On Mon, Mar 15, 2021 at 4:10 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> When reading a binary policy, do not automatically change the version
> to the max policy version supported by libsepol or, if specified, the
> value given using the "-c" flag.
>
> If the binary policy version is less than or equal to version 23
> (POLICYDB_VERSION_PERMISSIVE) then do not automatically upgrade the
> policy and, if a policy version is specified by the "-c" flag, only set
> the binary policy to the specified version if it is lower than the
> current version.
>
> If the binary policy version is greater than version 23 then it should
> be set to the maximum version supported by libsepol or, if specified,
> the value given by the "-c" flag.
>
> The reason for this change is that policy versions 20
> (POLICYDB_VERSION_AVTAB) to 23 have more primitive support for type
> attributes where the datums are not written out, but they exist in the
> type_attr_map. This means that when the binary policy is read by
> libsepol, there will be gaps in the type_val_to_struct and
> p_type_val_to_name arrays and policy rules can refer to those gaps.
> Certain libsepol functions like sepol_kernel_policydb_to_conf() and
> sepol_kernel_policydb_to_cil() do not support this behavior and need
> to be able to identify these policies. Policies before version 20 do not
> support attributes at all and can be handled by all libsepol functions.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> v2 - Give the proper value when printing the compatibility range

For both patches:
Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>

Thanks!
Nicolas

> checkpolicy/checkpolicy.c | 19 +++++++++++++++----
> 1 file changed, 15 insertions(+), 4 deletions(-)
>
> diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
> index 5841c5c4..acf1eac4 100644
> --- a/checkpolicy/checkpolicy.c
> +++ b/checkpolicy/checkpolicy.c
> @@ -106,7 +106,7 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN; > static const char *txtfile = "policy.conf"; > static const char *binfile = "policy"; > > -unsigned int policyvers = POLICYDB_VERSION_MAX; > +unsigned int policyvers = 0; > > static __attribute__((__noreturn__)) void usage(const char *progname) > { > @@ -515,7 +515,8 @@ int main(int argc, char **argv) > } > > if (show_version) { > - printf("%d (compatibility range %d-%d)\n", policyvers, > + printf("%d (compatibility range %d-%d)\n", > + policyvers ? policyvers : POLICYDB_VERSION_MAX , > POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN); > exit(0); > } > @@ -588,6 +589,16 @@ int main(int argc, char **argv) > exit(1); > } > } > + > + if (policydbp->policyvers <= POLICYDB_VERSION_PERMISSIVE) { > + if (policyvers > policydbp->policyvers) { > + fprintf(stderr, "Binary policies with version <= %u cannot be upgraded\n", POLICYDB_VERSION_PERMISSIVE); > + } else if (policyvers) { > + policydbp->policyvers = policyvers; > + } > + } else { > + policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; > + } > } else { > if (conf) { > fprintf(stderr, "Can only generate policy.conf from binary policy\n"); > @@ -629,6 +640,8 @@ int main(int argc, char **argv) > policydb_destroy(policydbp); > policydbp = &policydb; > } > + > + policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; > } > > if (policydb_load_isids(&policydb, &sidtab)) > @@ -654,8 +667,6 @@ int main(int argc, char **argv) > } > } > > - policydb.policyvers = policyvers; > - > if (!cil) { > if (!conf) { > policydb.policy_type = POLICY_KERN; > -- > 2.26.2 >
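Review bot: in the first hunk (@@ -106), `policyvers = 0` turns 0 into a "not given on the command line" sentinel, and the three later sites in this patch each spell out `policyvers ? policyvers : POLICYDB_VERSION_MAX` by hand; a comment at the declaration stating that 0 means "unspecified", or a small helper returning the effective version, would make that intent explicit and keep the three sites from drifting apart.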
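Review bot: in the show_version hunk (@@ -515) there is a stray space before the comma in `POLICYDB_VERSION_MAX ,`; drop it. Unrelated to this change, but since the line is being touched: the "compatibility range %d-%d" arguments are MAX then MIN, so the range prints high-to-low.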
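Review bot: in the binary-policy hunk (@@ -588), the `Binary policies with version <= %u cannot be upgraded` branch prints to stderr but neither exits nor clears the request, so an explicit `-c` above the binary's version is silently ignored and the run otherwise succeeds; either `exit(1)` as the error path just above this hunk does, or word the message as a warning and say which version is actually being kept. In the same hunk, the `else` branch accepts any non-zero `policyvers` for a binary newer than 23, including a `-c` value of 23 or lower; that would produce exactly the kind of policy the commit message says sepol_kernel_policydb_to_conf()/_to_cil() cannot handle, so please confirm that downgrade is intended or reject it here too.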
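Review bot: in the source-policy hunk (@@ -629), the new `policydbp->policyvers = ...` sits after the closing brace of the block that ends with `policydbp = &policydb;`, whereas the assignment removed in the final hunk wrote `policydb.policyvers` directly and unconditionally; if that preceding block is conditional, `policydbp` may still point at the parse policy on some path and `policydb.policyvers` would then never be set. Worth confirming that every path reaching this line has `policydbp == &policydb`, or assigning to `policydb.policyvers` as before.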
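The version-selection rule the commit message describes (keep or downgrade a version-23-or-older binary, never upgrade it; otherwise use the -c value or the libsepol maximum) is small enough to model stand-alone. The block below is an added example written for this page, not code from checkpolicy or libsepol: the function names are hypothetical, 0 stands for "-c not given" exactly as in the patch, and the POLICYDB_VERSION_MIN/MAX values are assumed so that it builds without libsepol headers (20 and 23 are the values quoted in the message). It also flags the edge case the patch's else branch permits, a newer binary being written at a version in the 20..23 range.

```c
#include <stdio.h>

/* POLICYDB_VERSION_AVTAB (20) and POLICYDB_VERSION_PERMISSIVE (23) are the
 * values quoted in the commit message; MIN and MAX are assumed here so the
 * example builds without libsepol headers. */
#define POLICYDB_VERSION_AVTAB      20
#define POLICYDB_VERSION_PERMISSIVE 23
#define POLICYDB_VERSION_MIN        15 /* assumed */
#define POLICYDB_VERSION_MAX        33 /* assumed */

/* Non-zero when the binary is version <= 23 and -c asks for something
 * newer: the patch refuses that upgrade and keeps the binary's version.
 * requested == 0 means -c was not given (the patch's sentinel). */
int upgrade_refused(unsigned bin_vers, unsigned requested)
{
    return bin_vers <= POLICYDB_VERSION_PERMISSIVE && requested > bin_vers;
}

/* Version the output policy is written with, per the commit message:
 *  - binary <= 23: keep it, unless -c names a lower version (downgrade);
 *  - binary  > 23: the -c value if given, otherwise POLICYDB_VERSION_MAX.
 * Hypothetical helper; checkpolicy itself does this inline in main(). */
unsigned effective_version(unsigned bin_vers, unsigned requested)
{
    if (bin_vers <= POLICYDB_VERSION_PERMISSIVE) {
        if (upgrade_refused(bin_vers, requested) || requested == 0)
            return bin_vers;
        return requested;
    }
    return requested ? requested : POLICYDB_VERSION_MAX;
}

/* True for the range the message calls out: attributes exist only in
 * type_attr_map, so type_val_to_struct / p_type_val_to_name may have gaps. */
int has_attribute_gaps(unsigned vers)
{
    return vers >= POLICYDB_VERSION_AVTAB && vers <= POLICYDB_VERSION_PERMISSIVE;
}

int main(void)
{
    /* Constructed cases: {binary version, -c value (0 = not given)}. */
    static const unsigned cases[][2] = {
        {23, 0}, {23, 30}, {23, 21}, {19, 0}, {30, 0}, {30, 26}, {30, 22},
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned bin = cases[i][0], req = cases[i][1];
        unsigned out = effective_version(bin, req);

        printf("binary %2u, -c %2u -> write %2u%s%s\n", bin, req, out,
               upgrade_refused(bin, req) ? " (upgrade refused)" : "",
               has_attribute_gaps(out) ? " [may have attribute gaps]" : "");
    }
    return 0;
}
```

The `{30, 22}` row is the case worth noticing: a version-30 binary written at 22 lands in the range that has_attribute_gaps() flags, which is why the patch's unconditional else branch deserves a second look.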