On Tue, Jul 25, 2017 at 12:14 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> Ensure that genheaders fails with an error if too many permissions
> are defined in a class to fit within an access vector. This is similar
> to a check performed by checkpolicy when compiling the policy.
>
> Also, fix the suffix on the permission constants generated by this program.
>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
> ---
> scripts/selinux/genheaders/genheaders.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
Merged, thanks.
> diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
> index 6a24569..672b069 100644
> --- a/scripts/selinux/genheaders/genheaders.c
> +++ b/scripts/selinux/genheaders/genheaders.c
> @@ -129,11 +129,16 @@ int main(int argc, char *argv[])
> for (i = 0; secclass_map[i].name; i++) {
> struct security_class_mapping *map = &secclass_map[i];
> for (j = 0; map->perms[j]; j++) {
> + if (j >= 32) {
> + fprintf(stderr, "Too many permissions to fit into an access vector at (%s, %s).\n",
> + map->name, map->perms[j]);
> + exit(5);
> + }
> fprintf(fout, "#define %s__%s", map->name,
> map->perms[j]);
> for (k = 0; k < max(1, 40 - strlen(map->name) - strlen(map->perms[j])); k++)
> fprintf(fout, " ");
> - fprintf(fout, "0x%08xUL\n", (1<<j));
> + fprintf(fout, "0x%08xU\n", (1<<j));
> }
> }
>
> --
> 2.9.4
>
--
paul moore
www.paul-moore.com
