Re: [PATCH 1/2] checkpolicy: Do not automatically upgrade when using "-b" flag

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Mar 11, 2021 at 4:41 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> When reading a binary policy, do not automatically change the version
> to the max policy version supported by libsepol or, if specified, the
> value given using the "-c" flag.
>
> If the binary policy version is less than or equal to version 23
> (POLICYDB_VERSION_PERMISSIVE) than do not automatically upgrade the
> policy and if a policy version is specified by the "-c" flag, only set
> the binary policy to the specified version if it is lower than the
> current version.
>
> If the binary policy version is greater than version 23 than it should
> be set to the maximum version supported by libsepol or, if specified,
> the value given by the "-c" flag.
>
> The reason for this change is that policy versions 20
> (POLICYDB_VERSION_AVTAB) to 23 have a more primitive support for type
> attributes where the datums are not written out, but they exist in the
> type_attr_map. This means that when the binary policy is read by
> libsepol, there will be gaps in the type_val_to_struct and
> p_type_val_to_name arrays and policy rules can refer to those gaps.
> Certain libsepol functions like sepol_kernel_policydb_to_conf() and
> sepol_kernel_policydb_to_cil() do not support this behavior and need
> to be able to identify these policies. Policies before version 20 do not
> support attributes at all and can be handled by all libsepol functions.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> ---
>  checkpolicy/checkpolicy.c | 16 +++++++++++++---
>  1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
> index 5841c5c4..e7b225b8 100644
> --- a/checkpolicy/checkpolicy.c
> +++ b/checkpolicy/checkpolicy.c
> @@ -106,7 +106,7 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN;
>  static const char *txtfile = "policy.conf";
>  static const char *binfile = "policy";
>
> -unsigned int policyvers = POLICYDB_VERSION_MAX;
> +unsigned int policyvers = 0;

Hi,
This change breaks "make test" when testing secilc. This is because
secilc/Makefile uses "checkpolicy -V" to compute a policy version:

POL_VERS = $(shell $(CHECKPOLICY) -V | cut -f 1 -d ' ')

Before your patch:

$ checkpolicy -V
33 (compatibility range 33-15)

After:

$ checkpolicy -V
0 (compatibility range 33-15)

.. which makes secilc/Makefile try using "secilc -c 0 ...", which does not work.

Should "policyvers ? policyvers : POLICYDB_VERSION_MAX" also be used
when "checkpolicy -V" displays version information?

Thanks,
Nicolas

>
>  static __attribute__((__noreturn__)) void usage(const char *progname)
>  {
> @@ -588,6 +588,16 @@ int main(int argc, char **argv)
>                                 exit(1);
>                         }
>                 }
> +
> +               if (policydbp->policyvers <= POLICYDB_VERSION_PERMISSIVE) {
> +                       if (policyvers > policydbp->policyvers) {
> +                               fprintf(stderr, "Binary policies with version <= %u cannot be upgraded\n", POLICYDB_VERSION_PERMISSIVE);
> +                       } else if (policyvers) {
> +                               policydbp->policyvers = policyvers;
> +                       }
> +               } else {
> +                       policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
> +               }
>         } else {
>                 if (conf) {
>                         fprintf(stderr, "Can only generate policy.conf from binary policy\n");
> @@ -629,6 +639,8 @@ int main(int argc, char **argv)
>                         policydb_destroy(policydbp);
>                         policydbp = &policydb;
>                 }
> +
> +               policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
>         }
>
>         if (policydb_load_isids(&policydb, &sidtab))
> @@ -654,8 +666,6 @@ int main(int argc, char **argv)
>                         }
>                 }
>
> -               policydb.policyvers = policyvers;
> -
>                 if (!cil) {
>                         if (!conf) {
>                                 policydb.policy_type = POLICY_KERN;
> --
> 2.26.2
>




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux