checkpolicy-3.5-0.rc1.1
- SELinux userspace 3.5-rc1 release
parent
33ada68674
commit
e54c5cb165
1
.gitignore
1
.gitignore
@ -115,3 +115,4 @@ checkpolicy-2.0.22.tgz
|
||||
/checkpolicy-3.4-rc2.tar.gz
|
||||
/checkpolicy-3.4-rc3.tar.gz
|
||||
/checkpolicy-3.4.tar.gz
|
||||
/checkpolicy-3.5-rc1.tar.gz
|
||||
|
@ -1,51 +0,0 @@
|
||||
From 25e9c91a8be5362fd4969f8b5e7710f62ec66ad5 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Fri, 10 Jun 2022 17:06:37 +0200
|
||||
Subject: [PATCH] checkpolicy: error out if required permission would exceed
|
||||
limit
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Content-type: text/plain
|
||||
|
||||
A require statement for a class permission adds that permission to the
|
||||
class representation for the current module. In case the resulting
|
||||
class would have more than the supported amount of 32 permissions
|
||||
assigned the resulting binary module will fail to load at link-time
|
||||
without an informative error message (since [1]).
|
||||
|
||||
Bail out if adding a permission would result in a class having more than
|
||||
the supported amount of 32 permissions assigned.
|
||||
|
||||
[1]: https://github.com/SELinuxProject/selinux/commit/97af65f69644a3233d073ae93980a0d2e51f42e1
|
||||
|
||||
Closes: https://github.com/SELinuxProject/selinux/issues/356
|
||||
Reported-by: Julie Pichon
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
Acked-by: James Carter <jwcart2@gmail.com>
|
||||
---
|
||||
checkpolicy/module_compiler.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
|
||||
index 129650fa2437..3188af892aa3 100644
|
||||
--- a/checkpolicy/module_compiler.c
|
||||
+++ b/checkpolicy/module_compiler.c
|
||||
@@ -851,6 +851,14 @@ int require_class(int pass)
|
||||
free(perm_id);
|
||||
return -1;
|
||||
}
|
||||
+ if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) {
|
||||
+ yyerror2("Class %s would have too many permissions "
|
||||
+ "to fit in an access vector with permission %s",
|
||||
+ policydbp->p_class_val_to_name[datum->s.value - 1],
|
||||
+ perm_id);
|
||||
+ free(perm_id);
|
||||
+ return -1;
|
||||
+ }
|
||||
allocated = 1;
|
||||
if ((perm = malloc(sizeof(*perm))) == NULL) {
|
||||
yyerror("Out of memory!");
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,52 +0,0 @@
|
||||
From 2a9c619b5fecbf01e999d4e787f7606994319f0d Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Mon, 8 Aug 2022 19:36:19 +0200
|
||||
Subject: [PATCH] checkpolicy: use strict function prototype for definitions
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Content-type: text/plain
|
||||
|
||||
Clang 15 starts to complain about non strict function definitions:
|
||||
|
||||
policy_define.c:4907:30: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
|
||||
int define_devicetree_context()
|
||||
^
|
||||
void
|
||||
policy_define.c:5298:29: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
|
||||
int define_ipv4_node_context()
|
||||
^
|
||||
void
|
||||
|
||||
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||||
Reviewed-by: Daniel Burgener <dburgener@linux.microsoft.com>
|
||||
Acked-by: James Carter <jwcart2@gmail.com>
|
||||
---
|
||||
checkpolicy/policy_define.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
||||
index 8bf36859439c..f3b4887021c1 100644
|
||||
--- a/checkpolicy/policy_define.c
|
||||
+++ b/checkpolicy/policy_define.c
|
||||
@@ -4904,7 +4904,7 @@ bad:
|
||||
return -1;
|
||||
}
|
||||
|
||||
-int define_devicetree_context()
|
||||
+int define_devicetree_context(void)
|
||||
{
|
||||
ocontext_t *newc, *c, *l, *head;
|
||||
|
||||
@@ -5295,7 +5295,7 @@ int define_netif_context(void)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int define_ipv4_node_context()
|
||||
+int define_ipv4_node_context(void)
|
||||
{
|
||||
char *id;
|
||||
int rc = 0;
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,37 +0,0 @@
|
||||
From c916f0884bd08b99ddc77b6a148a730d107a9979 Mon Sep 17 00:00:00 2001
|
||||
From: Juraj Marcin <juraj@jurajmarcin.com>
|
||||
Date: Mon, 29 Aug 2022 14:28:40 +0200
|
||||
Subject: [PATCH] checkpolicy: avoid passing NULL pointer to memset()
|
||||
Content-type: text/plain
|
||||
|
||||
Function `class_perm_node_init()` is called with `dest_perms` before it
|
||||
is checked that its allocation succeeded. If the allocation fails, then
|
||||
a NULL pointer is passed to `memset()` inside the
|
||||
`class_perm_node_init()` function.
|
||||
|
||||
Signed-off-by: Juraj Marcin <juraj@jurajmarcin.com>
|
||||
---
|
||||
checkpolicy/policy_define.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
|
||||
index f3b4887021c1..54bb304b331f 100644
|
||||
--- a/checkpolicy/policy_define.c
|
||||
+++ b/checkpolicy/policy_define.c
|
||||
@@ -2371,11 +2371,12 @@ static int avrule_cpy(avrule_t *dest, const avrule_t *src)
|
||||
src_perms = src->perms;
|
||||
while (src_perms) {
|
||||
dest_perms = (class_perm_node_t *) calloc(1, sizeof(class_perm_node_t));
|
||||
- class_perm_node_init(dest_perms);
|
||||
if (!dest_perms) {
|
||||
yyerror("out of memory");
|
||||
return -1;
|
||||
}
|
||||
+ class_perm_node_init(dest_perms);
|
||||
+
|
||||
if (!dest->perms)
|
||||
dest->perms = dest_perms;
|
||||
else
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,26 +0,0 @@
|
||||
From a0a216ff7d86004ddc36d516377f0a6ffe88076c Mon Sep 17 00:00:00 2001
|
||||
From: Paul Moore <paul@paul-moore.com>
|
||||
Date: Fri, 30 Sep 2022 17:44:12 -0400
|
||||
Subject: [PATCH] docs: provide a top level LICENSE file
|
||||
Content-type: text/plain
|
||||
|
||||
Provide a top level LICENSE file explaining how multiple the SELinux
|
||||
userspace is released under multiple different licenses. Also ensure
|
||||
that all the different license files share a consistent file name,
|
||||
LICENSE, to make it easier for people to identify the license files.
|
||||
|
||||
This is to help meet the OpenSSF Best Practices requirements.
|
||||
|
||||
Signed-off-by: Paul Moore <paul@paul-moore.com>
|
||||
---
|
||||
checkpolicy/{COPYING => LICENSE} | 0
|
||||
1 file changed, 0 insertions(+), 0 deletions(-)
|
||||
rename checkpolicy/{COPYING => LICENSE} (100%)
|
||||
|
||||
diff --git a/checkpolicy/COPYING b/checkpolicy/LICENSE
|
||||
similarity index 100%
|
||||
rename from checkpolicy/COPYING
|
||||
rename to checkpolicy/LICENSE
|
||||
--
|
||||
2.38.1
|
||||
|
@ -1,21 +1,17 @@
|
||||
%define libselinuxver 3.4-6
|
||||
%define libsepolver 3.4-4
|
||||
%define libselinuxver 3.5-0
|
||||
%define libsepolver 3.5-0
|
||||
|
||||
Summary: SELinux policy compiler
|
||||
Name: checkpolicy
|
||||
Version: 3.4
|
||||
Release: 4%{?dist}
|
||||
Version: 3.5
|
||||
Release: 0.rc1.1%{?dist}
|
||||
License: GPL-2.0-or-later AND LGPL-2.1-or-later
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/checkpolicy-3.4.tar.gz
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.5-rc1/checkpolicy-3.5-rc1.tar.gz
|
||||
# $ git clone https://github.com/fedora-selinux/selinux.git
|
||||
# $ cd selinux
|
||||
# $ git format-patch -N 3.4 -- checkpolicy
|
||||
# $ git format-patch -N 3.5-rc1 -- checkpolicy
|
||||
# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
||||
# Patch list start
|
||||
Patch0001: 0001-checkpolicy-error-out-if-required-permission-would-e.patch
|
||||
Patch0002: 0002-checkpolicy-use-strict-function-prototype-for-defini.patch
|
||||
Patch0003: 0003-checkpolicy-avoid-passing-NULL-pointer-to-memset.patch
|
||||
Patch0004: 0004-docs-provide-a-top-level-LICENSE-file.patch
|
||||
# Patch list end
|
||||
BuildRequires: gcc
|
||||
BuildRequires: make
|
||||
@ -36,7 +32,7 @@ This package contains checkpolicy, the SELinux policy compiler.
|
||||
Only required for building policies.
|
||||
|
||||
%prep
|
||||
%autosetup -p 2 -n checkpolicy-%{version}
|
||||
%autosetup -p 2 -n checkpolicy-%{version}-rc1
|
||||
|
||||
%build
|
||||
|
||||
@ -65,6 +61,9 @@ install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol
|
||||
%{_bindir}/sedispol
|
||||
|
||||
%changelog
|
||||
* Tue Dec 27 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.1
|
||||
- SELinux userspace 3.5-rc1 release
|
||||
|
||||
* Mon Nov 21 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.4-4
|
||||
- Rebase on upstream f56a72ac9e86
|
||||
|
||||
|
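Review bot: The `-rc1` pre-release tag is now spelled out separately in the Release field, the Source0 URL and the `%autosetup -n checkpolicy-%{version}-rc1` line of the %prep hunk, so the next rc bump has to be made by hand in all three places. Defining it once, e.g. `%define rcver rc1` next to the existing `%define` lines and then `%autosetup -p 2 -n checkpolicy-%{version}-%{rcver}`, keeps the three in step. The four upstream backports are removed from the patch list while the description only says "3.5-rc1 release"; presumably they are contained in the new tarball, and stating that explicitly would make the rebase easier to audit.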
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (checkpolicy-3.4.tar.gz) = e7f7a4e987af473fd7cda0e47539061a8cb2e65a6b930f4736c538eb319129b260a3f03d2f50863e73a275ee3d58c441c33f95c80ea2bff6157e37226be54b92
|
||||
SHA512 (checkpolicy-3.5-rc1.tar.gz) = e1913a874b109a3a0456928ca24cb0ac718279278376aa8e00e03b06384756e13eef266139fa05c30d7a6b6970d754f063519e4eeba26b3827093f0cec4fe68a
|
||||
|