On Fri, Feb 18, 2022 at 4:15 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Wed, Feb 16, 2022 at 2:27 AM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
> >
> > When an assertion fails, the error message refers to a generic
> > "policy.conf" file. When parsing a policy in checkpolicy, populate its
> > name using the original filename (source_filename is still build using
> > the #line directives within the policy).
> >
> > Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxx>
>
Merged.
Thanks,
Jim
> > ---
> > v1 -> v2: Fix leak reported by Christian Göttsche
> >
> > checkpolicy/module_compiler.c | 1 +
> > checkpolicy/parse_util.c | 1 +
> > libsepol/src/assertion.c | 20 ++++++++++++++------
> > libsepol/src/expand.c | 3 +++
> > 4 files changed, 19 insertions(+), 6 deletions(-)
> >
> > diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
> > index 5f5b0b19..129650fa 100644
> > --- a/checkpolicy/module_compiler.c
> > +++ b/checkpolicy/module_compiler.c
> > @@ -99,6 +99,7 @@ int define_policy(int pass, int module_header_given)
> > yyerror("no module name");
> > return -1;
> > }
> > + free(policydbp->name);
> > policydbp->name = id;
> > if ((policydbp->version =
> > queue_remove(id_queue)) == NULL) {
> > diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c
> > index 8c1f393c..f2d1e04d 100644
> > --- a/checkpolicy/parse_util.c
> > +++ b/checkpolicy/parse_util.c
> > @@ -47,6 +47,7 @@ int read_source_policy(policydb_t * p, const char *file, const char *progname)
> > }
> >
> > policydbp = p;
> > + policydbp->name = strdup(file);
> > mlspol = p->mls;
> >
> > init_parser(1);
> > diff --git a/libsepol/src/assertion.c b/libsepol/src/assertion.c
> > index dd2749a0..74f6d9c0 100644
> > --- a/libsepol/src/assertion.c
> > +++ b/libsepol/src/assertion.c
> > @@ -36,13 +36,21 @@ struct avtab_match_args {
> > unsigned long errors;
> > };
> >
> > +static const char* policy_name(policydb_t *p) {
> > + const char *policy_file = "policy.conf";
> > + if (p->name) {
> > + policy_file = p->name;
> > + }
> > + return policy_file;
> > +}
> > +
> > static void report_failure(sepol_handle_t *handle, policydb_t *p, const avrule_t *avrule,
> > unsigned int stype, unsigned int ttype,
> > const class_perm_node_t *curperm, uint32_t perms)
> > {
> > if (avrule->source_filename) {
> > - ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };",
> > - avrule->source_line, avrule->source_filename, avrule->line,
> > + ERR(handle, "neverallow on line %lu of %s (or line %lu of %s) violated by allow %s %s:%s {%s };",
> > + avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
> > p->p_type_val_to_name[stype],
> > p->p_type_val_to_name[ttype],
> > p->p_class_val_to_name[curperm->tclass - 1],
> > @@ -173,9 +181,9 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
> > /* failure on the extended permission check_extended_permissions */
> > if (rc) {
> > extended_permissions_violated(&error, avrule->xperms, xperms);
> > - ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
> > + ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n"
> > "allowxperm %s %s:%s %s;",
> > - avrule->source_line, avrule->source_filename, avrule->line,
> > + avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
> > p->p_type_val_to_name[i],
> > p->p_type_val_to_name[j],
> > p->p_class_val_to_name[curperm->tclass - 1],
> > @@ -190,9 +198,9 @@ static int report_assertion_extended_permissions(sepol_handle_t *handle,
> >
> > /* failure on the regular permissions */
> > if (rc) {
> > - ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of policy.conf) violated by\n"
> > + ERR(handle, "neverallowxperm on line %lu of %s (or line %lu of %s) violated by\n"
> > "allow %s %s:%s {%s };",
> > - avrule->source_line, avrule->source_filename, avrule->line,
> > + avrule->source_line, avrule->source_filename, avrule->line, policy_name(p),
> > p->p_type_val_to_name[stype],
> > p->p_type_val_to_name[ttype],
> > p->p_class_val_to_name[curperm->tclass - 1],
> > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> > index 8667f2ed..7da51a40 100644
> > --- a/libsepol/src/expand.c
> > +++ b/libsepol/src/expand.c
> > @@ -2970,6 +2970,9 @@ int expand_module(sepol_handle_t * handle,
> >
> > state.out->policy_type = POLICY_KERN;
> > state.out->policyvers = POLICYDB_VERSION_MAX;
> > + if (state.base->name) {
> > + state.out->name = strdup(state.base->name);
> > + }
> >
> > /* Copy mls state from base to out */
> > out->mls = base->mls;
> > --
> > 2.35.1.265.g69c8d7142f-goog
> >
