diff --git a/.gitignore b/.gitignore
index 15d30da..d79ffa9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libsepol-2.9.tar.gz
+libsepol-3.8.tar.gz
diff --git a/.libsepol.metadata b/.libsepol.metadata
deleted file mode 100644
index 8f9bf80..0000000
--- a/.libsepol.metadata
+++ /dev/null
@@ -1 +0,0 @@
-b2447a0b2ea8dd45737535c3e407c950f16dcca5 SOURCES/libsepol-2.9.tar.gz
diff --git a/SOURCES/0001-libsepol-cil-Fix-out-of-bound-read-of-file-context-p.patch b/SOURCES/0001-libsepol-cil-Fix-out-of-bound-read-of-file-context-p.patch
deleted file mode 100644
index dc2da32..0000000
--- a/SOURCES/0001-libsepol-cil-Fix-out-of-bound-read-of-file-context-p.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 2b2f42f9311ede75c3fe61d356094999e8e161b9 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Thu, 8 Apr 2021 13:24:29 -0400
-Subject: [PATCH] libsepol/cil: Fix out-of-bound read of file context pattern
- ending with "\"
-
-Based on patch by Nicolas Iooss, who writes:
- OSS-Fuzz found a Heap-buffer-overflow in the CIL compiler when trying
- to compile the following policy:
-
- (sid SID)
- (sidorder(SID))
- (filecon "\" any ())
- (filecon "" any ())
-
- When cil_post_fc_fill_data() processes "\", it goes beyond the NUL
- terminator of the string. Fix this by returning when '\0' is read
- after a backslash.
-
-To be consistent with the function compute_diffdata() in
-refpolicy/support/fc_sort.py, also increment str_len in this case.
-
-Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28484
-Reported-by: Nicolas Iooss
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_post.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
-index 0b09cecc..bdeaa7c6 100644
---- a/libsepol/cil/src/cil_post.c
-+++ b/libsepol/cil/src/cil_post.c
-@@ -179,6 +179,13 @@ void cil_post_fc_fill_data(struct fc_data *fc, char *path)
- break;
- case '\\':
- c++;
-+ if (path[c] == '\0') {
-+ if (!fc->meta) {
-+ fc->stem_len++;
-+ }
-+ fc->str_len++;
-+ return;
-+ }
- /* FALLTHRU */
- default:
- if (!fc->meta) {
---
-2.30.2
-
diff --git a/SOURCES/0002-libsepol-cil-Destroy-classperms-list-when-resetting-.patch b/SOURCES/0002-libsepol-cil-Destroy-classperms-list-when-resetting-.patch
deleted file mode 100644
index 185e1ac..0000000
--- a/SOURCES/0002-libsepol-cil-Destroy-classperms-list-when-resetting-.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 5012fee580f5e4744166462855767949311f9154 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Thu, 8 Apr 2021 13:32:01 -0400
-Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting
- classpermission
-
-Nicolas Iooss reports:
- A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
- got reported as
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
- is misleading, or is caused by another issue that conflicts with the
- one I report in this message). Here is a minimized CIL policy which
- reproduces the issue:
-
- (class CLASS (PERM))
- (classorder (CLASS))
- (sid SID)
- (sidorder (SID))
- (user USER)
- (role ROLE)
- (type TYPE)
- (category CAT)
- (categoryorder (CAT))
- (sensitivity SENS)
- (sensitivityorder (SENS))
- (sensitivitycategory SENS (CAT))
- (allow TYPE self (CLASS (PERM)))
- (roletype ROLE TYPE)
- (userrole USER ROLE)
- (userlevel USER (SENS))
- (userrange USER ((SENS)(SENS (CAT))))
- (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
-
- (classpermission CLAPERM)
-
- (optional OPT
- (roletype nonexistingrole nonexistingtype)
- (classpermissionset CLAPERM (CLASS (PERM)))
- )
-
- The CIL policy fuzzer (which mimics secilc built with clang Address
- Sanitizer) reports:
-
- ==36541==ERROR: AddressSanitizer: heap-use-after-free on address
- 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
- 0x7ffe2a256588
- READ of size 8 at 0x603000004f98 thread T0
- #0 0x56445134c841 in __cil_verify_classperms
- /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
- #1 0x56445134a43e in __cil_verify_classpermission
- /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
- #2 0x56445134a43e in __cil_pre_verify_helper
- /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
- #3 0x5644513225ac in cil_tree_walk_core
- /selinux/libsepol/src/../cil/src/cil_tree.c:272:9
- #4 0x564451322ab1 in cil_tree_walk
- /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
- #5 0x5644513226af in cil_tree_walk_core
- /selinux/libsepol/src/../cil/src/cil_tree.c:284:9
- #6 0x564451322ab1 in cil_tree_walk
- /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
- #7 0x5644512b88fd in cil_pre_verify
- /selinux/libsepol/src/../cil/src/cil_post.c:2510:7
- #8 0x5644512b88fd in cil_post_process
- /selinux/libsepol/src/../cil/src/cil_post.c:2524:7
- #9 0x5644511856ff in cil_compile
- /selinux/libsepol/src/../cil/src/cil.c:564:7
-
-The classperms list of a classpermission rule is created and filled
-in when classpermissionset rules are processed, so it doesn't own any
-part of the list and shouldn't retain any of it when it is reset.
