* [PATCH 1/2] Modify audit2why analyze function to use loaded policy
@ 2016-06-03 15:09 Joshua Brindle
2016-06-03 15:09 ` [PATCH 2/2] Correctly detect unknown classes in sepol_string_to_security_class Joshua Brindle
2016-06-20 20:33 ` [PATCH 1/2] Modify audit2why analyze function to use loaded policy Stephen Smalley
0 siblings, 2 replies; 7+ messages in thread
From: Joshua Brindle @ 2016-06-03 15:09 UTC (permalink / raw)
To: selinux
Class and perms should come from the policy being used for analysis,
not the system policy so use sepol_ interfaces
Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561
Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
---
libselinux/src/audit2why.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
index 12745b3..abe1701 100644
--- a/libselinux/src/audit2why.c
+++ b/libselinux/src/audit2why.c
@@ -343,8 +343,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
if (rc < 0)
RETURN(BADTCON)
- tclass = string_to_security_class(tclassstr);
- if (!tclass)
+ rc = sepol_string_to_security_class(tclassstr, &tclass);
+ if (rc < 0)
RETURN(BADTCLASS)
/* Convert the permission list to an AV. */
@@ -365,8 +365,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
permstr = PyString_AsString( strObj );
#endif
- perm = string_to_av_perm(tclass, permstr);
- if (!perm)
+ rc = sepol_string_to_av_perm(tclass, permstr, &perm);
+ if (rc < 0)
RETURN(BADPERM)
av |= perm;
--
2.1.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/2] Correctly detect unknown classes in sepol_string_to_security_class
2016-06-03 15:09 [PATCH 1/2] Modify audit2why analyze function to use loaded policy Joshua Brindle
@ 2016-06-03 15:09 ` Joshua Brindle
2016-06-03 15:17 ` [PATCH] " Joshua Brindle
2016-06-20 20:33 ` [PATCH 1/2] Modify audit2why analyze function to use loaded policy Stephen Smalley
1 sibling, 1 reply; 7+ messages in thread
From: Joshua Brindle @ 2016-06-03 15:09 UTC (permalink / raw)
To: selinux
Bail before running off the end of the class index
Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
---
libsepol/src/services.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index d64a8e8..8679545 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -1155,7 +1155,7 @@ int hidden sepol_string_to_security_class(const char *class_name,
char *class = NULL;
sepol_security_class_t id;
- for (id = 1;; id++) {
+ for (id = 1; id < policydb->p_classes.nprim; id++) {
class = policydb->p_class_val_to_name[id - 1];
if (class == NULL) {
ERR(NULL, "could not convert %s to class id", class_name);
@@ -1166,6 +1166,8 @@ int hidden sepol_string_to_security_class(const char *class_name,
return STATUS_SUCCESS;
}
}
+ ERR(NULL, "unrecognized class %s", class_name);
+ return -EINVAL;
}
/*
--
2.1.0
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH] Correctly detect unknown classes in sepol_string_to_security_class
2016-06-03 15:09 ` [PATCH 2/2] Correctly detect unknown classes in sepol_string_to_security_class Joshua Brindle
@ 2016-06-03 15:17 ` Joshua Brindle
2016-06-03 15:18 ` Joshua Brindle
2016-06-20 20:34 ` Stephen Smalley
0 siblings, 2 replies; 7+ messages in thread
From: Joshua Brindle @ 2016-06-03 15:17 UTC (permalink / raw)
To: selinux
Bail before running off the end of the class index
Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
---
libsepol/src/services.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index d64a8e8..665fcaa 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -1155,7 +1155,7 @@ int hidden sepol_string_to_security_class(const char *class_name,
char *class = NULL;
sepol_security_class_t id;
- for (id = 1;; id++) {
+ for (id = 1; id <= policydb->p_classes.nprim; id++) {
class = policydb->p_class_val_to_name[id - 1];
if (class == NULL) {
ERR(NULL, "could not convert %s to class id", class_name);
@@ -1166,6 +1166,8 @@ int hidden sepol_string_to_security_class(const char *class_name,
return STATUS_SUCCESS;
}
}
+ ERR(NULL, "unrecognized class %s", class_name);
+ return -EINVAL;
}
/*
--
2.1.0
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH] Correctly detect unknown classes in sepol_string_to_security_class
2016-06-03 15:17 ` [PATCH] " Joshua Brindle
@ 2016-06-03 15:18 ` Joshua Brindle
2016-06-20 20:34 ` Stephen Smalley
1 sibling, 0 replies; 7+ messages in thread
From: Joshua Brindle @ 2016-06-03 15:18 UTC (permalink / raw)
To: selinux
Joshua Brindle wrote:
> Bail before running off the end of the class index
>
This one correctly goes all the way to the end of the classes index, the
last version did not.
> Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
> Signed-off-by: Joshua Brindle<brindle@quarksecurity.com>
> ---
> libsepol/src/services.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/services.c b/libsepol/src/services.c
> index d64a8e8..665fcaa 100644
> --- a/libsepol/src/services.c
> +++ b/libsepol/src/services.c
> @@ -1155,7 +1155,7 @@ int hidden sepol_string_to_security_class(const char *class_name,
> char *class = NULL;
> sepol_security_class_t id;
>
> - for (id = 1;; id++) {
> + for (id = 1; id<= policydb->p_classes.nprim; id++) {
> class = policydb->p_class_val_to_name[id - 1];
> if (class == NULL) {
> ERR(NULL, "could not convert %s to class id", class_name);
> @@ -1166,6 +1166,8 @@ int hidden sepol_string_to_security_class(const char *class_name,
> return STATUS_SUCCESS;
> }
> }
> + ERR(NULL, "unrecognized class %s", class_name);
> + return -EINVAL;
> }
>
> /*
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] Correctly detect unknown classes in sepol_string_to_security_class
2016-06-03 15:17 ` [PATCH] " Joshua Brindle
2016-06-03 15:18 ` Joshua Brindle
@ 2016-06-20 20:34 ` Stephen Smalley
2016-06-21 14:25 ` Joshua Brindle
1 sibling, 1 reply; 7+ messages in thread
From: Stephen Smalley @ 2016-06-20 20:34 UTC (permalink / raw)
To: Joshua Brindle, selinux
On 06/03/2016 11:17 AM, Joshua Brindle wrote:
> Bail before running off the end of the class index
>
> Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
> Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
Applied this one and then rewrote it to use hashtab_search().
Not sure why it wasn't that way in the first place.
> ---
> libsepol/src/services.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/services.c b/libsepol/src/services.c
> index d64a8e8..665fcaa 100644
> --- a/libsepol/src/services.c
> +++ b/libsepol/src/services.c
> @@ -1155,7 +1155,7 @@ int hidden sepol_string_to_security_class(const char *class_name,
> char *class = NULL;
> sepol_security_class_t id;
>
> - for (id = 1;; id++) {
> + for (id = 1; id <= policydb->p_classes.nprim; id++) {
> class = policydb->p_class_val_to_name[id - 1];
> if (class == NULL) {
> ERR(NULL, "could not convert %s to class id", class_name);
> @@ -1166,6 +1166,8 @@ int hidden sepol_string_to_security_class(const char *class_name,
> return STATUS_SUCCESS;
> }
> }
> + ERR(NULL, "unrecognized class %s", class_name);
> + return -EINVAL;
> }
>
> /*
>
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH] Correctly detect unknown classes in sepol_string_to_security_class
2016-06-20 20:34 ` Stephen Smalley
@ 2016-06-21 14:25 ` Joshua Brindle
0 siblings, 0 replies; 7+ messages in thread
From: Joshua Brindle @ 2016-06-21 14:25 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
Stephen Smalley wrote:
> On 06/03/2016 11:17 AM, Joshua Brindle wrote:
>> Bail before running off the end of the class index
>>
>> Change-Id: I47c4eaac3c7d789f8d85047e34e37e3f0bb38b3a
>> Signed-off-by: Joshua Brindle<brindle@quarksecurity.com>
>
> Applied this one and then rewrote it to use hashtab_search().
