On Tue, Jun 7, 2022 at 3:01 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote: > > The kernel removed [1] some unused initial SIDs. Also libsepol got > support for omitting unused ones [2]. > > Currently in traditional policy all initial SIDs have to be defined and > also the order of declarations has to follow the order of the libsepol > internal representation. Support omitting unused initial SIDs in the > traditional policy and do not require a specific order of declarations. > I think that your goal is good, but see below. > [1]: https://github.com/SELinuxProject/selinux-kernel/commit/e3e0b582c321aefd72db0e7083a0adfe285e96b5 > [2]: https://github.com/SELinuxProject/selinux/commit/8677ce5e8f592950ae6f14cea1b68a20ddc1ac25 > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > --- > checkpolicy/policy_define.c | 39 ++++++++++++++++++++++++------------- > 1 file changed, 26 insertions(+), 13 deletions(-) > > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c > index 8bf36859..8f55650d 100644 > --- a/checkpolicy/policy_define.c > +++ b/checkpolicy/policy_define.c > @@ -54,6 +54,7 @@ > #include <sepol/policydb/services.h> > #include <sepol/policydb/conditional.h> > #include <sepol/policydb/hierarchy.h> > +#include <sepol/policydb/initialsids.h> > #include <sepol/policydb/polcaps.h> > #include "queue.h" > #include "checkpolicy.h" > @@ -287,6 +288,7 @@ int define_polcap(void) > int define_initial_sid(void) > { > char *id = 0; > + sepol_security_id_t sid; > ocontext_t *newc = 0, *c, *head; > > if (pass == 2) { > @@ -300,28 +302,30 @@ int define_initial_sid(void) > yyerror("no sid name for SID definition?"); > return -1; > } > - newc = (ocontext_t *) malloc(sizeof(ocontext_t)); > - if (!newc) { > - yyerror("out of memory"); > + > + sid = selinux_str_to_sid(id); > + if (sid == 0) { > + yyerror2("invalid initial SID %s", id); We can't give an error if the name is not found. In your reference [2], it is stated that unused SIDs can be renamed and it even suggests using an "unamed_" prefix. I am not sure what to suggest here. In the past, one could theoretically use any name, because all that mattered was the ordering. I doubt if there are any policies that use any other names, but I don't know. Thanks, Jim > goto bad; > } > - memset(newc, 0, sizeof(ocontext_t)); > - newc->u.name = id; > - context_init(&newc->context[0]); > - head = policydbp->ocontexts[OCON_ISID]; > > + head = policydbp->ocontexts[OCON_ISID]; > for (c = head; c; c = c->next) { > - if (!strcmp(newc->u.name, c->u.name)) { > + if (sid == c->sid[0]) { > yyerror2("duplicate initial SID %s", id); > goto bad; > } > } > > - if (head) { > - newc->sid[0] = head->sid[0] + 1; > - } else { > - newc->sid[0] = 1; > + newc = (ocontext_t *) malloc(sizeof(ocontext_t)); > + if (!newc) { > + yyerror("out of memory"); > + goto bad; > } > + memset(newc, 0, sizeof(ocontext_t)); > + newc->u.name = id; > + context_init(&newc->context[0]); > + newc->sid[0] = sid; > newc->next = head; > policydbp->ocontexts[OCON_ISID] = newc; > > @@ -4567,6 +4571,7 @@ static int parse_security_context(context_struct_t * c) > int define_initial_sid_context(void) > { > char *id; > + sepol_security_id_t sid; > ocontext_t *c, *head; > > if (pass == 1) { > @@ -4581,9 +4586,17 @@ int define_initial_sid_context(void) > yyerror("no sid name for SID context definition?"); > return -1; > } > + > + sid = selinux_str_to_sid(id); > + if (sid == 0) { > + yyerror2("invalid initial SID %s", id); > + free(id); > + return -1; > + } > + > head = policydbp->ocontexts[OCON_ISID]; > for (c = head; c; c = c->next) { > - if (!strcmp(id, c->u.name)) > + if (sid == c->sid[0]) > break; > } > > -- > 2.36.1 >
