[RFC PATCH 3/3] checkpolicy: rework initial SID handling

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The kernel removed [1] some unused initial SIDs.  Also libsepol got
support for omitting unused ones [2].

Currently in traditional policy all initial SIDs have to be defined and
also the order of declarations has to follow the order of the libsepol
internal representation.  Support omitting unused initial SIDs in the
traditional policy and do not require a specific order of declarations.

[1]: https://github.com/SELinuxProject/selinux-kernel/commit/e3e0b582c321aefd72db0e7083a0adfe285e96b5
[2]: https://github.com/SELinuxProject/selinux/commit/8677ce5e8f592950ae6f14cea1b68a20ddc1ac25

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 checkpolicy/policy_define.c | 39 ++++++++++++++++++++++++-------------
 1 file changed, 26 insertions(+), 13 deletions(-)

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 8bf36859..8f55650d 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -54,6 +54,7 @@
 #include <sepol/policydb/services.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/hierarchy.h>
+#include <sepol/policydb/initialsids.h>
 #include <sepol/policydb/polcaps.h>
 #include "queue.h"
 #include "checkpolicy.h"
@@ -287,6 +288,7 @@ int define_polcap(void)
 int define_initial_sid(void)
 {
 	char *id = 0;
+	sepol_security_id_t sid;
 	ocontext_t *newc = 0, *c, *head;
 
 	if (pass == 2) {
@@ -300,28 +302,30 @@ int define_initial_sid(void)
 		yyerror("no sid name for SID definition?");
 		return -1;
 	}
-	newc = (ocontext_t *) malloc(sizeof(ocontext_t));
-	if (!newc) {
-		yyerror("out of memory");
+
+	sid = selinux_str_to_sid(id);
+	if (sid == 0) {
+		yyerror2("invalid initial SID %s", id);
 		goto bad;
 	}
-	memset(newc, 0, sizeof(ocontext_t));
-	newc->u.name = id;
-	context_init(&newc->context[0]);
-	head = policydbp->ocontexts[OCON_ISID];
 
+	head = policydbp->ocontexts[OCON_ISID];
 	for (c = head; c; c = c->next) {
-		if (!strcmp(newc->u.name, c->u.name)) {
+		if (sid == c->sid[0]) {
 			yyerror2("duplicate initial SID %s", id);
 			goto bad;
 		}
 	}
 
-	if (head) {
-		newc->sid[0] = head->sid[0] + 1;
-	} else {
-		newc->sid[0] = 1;
+	newc = (ocontext_t *) malloc(sizeof(ocontext_t));
+	if (!newc) {
+		yyerror("out of memory");
+		goto bad;
 	}
+	memset(newc, 0, sizeof(ocontext_t));
+	newc->u.name = id;
+	context_init(&newc->context[0]);
+	newc->sid[0] = sid;
 	newc->next = head;
 	policydbp->ocontexts[OCON_ISID] = newc;
 
@@ -4567,6 +4571,7 @@ static int parse_security_context(context_struct_t * c)
 int define_initial_sid_context(void)
 {
 	char *id;
+	sepol_security_id_t sid;
 	ocontext_t *c, *head;
 
 	if (pass == 1) {
@@ -4581,9 +4586,17 @@ int define_initial_sid_context(void)
 		yyerror("no sid name for SID context definition?");
 		return -1;
 	}
+
+	sid = selinux_str_to_sid(id);
+	if (sid == 0) {
+		yyerror2("invalid initial SID %s", id);
+		free(id);
+		return -1;
+	}
+
 	head = policydbp->ocontexts[OCON_ISID];
 	for (c = head; c; c = c->next) {
-		if (!strcmp(id, c->u.name))
+		if (sid == c->sid[0])
 			break;
 	}
 
-- 
2.36.1




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux