Re: [PATCH userspace 1/2] libsepol: stop translating deprecated intial SIDs to strings


 



On Mon, Jun 12, 2023 at 5:50 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> Many of the initial SIDs are no longer used by the kernel, so
> translating them to the legacy names doesn't bring much value. Clear the
> legacy names from the table and let the code translate them to the
> fallback "unknown" names instead.
>
> Note that this only affects the generated text output when converting
> policies from binary to text form. The text policy languages let the
> policy define its own names for the initial SIDs based on the order in
> which they are declared, so the table is never used to convert from name
> to SID. Thus this is just a cosmetic change and has no functional
> impact.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>

For these two patches:
Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
>  libsepol/src/kernel_to_cil.c    |  4 ++--
>  libsepol/src/kernel_to_common.h | 36 ++++++++++++++++-----------------
>  libsepol/src/kernel_to_conf.c   |  4 ++--
>  libsepol/src/module_to_cil.c    |  2 +-
>  4 files changed, 23 insertions(+), 23 deletions(-)
>
> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
> index e9cd89c2..bd04c087 100644
> --- a/libsepol/src/kernel_to_cil.c
> +++ b/libsepol/src/kernel_to_cil.c
> @@ -567,7 +567,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
>
>         for (isid = isids; isid != NULL; isid = isid->next) {
>                 i = isid->sid[0];
> -               if (i < num_sids) {
> +               if (i < num_sids && sid_to_str[i]) {
>                         sid = (char *)sid_to_str[i];
>                 } else {
>                         snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
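Review bot: The new condition routes every slot that the header now sets to NULL through the `else` branch, so the `snprintf(unknown, 18, "%s%u", "UNKNOWN", i);` on the last line of the hunk is reached for many more SID values than before; the hard-coded 18 should be `snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);` as the kernel_to_conf.c hunks already do. The declaration of `unknown` is outside the hunk, so I cannot confirm its size from this page; "UNKNOWN" plus a ten-digit unsigned value plus the terminator is exactly 18 bytes, so if the buffer is 18 there is no slack, and tying the bound to `sizeof` keeps a future resize from silently truncating the name. The same hard-coded 18 appears in the second kernel_to_cil.c hunk (write_sid_context_rules_to_cil) and in the module_to_cil.c hunk (ocontext_isid_to_cil). write_sids_to_cil begins and continues outside the hunk.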
> @@ -2577,7 +2577,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
>
>         for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
>                 i = isid->sid[0];
> -               if (i < num_sids) {
> +               if (i < num_sids && sid_to_str[i]) {
>                         sid = (char *)sid_to_str[i];
>                 } else {
>                         snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
> diff --git a/libsepol/src/kernel_to_common.h b/libsepol/src/kernel_to_common.h
> index 159c4289..6073ff3a 100644
> --- a/libsepol/src/kernel_to_common.h
> +++ b/libsepol/src/kernel_to_common.h
> @@ -13,33 +13,33 @@
>  // initial sid names aren't actually stored in the pp files, need to a have
>  // a mapping, taken from the linux kernel
>  static const char * const selinux_sid_to_str[] = {
> -       "null",
> +       NULL,
>         "kernel",
>         "security",
>         "unlabeled",
> -       "fs",
> +       NULL,
>         "file",
> -       "file_labels",
> -       "init",
> +       NULL,
> +       NULL,
>         "any_socket",
>         "port",
>         "netif",
>         "netmsg",
>         "node",
> -       "igmp_packet",
> -       "icmp_socket",
> -       "tcp_socket",
> -       "sysctl_modprobe",
> -       "sysctl",
> -       "sysctl_fs",
> -       "sysctl_kernel",
> -       "sysctl_net",
> -       "sysctl_net_unix",
> -       "sysctl_vm",
> -       "sysctl_dev",
> -       "kmod",
> -       "policy",
> -       "scmp_packet",
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
> +       NULL,
>         "devnull",
>  };
>
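Review bot: The table now mixes NULL and string entries, but the comment above it still only says the mapping is taken from the kernel, so a reader has no statement of what a NULL slot means or why the slot is kept at all. I would extend the comment with `// NULL marks an initial SID the kernel no longer uses; readers must check for it and fall back to the UNKNOWN<n> form. Keep the slot rather than deleting the line so the remaining entries stay aligned with the kernel's SID numbers.` Every site that indexes this table and hands the element to a `%s` conversion now needs the NULL check the patch adds to its five callers; whether other readers of selinux_sid_to_str exist is not visible from this page and is worth a grep before merging.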
> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> index c48a7114..3be87184 100644
> --- a/libsepol/src/kernel_to_conf.c
> +++ b/libsepol/src/kernel_to_conf.c
> @@ -464,7 +464,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
>
>         for (isid = isids; isid != NULL; isid = isid->next) {
>                 i = isid->sid[0];
> -               if (i < num_sids) {
> +               if (i < num_sids && sid_to_str[i]) {
>                         sid = (char *)sid_to_str[i];
>                 } else {
>                         snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
> @@ -2445,7 +2445,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
>
>         for (isid = pdb->ocontexts[0]; isid != NULL; isid = isid->next) {
>                 i = isid->sid[0];
> -               if (i < num_sids) {
> +               if (i < num_sids && sid_to_str[i]) {
>                         sid = (char *)sid_to_str[i];
>                 } else {
>                         snprintf(unknown, sizeof(unknown), "%s%u", "UNKNOWN", i);
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index e7bc6ee6..a46775ca 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -2549,7 +2549,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
>
>         for (isid = isids; isid != NULL; isid = isid->next) {
>                 i = isid->sid[0];
> -               if (i < num_sids) {
> +               if (i < num_sids && sid_to_string[i]) {
>                         sid = (char*)sid_to_string[i];
>                 } else {
>                         snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
> --
> 2.40.1
>