-
-Destroy the classperms list (without destroying the data in it) when
-resetting a classpermission rule.
-
-Reported-by: Nicolas Iooss
-Signed-off-by: James Carter
-
-(cherry-picked from SElinuxProject
- commit: f34d3d30c8325e4847a6b696fe7a3936a8a361f3)
----
- libsepol/cil/src/cil_reset_ast.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
-index 43e6b88e..73e1fcf0 100644
---- a/libsepol/cil/src/cil_reset_ast.c
-+++ b/libsepol/cil/src/cil_reset_ast.c
-@@ -52,7 +52,7 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
- return;
- }
-
-- cil_reset_classperms_list(cp->classperms);
-+ cil_list_destroy(&cp->classperms, CIL_FALSE);
- }
-
- static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
---
-2.30.2
-
diff --git a/SOURCES/0003-libsepol-cil-Destroy-classperm-list-when-resetting-m.patch b/SOURCES/0003-libsepol-cil-Destroy-classperm-list-when-resetting-m.patch
deleted file mode 100644
index 27d91ae..0000000
--- a/SOURCES/0003-libsepol-cil-Destroy-classperm-list-when-resetting-m.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 8c8a21d4ca75e4b767d3dfaa181a83e4c0e1f3a1 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Thu, 8 Apr 2021 13:32:04 -0400
-Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
-
-Map perms share the same struct as regular perms, but only the
-map perms use the classperms field. This field is a pointer to a
-list of classperms that is created and added to when resolving
-classmapping rules, so the map permission doesn't own any of the
-data in the list and this list should be destroyed when the AST is
-reset.
-
-When resetting a perm, destroy the classperms list without destroying
-the data in the list.
-
-Signed-off-by: James Carter
-
-(cherry-picked from SElinuxProject
- commit: 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba)
----
- libsepol/cil/src/cil_reset_ast.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
-index 73e1fcf0..f321b396 100644
---- a/libsepol/cil/src/cil_reset_ast.c
-+++ b/libsepol/cil/src/cil_reset_ast.c
-@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_class *class)
-
- static void cil_reset_perm(struct cil_perm *perm)
- {
-- cil_reset_classperms_list(perm->classperms);
-+ cil_list_destroy(&perm->classperms, CIL_FALSE);
- }
-
- static inline void cil_reset_classperms(struct cil_classperms *cp)
---
-2.30.2
-
diff --git a/SOURCES/0004-libsepol-cil-cil_reset_classperms_set-should-not-res.patch b/SOURCES/0004-libsepol-cil-cil_reset_classperms_set-should-not-res.patch
deleted file mode 100644
index bc37ffb..0000000
--- a/SOURCES/0004-libsepol-cil-cil_reset_classperms_set-should-not-res.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 52bf0fe9ce922229e8bb3b99faa7c7dce2c3531f Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Thu, 8 Apr 2021 13:32:06 -0400
-Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset
- classpermission
-
-In struct cil_classperms_set, the set field is a pointer to a
-struct cil_classpermission which is looked up in the symbol table.
-Since the cil_classperms_set does not create the cil_classpermission,
-it should not reset it.
-
-Set the set field to NULL instead of resetting the classpermission
-that it points to.