> Not sure why it wasn't that way in the first place.
Thank you, that was a much better fix that I should have noticed...
>
>> ---
>> libsepol/src/services.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/libsepol/src/services.c b/libsepol/src/services.c
>> index d64a8e8..665fcaa 100644
>> --- a/libsepol/src/services.c
>> +++ b/libsepol/src/services.c
>> @@ -1155,7 +1155,7 @@ int hidden sepol_string_to_security_class(const char *class_name,
>> char *class = NULL;
>> sepol_security_class_t id;
>>
>> - for (id = 1;; id++) {
>> + for (id = 1; id<= policydb->p_classes.nprim; id++) {
>> class = policydb->p_class_val_to_name[id - 1];
>> if (class == NULL) {
>> ERR(NULL, "could not convert %s to class id", class_name);
>> @@ -1166,6 +1166,8 @@ int hidden sepol_string_to_security_class(const char *class_name,
>> return STATUS_SUCCESS;
>> }
>> }
>> + ERR(NULL, "unrecognized class %s", class_name);
>> + return -EINVAL;
>> }
>>
>> /*
>>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] Modify audit2why analyze function to use loaded policy
2016-06-03 15:09 [PATCH 1/2] Modify audit2why analyze function to use loaded policy Joshua Brindle
2016-06-03 15:09 ` [PATCH 2/2] Correctly detect unknown classes in sepol_string_to_security_class Joshua Brindle
@ 2016-06-20 20:33 ` Stephen Smalley
1 sibling, 0 replies; 7+ messages in thread
From: Stephen Smalley @ 2016-06-20 20:33 UTC (permalink / raw)
To: Joshua Brindle, selinux
On 06/03/2016 11:09 AM, Joshua Brindle wrote:
> Class and perms should come from the policy being used for analysis,
> not the system policy so use sepol_ interfaces
>
> Change-Id: Ia0590ed2514249fd98810a8d4fe87f8bf5280561
> Signed-off-by: Joshua Brindle <brindle@quarksecurity.com>
> ---
> libselinux/src/audit2why.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
Thanks, applied.
>
> diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
> index 12745b3..abe1701 100644
> --- a/libselinux/src/audit2why.c
> +++ b/libselinux/src/audit2why.c
> @@ -343,8 +343,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
> if (rc < 0)
> RETURN(BADTCON)
>
> - tclass = string_to_security_class(tclassstr);
> - if (!tclass)
> + rc = sepol_string_to_security_class(tclassstr, &tclass);
> + if (rc < 0)
> RETURN(BADTCLASS)
>
> /* Convert the permission list to an AV. */
> @@ -365,8 +365,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
> permstr = PyString_AsString( strObj );
> #endif
>
> - perm = string_to_av_perm(tclass, permstr);
> - if (!perm)
> + rc = sepol_string_to_av_perm(tclass, permstr, &perm);
> + if (rc < 0)
> RETURN(BADPERM)
>
> av |= perm;
>
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-06-21 14:25 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-06-03 15:09 [PATCH 1/2] Modify audit2why analyze function to use loaded policy Joshua Brindle
2016-06-03 15:09 ` [PATCH 2/2] Correctly detect unknown classes in sepol_string_to_security_class Joshua Brindle
2016-06-03 15:17 ` [PATCH] " Joshua Brindle
2016-06-03 15:18 ` Joshua Brindle
2016-06-20 20:34 ` Stephen Smalley
2016-06-21 14:25 ` Joshua Brindle
2016-06-20 20:33 ` [PATCH 1/2] Modify audit2why analyze function to use loaded policy Stephen Smalley
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.