Changes of Revision 2
_service:tar_scm:checkpolicy.spec
Changed
@@ -1,10 +1,13 @@ Name: checkpolicy -Version: 3.3 -Release: 1 +Version: 3.4 +Release: 2 Summary: SELinux policy compiler License: GPLv2 URL: https://github.com/SELinuxProject/selinux -Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/checkpolicy-3.3.tar.gz +Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/checkpolicy-%{version}.tar.gz + +Patch0: backport-checkpolicy-Improve-error-message-for-type-bounds.patch +Patch1: backport-checkpolicy-delete-invalid-spaces.patch BuildRequires: gcc byacc bison flex flex-static libsepol-static >= %{version} libselinux-devel >= %{version} @@ -54,6 +57,12 @@ %{_mandir}/*/* %changelog +* Fri Mar 10 2023 zhangchenfeng <zhangchenfeng1@huawei.com> - 3.4-2 +- backport upstrem bugfix + +* Thu Feb 2 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 3.4-1 +- update version to 3.4 + * Tue Jan 18 2022 yixiangzhike <yixiangzhike007@163.com> - 3.3-1 - update to 3.3
_service:tar_scm:backport-checkpolicy-Improve-error-message-for-type-bounds.patch
Added
@@ -0,0 +1,32 @@ +From 1d33c911f514449bbc8cab71332752c22561b911 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis <vmojzis@redhat.com> +Date: Thu, 24 Nov 2022 17:31:52 +0100 +Subject: PATCH checkpolicy: Improve error message for type bounds + +Make the error message consistent with other occurrences of the +same issue: +https://github.com/SELinuxProject/selinux/blob/master/checkpolicy/module_compiler.c#L243 +https://github.com/SELinuxProject/selinux/blob/master/checkpolicy/module_compiler.c#L488 + +Signed-off-by: Vit Mojzis <vmojzis@redhat.com> +Acked-by: James Carter <jwcart2@gmail.com> +--- + policy_define.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/policy_define.c b/policy_define.c +index 41e44631..86d57017 100644 +--- a/policy_define.c ++++ b/policy_define.c +@@ -1416,7 +1416,7 @@ static int define_typebounds_helper(char *bounds_id, char *type_id) + if (!type->bounds) + type->bounds = bounds->s.value; + else if (type->bounds != bounds->s.value) { +- yyerror2("type %s has inconsistent master {%s,%s}", ++ yyerror2("type %s has inconsistent bounds %s/%s", + type_id, + policydbp->p_type_val_to_nametype->bounds - 1, + policydbp->p_type_val_to_namebounds->s.value - 1); +-- +2.39.2.windows.1 +
_service:tar_scm:backport-checkpolicy-delete-invalid-spaces.patch
Added
@@ -0,0 +1,60 @@ +From 27e1c7c8e90b98da53bfcce291b03d8f2f0f0b4d Mon Sep 17 00:00:00 2001 +From: lujiev <572084868@qq.com> +Date: Thu, 27 Oct 2022 16:02:18 +0800 +Subject: PATCH checkpolicy: delete invalid spaces + +Closes: https://github.com/SELinuxProject/selinux/pull/372 +Signed-off-by: lujiev <572084868@qq.com> +Acked-by: Jason Zaman <jason@perfinion.com> +--- + policy_define.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/policy_define.c b/policy_define.c +index 86d57017..c2ae7fe5 100644 +--- a/policy_define.c ++++ b/policy_define.c +@@ -2208,7 +2208,7 @@ static int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist, + xperms = calloc(1, sizeof(av_extended_perms_t)); + if (!xperms) { + yyerror("out of memory"); +- return - 1; ++ return -1; + } + + r = rangelist; +@@ -2245,7 +2245,7 @@ static int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist, + xperms = calloc(1, sizeof(av_extended_perms_t)); + if (!xperms) { + yyerror("out of memory"); +- return - 1; ++ return -1; + } + + r = rangelist; +@@ -2289,7 +2289,7 @@ static int avrule_ioctl_func(struct av_ioctl_range_list *rangelist, + xperms = calloc(1, sizeof(av_extended_perms_t)); + if (!xperms) { + yyerror("out of memory"); +- return - 1; ++ return -1; + } + + r = rangelist; +@@ -2352,11 +2352,11 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src) + dest->flags = src->flags; + if (type_set_cpy(&dest->stypes, &src->stypes)) { + yyerror("out of memory"); +- return - 1; ++ return -1; + } + if (type_set_cpy(&dest->ttypes, &src->ttypes)) { + yyerror("out of memory"); +- return - 1; ++ return -1; + } + dest->line = src->line; + dest->source_filename = strdup(source_file); +-- +2.39.2.windows.1 +
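--- a/_service
+++ b/_service
@@ -2,7 +2,7 @@
 <service name="tar_scm">
 <param name="scm">git</param>
 <param name="url">git@gitee.com:src-openeuler/checkpolicy.git</param>
-<param name="revision">7c0ef1bd78983c400f1adeed6843d975fff0d019</param>
+<param name="revision">master</param>
 <param name="exclude">*</param>
 <param name="extract">*</param>
 </service>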
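Review bot: Replacing the fixed commit id in `<param name="revision">` with `master` makes the tar_scm checkout non-reproducible: rebuilding this same package revision can fetch different sources each time, and any later push to the branch lands in the build without a visible change here. Keep a pinned commit id, e.g. `<param name="revision">COMMIT_ID_PLACEHOLDER</param>` (placeholder for the intended 3.4 commit), and bump it together with the spec update, or at minimum record the resolved commit next to the generated tarball so the build can be audited back to its source.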
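--- a/_service:tar_scm:checkpolicy-3.3.tar.gz/VERSION
+++ b/_service:tar_scm:checkpolicy-3.4.tar.gz/VERSION
@@ -1,1 +1,1 @@
-3.3
+3.4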
_service:tar_scm:checkpolicy-3.3.tar.gz/module_compiler.c -> _service:tar_scm:checkpolicy-3.4.tar.gz/module_compiler.c
Changed
@@ -99,6 +99,7 @@ yyerror("no module name"); return -1; } + free(policydbp->name); policydbp->name = id; if ((policydbp->version = queue_remove(id_queue)) == NULL) {
_service:tar_scm:checkpolicy-3.3.tar.gz/parse_util.c -> _service:tar_scm:checkpolicy-3.4.tar.gz/parse_util.c
Changed
@@ -47,6 +47,7 @@ } policydbp = p; + policydbp->name = strdup(file); mlspol = p->mls; init_parser(1);
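Review bot: The result of the added `policydbp->name = strdup(file);` is never checked, so on allocation failure `name` is silently left NULL; the matching `free(policydbp->name)` added in module_compiler.c copes with NULL, but any later `%s` use of the name would not, and `strdup(NULL)` is undefined if `file` can ever be NULL here. Add a check in the enclosing function's error style, e.g. `if (!policydbp->name) { yyerror("out of memory"); return -1; }`, adjusting the return value to whatever convention the function uses (its start and its return type are outside the hunk). Also worth a comment on the module_compiler.c side that `name` is now always heap-owned, since the unconditional free there depends on every assignment to it being an allocation.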
_service:tar_scm:checkpolicy-3.3.tar.gz/policy_define.c -> _service:tar_scm:checkpolicy-3.4.tar.gz/policy_define.c
Changed
@@ -1634,6 +1634,15 @@ } add = 1; while ((id = queue_remove(id_queue))) { + if (strcmp(id, "self") == 0) { + free(id); + if (add == 0) { + yyerror("-self is not supported"); + goto bad; + } + avrule->flags |= RULE_SELF; + continue; + } if (set_types(&avrule->ttypes, id, &add, 0)) goto bad; } @@ -3300,7 +3309,7 @@ type_datum_t *typdatum; uint32_t otype; unsigned int c, s, t; - int add, rc; + int add, self, rc; if (pass == 1) { /* stype */ @@ -3333,8 +3342,18 @@ goto bad; } - add =1; + self = 0; + add = 1; while ((id = queue_remove(id_queue))) { + if (strcmp(id, "self") == 0) { + free(id); + if (add == 0) { + yyerror("-self is not supported"); + goto bad; + } + self = 1; + continue; + } if (set_types(&ttypes, id, &add, 0)) goto bad; } @@ -3396,6 +3415,24 @@ goto bad; } } + if (self) { + rc = policydb_filetrans_insert( + policydbp, s+1, s+1, c+1, name, + NULL, otype, NULL + ); + if (rc != SEPOL_OK) { + if (rc == SEPOL_EEXIST) { + yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s", + name, + policydbp->p_type_val_to_names, + policydbp->p_type_val_to_names, + policydbp->p_class_val_to_namec); + goto bad; + } + yyerror("out of memory"); + goto bad; + } + } } /* Now add the real rule since we didn't find any duplicates */ @@ -3418,6 +3455,7 @@ } ftr->tclass = c + 1; ftr->otype = otype; + ftr->flags = self ? RULE_SELF : 0; } free(name); @@ -3477,6 +3515,8 @@ return NULL; } +#define PERMISSION_MASK(nprim) ((nprim) == PERM_SYMTAB_SIZE ? (~UINT32_C(0)) : ((UINT32_C(1) << (nprim)) - 1)) + int define_constraint(constraint_expr_t * expr) { struct constraint_node *node; 
@@ -3590,6 +3630,22 @@ cladatum = policydbp->class_val_to_structi; node = cladatum->constraints; + if (strcmp(id, "*") == 0) { + node->permissions = PERMISSION_MASK(cladatum->permissions.nprim); + continue; + } + + if (strcmp(id, "~") == 0) { + node->permissions = ~node->permissions & PERMISSION_MASK(cladatum->permissions.nprim); + if (node->permissions == 0) { + yywarn("omitting constraint with no permission set"); + cladatum->constraints = node->next; + constraint_expr_destroy(node->expr); + free(node); + } + continue; + } + perdatum = (perm_datum_t *) hashtab_search(cladatum-> permissions. @@ -3609,7 +3665,7 @@ } if (!perdatum) { yyerror2("permission %s is not" - " defined", id); + " defined for class %s", id, policydbp->p_class_val_to_namei); free(id); ebitmap_destroy(&classmap); return -1; @@ -5290,6 +5346,14 @@ goto out; } + if (mask.s_addr != 0 && ((~mask.s_addr + 1) & ~mask.s_addr) != 0) { + yywarn("ipv4 mask is not contiguous"); + } + + if ((~mask.s_addr & addr.s_addr) != 0) { + yywarn("host bits in ipv4 address set"); + } + newc = malloc(sizeof(ocontext_t)); if (!newc) { yyerror("out of memory"); @@ -5325,6 +5389,40 @@ return rc; } +static int ipv6_is_mask_contiguous(const struct in6_addr *mask) +{ + int filled = 1; + unsigned i; + + for (i = 0; i < 16; i++) { + if ((((~mask->s6_addri & 0xFF) + 1) & (~mask->s6_addri & 0xFF)) != 0) { + return 0; + } + if (!filled && mask->s6_addri != 0) { + return 0; + } + + if (filled && mask->s6_addri != 0xFF) { + filled = 0; + } + } + + return 1; +} + +static int ipv6_has_host_bits_set(const struct in6_addr *addr, const struct in6_addr *mask) +{ + unsigned i; + + for (i = 0; i < 16; i++) { + if ((addr->s6_addri & ~mask->s6_addri) != 0) { + return 1; + } + } + + return 0; +} + int define_ipv6_node_context(void) { char *id; 
@@ -5376,6 +5474,14 @@ goto out; } + if (!ipv6_is_mask_contiguous(&mask)) { + yywarn("ipv6 mask is not contiguous"); + } + + if (ipv6_has_host_bits_set(&addr, &mask)) { + yywarn("host bits in ipv6 address set"); + } + newc = malloc(sizeof(ocontext_t)); if (!newc) { yyerror("out of memory");
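Review bot: The contiguity test added in the ipv4 node hunk, `((~mask.s_addr + 1) & ~mask.s_addr) != 0`, operates on `s_addr` as a host-order integer, but `struct in_addr` holds the mask in network byte order; on a little-endian host a valid mask such as 255.255.255.0 is seen as 0x00ffffff and triggers "ipv4 mask is not contiguous", while some malformed masks pass silently. Convert first, `uint32_t m = ntohl(mask.s_addr);` and test `(~m + 1) & ~m` (and keep the `m != 0` guard), unless `mask` was already converted earlier in define_ipv4_node_context, whose start is outside the hunk. The host-bits test `(~mask.s_addr & addr.s_addr) != 0` is byte-order independent and fine, and the new ipv6 helpers compare byte by byte so they are unaffected. Note that both checks only emit `yywarn`, so a bad nodecon still compiles into the policy; if that is intended, a one-line comment saying so would help the next reader.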
_service:tar_scm:checkpolicy-3.3.tar.gz/policy_scan.l -> _service:tar_scm:checkpolicy-3.4.tar.gz/policy_scan.l
Changed
@@ -60,7 +60,14 @@ %% \n.* { +#if defined(__GNUC__) && __GNUC__ >= 8 +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wstringop-truncation" +#endif strncpy(linebuflno, yytext+1, 255); +#if defined(__GNUC__) && __GNUC__ >= 8 +#pragma GCC diagnostic pop +#endif linebuflno254 = 0; lno = 1 - lno; policydb_lineno++; @@ -308,11 +315,11 @@ int yyerror(const char *msg) { if (source_file0) - fprintf(stderr, "%s:%ld:", + fprintf(stderr, "%s:%lu:", source_file, source_lineno); else fprintf(stderr, "(unknown source)::"); - fprintf(stderr, "ERROR '%s' at token '%s' on line %ld:\n%s\n%s\n", + fprintf(stderr, "ERROR '%s' at token '%s' on line %lu:\n%s\n%s\n", msg, yytext, policydb_lineno, @@ -327,11 +334,11 @@ return yyerror(msg); if (source_file0) - fprintf(stderr, "%s:%ld:", + fprintf(stderr, "%s:%lu:", source_file, source_lineno); else fprintf(stderr, "(unknown source)::"); - fprintf(stderr, "WARNING '%s' at token '%s' on line %ld:\n%s\n%s\n", + fprintf(stderr, "WARNING '%s' at token '%s' on line %lu:\n%s\n%s\n", msg, yytext, policydb_lineno,
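Review bot: The `#pragma GCC diagnostic ignored "-Wstringop-truncation"` pair around `strncpy(..., yytext+1, 255)` only hides the warning; the copy is still only safe because of the explicit terminator store that follows it, and the version-gated pragmas add four lines of compiler-specific noise to the scanner. A bounded format copy into the same line buffer, `snprintf(dst, sizeof dst, "%s", yytext + 1);` with `dst` being that buffer, is warning-free on every compiler, always NUL-terminates, and makes the trailing terminator assignment redundant. Separately, the `%ld` to `%lu` changes in `yyerror` and `yywarn` are only correct if `source_lineno` and `policydb_lineno` are declared `unsigned long`; their declarations are outside this hunk, so confirm them under `-Wformat` rather than assuming the conversion matches.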