On Mon, 31 Jan 2022 at 02:04, Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
>
> When an assertion fails, the error message refers to a generic
> "policy.conf" file. When parsing a policy in checkpolicy, populate its
> name using the original filename (source_filename is still build using
> the #line directives within the policy).
>
> Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
> ---
> checkpolicy/parse_util.c | 1 +
> libsepol/src/assertion.c | 20 ++++++++++++++------
> libsepol/src/expand.c | 3 +++
> 3 files changed, 18 insertions(+), 6 deletions(-)
>
> diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c
> index 8c1f393c..f2d1e04d 100644
> --- a/checkpolicy/parse_util.c
> +++ b/checkpolicy/parse_util.c
> @@ -47,6 +47,7 @@ int read_source_policy(policydb_t * p, const char *file, const char *progname)
> }
>
> policydbp = p;
> + policydbp->name = strdup(file);
> mlspol = p->mls;
>
> init_parser(1);
> diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
> index dd2749a0..74f6d9c0 100644
> --- a/libsepol/src/assertion.c
> +++ b/libsepol/src/assertion.c
> @@ -36,13 +36,21 @@ struct avtab_match_args {
> unsigned long errors;
> };
>
> +static const char* policy_name(policydb_t *p) {
> + const char *policy_file = "policy.conf";
> + if (p->name) {
> + policy_file = p->name;
> + }
> + return policy_file;
> +}
> +
> static void report_failure(sepol_handle_t *handle, policydb_t *p, const avrule_t *avrule,
> unsigned int stype, unsigned int ttype,
> const class_perm_node_t *curperm, uint32_t perms)
> {
> if (avrule->source_filename) {
> - ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };",
> - avrule->source_line, avrule->source_filename, avrule->line,
> + ERR(handle, "neverallow on line %lu of %s (or line %lu of %s) violated by allow %s %s:%s {%s };",
> + avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
> p->p_type_val_to_name[stype],
> p->p_type_val_to_name[ttype],
> p->p_class_val_to_name[curperm->tclass - 1],
> @@ -173,9 +181,9 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
> /* failure on the extended permission check_extended_permissions */
> if (rc) {
> extended_permissions_violated(&error, avrule->xperms, xperms);
> - ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
> + ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n"
> "allowxperm %s %s:%s %s;",
> - avrule->source_line, avrule->source_filename, avrule->line,
> + avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
> p->p_type_val_to_name[i],
> p->p_type_val_to_name[j],
> p->p_class_val_to_name[curperm->tclass - 1],
> @@ -190,9 +198,9 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
>
> /* failure on the regular permissions */
> if (rc) {
> - ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
> + ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n"
> "allow %s %s:%s {%s };",
> - avrule->source_line, avrule->source_filename, avrule->line,
> + avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
> p->p_type_val_to_name[stype],
> p->p_type_val_to_name[ttype],
> p->p_class_val_to_name[curperm->tclass - 1],
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index 8667f2ed..7da51a40 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -2970,6 +2970,9 @@ int expand_module(sepol_handle_t * handle,
>
> state.out->policy_type = POLICY_KERN;
> state.out->policyvers = POLICYDB_VERSION_MAX;
> + if (state.base->name) {
> + state.out->name = strdup(state.base->name);
> + }
>
> /* Copy mls state from base to out */
> out->mls = base->mls;
> --
> 2.35.0.rc2.247.g8bbb082509-goog
>
This seems to create a leak:
==17394==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 20 byte(s) in 1 object(s) allocated from:
#0 0x5c179628aab3 in strdup (./checkpolicy/checkmodule+0x13dab3)
#1 0x5c17962eeab1 in read_source_policy ./checkpolicy/parse_util.c:53:20
#2 0x5c1796309a4f in main ./checkpolicy/checkmodule.c:279:7
#3 0x7fba24eae1c9 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: 20 byte(s) leaked in 1 allocation(s).
fixed by
diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index fcbc0eb8..ba80894a 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -99,6 +99,7 @@ int define_policy(int pass, int module_header_given)
yyerror("no module name");
return -1;
}
+ free(policydbp->name);
policydbp->name = id;
if ((policydbp->version =
queue_remove(id_queue)) == NULL) {
