Hello community,
here is the log from the commit of package libsepol for openSUSE:Factory checked in at 2019-03-24 14:55:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libsepol (Old)
and /work/SRC/openSUSE:Factory/.libsepol.new.25356 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libsepol"
Sun Mar 24 14:55:21 2019 rev:41 rq:687216 version:2.9
Changes:
--------
--- /work/SRC/openSUSE:Factory/libsepol/libsepol.changes 2018-12-19 13:23:01.953409994 +0100
+++ /work/SRC/openSUSE:Factory/.libsepol.new.25356/libsepol.changes 2019-03-24 14:55:25.735212029 +0100
@@ -1,0 +2,18 @@
+Wed Mar 20 15:12:34 UTC 2019 - jsegitz@suse.com
+
+- Update to version 2.9
+ * Add two new Xen initial SIDs
+ * Check that initial sid indexes are within the valid range
+ * Create policydb_sort_ocontexts()
+ * Eliminate initial sid string definitions in module_to_cil.c
+ * Rename kernel_to_common.c stack functions
+ * add missing ibendport port validity check
+ * destroy the copied va_list
+ * do not call malloc with 0 byte
+ * do not leak memory if list_prepend fails
+ * do not use uninitialized value for low_value
+ * fix endianity in ibpkey range checks
+ * ibpkeys.c: fix printf format string specifiers for subnet_prefix
+ * mark permissive types when loading a binary policy
+
+-------------------------------------------------------------------
Old:
----
libsepol-2.8.tar.gz
New:
----
libsepol-2.9.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libsepol.spec ++++++
--- /var/tmp/diff_new_pack.hePbmG/_old 2019-03-24 14:55:26.199211980 +0100
+++ /var/tmp/diff_new_pack.hePbmG/_new 2019-03-24 14:55:26.199211980 +0100
@@ -1,7 +1,7 @@
#
# spec file for package libsepol
#
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,13 +17,13 @@
Name: libsepol
-Version: 2.8
+Version: 2.9
Release: 0
Summary: SELinux binary policy manipulation library
License: LGPL-2.1-or-later
Group: Development/Libraries/C and C++
Url: https://github.com/SELinuxProject/selinux/wiki/Releases
-Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/%{name}-%{version}.tar.gz
+Source: https://github.com/SELinuxProject/selinux/releases/download/20190315/%{name}-%{version}.tar.gz
Source2: baselibs.conf
BuildRequires: flex
BuildRequires: pkgconfig
@@ -101,6 +101,7 @@
%defattr(-,root,root)
%{_bindir}/chkcon
%{_mandir}/man8/*.8%{ext_man}
+%{_mandir}/ru/man8/*.8%{ext_man}
%files -n libsepol1
%defattr(-,root,root)
++++++ libsepol-2.8.tar.gz -> libsepol-2.9.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/VERSION new/libsepol-2.9/VERSION
--- old/libsepol-2.8/VERSION 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/VERSION 2019-03-15 11:32:30.000000000 +0100
@@ -1 +1 @@
-2.8
+2.9
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/cil/src/cil_binary.c new/libsepol-2.9/cil/src/cil_binary.c
--- old/libsepol-2.8/cil/src/cil_binary.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/cil/src/cil_binary.c 2019-03-15 11:32:30.000000000 +0100
@@ -54,6 +54,7 @@
#include "cil_binary.h"
#include "cil_symtab.h"
#include "cil_find.h"
+#include "cil_build_ast.h"
/* There are 44000 filename_trans in current fedora policy. 1.33 times this is the recommended
* size of a hashtable. The next power of 2 of this is 2 ** 16.
@@ -930,7 +931,7 @@
exit:
level_datum_destroy(sepol_alias);
- free(sepol_level);
+ free(sepol_alias);
free(key);
return rc;
}
@@ -1763,11 +1764,13 @@
hashtab_xperms = cil_malloc(sizeof(*hashtab_xperms));
rc = ebitmap_cpy(hashtab_xperms, xperms);
if (rc != SEPOL_OK) {
+ free(hashtab_xperms);
free(avtab_key);
goto exit;
}
rc = hashtab_insert(h, (hashtab_key_t)avtab_key, hashtab_xperms);
if (rc != SEPOL_OK) {
+ free(hashtab_xperms);
free(avtab_key);
goto exit;
}
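Review bot: On the hashtab_insert failure path (the second added free) only the container is released; the ebitmap nodes that ebitmap_cpy allocated into hashtab_xperms are not, so a failed insert still leaks them. Unless hashtab_insert releases the datum itself on failure, which I cannot see from here, the cleanup should be `ebitmap_destroy(hashtab_xperms);` followed by `free(hashtab_xperms);`. The first added free, after a failed ebitmap_cpy, is fine provided ebitmap_cpy destroys the partially built destination on failure, as libsepol's implementation does. The enclosing function starts and ends outside the hunk.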
@@ -2072,6 +2075,7 @@
char *c2 = NULL;
__cil_expr_to_string_helper(curr, flavor, &c1);
for (curr = curr->next; curr; curr = curr->next) {
+ s1 = NULL;
__cil_expr_to_string_helper(curr, flavor, &s1);
cil_asprintf(&c2, "%s %s", c1, s1);
free(c1);
@@ -2157,6 +2161,7 @@
op->expr_type = COND_NEQ;
break;
default:
+ free(op);
goto exit;
}
@@ -2283,6 +2288,7 @@
cond_expr_destroy(tmp_cond->expr);
free(tmp_cond);
+ tmp_cond = NULL;
for (cb_node = node->cl_head; cb_node != NULL; cb_node = cb_node->next) {
if (cb_node->flavor == CIL_CONDBLOCK) {
@@ -2327,6 +2333,11 @@
return SEPOL_OK;
exit:
+ if (tmp_cond) {
+ if (tmp_cond->expr)
+ cond_expr_destroy(tmp_cond->expr);
+ free(tmp_cond);
+ }
return rc;
}
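Review bot: The inner `if (tmp_cond->expr)` at the exit label has an unbraced body, while the outer if in the same hunk is braced; write it as `if (tmp_cond->expr) { cond_expr_destroy(tmp_cond->expr); }` to match. This cleanup also relies on tmp_cond being initialised to NULL at its declaration before the first `goto exit`, which is outside the hunk and worth confirming. The enclosing function starts outside the hunk.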
@@ -4797,6 +4808,7 @@
return cp_list;
exit:
+ cil_destroy_classperms(cp);
cil_log(CIL_ERR,"Failed to create CIL class-permissions from sepol values\n");
return NULL;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/cil/src/cil_resolve_ast.c new/libsepol-2.9/cil/src/cil_resolve_ast.c
--- old/libsepol-2.8/cil/src/cil_resolve_ast.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/cil/src/cil_resolve_ast.c 2019-03-15 11:32:30.000000000 +0100
@@ -1535,6 +1535,7 @@
return SEPOL_OK;
exit:
+ cil_list_destroy(&new, CIL_FALSE);
return rc;
}
@@ -1591,6 +1592,7 @@
return SEPOL_OK;
exit:
+ cil_list_destroy(&new, CIL_FALSE);
return rc;
}
@@ -1624,6 +1626,7 @@
return SEPOL_OK;
exit:
+ cil_list_destroy(&new, CIL_FALSE);
return rc;
}
@@ -2853,6 +2856,7 @@
rc = cil_fill_cats(pc, &catset->cats);
if (rc != SEPOL_OK) {
cil_destroy_catset(catset);
+ cil_destroy_args(new_arg);
goto exit;
}
cil_tree_node_init(&cat_node);
@@ -2877,6 +2881,7 @@
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Failed to create anonymous level, rc: %d\n", rc);
cil_destroy_level(level);
+ cil_destroy_args(new_arg);
goto exit;
}
cil_tree_node_init(&lvl_node);
@@ -2901,6 +2906,7 @@
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Failed to create anonymous levelrange, rc: %d\n", rc);
cil_destroy_levelrange(range);
+ cil_destroy_args(new_arg);
goto exit;
}
cil_tree_node_init(&range_node);
@@ -2923,8 +2929,9 @@
rc = cil_fill_ipaddr(pc->cl_head, ipaddr);
if (rc != SEPOL_OK) {
- cil_log(CIL_ERR, "Failed to create anonymous ip address, rc; %d\n", rc);
+ cil_log(CIL_ERR, "Failed to create anonymous ip address, rc: %d\n", rc);
cil_destroy_ipaddr(ipaddr);
+ cil_destroy_args(new_arg);
goto exit;
}
cil_tree_node_init(&addr_node);
@@ -2955,6 +2962,7 @@
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Failed to create anonymous classpermission\n");
cil_destroy_classpermission(cp);
+ cil_destroy_args(new_arg);
goto exit;
}
cil_tree_node_init(&cp_node);
@@ -2970,6 +2978,7 @@
default:
cil_log(CIL_ERR, "Unexpected flavor: %d\n",
(((struct cil_param*)item->data)->flavor));
+ cil_destroy_args(new_arg);
rc = SEPOL_ERR;
goto exit;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/cil/src/cil_symtab.c new/libsepol-2.9/cil/src/cil_symtab.c
--- old/libsepol-2.8/cil/src/cil_symtab.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/cil/src/cil_symtab.c 2019-03-15 11:32:30.000000000 +0100
@@ -185,6 +185,7 @@
ckey->key2 == curr->ckey->key2 &&
ckey->key3 == curr->ckey->key3 &&
ckey->key4 == curr->ckey->key4) {
+ free(node);
return SEPOL_EEXIST;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/cil/src/cil_tree.c new/libsepol-2.9/cil/src/cil_tree.c
--- old/libsepol-2.8/cil/src/cil_tree.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/cil/src/cil_tree.c 2019-03-15 11:32:30.000000000 +0100
@@ -512,7 +512,7 @@
} else {
rc = cil_expr_to_string(str_expr, &expr_str);
}
- if (rc < 0) {
+ if (rc != SEPOL_OK) {
cil_log(CIL_INFO, "ERROR)");
return;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/include/sepol/errcodes.h new/libsepol-2.9/include/sepol/errcodes.h
--- old/libsepol-2.8/include/sepol/errcodes.h 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/include/sepol/errcodes.h 2019-03-15 11:32:30.000000000 +0100
@@ -12,7 +12,7 @@
#define SEPOL_OK 0
/* These first error codes are defined for compatibility with
- * previous version of libsepol. In the future, custome error
+ * previous version of libsepol. In the future, custom error
* codes that don't map to system error codes should be defined
* outside of the range of system error codes.
*/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/include/sepol/policydb/policydb.h new/libsepol-2.9/include/sepol/policydb/policydb.h
--- old/libsepol-2.8/include/sepol/policydb/policydb.h 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/include/sepol/policydb/policydb.h 2019-03-15 11:32:30.000000000 +0100
@@ -640,6 +640,8 @@
extern int policydb_load_isids(policydb_t * p, sidtab_t * s);
+extern int policydb_sort_ocontexts(policydb_t *p);
+
/* Deprecated */
extern int policydb_context_isvalid(const policydb_t * p,
const context_struct_t * c);
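Review bot: policydb_sort_ocontexts is added to the public header with no comment on its contract; nothing here says whether it sorts p in place, what order it imposes, or what a non-zero return means. A one-line comment above the prototype stating those three points, taken from the definition (which is outside this diff), would let callers use the new symbol without reading the source.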
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/man/Makefile new/libsepol-2.9/man/Makefile
--- old/libsepol-2.8/man/Makefile 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/man/Makefile 2019-03-15 11:32:30.000000000 +0100
@@ -1,7 +1,11 @@
# Installation directories.
+LINGUAS ?= ru
PREFIX ?= /usr
-MAN8DIR ?= $(PREFIX)/share/man/man8
-MAN3DIR ?= $(PREFIX)/share/man/man3
+MANDIR ?= $(PREFIX)/share/man
+MAN3SUBDIR ?= man3
+MAN8SUBDIR ?= man8
+MAN3DIR ?= $(MANDIR)/$(MAN3SUBDIR)
+MAN8DIR ?= $(MANDIR)/$(MAN8SUBDIR)
all:
@@ -10,4 +14,13 @@
mkdir -p $(DESTDIR)$(MAN8DIR)
install -m 644 man3/*.3 $(DESTDIR)$(MAN3DIR)
install -m 644 man8/*.8 $(DESTDIR)$(MAN8DIR)
-
+ for lang in $(LINGUAS) ; do \
+ if [ -e $${lang}/man3 ] ; then \
+ mkdir -p $(DESTDIR)$(MANDIR)/$${lang}/$(MAN3SUBDIR) ; \
+ install -m 644 $${lang}/man3/*.3 $(DESTDIR)$(MANDIR)/$${lang}/$(MAN3SUBDIR) ; \
+ fi ; \
+ if [ -e $${lang}/man8 ] ; then \
+ mkdir -p $(DESTDIR)$(MANDIR)/$${lang}/$(MAN8SUBDIR) ; \
+ install -m 644 $${lang}/man8/*.8 $(DESTDIR)$(MANDIR)/$${lang}/$(MAN8SUBDIR) ; \
+ fi ; \
+ done
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/man/ru/man8/chkcon.8 new/libsepol-2.9/man/ru/man8/chkcon.8
--- old/libsepol-2.8/man/ru/man8/chkcon.8 1970-01-01 01:00:00.000000000 +0100
+++ new/libsepol-2.9/man/ru/man8/chkcon.8 2019-03-15 11:32:30.000000000 +0100
@@ -0,0 +1,39 @@
+.\" Hey, Emacs! This is an -*- nroff -*- source file.
+.\" Copyright (c) 1997 Manoj Srivastava
+.\"
+.\" This is free documentation; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License as
+.\" published by the Free Software Foundation; either version 2 of
+.\" the License, or (at your option) any later version.
+.\"
+.\" The GNU General Public License's references to "object code"
+.\" and "executables" are to be interpreted as the output of any
+.\" document formatting or typesetting system, including
+.\" intermediate and printed output.
+.\"
+.\" This manual is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public
+.\" License along with this manual; if not, write to the Free
+.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
+.\" USA.
+.\"
+.TH CHKCON 8 "12 марта 2005" "SELinux" "Документация по командной строке SELinux"
+.SH ИМЯ
+chkcon \- определить, является ли контекст безопасности действительным для конкретной двоичной политики
+.SH ОБЗОР
+chkcon policy_file context
+.SH ОПИСАНИЕ
+Эта утилита проверяет контекст безопасности (его строковое представление), заданный аргументом
+.I context,
+относительно данных конфигурации, прочтённых из файла двоичного представления базы данных политик, заданного аргументом
+.I policy_file.
+.SH ФАЙЛЫ
+policy file
+.SH АВТОРЫ
+Эта страница руководства (и только она) была написана Manoj
+Srivastava .
+Перевод на русский язык выполнила Герасименко Олеся .
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/expand.c new/libsepol-2.9/src/expand.c
--- old/libsepol-2.8/src/expand.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/src/expand.c 2019-03-15 11:32:30.000000000 +0100
@@ -1451,6 +1451,7 @@
new_trans->name = strdup(cur_rule->name);
if (!new_trans->name) {
ERR(state->handle, "Out of memory!");
+ free(new_trans);
return -1;
}
new_trans->stype = i + 1;
@@ -1460,6 +1461,8 @@
otype = calloc(1, sizeof(*otype));
if (!otype) {
ERR(state->handle, "Out of memory!");
+ free(new_trans->name);
+ free(new_trans);
return -1;
}
otype->otype = mapped_otype;
@@ -1469,6 +1472,9 @@
otype);
if (rc) {
ERR(state->handle, "Out of memory!");
+ free(otype);
+ free(new_trans->name);
+ free(new_trans);
return -1;
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/ibpkeys.c new/libsepol-2.9/src/ibpkeys.c
--- old/libsepol-2.8/src/ibpkeys.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/src/ibpkeys.c 2019-03-15 11:32:30.000000000 +0100
@@ -1,5 +1,6 @@
#include
#include
+#include
#include "debug.h"
#include "context.h"
@@ -176,7 +177,7 @@
return STATUS_SUCCESS;
err:
- ERR(handle, "could not query ibpkey subnet prefix: %#lx range %u - %u exists",
+ ERR(handle, "could not query ibpkey subnet prefix: %#" PRIx64 " range %u - %u exists",
subnet_prefix, low, high);
return STATUS_ERR;
}
@@ -203,7 +204,7 @@
return STATUS_SUCCESS;
err:
- ERR(handle, "could not load ibpkey subnet prefix: %#lx range %u - %u exists",
+ ERR(handle, "could not load ibpkey subnet prefix: %#" PRIx64 " range %u - %u exists",
subnet_prefix, low, high);
if (ibpkey) {
context_destroy(&ibpkey->context[0]);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/kernel_to_cil.c new/libsepol-2.9/src/kernel_to_cil.c
--- old/libsepol-2.8/src/kernel_to_cil.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/src/kernel_to_cil.c 2019-03-15 11:32:30.000000000 +0100
@@ -36,7 +36,7 @@
char *str = NULL;
int rc;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -65,13 +65,13 @@
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid conditional expression");
free(val2);
@@ -89,29 +89,29 @@
sepol_log_err("Invalid conditional expression");
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
@@ -127,7 +127,7 @@
*use_mls = 0;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -208,13 +208,13 @@
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid constraint expression");
goto exit;
@@ -231,30 +231,30 @@
if (!new_val) {
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
@@ -529,23 +529,31 @@
return rc;
}
-static int write_sids_to_cil(FILE *out, const char *const *sid_to_str, struct ocontext *isids)
+static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
+ unsigned num_sids, struct ocontext *isids)
{
struct ocontext *isid;
struct strs *strs;
char *sid;
char *prev;
+ char unknown[18];
unsigned i;
int rc;
- rc = strs_init(&strs, SECINITSID_NUM+1);
+ rc = strs_init(&strs, num_sids+1);
if (rc != 0) {
goto exit;
}
for (isid = isids; isid != NULL; isid = isid->next) {
i = isid->sid[0];
- rc = strs_add_at_index(strs, (char *)sid_to_str[i], i);
+ if (i < num_sids) {
+ sid = (char *)sid_to_str[i];
+ } else {
+ snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
+ sid = strdup(unknown);
+ }
+ rc = strs_add_at_index(strs, sid, i);
if (rc != 0) {
goto exit;
}
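Review bot: The result of `sid = strdup(unknown);` is not checked before it is handed to strs_add_at_index, so an allocation failure stores a NULL entry that the exit loop will free and the writer will presumably format with %s; add `if (!sid) { rc = -1; goto exit; }` after the strdup. The same unchecked strdup appears in write_sids_to_conf in kernel_to_conf.c. The UNKNOWN%u synthesis (an 18-byte buffer and `snprintf(unknown, 18, ...)`) is now repeated in write_sids_to_cil, write_sid_context_rules_to_cil, write_sids_to_conf, write_sid_context_rules_to_conf and ocontext_isid_to_cil; a single helper in kernel_to_common.c, using `sizeof unknown` rather than a literal 18, would keep the buffer size and the format in one place. write_sids_to_cil continues past the hunk.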
@@ -577,6 +585,10 @@
sepol_printf(out, "))\n");
exit:
+ for (i=num_sids; itarget_platform == SEPOL_TARGET_SELINUX) {
- rc = write_sids_to_cil(out, selinux_sid_to_str, pdb->ocontexts[0]);
+ rc = write_sids_to_cil(out, selinux_sid_to_str, SELINUX_SID_SZ,
+ pdb->ocontexts[0]);
} else if (pdb->target_platform == SEPOL_TARGET_XEN) {
- rc = write_sids_to_cil(out, xen_sid_to_str, pdb->ocontexts[0]);
+ rc = write_sids_to_cil(out, xen_sid_to_str, XEN_SID_SZ,
+ pdb->ocontexts[0]);
} else {
sepol_log_err("Unknown target platform: %i", pdb->target_platform);
rc = -1;
@@ -1520,9 +1534,9 @@
static int write_type_permissive_rules_to_cil(FILE *out, struct policydb *pdb)
{
- type_datum_t *type;
struct strs *strs;
char *name;
+ struct ebitmap_node *node;
unsigned i, num;
int rc = 0;
@@ -1531,13 +1545,11 @@
goto exit;
}
- for (i=0; i < pdb->p_types.nprim; i++) {
- type = pdb->type_val_to_struct[i];
- if (type->flavor == TYPE_TYPE && (type->flags & TYPE_FLAGS_PERMISSIVE)) {
- rc = strs_add(strs, pdb->p_type_val_to_name[i]);
- if (rc != 0) {
- goto exit;
- }
+ ebitmap_for_each_bit(&pdb->permissive_map, node, i) {
+ if (!ebitmap_get_bit(&pdb->permissive_map, i)) continue;
+ rc = strs_add(strs, pdb->p_type_val_to_name[i-1]);
+ if (rc != 0) {
+ goto exit;
}
}
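Review bot: The bit index i taken from permissive_map is used directly as `p_type_val_to_name[i-1]` without checking it against pdb->p_types.nprim; permissive_map is read from the binary policy, so a bit set beyond the type count (or bit 0, which makes i-1 wrap) indexes past the name table, a check the old flavor-based loop did not need. Reject such bits before the strs_add, e.g. `if (i == 0 || i > pdb->p_types.nprim) { sepol_log_err("Invalid permissive type value %u", i); rc = -1; goto exit; }`. The identical loop in write_type_permissive_rules_to_conf in kernel_to_conf.c needs the same check. The function's header is in the previous hunk and its body continues after this one.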
@@ -1602,8 +1614,8 @@
if (xperms->specified & AVTAB_XPERMS_IOCTLFUNCTION) {
value = xperms->driver<<8 | bit;
- low_value = xperms->driver<<8 | low_bit;
if (in_range) {
+ low_value = xperms->driver<<8 | low_bit;
len = snprintf(p, remaining, " (range 0x%hx 0x%hx)", low_value, value);
in_range = 0;
} else {
@@ -1611,8 +1623,8 @@
}
} else if (xperms->specified & AVTAB_XPERMS_IOCTLDRIVER) {
value = bit << 8;
- low_value = low_bit << 8;
if (in_range) {
+ low_value = low_bit << 8;
len = snprintf(p, remaining, " (range 0x%hx 0x%hx)", low_value, (uint16_t) (value|0xff));
in_range = 0;
} else {
@@ -2019,6 +2031,8 @@
return 0;
exit:
+ strs_free_all(strs);
+ strs_destroy(&strs);
return rc;
}
@@ -2479,11 +2493,12 @@
return ctx;
}
-static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str)
+static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
{
struct ocontext *isid;
struct strs *strs;
- const char *sid;
+ char *sid;
+ char unknown[18];
char *ctx, *rule;
unsigned i;
int rc = -1;
@@ -2495,7 +2510,13 @@
for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
i = isid->sid[0];
- sid = sid_to_str[i];
+ if (i < num_sids) {
+ sid = (char *)sid_to_str[i];
+ } else {
+ snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
+ sid = unknown;
+ }
+
ctx = context_to_str(pdb, &isid->context[0]);
if (!ctx) {
rc = -1;
@@ -2531,7 +2552,8 @@
static int write_selinux_isid_rules_to_cil(FILE *out, struct policydb *pdb)
{
- return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str);
+ return write_sid_context_rules_to_cil(out, pdb, selinux_sid_to_str,
+ SELINUX_SID_SZ);
}
static int write_selinux_fsuse_rules_to_cil(FILE *out, struct policydb *pdb)
@@ -2884,7 +2906,7 @@
static int write_xen_isid_rules_to_cil(FILE *out, struct policydb *pdb)
{
- return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str);
+ return write_sid_context_rules_to_cil(out, pdb, xen_sid_to_str, XEN_SID_SZ);
}
static int write_xen_pirq_rules_to_cil(FILE *out, struct policydb *pdb)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/kernel_to_common.c new/libsepol-2.9/src/kernel_to_common.c
--- old/libsepol-2.8/src/kernel_to_common.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/src/kernel_to_common.c 2019-03-15 11:32:30.000000000 +0100
@@ -80,10 +80,13 @@
goto exit;
}
+ va_end(vargs2);
+
return str;
exit:
free(str);
+ va_end(vargs2);
return NULL;
}
@@ -397,27 +400,27 @@
return str;
}
-int stack_init(struct strs **stack)
+int strs_stack_init(struct strs **stack)
{
return strs_init(stack, STACK_SIZE);
}
-void stack_destroy(struct strs **stack)
+void strs_stack_destroy(struct strs **stack)
{
return strs_destroy(stack);
}
-int stack_push(struct strs *stack, char *s)
+int strs_stack_push(struct strs *stack, char *s)
{
return strs_add(stack, s);
}
-char *stack_pop(struct strs *stack)
+char *strs_stack_pop(struct strs *stack)
{
return strs_remove_last(stack);
}
-int stack_empty(struct strs *stack)
+int strs_stack_empty(struct strs *stack)
{
return strs_num_items(stack) == 0;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/kernel_to_common.h new/libsepol-2.9/src/kernel_to_common.h
--- old/libsepol-2.8/src/kernel_to_common.h 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/src/kernel_to_common.h 2019-03-15 11:32:30.000000000 +0100
@@ -43,6 +43,8 @@
"devnull",
};
+#define SELINUX_SID_SZ (sizeof(selinux_sid_to_str)/sizeof(selinux_sid_to_str[0]))
+
static const char * const xen_sid_to_str[] = {
"null",
"xen",
@@ -55,8 +57,12 @@
"iomem",
"irq",
"device",
+ "domU",
+ "domDM",
};
+#define XEN_SID_SZ (sizeof(xen_sid_to_str)/sizeof(xen_sid_to_str[0]))
+
static const uint32_t avtab_flavors[] = {
AVTAB_ALLOWED,
AVTAB_AUDITALLOW,
@@ -105,10 +111,10 @@
int ebitmap_to_strs(struct ebitmap *map, struct strs *strs, char **val_to_name);
char *ebitmap_to_str(struct ebitmap *map, char **val_to_name, int sort);
-int stack_init(struct strs **stack);
-void stack_destroy(struct strs **stack);
-int stack_push(struct strs *stack, char *s);
-char *stack_pop(struct strs *stack);
-int stack_empty(struct strs *stack);
+int strs_stack_init(struct strs **stack);
+void strs_stack_destroy(struct strs **stack);
+int strs_stack_push(struct strs *stack, char *s);
+char *strs_stack_pop(struct strs *stack);
+int strs_stack_empty(struct strs *stack);
int sort_ocontexts(struct policydb *pdb);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/kernel_to_conf.c new/libsepol-2.9/src/kernel_to_conf.c
--- old/libsepol-2.8/src/kernel_to_conf.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/src/kernel_to_conf.c 2019-03-15 11:32:30.000000000 +0100
@@ -35,7 +35,7 @@
char *str = NULL;
int rc;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -63,13 +63,13 @@
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid conditional expression");
free(val2);
@@ -87,29 +87,29 @@
sepol_log_err("Invalid conditional expression");
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid conditional expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
@@ -125,7 +125,7 @@
*use_mls = 0;
- rc = stack_init(&stack);
+ rc = strs_stack_init(&stack);
if (rc != 0) {
goto exit;
}
@@ -204,13 +204,13 @@
}
if (num_params == 2) {
- val2 = stack_pop(stack);
+ val2 = strs_stack_pop(stack);
if (!val2) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
}
- val1 = stack_pop(stack);
+ val1 = strs_stack_pop(stack);
if (!val1) {
sepol_log_err("Invalid constraint expression");
goto exit;
@@ -227,30 +227,30 @@
if (!new_val) {
goto exit;
}
- rc = stack_push(stack, new_val);
+ rc = strs_stack_push(stack, new_val);
if (rc != 0) {
sepol_log_err("Out of memory");
goto exit;
}
}
- new_val = stack_pop(stack);
- if (!new_val || !stack_empty(stack)) {
+ new_val = strs_stack_pop(stack);
+ if (!new_val || !strs_stack_empty(stack)) {
sepol_log_err("Invalid constraint expression");
goto exit;
}
str = new_val;
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return str;
exit:
- while ((new_val = stack_pop(stack)) != NULL) {
+ while ((new_val = strs_stack_pop(stack)) != NULL) {
free(new_val);
}
- stack_destroy(&stack);
+ strs_stack_destroy(&stack);
return NULL;
}
@@ -428,22 +428,30 @@
return 0;
}
-static int write_sids_to_conf(FILE *out, const char *const *sid_to_str, struct ocontext *isids)
+static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
+ unsigned num_sids, struct ocontext *isids)
{
struct ocontext *isid;
struct strs *strs;
char *sid;
+ char unknown[18];
unsigned i;
int rc;
- rc = strs_init(&strs, SECINITSID_NUM+1);
+ rc = strs_init(&strs, num_sids+1);
if (rc != 0) {
goto exit;
}
for (isid = isids; isid != NULL; isid = isid->next) {
i = isid->sid[0];
- rc = strs_add_at_index(strs, (char *)sid_to_str[i], i);
+ if (i < num_sids) {
+ sid = (char *)sid_to_str[i];
+ } else {
+ snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
+ sid = strdup(unknown);
+ }
+ rc = strs_add_at_index(strs, sid, i);
if (rc != 0) {
goto exit;
}
@@ -458,6 +466,10 @@
}
exit:
+ for (i=num_sids; itarget_platform == SEPOL_TARGET_SELINUX) {
- rc = write_sids_to_conf(out, selinux_sid_to_str, pdb->ocontexts[0]);
+ rc = write_sids_to_conf(out, selinux_sid_to_str, SELINUX_SID_SZ,
+ pdb->ocontexts[0]);
} else if (pdb->target_platform == SEPOL_TARGET_XEN) {
- rc = write_sids_to_conf(out, xen_sid_to_str, pdb->ocontexts[0]);
+ rc = write_sids_to_conf(out, xen_sid_to_str, XEN_SID_SZ,
+ pdb->ocontexts[0]);
} else {
sepol_log_err("Unknown target platform: %i", pdb->target_platform);
rc = -1;
@@ -1565,9 +1579,9 @@
static int write_type_permissive_rules_to_conf(FILE *out, struct policydb *pdb)
{
- type_datum_t *type;
struct strs *strs;
char *name;
+ struct ebitmap_node *node;
unsigned i, num;
int rc = 0;
@@ -1576,13 +1590,11 @@
goto exit;
}
- for (i=0; i < pdb->p_types.nprim; i++) {
- type = pdb->type_val_to_struct[i];
- if (type->flavor == TYPE_TYPE && (type->flags & TYPE_FLAGS_PERMISSIVE)) {
- rc = strs_add(strs, pdb->p_type_val_to_name[i]);
- if (rc != 0) {
- goto exit;
- }
+ ebitmap_for_each_bit(&pdb->permissive_map, node, i) {
+ if (!ebitmap_get_bit(&pdb->permissive_map, i)) continue;
+ rc = strs_add(strs, pdb->p_type_val_to_name[i-1]);
+ if (rc != 0) {
+ goto exit;
}
}
@@ -1987,6 +1999,8 @@
return 0;
exit:
+ strs_free_all(strs);
+ strs_destroy(&strs);
return rc;
}
@@ -2339,11 +2353,12 @@
return ctx;
}
-static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str)
+static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, const char *const *sid_to_str, unsigned num_sids)
{
struct ocontext *isid;
struct strs *strs;
- const char *sid;
+ char *sid;
+ char unknown[18];
char *ctx, *rule;
unsigned i;
int rc;
@@ -2355,7 +2370,13 @@
for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
i = isid->sid[0];
- sid = sid_to_str[i];
+ if (i < num_sids) {
+ sid = (char *)sid_to_str[i];
+ } else {
+ snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
+ sid = unknown;
+ }
+
ctx = context_to_str(pdb, &isid->context[0]);
if (!ctx) {
rc = -1;
@@ -2391,7 +2412,8 @@
static int write_selinux_isid_rules_to_conf(FILE *out, struct policydb *pdb)
{
- return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str);
+ return write_sid_context_rules_to_conf(out, pdb, selinux_sid_to_str,
+ SELINUX_SID_SZ);
}
static int write_selinux_fsuse_rules_to_conf(FILE *out, struct policydb *pdb)
@@ -2745,7 +2767,7 @@
static int write_xen_isid_rules_to_conf(FILE *out, struct policydb *pdb)
{
- return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str);
+ return write_sid_context_rules_to_conf(out, pdb, xen_sid_to_str, XEN_SID_SZ);
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/module_to_cil.c new/libsepol-2.9/src/module_to_cil.c
--- old/libsepol-2.8/src/module_to_cil.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/src/module_to_cil.c 2019-03-15 11:32:30.000000000 +0100
@@ -52,6 +52,7 @@
#include
#include
+#include "kernel_to_common.h"
#include "private.h"
#ifdef __GNUC__
@@ -298,6 +299,8 @@
role_node->role = role;
rc = list_prepend((struct list *)args, role_node);
+ if (rc != 0)
+ free(role_node);
return rc;
}
@@ -344,6 +347,11 @@
goto exit;
}
}
+ /* As typealias_lists[scope_id] does not hold the
+ * ownership of its items (typealias_list_destroy does
+ * not free the list items), "key" does not need to be
+ * strdup'ed before it is inserted in the list.
+ */
list_prepend(typealias_lists[scope_id], key);
}
}
@@ -647,8 +655,8 @@
if (xperms->specified & AVTAB_XPERMS_IOCTLFUNCTION) {
value = xperms->driver<<8 | bit;
- low_value = xperms->driver<<8 | low_bit;
if (in_range) {
+ low_value = xperms->driver<<8 | low_bit;
cil_printf("(range 0x%hx 0x%hx)", low_value, value);
in_range = 0;
} else {
@@ -656,8 +664,8 @@
}
} else if (xperms->specified & AVTAB_XPERMS_IOCTLDRIVER) {
value = bit << 8;
- low_value = low_bit << 8;
if (in_range) {
+ low_value = low_bit << 8;
cil_printf("(range 0x%hx 0x%hx)", low_value, (uint16_t) (value|0xff));
in_range = 0;
} else {
@@ -1002,6 +1010,12 @@
}
}
+ if (!num) {
+ *names = NULL;
+ *num_names = 0;
+ goto exit;
+ }
+
name_arr = malloc(sizeof(*name_arr) * num);
if (name_arr == NULL) {
log_err("Out of memory");
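Review bot: The new early exit for an empty bitmap jumps to `exit` without setting rc, and rc's value at that point is not visible in the hunk; if it still holds the function's initial error value, an empty set is reported to callers as a failure even though *names and *num_names were set correctly. If that is the case, add `rc = 0;` before the `goto exit;`. The enclosing function starts and ends outside the hunk.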
@@ -1092,7 +1106,6 @@
goto exit;
}
- curr = role_list->head;
for (curr = role_list->head; curr != NULL; curr = curr->next) {
role_node = curr->data;
if (!is_id_in_ancestor_scope(pdb, decl_stack, role_node->role_name, SYM_ROLES)) {
@@ -1284,7 +1297,6 @@
rc = -1;
goto exit;
}
- num_params = 0;
} else {
switch(curr->expr_type) {
case COND_NOT: op = "not"; break;
@@ -1824,8 +1836,6 @@
free(names);
names = NULL;
}
-
- num_params = 0;
} else {
switch (expr->expr_type) {
case CEXPR_NOT: op = "not"; break;
@@ -2537,23 +2547,34 @@
return 0;
}
-static int ocontext_isid_to_cil(struct policydb *pdb, const char **sid_to_string, struct ocontext *isids)
+static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_string,
+ unsigned num_sids, struct ocontext *isids)
{
int rc = -1;
struct ocontext *isid;
struct sid_item {
- const char *sid_key;
+ char *sid_key;
struct sid_item *next;
};
struct sid_item *head = NULL;
struct sid_item *item = NULL;
+ char *sid;
+ char unknown[18];
+ unsigned i;
for (isid = isids; isid != NULL; isid = isid->next) {
- cil_println(0, "(sid %s)", sid_to_string[isid->sid[0]]);
- cil_printf("(sidcontext %s ", sid_to_string[isid->sid[0]]);
+ i = isid->sid[0];
+ if (i < num_sids) {
+ sid = (char*)sid_to_string[i];
+ } else {
+ snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
+ sid = unknown;
+ }
+ cil_println(0, "(sid %s)", sid);
+ cil_printf("(sidcontext %s ", sid);
context_to_cil(pdb, &isid->context[0]);
cil_printf(")\n");
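Review bot: `sid = (char*)sid_to_string[i];` casts away the const that the new `const char *const *sid_to_string` parameter just introduced; `sid` is only passed to cil_println, cil_printf and (in the next hunk) strdup, none of which need a writable pointer, so declare it `const char *sid;` and drop the cast. The fixed-size buffer is sized correctly (`"UNKNOWN"` plus up to ten decimal digits of a 32-bit unsigned plus NUL is 18), but the literal 18 is repeated in the snprintf call; use `snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);` so the two cannot drift apart. ocontext_isid_to_cil continues past the end of this hunk.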
@@ -2565,7 +2586,7 @@
rc = -1;
goto exit;
}
- item->sid_key = sid_to_string[isid->sid[0]];
+ item->sid_key = strdup(sid);
item->next = head;
head = item;
}
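Review bot: `item->sid_key = strdup(sid);` replaces a plain pointer copy with an allocation but its result is not checked, so on allocation failure the node is linked into `head` with a NULL `sid_key`; sid_key is presumably read again later in the function (outside the hunk), where that NULL would be dereferenced, and the `free(item)` on the exit path already shown for the earlier allocation indicates this function does fail cleanly on OOM. Link the node into the list before copying so the existing cleanup loop frees it, then fail with the file's usual `log_err` / `rc = -1` / `goto exit` sequence; the copy is needed because `sid` may point at the stack buffer `unknown`.
```c
item->next = head;
head = item;
/* copy: sid may point at the stack buffer "unknown" from the loop above */
item->sid_key = strdup(sid);
if (item->sid_key == NULL) {
	log_err("Out of memory");
	rc = -1;
	goto exit;
}
```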
@@ -2584,6 +2605,7 @@
while(head) {
item = head;
head = item->next;
+ free(item->sid_key);
free(item);
}
return rc;
@@ -2593,41 +2615,7 @@
{
int rc = -1;
- // initial sid names aren't actually stored in the pp files, need to a have
- // a mapping, taken from the linux kernel
- static const char *selinux_sid_to_string[] = {
- "null",
- "kernel",
- "security",
- "unlabeled",
- "fs",
- "file",
- "file_labels",
- "init",
- "any_socket",
- "port",
- "netif",
- "netmsg",
- "node",
- "igmp_packet",
- "icmp_socket",
- "tcp_socket",
- "sysctl_modprobe",
- "sysctl",
- "sysctl_fs",
- "sysctl_kernel",
- "sysctl_net",
- "sysctl_net_unix",
- "sysctl_vm",
- "sysctl_dev",
- "kmod",
- "policy",
- "scmp_packet",
- "devnull",
- NULL
- };
-
- rc = ocontext_isid_to_cil(pdb, selinux_sid_to_string, isids);
+ rc = ocontext_isid_to_cil(pdb, selinux_sid_to_str, SELINUX_SID_SZ, isids);
if (rc != 0) {
goto exit;
}
@@ -2856,24 +2844,7 @@
{
int rc = -1;
- // initial sid names aren't actually stored in the pp files, need to a have
- // a mapping, taken from the xen kernel
- static const char *xen_sid_to_string[] = {
- "null",
- "xen",
- "dom0",
- "domio",
- "domxen",
- "unlabeled",
- "security",
- "ioport",
- "iomem",
- "irq",
- "device",
- NULL,
- };
-
- rc = ocontext_isid_to_cil(pdb, xen_sid_to_string, isids);
+ rc = ocontext_isid_to_cil(pdb, xen_sid_to_str, XEN_SID_SZ, isids);
if (rc != 0) {
goto exit;
}
@@ -4223,7 +4194,6 @@
int sepol_ppfile_to_module_package(FILE *fp, struct sepol_module_package **mod_pkg)
{
int rc = -1;
- FILE *f = NULL;
struct sepol_policy_file *pf = NULL;
struct sepol_module_package *pkg = NULL;
char *data = NULL;
@@ -4275,9 +4245,6 @@
free(data);
sepol_policy_file_free(pf);
- if (f != NULL) {
- fclose(f);
- }
if (rc != 0) {
sepol_module_package_free(pkg);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/node_record.c new/libsepol-2.9/src/node_record.c
--- old/libsepol-2.8/src/node_record.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/src/node_record.c 2019-03-15 11:32:30.000000000 +0100
@@ -83,7 +83,7 @@
}
/* Allocates a sufficiently large buffer (addr, addr_sz)
- * according the the protocol */
+ * according to the protocol */
static int node_alloc_addr(sepol_handle_t * handle,
int proto, char **addr, size_t * addr_sz)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/policydb.c new/libsepol-2.9/src/policydb.c
--- old/libsepol-2.8/src/policydb.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/src/policydb.c 2019-03-15 11:32:30.000000000 +0100
@@ -51,6 +51,7 @@
#include
#include
+#include "kernel_to_common.h"
#include "private.h"
#include "debug.h"
#include "mls.h"
@@ -2827,22 +2828,35 @@
(&c->context[1], p, fp))
return -1;
break;
- case OCON_IBPKEY:
+ case OCON_IBPKEY: {
+ uint32_t pkey_lo, pkey_hi;
+
rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
- if (rc < 0 || buf[2] > 0xffff || buf[3] > 0xffff)
+ if (rc < 0)
return -1;
+ pkey_lo = le32_to_cpu(buf[2]);
+ pkey_hi = le32_to_cpu(buf[3]);
+
+ if (pkey_lo > UINT16_MAX || pkey_hi > UINT16_MAX)
+ return -1;
+
+ c->u.ibpkey.low_pkey = pkey_lo;
+ c->u.ibpkey.high_pkey = pkey_hi;
+
+ /* we want c->u.ibpkey.subnet_prefix in network
+ * (big-endian) order, just memcpy it */
memcpy(&c->u.ibpkey.subnet_prefix, buf,
sizeof(c->u.ibpkey.subnet_prefix));
- c->u.ibpkey.low_pkey = le32_to_cpu(buf[2]);
- c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]);
-
if (context_read_and_validate
(&c->context[0], p, fp))
return -1;
break;
- case OCON_IBENDPORT:
+ }
+ case OCON_IBENDPORT: {
+ uint32_t port;
+
rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
if (rc < 0)
return -1;
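Review bot: In the OCON_IBPKEY block the two pkey bounds are each checked against UINT16_MAX after the endianness conversion (the fix the commit makes), but their ordering is not: a policy with `low_pkey > high_pkey` is accepted here, and nothing in this hunk shows a later check. If no consumer of `c->u.ibpkey` rejects inverted ranges, add `if (pkey_lo > pkey_hi) return -1;` directly after the existing bound check, so that an untrusted policy file cannot produce a range that matches nothing or everything depending on how it is later compared. The new braces around the `case` bodies are correct but the switch and its enclosing function start and end outside the hunk.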
@@ -2850,6 +2864,10 @@
if (len == 0 || len > IB_DEVICE_NAME_MAX - 1)
return -1;
+ port = le32_to_cpu(buf[1]);
+ if (port > UINT8_MAX || port == 0)
+ return -1;
+
c->u.ibendport.dev_name = malloc(len + 1);
if (!c->u.ibendport.dev_name)
return -1;
@@ -2857,11 +2875,12 @@
if (rc < 0)
return -1;
c->u.ibendport.dev_name[len] = 0;
- c->u.ibendport.port = le32_to_cpu(buf[1]);
+ c->u.ibendport.port = port;
if (context_read_and_validate
(&c->context[0], p, fp))
return -1;
break;
+ }
case OCON_PORT:
rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
if (rc < 0)
@@ -4301,3 +4320,7 @@
return 0;
}
+int policydb_sort_ocontexts(policydb_t *p)
+{
+ return sort_ocontexts(p);
+}
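Review bot: The new non-static `policydb_sort_ocontexts` has no comment stating its contract, and since it is the only public entry to `sort_ocontexts()` (which is not visible here; presumably it comes from the `kernel_to_common.h` include added earlier in this file), a reader of policydb.c cannot tell what it sorts or what it returns. Add a short comment above it such as `/* Sort every ocontext list of the policy in place; public wrapper around sort_ocontexts(), whose return value is passed through unchanged. */`, adjusting the return description once it is confirmed against sort_ocontexts.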
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/src/util.c new/libsepol-2.9/src/util.c
--- old/libsepol-2.8/src/util.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/src/util.c 2019-03-15 11:32:30.000000000 +0100
@@ -159,16 +159,16 @@
if (xperms->specified & AVTAB_XPERMS_IOCTLFUNCTION) {
value = xperms->driver<<8 | bit;
- low_value = xperms->driver<<8 | low_bit;
if (in_range) {
+ low_value = xperms->driver<<8 | low_bit;
len = snprintf(p, sizeof(xpermsbuf) - xpermslen, "0x%hx-0x%hx ", low_value, value);
} else {
len = snprintf(p, sizeof(xpermsbuf) - xpermslen, "0x%hx ", value);
}
} else if (xperms->specified & AVTAB_XPERMS_IOCTLDRIVER) {
value = bit << 8;
- low_value = low_bit << 8;
if (in_range) {
+ low_value = low_bit << 8;
len = snprintf(p, sizeof(xpermsbuf) - xpermslen, "0x%hx-0x%hx ", low_value, (uint16_t) (value|0xff));
} else {
len = snprintf(p, sizeof(xpermsbuf) - xpermslen, "0x%hx-0x%hx ", value, (uint16_t) (value|0xff));
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libsepol-2.8/tests/test-downgrade.c new/libsepol-2.9/tests/test-downgrade.c
--- old/libsepol-2.8/tests/test-downgrade.c 2018-05-24 20:21:09.000000000 +0200
+++ new/libsepol-2.9/tests/test-downgrade.c 2019-03-15 11:32:30.000000000 +0100
@@ -210,7 +210,6 @@
if ((in_fp = fopen(path, "rb")) == NULL) {
fprintf(stderr, "Unable to open %s: %s\n", path,
strerror(errno));
- sepol_handle_destroy(f.handle);
return -1;
}
@@ -220,7 +219,6 @@
f.fp = in_fp;
rc = policydb_read(p, &f, 0);
- sepol_handle_destroy(f.handle);
fclose(in_fp);
return rc;
}
@@ -256,7 +254,7 @@
if ((out_fp = fopen(path, "w" )) == NULL) {
fprintf(stderr, "Unable to open %s: %s\n", path,
strerror(errno));
- sepol_handle_destroy(f.handle);
+ sepol_handle_destroy(handle);
return -1;
}