diff --git a/0001-libsemanage-Remove-legacy-and-duplicate-symbols.patch b/0001-libsemanage-Remove-legacy-and-duplicate-symbols.patch deleted file mode 100644 index 14cacc2..0000000 --- a/0001-libsemanage-Remove-legacy-and-duplicate-symbols.patch +++ /dev/null @@ -1,233 +0,0 @@ -From b46406de8a93abe10e685c422597516517c0bff3 Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Fri, 9 Oct 2020 15:00:50 +0200 -Subject: [PATCH] libsemanage: Remove legacy and duplicate symbols - -Versioned duplicate symbols cause problems for LTO. These symbols were -introduced during the CIL integration several releases ago and were only -consumed by other SELinux userspace components. - -Related: https://github.com/SELinuxProject/selinux/issues/245 - -Signed-off-by: Petr Lautrbach ---- - libsemanage/include/semanage/modules.h | 2 +- - libsemanage/src/libsemanage.map | 5 -- - libsemanage/src/modules.c | 100 +------------------------ - libsemanage/src/modules.h | 9 +-- - libsemanage/src/semanageswig_python.i | 2 - - 5 files changed, 4 insertions(+), 114 deletions(-) - -diff --git a/libsemanage/include/semanage/modules.h b/libsemanage/include/semanage/modules.h -index ac4039314857..b51f61f033d5 100644 ---- a/libsemanage/include/semanage/modules.h -+++ b/libsemanage/include/semanage/modules.h -@@ -33,7 +33,7 @@ typedef struct semanage_module_key semanage_module_key_t; - */ - - extern int semanage_module_install(semanage_handle_t *, -- char *module_data, size_t data_len, char *name, char *ext_lang); -+ char *module_data, size_t data_len, const char *name, const char *ext_lang); - extern int semanage_module_install_file(semanage_handle_t *, - const char *module_name); - extern int semanage_module_remove(semanage_handle_t *, char *module_name); -diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map -index 1375a8ca0ea7..4bec06aaae27 100644 ---- a/libsemanage/src/libsemanage.map -+++ b/libsemanage/src/libsemanage.map -@@ -167,18 +167,13 @@ LIBSEMANAGE_1.0 { - semanage_mls_enabled; - semanage_module_disable; - semanage_module_enable; -- semanage_module_get_enabled; - semanage_module_get_name; - semanage_module_get_version; - semanage_module_info_datum_destroy; -- semanage_module_install; -- semanage_module_install_base; -- semanage_module_install_base_file; - semanage_module_install_file; - semanage_module_list; - semanage_module_list_nth; - semanage_module_remove; -- semanage_module_upgrade; - semanage_module_upgrade_file; - semanage_msg_get_channel; - semanage_msg_get_fname; -diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c -index 6d3eb60ae462..8b36801038df 100644 ---- a/libsemanage/src/modules.c -+++ b/libsemanage/src/modules.c -@@ -42,70 +42,7 @@ - #include "modules.h" - #include "debug.h" - --asm(".symver semanage_module_get_enabled_1_1,semanage_module_get_enabled@@LIBSEMANAGE_1.1"); --asm(".symver semanage_module_get_enabled_1_0,semanage_module_get_enabled@LIBSEMANAGE_1.0"); --asm(".symver semanage_module_install_pp,semanage_module_install@LIBSEMANAGE_1.0"); --asm(".symver semanage_module_install_hll,semanage_module_install@@LIBSEMANAGE_1.1"); -- --/* Takes a module stored in 'module_data' and parses its headers. -- * Sets reference variables 'module_name' to module's name and -- * 'version' to module's version. The caller is responsible for -- * free()ing 'module_name' and 'version'; they will be -- * set to NULL upon entering this function. Returns 0 on success, -1 -- * if out of memory, or -2 if data did not represent a module. -- */ --static int parse_module_headers(semanage_handle_t * sh, char *module_data, -- size_t data_len, char **module_name, char **version) --{ -- struct sepol_policy_file *pf; -- int file_type; -- *version = NULL; -- -- if (sepol_policy_file_create(&pf)) { -- ERR(sh, "Out of memory!"); -- return -1; -- } -- sepol_policy_file_set_mem(pf, module_data, data_len); -- sepol_policy_file_set_handle(pf, sh->sepolh); -- if (module_data == NULL || -- data_len == 0 || -- sepol_module_package_info(pf, &file_type, module_name, version) == -1) { -- sepol_policy_file_free(pf); -- ERR(sh, "Could