09820226ae
Rebase on upstream commit 32611aea6543
See
$ cd SELinuxProject/selinux
$ git log --pretty=oneline checkpolicy-3.2..32611aea6543 -- checkpolicy
98 lines
3.4 KiB
Diff
98 lines
3.4 KiB
Diff
From 750cc1136d054b77e84cd55be5fbe0e8ad0174e8 Mon Sep 17 00:00:00 2001
|
|
From: James Carter <jwcart2@gmail.com>
|
|
Date: Mon, 15 Mar 2021 11:09:37 -0400
|
|
Subject: [PATCH] checkpolicy: Do not automatically upgrade when using "-b"
|
|
flag
|
|
|
|
When reading a binary policy, do not automatically change the version
|
|
to the max policy version supported by libsepol or, if specified, the
|
|
value given using the "-c" flag.
|
|
|
|
If the binary policy version is less than or equal to version 23
|
|
(POLICYDB_VERSION_PERMISSIVE) than do not automatically upgrade the
|
|
policy and if a policy version is specified by the "-c" flag, only set
|
|
the binary policy to the specified version if it is lower than the
|
|
current version.
|
|
|
|
If the binary policy version is greater than version 23 than it should
|
|
be set to the maximum version supported by libsepol or, if specified,
|
|
the value given by the "-c" flag.
|
|
|
|
The reason for this change is that policy versions 20
|
|
(POLICYDB_VERSION_AVTAB) to 23 have a more primitive support for type
|
|
attributes where the datums are not written out, but they exist in the
|
|
type_attr_map. This means that when the binary policy is read by
|
|
libsepol, there will be gaps in the type_val_to_struct and
|
|
p_type_val_to_name arrays and policy rules can refer to those gaps.
|
|
Certain libsepol functions like sepol_kernel_policydb_to_conf() and
|
|
sepol_kernel_policydb_to_cil() do not support this behavior and need
|
|
to be able to identify these policies. Policies before version 20 do not
|
|
support attributes at all and can be handled by all libsepol functions.
|
|
|
|
Signed-off-by: James Carter <jwcart2@gmail.com>
|
|
---
|
|
checkpolicy/checkpolicy.c | 19 +++++++++++++++----
|
|
1 file changed, 15 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
|
|
index 5841c5c4c196..acf1eac41559 100644
|
|
--- a/checkpolicy/checkpolicy.c
|
|
+++ b/checkpolicy/checkpolicy.c
|
|
@@ -106,7 +106,7 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN;
|
|
static const char *txtfile = "policy.conf";
|
|
static const char *binfile = "policy";
|
|
|
|
-unsigned int policyvers = POLICYDB_VERSION_MAX;
|
|
+unsigned int policyvers = 0;
|
|
|
|
static __attribute__((__noreturn__)) void usage(const char *progname)
|
|
{
|
|
@@ -515,7 +515,8 @@ int main(int argc, char **argv)
|
|
}
|
|
|
|
if (show_version) {
|
|
- printf("%d (compatibility range %d-%d)\n", policyvers,
|
|
+ printf("%d (compatibility range %d-%d)\n",
|
|
+ policyvers ? policyvers : POLICYDB_VERSION_MAX ,
|
|
POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
|
|
exit(0);
|
|
}
|
|
@@ -588,6 +589,16 @@ int main(int argc, char **argv)
|
|
exit(1);
|
|
}
|
|
}
|
|
+
|
|
+ if (policydbp->policyvers <= POLICYDB_VERSION_PERMISSIVE) {
|
|
+ if (policyvers > policydbp->policyvers) {
|
|
+ fprintf(stderr, "Binary policies with version <= %u cannot be upgraded\n", POLICYDB_VERSION_PERMISSIVE);
|
|
+ } else if (policyvers) {
|
|
+ policydbp->policyvers = policyvers;
|
|
+ }
|
|
+ } else {
|
|
+ policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
|
|
+ }
|
|
} else {
|
|
if (conf) {
|
|
fprintf(stderr, "Can only generate policy.conf from binary policy\n");
|
|
@@ -629,6 +640,8 @@ int main(int argc, char **argv)
|
|
policydb_destroy(policydbp);
|
|
policydbp = &policydb;
|
|
}
|
|
+
|
|
+ policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
|
|
}
|
|
|
|
if (policydb_load_isids(&policydb, &sidtab))
|
|
@@ -654,8 +667,6 @@ int main(int argc, char **argv)
|
|
}
|
|
}
|
|
|
|
- policydb.policyvers = policyvers;
|
|
-
|
|
if (!cil) {
|
|
if (!conf) {
|
|
policydb.policy_type = POLICY_KERN;
|
|
--
|
|
2.32.0
|
|
|