
0