Re: [PATCH] libsepol: Populate and use policy name

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 31 Jan 2022 at 02:04, Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
>
> When an assertion fails, the error message refers to a generic
> "policy.conf" file. When parsing a policy in checkpolicy, populate its
> name using the original filename (source_filename is still build using
> the #line directives within the policy).
>
> Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
> ---
>  checkpolicy/parse_util.c |  1 +
>  libsepol/src/assertion.c | 20 ++++++++++++++------
>  libsepol/src/expand.c    |  3 +++
>  3 files changed, 18 insertions(+), 6 deletions(-)
>
> diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c
> index 8c1f393c..f2d1e04d 100644
> --- a/checkpolicy/parse_util.c
> +++ b/checkpolicy/parse_util.c
> @@ -47,6 +47,7 @@ int read_source_policy(policydb_t * p, const char *file, const char *progname)
>         }
>
>         policydbp = p;
> +       policydbp->name = strdup(file);
>         mlspol = p->mls;
>
>         init_parser(1);
> diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
> index dd2749a0..74f6d9c0 100644
> --- a/libsepol/src/assertion.c
> +++ b/libsepol/src/assertion.c
> @@ -36,13 +36,21 @@ struct avtab_match_args {
>         unsigned long errors;
>  };
>
> +static const char* policy_name(policydb_t *p) {
> +       const char *policy_file = "policy.conf";
> +       if (p->name) {
> +               policy_file = p->name;
> +       }
> +       return policy_file;
> +}
> +
>  static void report_failure(sepol_handle_t *handle, policydb_t *p, const avrule_t *avrule,
>                            unsigned int stype, unsigned int ttype,
>                            const class_perm_node_t *curperm, uint32_t perms)
>  {
>         if (avrule->source_filename) {
> -               ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };",
> -                   avrule->source_line, avrule->source_filename, avrule->line,
> +               ERR(handle, "neverallow on line %lu of %s (or line %lu of %s) violated by allow %s %s:%s {%s };",
> +                   avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
>                     p->p_type_val_to_name[stype],
>                     p->p_type_val_to_name[ttype],
>                     p->p_class_val_to_name[curperm->tclass - 1],
> @@ -173,9 +181,9 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
>                                 /* failure on the extended permission check_extended_permissions */
>                                 if (rc) {
>                                         extended_permissions_violated(&error, avrule->xperms, xperms);
> -                                       ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
> +                                       ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n"
>                                                         "allowxperm %s %s:%s %s;",
> -                                                       avrule->source_line, avrule->source_filename, avrule->line,
> +                                                       avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
>                                                         p->p_type_val_to_name[i],
>                                                         p->p_type_val_to_name[j],
>                                                         p->p_class_val_to_name[curperm->tclass - 1],
> @@ -190,9 +198,9 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
>
>         /* failure on the regular permissions */
>         if (rc) {
> -               ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
> +               ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n"
>                                 "allow %s %s:%s {%s };",
> -                               avrule->source_line, avrule->source_filename, avrule->line,
> +                               avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
>                                 p->p_type_val_to_name[stype],
>                                 p->p_type_val_to_name[ttype],
>                                 p->p_class_val_to_name[curperm->tclass - 1],
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index 8667f2ed..7da51a40 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -2970,6 +2970,9 @@ int expand_module(sepol_handle_t * handle,
>
>         state.out->policy_type = POLICY_KERN;
>         state.out->policyvers = POLICYDB_VERSION_MAX;
> +       if (state.base->name) {
> +               state.out->name = strdup(state.base->name);
> +       }
>
>         /* Copy mls state from base to out */
>         out->mls = base->mls;
> --
> 2.35.0.rc2.247.g8bbb082509-goog
>

This seems to create a leak:

==17394==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 20 byte(s) in 1 object(s) allocated from:
    #0 0x5c179628aab3 in strdup (./checkpolicy/checkmodule+0x13dab3)
    #1 0x5c17962eeab1 in read_source_policy ./checkpolicy/parse_util.c:53:20
    #2 0x5c1796309a4f in main ./checkpolicy/checkmodule.c:279:7
    #3 0x7fba24eae1c9 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: 20 byte(s) leaked in 1 allocation(s).

fixed by

diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index fcbc0eb8..ba80894a 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -99,6 +99,7 @@ int define_policy(int pass, int module_header_given)
                               yyerror("no module name");
                               return -1;
                       }
+                       free(policydbp->name);
                       policydbp->name = id;
                       if ((policydbp->version =
                            queue_remove(id_queue)) == NULL) {




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux