checkpolicy-3.4-4

Rebase on upstream f56a72ac9e86

0001-checkpolicy-error-out-if-required-permission-would-e.patch

@@ -0,0 +1,51 @@
+From 25e9c91a8be5362fd4969f8b5e7710f62ec66ad5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 10 Jun 2022 17:06:37 +0200
+Subject: [PATCH] checkpolicy: error out if required permission would exceed
+ limit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+A require statement for a class permission adds that permission to the
+class representation for the current module.  In case the resulting
+class would have more than the supported amount of 32 permissions
+assigned the resulting binary module will fail to load at link-time
+without an informative error message (since [1]).
+
+Bail out if adding a permission would result in a class having more than
+the supported amount of 32 permissions assigned.
+
+[1]: https://github.com/SELinuxProject/selinux/commit/97af65f69644a3233d073ae93980a0d2e51f42e1
+
+Closes: https://github.com/SELinuxProject/selinux/issues/356
+Reported-by: Julie Pichon
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ checkpolicy/module_compiler.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
+index 129650fa2437..3188af892aa3 100644
+--- a/checkpolicy/module_compiler.c
++++ b/checkpolicy/module_compiler.c
+@@ -851,6 +851,14 @@ int require_class(int pass)
+ 				free(perm_id);
+ 				return -1;
+ 			}
++			if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) {
++				yyerror2("Class %s would have too many permissions "
++					 "to fit in an access vector with permission %s",
++					 policydbp->p_class_val_to_name[datum->s.value - 1],
++					 perm_id);
++				free(perm_id);
++				return -1;
++			}
+ 			allocated = 1;
+ 			if ((perm = malloc(sizeof(*perm))) == NULL) {
+ 				yyerror("Out of memory!");
+-- 
+2.38.1
+

0002-checkpolicy-use-strict-function-prototype-for-defini.patch

@@ -0,0 +1,52 @@
+From 2a9c619b5fecbf01e999d4e787f7606994319f0d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Mon, 8 Aug 2022 19:36:19 +0200
+Subject: [PATCH] checkpolicy: use strict function prototype for definitions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+Clang 15 starts to complain about non strict function definitions:
+
+    policy_define.c:4907:30: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+    int define_devicetree_context()
+                                 ^
+                                  void
+    policy_define.c:5298:29: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
+    int define_ipv4_node_context()
+                                ^
+                                 void
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ checkpolicy/policy_define.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
+index 8bf36859439c..f3b4887021c1 100644
+--- a/checkpolicy/policy_define.c
++++ b/checkpolicy/policy_define.c
+@@ -4904,7 +4904,7 @@ bad:
+ 	return -1;
+ }
+ 
+-int define_devicetree_context()
++int define_devicetree_context(void)
+ {
+ 	ocontext_t *newc, *c, *l, *head;
+ 
+@@ -5295,7 +5295,7 @@ int define_netif_context(void)
+ 	return 0;
+ }
+ 
+-int define_ipv4_node_context()
++int define_ipv4_node_context(void)
+ {	
+ 	char *id;
+ 	int rc = 0;
+-- 
+2.38.1
+

0003-checkpolicy-avoid-passing-NULL-pointer-to-memset.patch

@@ -0,0 +1,37 @@
+From c916f0884bd08b99ddc77b6a148a730d107a9979 Mon Sep 17 00:00:00 2001
+From: Juraj Marcin <juraj@jurajmarcin.com>
+Date: Mon, 29 Aug 2022 14:28:40 +0200
+Subject: [PATCH] checkpolicy: avoid passing NULL pointer to memset()
+Content-type: text/plain
+
+Function `class_perm_node_init()` is called with `dest_perms` before it
+is checked that its allocation succeeded. If the allocation fails, then
+a NULL pointer is passed to `memset()` inside the
+`class_perm_node_init()` function.
+
+Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
+---
+ checkpolicy/policy_define.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
+index f3b4887021c1..54bb304b331f 100644
+--- a/checkpolicy/policy_define.c
++++ b/checkpolicy/policy_define.c
+@@ -2371,11 +2371,12 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src)
+ 	src_perms = src->perms;
+ 	while (src_perms) {
+ 		dest_perms = (class_perm_node_t *) calloc(1, sizeof(class_perm_node_t));
+-		class_perm_node_init(dest_perms);
+ 		if (!dest_perms) {
+ 			yyerror("out of memory");
+ 			return -1;
+ 		}
++		class_perm_node_init(dest_perms);
++
+ 		if (!dest->perms)
+ 			dest->perms = dest_perms;
+ 		else
+-- 
+2.38.1
+

0004-docs-provide-a-top-level-LICENSE-file.patch

@@ -0,0 +1,26 @@
+From a0a216ff7d86004ddc36d516377f0a6ffe88076c Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Fri, 30 Sep 2022 17:44:12 -0400
+Subject: [PATCH] docs: provide a top level LICENSE file
+Content-type: text/plain
+
+Provide a top level LICENSE file explaining how multiple the SELinux
+userspace is released under multiple different licenses.  Also ensure
+that all the different license files share a consistent file name,
+LICENSE, to make it easier for people to identify the license files.
+
+This is to help meet the OpenSSF Best Practices requirements.
+
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+---
+ checkpolicy/{COPYING => LICENSE} | 0
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+ rename checkpolicy/{COPYING => LICENSE} (100%)
+
+diff --git a/checkpolicy/COPYING b/checkpolicy/LICENSE
+similarity index 100%
+rename from checkpolicy/COPYING
+rename to checkpolicy/LICENSE
+-- 
+2.38.1
+

checkpolicy.spec

@@ -1,10 +1,10 @@
-%define libselinuxver 3.4-1
+%define libselinuxver 3.4-6
-%define libsepolver 3.4-1
+%define libsepolver 3.4-4
 
 Summary: SELinux policy compiler
 Name: checkpolicy
 Version: 3.4
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL-2.0-or-later AND LGPL-2.1-or-later
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/checkpolicy-3.4.tar.gz
 # $ git clone https://github.com/fedora-selinux/selinux.git
@@ -12,6 +12,10 @@ Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/checkpo
 # $ git format-patch -N 3.4 -- checkpolicy
 # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
+Patch0001: 0001-checkpolicy-error-out-if-required-permission-would-e.patch
+Patch0002: 0002-checkpolicy-use-strict-function-prototype-for-defini.patch
+Patch0003: 0003-checkpolicy-avoid-passing-NULL-pointer-to-memset.patch
+Patch0004: 0004-docs-provide-a-top-level-LICENSE-file.patch
 # Patch list end
 BuildRequires: gcc
 BuildRequires: make
@@ -50,7 +54,7 @@ install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol
 
 %files
 %{!?_licensedir:%global license %%doc}
-%license COPYING
+%license LICENSE
 %{_bindir}/checkpolicy
 %{_bindir}/checkmodule
 %{_mandir}/man8/checkpolicy.8.gz
@@ -61,6 +65,9 @@ install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol
 %{_bindir}/sedispol
 
 %changelog
+* Mon Nov 21 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.4-4
+- Rebase on upstream f56a72ac9e86
+
 * Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.4-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild