Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/libsepol.git#7a48f3506f90b8ae7621c7f8574656b6750f4bd7

0012-libsepol-cil-Give-error-for-more-than-one-true-or-fa.patch

@@ -0,0 +1,170 @@
+From 3b26f0566698926ba38cbf3fa702f3ff78862c5e Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Tue, 20 Oct 2020 09:28:56 -0400
+Subject: [PATCH] libsepol/cil: Give error for more than one true or false
+ block
+
+Both tunableif and booleanif use conditional blocks (either true or
+false). No ordering is imposed, so a false block can be first (or even
+the only) block. Checks are made to ensure that the first and second
+(if it exists) blocks are either true or false, but no checks are made
+to ensure that there is only one true and/or one false block. If there
+are more than one true or false block, only the first will be used and
+the other will be ignored.
+
+Create a function, cil_verify_conditional_blocks(), that gives an error
+along with a message if more than one true or false block is specified
+and call that function when building tunableif and booleanif blocks in
+the AST.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libsepol/cil/src/cil_build_ast.c | 44 +++++---------------------------
+ libsepol/cil/src/cil_verify.c    | 35 +++++++++++++++++++++++++
+ libsepol/cil/src/cil_verify.h    |  1 +
+ 3 files changed, 42 insertions(+), 38 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
+index 3aabb05ec534..a895583404a7 100644
+--- a/libsepol/cil/src/cil_build_ast.c
++++ b/libsepol/cil/src/cil_build_ast.c
+@@ -2821,7 +2821,6 @@ int cil_gen_boolif(struct cil_db *db, struct cil_tree_node *parse_current, struc
+ 	int syntax_len = sizeof(syntax)/sizeof(*syntax);
+ 	struct cil_booleanif *bif = NULL;
+ 	struct cil_tree_node *next = NULL;
+-	struct cil_tree_node *cond = NULL;
+ 	int rc = SEPOL_ERR;
+ 
+ 	if (db == NULL || parse_current == NULL || ast_node == NULL) {
+@@ -2841,27 +2840,12 @@ int cil_gen_boolif(struct cil_db *db, struct cil_tree_node *parse_current, struc
+ 		goto exit;
+ 	}
+ 
+-	cond = parse_current->next->next;
+-
+-	/* Destroying expr tree after stack is created*/
+-	if (cond->cl_head->data != CIL_KEY_CONDTRUE &&
+-		cond->cl_head->data != CIL_KEY_CONDFALSE) {
+-		rc = SEPOL_ERR;
+-		cil_log(CIL_ERR, "Conditional neither true nor false\n");
++	rc = cil_verify_conditional_blocks(parse_current->next->next);
++	if (rc != SEPOL_OK) {
+ 		goto exit;
+ 	}
+ 
+-	if (cond->next != NULL) {
+-		cond = cond->next;
+-		if (cond->cl_head->data != CIL_KEY_CONDTRUE &&
+-			cond->cl_head->data != CIL_KEY_CONDFALSE) {
+-			rc = SEPOL_ERR;
+-			cil_log(CIL_ERR, "Conditional neither true nor false\n");
+-			goto exit;
+-		}
+-	}
+-
+-
++	/* Destroying expr tree */
+ 	next = parse_current->next->next;
+ 	cil_tree_subtree_destroy(parse_current->next);
+ 	parse_current->next = next;
+@@ -2905,7 +2889,6 @@ int cil_gen_tunif(struct cil_db *db, struct cil_tree_node *parse_current, struct
+ 	int syntax_len = sizeof(syntax)/sizeof(*syntax);
+ 	struct cil_tunableif *tif = NULL;
+ 	struct cil_tree_node *next = NULL;
+-	struct cil_tree_node *cond = NULL;
+ 	int rc = SEPOL_ERR;
+ 
+ 	if (db == NULL || parse_current == NULL || ast_node == NULL) {
+@@ -2924,27 +2907,12 @@ int cil_gen_tunif(struct cil_db *db, struct cil_tree_node *parse_current, struct
+ 		goto exit;
+ 	}
+ 
+-	cond = parse_current->next->next;
+-
+-	if (cond->cl_head->data != CIL_KEY_CONDTRUE &&
+-		cond->cl_head->data != CIL_KEY_CONDFALSE) {
+-		rc = SEPOL_ERR;
+-		cil_log(CIL_ERR, "Conditional neither true nor false\n");
++	rc = cil_verify_conditional_blocks(parse_current->next->next);
++	if (rc != SEPOL_OK) {
+ 		goto exit;
+ 	}
+ 
+-	if (cond->next != NULL) {
+-		cond = cond->next;
+-
+-		if (cond->cl_head->data != CIL_KEY_CONDTRUE &&
+-			cond->cl_head->data != CIL_KEY_CONDFALSE) {
+-			rc = SEPOL_ERR;
+-			cil_log(CIL_ERR, "Conditional neither true nor false\n");
+-			goto exit;
+-		}
+-	}
+-
+-	/* Destroying expr tree after stack is created*/
++	/* Destroying expr tree */
+ 	next = parse_current->next->next;
+ 	cil_tree_subtree_destroy(parse_current->next);
+ 	parse_current->next = next;
+diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
+index c73bbeee371b..6706e21921fe 100644
+--- a/libsepol/cil/src/cil_verify.c
++++ b/libsepol/cil/src/cil_verify.c
+@@ -324,6 +324,41 @@ exit:
+ 	return SEPOL_ERR;
+ }
+ 
++int cil_verify_conditional_blocks(struct cil_tree_node *current)
++{
++	int found_true = CIL_FALSE;
++	int found_false = CIL_FALSE;
++
++	if (current->cl_head->data == CIL_KEY_CONDTRUE) {
++		found_true = CIL_TRUE;
++	} else if (current->cl_head->data == CIL_KEY_CONDFALSE) {
++		found_false = CIL_TRUE;
++	} else {
++		cil_tree_log(current, CIL_ERR, "Expected true or false block in conditional");
++		return SEPOL_ERR;
++	}
++
++	current = current->next;
++	if (current != NULL) {
++		if (current->cl_head->data == CIL_KEY_CONDTRUE) {
++			if (found_true) {
++				cil_tree_log(current, CIL_ERR, "More than one true block in conditional");
++				return SEPOL_ERR;
++			}
++		} else if (current->cl_head->data == CIL_KEY_CONDFALSE) {
++			if (found_false) {
++				cil_tree_log(current, CIL_ERR, "More than one false block in conditional");
++				return SEPOL_ERR;
++			}
++		} else {
++			cil_tree_log(current, CIL_ERR, "Expected true or false block in conditional");
++			return SEPOL_ERR;
++		}
++	}
++
++	return SEPOL_OK;
++}
++
+ int cil_verify_no_self_reference(struct cil_symtab_datum *datum, struct cil_list *datum_list)
+ {
+ 	struct cil_list_item *i;
+diff --git a/libsepol/cil/src/cil_verify.h b/libsepol/cil/src/cil_verify.h
+index bda1565fced5..905761b0a19c 100644
+--- a/libsepol/cil/src/cil_verify.h
++++ b/libsepol/cil/src/cil_verify.h
+@@ -61,6 +61,7 @@ int __cil_verify_syntax(struct cil_tree_node *parse_current, enum cil_syntax s[]
+ int cil_verify_expr_syntax(struct cil_tree_node *current, enum cil_flavor op, enum cil_flavor expr_flavor);
+ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_flavor r_flavor, enum cil_flavor op, enum cil_flavor expr_flavor);
+ int cil_verify_constraint_expr_syntax(struct cil_tree_node *current, enum cil_flavor op);
++int cil_verify_conditional_blocks(struct cil_tree_node *current);
+ int cil_verify_no_self_reference(struct cil_symtab_datum *datum, struct cil_list *datum_list);
+ int __cil_verify_ranges(struct cil_list *list);
+ int __cil_verify_ordered_node_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args);
+-- 
+2.29.2
+

0013-libsepol-free-memory-when-realloc-fails.patch

@@ -0,0 +1,81 @@
+From a2bd2a8ea5ef687e8b4dc2694f7d5e99a1ec2a06 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Thu, 12 Nov 2020 21:24:06 +0100
+Subject: [PATCH] libsepol: free memory when realloc() fails
+
+In get_class_info(), if realloc(class_buf, new_class_buf_len) fails to
+grow the memory, the function returns NULL without freeing class_buf.
+This leads to a memory leak which is reported by clang's static
+analyzer:
+https://580-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-11-11-194150-6152-1/report-42a899.html#EndPath
+
+Fix the memory leak by calling free(class_buf).
+
+While at it, use size_t insted of int to store the size of the buffer
+which is growing.
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+---
+ libsepol/src/services.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/libsepol/src/services.c b/libsepol/src/services.c
+index beb0711f6680..72b39657cd2e 100644
+--- a/libsepol/src/services.c
++++ b/libsepol/src/services.c
+@@ -312,17 +312,20 @@ static char *get_class_info(sepol_security_class_t tclass,
+ 	else
+ 		state_num = mls + 2;
+ 
+-	int class_buf_len = 0;
+-	int new_class_buf_len;
+-	int len, buf_used;
++	size_t class_buf_len = 0;
++	size_t new_class_buf_len;
++	size_t buf_used;
++	int len;
+ 	char *class_buf = NULL, *p;
+ 	char *new_class_buf = NULL;
+ 
+ 	while (1) {
+ 		new_class_buf_len = class_buf_len + EXPR_BUF_SIZE;
+ 		new_class_buf = realloc(class_buf, new_class_buf_len);
+-			if (!new_class_buf)
+-				return NULL;
++		if (!new_class_buf) {
++			free(class_buf);
++			return NULL;
++		}
+ 		class_buf_len = new_class_buf_len;
+ 		class_buf = new_class_buf;
+ 		buf_used = 0;
+@@ -330,7 +333,7 @@ static char *get_class_info(sepol_security_class_t tclass,
+ 
+ 		/* Add statement type */
+ 		len = snprintf(p, class_buf_len - buf_used, "%s", statements[state_num]);
+-		if (len < 0 || len >= class_buf_len - buf_used)
++		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
+ 			continue;
+ 
+ 		/* Add class entry */
+@@ -338,7 +341,7 @@ static char *get_class_info(sepol_security_class_t tclass,
+ 		buf_used += len;
+ 		len = snprintf(p, class_buf_len - buf_used, "%s ",
+ 				policydb->p_class_val_to_name[tclass - 1]);
+-		if (len < 0 || len >= class_buf_len - buf_used)
++		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
+ 			continue;
+ 
+ 		/* Add permission entries (validatetrans does not have perms) */
+@@ -351,7 +354,7 @@ static char *get_class_info(sepol_security_class_t tclass,
+ 		} else {
+ 			len = snprintf(p, class_buf_len - buf_used, "(");
+ 		}
+-		if (len < 0 || len >= class_buf_len - buf_used)
++		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
+ 			continue;
+ 		break;
+ 	}
+-- 
+2.29.2
+

gating.yaml

@@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+

libsepol.spec

@@ -1,7 +1,7 @@
 Summary: SELinux binary policy manipulation library
 Name: libsepol
 Version: 3.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: LGPLv2+
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libsepol-3.1.tar.gz
 URL: https://github.com/SELinuxProject/selinux/wiki
@@ -21,9 +21,13 @@ Patch0008: 0008-libsepol-silence-potential-NULL-pointer-dereference-.patch
 Patch0009: 0009-libsepol-Get-rid-of-the-old-and-duplicated-symbols.patch
 Patch0010: 0010-libsepol-Drop-deprecated-functions.patch
 Patch0011: 0011-libsepol-Bump-libsepol.so-version.patch
+Patch0012: 0012-libsepol-cil-Give-error-for-more-than-one-true-or-fa.patch
+Patch0013: 0013-libsepol-free-memory-when-realloc-fails.patch
 # Patch list end
+BuildRequires: make
 BuildRequires: gcc
 BuildRequires: flex
+Obsoletes: %{name}-compat = 3.1-4
 
 %description
 Security-enhanced Linux is a feature of the Linux® kernel and a number
@@ -57,12 +61,6 @@ Requires: %{name}-devel%{?_isa} = %{version}-%{release}
 The libsepol-static package contains the static libraries and header files
 needed for developing applications that manipulate binary policies. 
 
-%package compat
-Summary: Temporary compat libsepol.so.1 used for transition to libsepol.so.2
-
-%description compat
-Temporary compat libsepol.so.1 used for transition to libsepol.so.2
-
 %prep
 %autosetup -p 2 -n libsepol-%{version}
 
@@ -90,12 +88,6 @@ rm -f ${RPM_BUILD_ROOT}%{_bindir}/chkcon
 rm -rf ${RPM_BUILD_ROOT}%{_mandir}/man8
 rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8
 
-%set_build_flags
-CFLAGS="$CFLAGS -fno-semantic-interposition"
-sed -i 's/LIBVERSION = 2/LIBVERSION = 1/' src/Makefile
-%make_build
-cp src/libsepol.so.1 ${RPM_BUILD_ROOT}/%{_libdir}/libsepol.so.1
-
 %files static
 %{_libdir}/libsepol.a
 
@@ -115,10 +107,11 @@ cp src/libsepol.so.1 ${RPM_BUILD_ROOT}/%{_libdir}/libsepol.so.1
 %license COPYING
 %{_libdir}/libsepol.so.2
 
-%files compat
-%{_libdir}/libsepol.so.1
-
 %changelog
+* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
+- Drop and obsolete libsepol-compat subpackage
+- cil: Give error for more than one true or false block
+
 * Fri Oct 23 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
 - Drop deprecated functions and duplicated symbols
 - Dange library version to libsepol.so.2