not parse module data."); -- return -2; -- } -- sepol_policy_file_free(pf); -- if (file_type != SEPOL_POLICY_MOD) { -- ERR(sh, "Data did not represent a pp module. Please upgrade to the latest version of libsemanage to support hll modules."); -- return -2; -- } -- -- return 0; --} -- --/* This function is used to preserve ABI compatibility with -- * versions of semodule using LIBSEMANAGE_1.0 -- */ --int semanage_module_install_pp(semanage_handle_t * sh, -- char *module_data, size_t data_len) --{ -- char *name = NULL; -- char *version = NULL; -- int status; -- -- if ((status = parse_module_headers(sh, module_data, data_len, &name, &version)) != 0) { -- goto cleanup; -- } -- -- status = semanage_module_install_hll(sh, module_data, data_len, name, "pp"); -- --cleanup: -- free(name); -- free(version); -- return status; --} -- --int semanage_module_install_hll(semanage_handle_t * sh, -+int semanage_module_install(semanage_handle_t * sh, - char *module_data, size_t data_len, const char *name, const char *ext_lang) - { - if (sh->funcs->install == NULL) { -@@ -160,16 +97,6 @@ int semanage_module_extract(semanage_handle_t * sh, - return sh->funcs->extract(sh, modkey, extract_cil, mapped_data, data_len, modinfo); - } - --/* Legacy function that remains to preserve ABI -- * compatibility. Please use semanage_module_install instead. -- */ --int semanage_module_upgrade(semanage_handle_t * sh, -- char *module_data, size_t data_len) --{ -- return semanage_module_install_pp(sh, module_data, data_len); -- --} -- - /* Legacy function that remains to preserve ABI - * compatibility. Please use semanage_module_install_file instead. - */ -@@ -179,24 +106,6 @@ int semanage_module_upgrade_file(semanage_handle_t * sh, - return semanage_module_install_file(sh, module_name); - } - --/* Legacy function that remains to preserve ABI -- * compatibility. Please use semanage_module_install instead. -- */ --int semanage_module_install_base(semanage_handle_t * sh, -- char *module_data, size_t data_len) --{ -- return semanage_module_install_pp(sh, module_data, data_len); --} -- --/* Legacy function that remains to preserve ABI -- * compatibility. Please use semanage_module_install_file instead. -- */ --int semanage_module_install_base_file(semanage_handle_t * sh, -- const char *module_name) --{ -- return semanage_module_install_file(sh, module_name); --} -- - int semanage_module_remove(semanage_handle_t * sh, char *module_name) - { - if (sh->funcs->remove == NULL) { -@@ -780,7 +689,7 @@ int semanage_module_key_set_priority(semanage_handle_t *sh, - } - - --int semanage_module_get_enabled_1_1(semanage_handle_t *sh, -+int semanage_module_get_enabled(semanage_handle_t *sh, - const semanage_module_key_t *modkey, - int *enabled) - { -@@ -800,11 +709,6 @@ int semanage_module_get_enabled_1_1(semanage_handle_t *sh, - return sh->funcs->get_enabled(sh, modkey, enabled); - } - --int semanage_module_get_enabled_1_0(semanage_module_info_t *modinfo) --{ -- return modinfo->enabled; --} -- - int semanage_module_set_enabled(semanage_handle_t *sh, - const semanage_module_key_t *modkey, - int enabled) -diff --git a/libsemanage/src/modules.h b/libsemanage/src/modules.h -index 2d3576fb15df..64d4a157f5ca 100644 ---- a/libsemanage/src/modules.h -+++ b/libsemanage/src/modules.h -@@ -26,16 +26,9 @@ - - #include "semanage/modules.h" - --int semanage_module_install_pp(semanage_handle_t * sh, -- char *module_data, size_t data_len); --int semanage_module_install_hll(semanage_handle_t * sh, -- char *module_data, size_t data_len, const char *name, const char *ext_lang); --int semanage_module_upgrade(semanage_handle_t * sh, -- char *module_data, size_t data_len); -+ - int semanage_module_upgrade_file(semanage_handle_t * sh, - const char *module_name); --int semanage_module_install_base(semanage_handle_t * sh, -- char *module_data, size_t data_len); - int semanage_module_install_base_file(semanage_handle_t * sh, - const char *module_name); - -diff --git a/libsemanage/src/semanageswig_python.i