Re: [PATCH 1/2 v2] checkpolicy: Do not automatically upgrade when using "-b" flag

On Mon, Mar 15, 2021 at 10:10 PM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
>
> On Mon, Mar 15, 2021 at 4:10 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > When reading a binary policy, do not automatically change the version
> > to the max policy version supported by libsepol or, if specified, the
> > value given using the "-c" flag.
> >
> > If the binary policy version is less than or equal to version 23
> > (POLICYDB_VERSION_PERMISSIVE) then do not automatically upgrade the
> > policy and if a policy version is specified by the "-c" flag, only set
> > the binary policy to the specified version if it is lower than the
> > current version.
> >
> > If the binary policy version is greater than version 23 then it should
> > be set to the maximum version supported by libsepol or, if specified,
> > the value given by the "-c" flag.
> >
> > The reason for this change is that policy versions 20
> > (POLICYDB_VERSION_AVTAB) to 23 have a more primitive support for type
> > attributes where the datums are not written out, but they exist in the
> > type_attr_map. This means that when the binary policy is read by
> > libsepol, there will be gaps in the type_val_to_struct and
> > p_type_val_to_name arrays and policy rules can refer to those gaps.
> > Certain libsepol functions like sepol_kernel_policydb_to_conf() and
> > sepol_kernel_policydb_to_cil() do not support this behavior and need
> > to be able to identify these policies. Policies before version 20 do not
> > support attributes at all and can be handled by all libsepol functions.
> >
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> > ---
> > v2 - Give the proper value when printing the compatibility range
>
> For both patches:
> Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>

Merged.

Thanks!
Nicolas

> >  checkpolicy/checkpolicy.c | 19 +++++++++++++++----
> >  1 file changed, 15 insertions(+), 4 deletions(-)
> >
> > diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
> > index 5841c5c4..acf1eac4 100644
> > --- a/checkpolicy/checkpolicy.c
> > +++ b/checkpolicy/checkpolicy.c
> > @@ -106,7 +106,7 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN;
> >  static const char *txtfile = "policy.conf";
> >  static const char *binfile = "policy";
> >
> > -unsigned int policyvers = POLICYDB_VERSION_MAX;
> > +unsigned int policyvers = 0;
> >
> >  static __attribute__((__noreturn__)) void usage(const char *progname)
> >  {
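Review bot: changing the initial value of `policyvers` from POLICYDB_VERSION_MAX to 0 turns it into a "not specified" sentinel, and since this global is not `static` (unlike `txtfile` and `binfile` declared beside it), any code outside main() that reads it as a real policy version would now see 0 until the assignments later in this patch run; please confirm no such reader exists, or add a one-line comment at the declaration stating that 0 means "use the loaded version or POLICYDB_VERSION_MAX".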
> > @@ -515,7 +515,8 @@ int main(int argc, char **argv)
> >         }
> >
> >         if (show_version) {
> > -               printf("%d (compatibility range %d-%d)\n", policyvers,
> > +               printf("%d (compatibility range %d-%d)\n",
> > +                          policyvers ? policyvers : POLICYDB_VERSION_MAX ,
> >                        POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
> >                 exit(0);
> >         }
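Review bot: style: the added continuation line has a stray space before the comma in `POLICYDB_VERSION_MAX ,` and is indented deeper than the `POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);` line that follows it, so the three printf arguments no longer line up; align it with the existing argument line and drop the space.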
> > @@ -588,6 +589,16 @@ int main(int argc, char **argv)
> >                                 exit(1);
> >                         }
> >                 }
> > +
> > +               if (policydbp->policyvers <= POLICYDB_VERSION_PERMISSIVE) {
> > +                       if (policyvers > policydbp->policyvers) {
> > +                               fprintf(stderr, "Binary policies with version <= %u cannot be upgraded\n", POLICYDB_VERSION_PERMISSIVE);
> > +                       } else if (policyvers) {
> > +                               policydbp->policyvers = policyvers;
> > +                       }
> > +               } else {
> > +                       policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
> > +               }
> >         } else {
> >                 if (conf) {
> >                         fprintf(stderr, "Can only generate policy.conf from binary policy\n");
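Review bot: when an old binary (version <= POLICYDB_VERSION_PERMISSIVE) is read and `-c` requests a higher version, the new branch prints "cannot be upgraded" to stderr but then falls through and continues with the loaded version, whereas the neighbouring error paths in this function `exit(1)`; if continuing is the intended behaviour, reword the message as a warning and say in the commit message that the requested version is ignored in that case, otherwise add `exit(1);` after the fprintf so a script passing `-c` cannot silently get a different version than it asked for.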
> > @@ -629,6 +640,8 @@ int main(int argc, char **argv)
> >                         policydb_destroy(policydbp);
> >                         policydbp = &policydb;
> >                 }
> > +
> > +               policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
> >         }
> >
> >         if (policydb_load_isids(&policydb, &sidtab))
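Review bot: the expression `policyvers ? policyvers : POLICYDB_VERSION_MAX` now appears three times in this patch (the `show_version` printf, the binary-policy branch and this text-policy branch); consider computing it once into a separate variable after option parsing (0 has to stay in `policyvers` itself, because the binary-policy branch relies on it meaning "not specified") so the three sites cannot drift apart in a later change.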
> > @@ -654,8 +667,6 @@ int main(int argc, char **argv)
> >                         }
> >                 }
> >
> > -               policydb.policyvers = policyvers;
> > -
> >                 if (!cil) {
> >                         if (!conf) {
> >                                 policydb.policy_type = POLICY_KERN;
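Review bot: dropping the unconditional `policydb.policyvers = policyvers;` here is what actually stops the automatic upgrade of binary policies, but nothing at this site or in the commit message says that the version is now fixed earlier, inside the binary and text branches; a sentence in the commit message ("the version is now set where the policy is loaded or parsed, so the late assignment is removed") would help anyone bisecting to this change.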
> > --
> > 2.26.2
> >