kybaaz/linux-xiaomi-chiron
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

selinux: declare data arrays const

Browse source 
The arrays for the policy capability names, the initial sid identifiers
and the class and permission names are not changed at runtime.  Declare
them const to avoid accidental modification.

Do not override the classmap and the initial sid list in the build time
script genheaders.

Check flose(3) is successful in genheaders.c, otherwise the written data
might be corrupted or incomplete.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: manual merge due to fuzz, minor style tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Christian Göttsche 2022-05-02 16:43:38 +02:00 committed by Paul Moore
parent a9029d9704
commit ded34574d4
11 changed files with 71 additions and 58 deletions
Download patch file Download diff file Expand all files Collapse all files

75
scripts/selinux/genheaders/genheaders.c
View file

@ -59,35 +59,27 @@ int main(int argc, char *argv[])
exit(2);
}
for (i = 0; secclass_map[i].name; i++) {
struct security_class_mapping *map = &secclass_map[i];
map->name = stoupperx(map->name);
for (j = 0; map->perms[j]; j++)
map->perms[j] = stoupperx(map->perms[j]);
}
isids_len = sizeof(initial_sid_to_string) / sizeof (char *);
for (i = 1; i < isids_len; i++) {
const char *s = initial_sid_to_string[i];
if (s)
initial_sid_to_string[i] = stoupperx(s);
}
fprintf(fout, "/* This file is automatically generated. Do not edit. */\n");
fprintf(fout, "#ifndef _SELINUX_FLASK_H_\n#define _SELINUX_FLASK_H_\n\n");
for (i = 0; secclass_map[i].name; i++) {
struct security_class_mapping *map = &secclass_map[i];
fprintf(fout, "#define SECCLASS_%-39s %2d\n", map->name, i+1);
char *name = stoupperx(secclass_map[i].name);
fprintf(fout, "#define SECCLASS_%-39s %2d\n", name, i+1);
free(name);
}
fprintf(fout, "\n");
isids_len = sizeof(initial_sid_to_string) / sizeof(char *);
for (i = 1; i < isids_len; i++) {
const char *s = initial_sid_to_string[i];
if (s)
fprintf(fout, "#define SECINITSID_%-39s %2d\n", s, i);
if (s) {
char *sidname = stoupperx(s);
fprintf(fout, "#define SECINITSID_%-39s %2d\n", sidname, i);
free(sidname);
}
}
fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
fprintf(fout, "\nstatic inline bool security_is_socket_class(u16 kern_tclass)\n");
@ -96,10 +88,14 @@ int main(int argc, char *argv[])
fprintf(fout, "\tswitch (kern_tclass) {\n");
for (i = 0; secclass_map[i].name; i++) {
static char s[] = "SOCKET";
struct security_class_mapping *map = &secclass_map[i];
int len = strlen(map->name), l = sizeof(s) - 1;
if (len >= l && memcmp(map->name + len - l, s, l) == 0)
fprintf(fout, "\tcase SECCLASS_%s:\n", map->name);
int len, l;
char *name = stoupperx(secclass_map[i].name);
len = strlen(name);
l = sizeof(s) - 1;
if (len >= l && memcmp(name + len - l, s, l) == 0)
fprintf(fout, "\tcase SECCLASS_%s:\n", name);
free(name);
}
fprintf(fout, "\t\tsock = true;\n");
fprintf(fout, "\t\tbreak;\n");
@ -110,33 +106,52 @@ int main(int argc, char *argv[])
fprintf(fout, "}\n");
fprintf(fout, "\n#endif\n");
fclose(fout);
if (fclose(fout) != 0) {
fprintf(stderr, "Could not successfully close %s: %s\n",
argv[1], strerror(errno));
exit(4);
}
fout = fopen(argv[2], "w");
if (!fout) {
fprintf(stderr, "Could not open %s for writing: %s\n",
argv[2], strerror(errno));
exit(4);
exit(5);
}
fprintf(fout, "/* This file is automatically generated. Do not edit. */\n");
fprintf(fout, "#ifndef _SELINUX_AV_PERMISSIONS_H_\n#define _SELINUX_AV_PERMISSIONS_H_\n\n");
for (i = 0; secclass_map[i].name; i++) {
struct security_class_mapping *map = &secclass_map[i];
int len = strlen(map->name);
const struct security_class_mapping *map = &secclass_map[i];
int len;
char *name = stoupperx(map->name);
len = strlen(name);
for (j = 0; map->perms[j]; j++) {
char *permname;
if (j >= 32) {
fprintf(stderr, "Too many permissions to fit into an access vector at (%s, %s).\n",
map->name, map->perms[j]);
exit(5);
}
fprintf(fout, "#define %s__%-*s 0x%08xU\n", map->name,
39-len, map->perms[j], 1U<<j);
permname = stoupperx(map->perms[j]);
fprintf(fout, "#define %s__%-*s 0x%08xU\n", name,
39-len, permname, 1U<<j);
free(permname);
}
free(name);
}
fprintf(fout, "\n#endif\n");
fclose(fout);
if (fclose(fout) != 0) {
fprintf(stderr, "Could not successfully close %s: %s\n",
argv[2], strerror(errno));
exit(6);
}
exit(0);
}

4
scripts/selinux/mdp/mdp.c
View file

@ -82,7 +82,7 @@ int main(int argc, char *argv[])
/* print out the class permissions */
for (i = 0; secclass_map[i].name; i++) {
struct security_class_mapping *map = &secclass_map[i];
const struct security_class_mapping *map = &secclass_map[i];
fprintf(fout, "class %s\n", map->name);
fprintf(fout, "{\n");
for (j = 0; map->perms[j]; j++)
@ -103,7 +103,7 @@ int main(int argc, char *argv[])
#define SYSTEMLOW "s0"
#define SYSTEMHIGH "s1:c0.c1"
for (i = 0; secclass_map[i].name; i++) {
struct security_class_mapping *map = &secclass_map[i];
const struct security_class_mapping *map = &secclass_map[i];
fprintf(fout, "mlsconstrain %s {\n", map->name);
for (j = 0; map->perms[j]; j++)