b/libsemanage/src/semanageswig_python.i -index 8dd79fc24213..5f0113966962 100644 ---- a/libsemanage/src/semanageswig_python.i -+++ b/libsemanage/src/semanageswig_python.i -@@ -30,8 +30,6 @@ - %} - - %include "stdint.i" --%ignore semanage_module_install_pp; --%ignore semanage_module_install_hll; - - %wrapper %{ - --- -2.29.0 - diff --git a/0001-libsemanage-fix-use-after-free-in-parse_module_store.patch b/0001-libsemanage-fix-use-after-free-in-parse_module_store.patch new file mode 100644 index 0000000..065178e --- /dev/null +++ b/0001-libsemanage-fix-use-after-free-in-parse_module_store.patch @@ -0,0 +1,36 @@ +From 6bff61c5981d4b928a0c304aad0b4adf772776cd Mon Sep 17 00:00:00 2001 +From: HuaxinLu +Date: Mon, 14 Jun 2021 12:21:26 +0800 +Subject: [PATCH] libsemanage: fix use-after-free in parse_module_store() + +The passing parameter "arg" of parse_module_store will be freed after +calling. A copy of parameter should be used instead of itself. + +Signed-off-by: HuaxinLu +Acked-by: James Carter +--- + libsemanage/src/conf-parse.y | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y +index 9bf9364a1ce4..eac913447ecd 100644 +--- a/libsemanage/src/conf-parse.y ++++ b/libsemanage/src/conf-parse.y +@@ -516,12 +516,12 @@ static int parse_module_store(char *arg) + char *s; + current_conf->store_type = SEMANAGE_CON_POLSERV_REMOTE; + if ((s = strchr(arg, ':')) == NULL) { +- current_conf->store_path = arg; ++ current_conf->store_path = strdup(arg); + current_conf->server_port = 4242; + } else { + char *endptr; + *s = '\0'; +- current_conf->store_path = arg; ++ current_conf->store_path = strdup(arg); + current_conf->server_port = strtol(s + 1, &endptr, 10); + if (*(s + 1) == '\0' || *endptr != '\0') { + return -2; +-- +2.32.0 + diff --git a/0002-libsemanage-silence-Wextra-semi-stmt-warning.patch b/0002-libsemanage-silence-Wextra-semi-stmt-warning.patch new file mode 100644 index 0000000..2455d95 --- /dev/null +++ b/0002-libsemanage-silence-Wextra-semi-stmt-warning.patch @@ -0,0 +1,65 @@ +From e1c6df329ce988bb03e9b0aa72cace3d679b9f9c Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Sat, 3 Jul 2021 16:31:19 +0200 +Subject: [PATCH] libsemanage: silence -Wextra-semi-stmt warning + +On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt +(which is not the default build configuration), the compiler reports: + + genhomedircon.c:742:67: error: empty expression statement has no + effect; remove unnecessary ';' to silence this warning + [-Werror,-Wextra-semi-stmt] + const semanage_seuser_t **u2 = (const semanage_seuser_t **) arg2;; + ^ + +Signed-off-by: Nicolas Iooss +--- + libsemanage/src/genhomedircon.c | 2 +- + libsemanage/tests/libsemanage-tests.c | 18 +++++++++++------- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c +index d08c88de99a7..7ca9afc3c1c7 100644 +--- a/libsemanage/src/genhomedircon.c ++++ b/libsemanage/src/genhomedircon.c +@@ -740,7 +740,7 @@ static int write_user_context(genhomedircon_settings_t * s, FILE * out, + static int seuser_sort_func(const void *arg1, const void *arg2) + { + const semanage_seuser_t **u1 = (const semanage_seuser_t **) arg1; +- const semanage_seuser_t **u2 = (const semanage_seuser_t **) arg2;; ++ const semanage_seuser_t **u2 = (const semanage_seuser_t **) arg2; + const char *name1 = semanage_seuser_get_name(*u1); + const char *name2 = semanage_seuser_get_name(*u2); + +diff --git a/libsemanage/tests/libsemanage-tests.c b/libsemanage/tests/libsemanage-tests.c +index 2ae4a21be52a..ee1767034c28 100644 +--- a/libsemanage/tests/libsemanage-tests.c ++++ b/libsemanage/tests/libsemanage-tests.c +@@ -41,13 +41,17 @@ + #include + + #define DECLARE_SUITE(name) \ +- suite = CU_add_suite(#name, name##_test_init, name##_test_cleanup); \ +- if (NULL == suite) { \ +- CU_cleanup_registry(); \ +- return CU_get_error(); } \ +- if (name##_add_tests(suite)) { \ +- CU_cleanup_registry(); \ +- return CU_get_error(); } ++ do { \ ++ suite = CU_add_suite(#name, name##_test_init, name##_test_cleanup); \ ++ if (NULL == suite) { \ ++ CU_cleanup_registry(); \ ++ return CU_get_error(); \ ++ } \ ++ if (name##_add_tests(suite)) { \ ++ CU_cleanup_registry(); \ ++ return CU_get_error(); \ ++ } \ ++ } while (0) + + static void usage(char *progname) + { +-- +2.32.0 + diff --git a/0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch b/0003-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch similarity index 95% rename from 0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch rename to 0003-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch index b749443..fb3c99b 100644 --- a/0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch +++ b/0003-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch @@ -1,4 +1,4 @@ -From 20d75ec7c77c9c74d51d714db384b322b13fc731 Mon Sep 17 00:00:00 2001 +From cb0f1618cc3f81ac71717a426c6e471ccac1c065 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Wed, 7 Nov 2018 18:17:34 +0100 Subject: [PATCH] libsemanage: Fix RESOURCE_LEAK and USE_AFTER_FREE coverity @@ -62,5 +62,5 @@ index 9a4e79385b69..393ec9faf92d 100644 } -- -2.30.0 +2.32.0 diff --git a/0004-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_d.patch b/0004-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_d.patch new file mode 100644 index 0000000..8d810f4 --- /dev/null +++ b/0004-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_d.patch @@ -0,0 +1,42 @@ +From 29aeba547563f32b9a2240ddeebd3e3ccb9dcf78 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Wed, 28 Jul 2021 10:25:51 +0200 +Subject: [PATCH] libsemanage: Fix USE_AFTER_FREE (CWE-672) in + semanage_direct_write_langext() + +From fclose(3): +Upon successful completion, 0 is returned. Otherwise, EOF is returned +and errno is set to indicate the error. In either case, any further +access (including another call to fclose()) to the stream results in +undefined behavior. + +Fixes: + Error: USE_AFTER_FREE (CWE-672): [#def1] + libsemanage-3.2/src/direct_api.c:1023: freed_arg: "fclose" frees "fp". + libsemanage-3.2/src/direct_api.c:1034: use_closed_file: Calling "fclose" uses file handle "fp" after closing it. + # 1032| + # 1033| cleanup: + # 1034|-> if (fp != NULL) fclose(fp); + # 1035| + # 1036| return ret; + +Signed-off-by: Petr Lautrbach +--- + libsemanage/src/direct_api.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c +index 393ec9faf92d..b7a3e0f17cc1 100644 +--- a/libsemanage/src/direct_api.c ++++ b/libsemanage/src/direct_api.c +@@ -1022,6 +1022,7 @@ static int semanage_direct_write_langext(semanage_handle_t *sh, + + if (fclose(fp) != 0) { + ERR(sh, "Unable to close %s module ext file.", modinfo->name); ++ fp = NULL; + ret = -1; + goto cleanup; + } +-- +2.32.0 + diff --git a/libsemanage.spec b/libsemanage.spec index 848a998..d3fa9ee 100644 --- a/libsemanage.spec +++ b/libsemanage.spec @@ -1,16 +1,19 @@ -%define libsepolver 3.2-1 -%define libselinuxver 3.2-1 +%define libsepolver 3.2-3 +%define libselinuxver 3.2-5 Summary: SELinux binary policy manipulation library Name: libsemanage Version: 3.2 -Release: 2%{?dist} +Release: 3%{?dist} License: LGPLv2+ Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/libsemanage-3.2.tar.gz # fedora-selinux/selinux: git format-patch -N 3.2 -- libsemanage # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done # Patch list start -Patch0001: 0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch +Patch0001: 0001-libsemanage-fix-use-after-free-in-parse_module_store.patch +Patch0002: 0002-libsemanage-silence-Wextra-semi-stmt-warning.patch +Patch0003: 0003-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch +Patch0004: 0004-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_d.patch # Patch list end URL: https://github.com/SELinuxProject/selinux/wiki Source1: semanage.conf @@ -154,6 +157,9 @@ cp %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/semanage.conf %{_libexecdir}/selinux/semanage_migrate_store %changelog +* Wed Jul 28 2021 Petr Lautrbach - 3.2-4 +- Rebase on upstream commit 32611aea6543 + * Fri Apr 16 2021 Mohan Boddu - 3.2-2 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937