* [PATCH] libsepol: Fix erroneous genfscon asterisks
@ 2025-08-13  5:25 Inseob Kim
  2025-08-14 16:48 ` James Carter
From: Inseob Kim @ 2025-08-13  5:25 UTC (permalink / raw)
  To: selinux; +Cc: takayas, tweek, Inseob Kim

When genfs_seclabel_wildcard is on, extra asterisks are added to keep
the semantics of genfscon entries. Those asterisks need to be removed when
converting the policy to CIL or conf, but genfscon_to_cil is missing that step.

Signed-off-by: Inseob Kim <inseob@google.com>
---
 libsepol/src/module_to_cil.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index b4439b27..8647d928 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2987,10 +2987,22 @@ static int genfscon_to_cil(struct policydb *pdb)
 	struct genfs *genfs;
 	struct ocontext *ocon;
 	uint32_t sclass;
+	char *name;
+	int wildcard = ebitmap_get_bit(&pdb->policycaps, POLICYDB_CAP_GENFS_SECLABEL_WILDCARD);
+	size_t name_len;
 
 	for (genfs = pdb->genfs; genfs != NULL; genfs = genfs->next) {
 		for (ocon = genfs->head; ocon != NULL; ocon = ocon->next) {
 			sclass = ocon->v.sclass;
+			name = ocon->u.name;
+			name_len = strlen(name);
+			if (wildcard) {
+				if (name_len == 0 || name[name_len - 1] != '*') {
+					ERR(NULL, "genfscon path must end with '*' when genfs_seclabel_wildcard");
+					return -1;
+				}
+				--name_len;
+			}
 			if (sclass) {
 				const char *file_type;
 				const char *class_name = pdb->p_class_val_to_name[sclass-1];
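Review bot: The rejection on the `ERR(NULL, ...)` line reports neither the filesystem type nor the offending path, so a policy author has no way to locate the bad entry among possibly hundreds of genfscon statements; if ERR accepts printf-style arguments here as it does elsewhere in libsepol, `ERR(NULL, "genfscon %s \"%s\": path must end with '*' when genfs_seclabel_wildcard is set", genfs->fstype, name);` would both name the entry and repair the truncated wording of the current message. `name` is only read after the assignment from `ocon->u.name`, so declaring it `const char *name;` documents that the trailing asterisk is dropped at print time through the length rather than by editing the policydb string. The same `name_len` is narrowed with `(int)name_len` for `%.*s` in the second hunk; a `name_len > INT_MAX` check next to the emptiness test would keep that cast well-defined for a policy read from an untrusted file, although a path of that size is unrealistic in practice. genfscon_to_cil begins before this hunk and its body continues past the end of the second hunk.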
@@ -3011,9 +3023,10 @@ static int genfscon_to_cil(struct policydb *pdb)
 				} else {
 					return -1;
 				}
-				cil_printf("(genfscon %s \"%s\" %s ", genfs->fstype, ocon->u.name, file_type);
+				cil_printf("(genfscon %s \"%.*s\" %s ", genfs->fstype, (int)name_len, name,
+				           file_type);
 			} else {
-				cil_printf("(genfscon %s \"%s\" ", genfs->fstype, ocon->u.name);
+				cil_printf("(genfscon %s \"%.*s\" ", genfs->fstype, (int)name_len, name);
 			}
 			context_to_cil(pdb, &ocon->context[0]);
 			cil_printf(")\n");
-- 
2.51.0.rc0.205.g4a044479a3-goog



* Re: [PATCH] libsepol: Fix erroneous genfscon asterisks
  2025-08-13  5:25 [PATCH] libsepol: Fix erroneous genfscon asterisks Inseob Kim
@ 2025-08-14 16:48 ` James Carter
From: James Carter @ 2025-08-14 16:48 UTC (permalink / raw)
  To: Inseob Kim; +Cc: selinux, takayas, tweek

On Wed, Aug 13, 2025 at 1:26 AM Inseob Kim <inseob@google.com> wrote:
>
> When genfs_seclabel_wildcard is on, extra asterisks are added to keep
> semantics of genfscon entries. That needs to be removed when converting
> the policy to CIL or conf, but genfscon_to_cil is missing it.
>
> Signed-off-by: Inseob Kim <inseob@google.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsepol/src/module_to_cil.c | 17 +++++++++++++++--
>  1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
> index b4439b27..8647d928 100644
> --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c
> @@ -2987,10 +2987,22 @@ static int genfscon_to_cil(struct policydb *pdb)
>         struct genfs *genfs;
>         struct ocontext *ocon;
>         uint32_t sclass;
> +       char *name;
> +       int wildcard = ebitmap_get_bit(&pdb->policycaps, POLICYDB_CAP_GENFS_SECLABEL_WILDCARD);
> +       size_t name_len;
>
>         for (genfs = pdb->genfs; genfs != NULL; genfs = genfs->next) {
>                 for (ocon = genfs->head; ocon != NULL; ocon = ocon->next) {
>                         sclass = ocon->v.sclass;
> +                       name = ocon->u.name;
> +                       name_len = strlen(name);
> +                       if (wildcard) {
> +                               if (name_len == 0 || name[name_len - 1] != '*') {
> +                                       ERR(NULL, "genfscon path must end with '*' when genfs_seclabel_wildcard");
> +                                       return -1;
> +                               }
> +                               --name_len;
> +                       }
>                         if (sclass) {
>                                 const char *file_type;
>                                 const char *class_name = pdb->p_class_val_to_name[sclass-1];
> @@ -3011,9 +3023,10 @@ static int genfscon_to_cil(struct policydb *pdb)
>                                 } else {
>                                         return -1;
>                                 }
> -                               cil_printf("(genfscon %s \"%s\" %s ", genfs->fstype, ocon->u.name, file_type);
> +                               cil_printf("(genfscon %s \"%.*s\" %s ", genfs->fstype, (int)name_len, name,
> +                                          file_type);
>                         } else {
> -                               cil_printf("(genfscon %s \"%s\" ", genfs->fstype, ocon->u.name);
> +                               cil_printf("(genfscon %s \"%.*s\" ", genfs->fstype, (int)name_len, name);
>                         }
>                         context_to_cil(pdb, &ocon->context[0]);
>                         cil_printf(")\n");
> --
> 2.51.0.rc0.205.g4a044479a3-goog
>
>