-
-Signed-off-by: James Carter
-
-(cherry-picked from SElinuxProject
- commit: c49a8ea09501ad66e799ea41b8154b6770fec2c8)
----
- libsepol/cil/src/cil_reset_ast.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
-index f321b396..7bf0391b 100644
---- a/libsepol/cil/src/cil_reset_ast.c
-+++ b/libsepol/cil/src/cil_reset_ast.c
-@@ -57,7 +57,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
-
- static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
- {
-- cil_reset_classpermission(cp_set->set);
-+ if (cp_set == NULL) {
-+ return;
-+ }
-+
-+ cp_set->set = NULL;
- }
-
- static inline void cil_reset_classperms_list(struct cil_list *cp_list)
---
-2.30.2
-
diff --git a/SOURCES/0005-libsepol-cil-Set-class-field-to-NULL-when-resetting-.patch b/SOURCES/0005-libsepol-cil-Set-class-field-to-NULL-when-resetting-.patch
deleted file mode 100644
index ec9349b..0000000
--- a/SOURCES/0005-libsepol-cil-Set-class-field-to-NULL-when-resetting-.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 6beea9f422cb452c01a24619247b559b67a4aeec Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Thu, 8 Apr 2021 13:32:08 -0400
-Subject: [PATCH] libsepol/cil: Set class field to NULL when resetting struct
- cil_classperms
-
-The class field of a struct cil_classperms points to the class looked
-up in the symbol table, so that field should be set to NULL when
-the cil_classperms is reset.
-
-Set the class field to NULL when resetting the struct cil_classperms.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_reset_ast.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
-index 7bf0391b..e86ee3b8 100644
---- a/libsepol/cil/src/cil_reset_ast.c
-+++ b/libsepol/cil/src/cil_reset_ast.c
-@@ -43,6 +43,7 @@ static inline void cil_reset_classperms(struct cil_classperms *cp)
- return;
- }
-
-+ cp->class = NULL;
- cil_list_destroy(&cp->perms, CIL_FALSE);
- }
-
---
-2.30.2
-
diff --git a/SOURCES/0006-libsepol-cil-More-strict-verification-of-constraint-.patch b/SOURCES/0006-libsepol-cil-More-strict-verification-of-constraint-.patch
deleted file mode 100644
index 3719767..0000000
--- a/SOURCES/0006-libsepol-cil-More-strict-verification-of-constraint-.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e42e31d865be8dbb5ea1b99ffab434fcfec14df2 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Thu, 8 Apr 2021 13:32:11 -0400
-Subject: [PATCH] libsepol/cil: More strict verification of constraint leaf
- expressions
-
-In constraint expressions u1, u3, r1, r3, t1, and t3 are never
-allowed on the right side of an expression, but there were no checks
-to verify that they were not used on the right side. The result was
-that the expression "(eq t1 t1)" would be silently turned into
-"(eq t1 t2)" when the binary policy was created.
-
-Verify that u1, u3, r1, r3, t1, and t3 are not used on the right
-side of a constraint expression.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_verify.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
-index 1036d73c..3972b1e9 100644
---- a/libsepol/cil/src/cil_verify.c
-+++ b/libsepol/cil/src/cil_verify.c
-@@ -227,7 +227,13 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl
- }
- }
- } else {
-- if (r_flavor == CIL_CONS_U2) {
-+ if (r_flavor == CIL_CONS_U1 || r_flavor == CIL_CONS_R1 || r_flavor == CIL_CONS_T1) {
-+ cil_log(CIL_ERR, "u1, r1, and t1 are not allowed on the right side\n");
-+ goto exit;
-+ } else if (r_flavor == CIL_CONS_U3 || r_flavor == CIL_CONS_R3 || r_flavor == CIL_CONS_T3) {
-+ cil_log(CIL_ERR, "u3, r3, and t3 are not allowed on the right side\n");
-+ goto exit;
-+ } else if (r_flavor == CIL_CONS_U2) {
- if (op != CIL_EQ && op != CIL_NEQ) {
- cil_log(CIL_ERR, "u2 on the right side must be used with eq or neq as the operator\n");
- goto exit;
---
-2.30.2
-
diff --git a/SOURCES/0007-libsepol-cil-Exit-with-an-error-if-declaration-name-.patch b/SOURCES/0007-libsepol-cil-Exit-with-an-error-if-declaration-name-.patch
deleted file mode 100644
index c6ab282..0000000
--- a/SOURCES/0007-libsepol-cil-Exit-with-an-error-if-declaration-name-.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-From 5edd2126ad3dc30f75f0ec9f73cd609bbe432c29 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Thu, 8 Apr 2021 13:32:12 -0400
-Subject: [PATCH] libsepol/cil: Exit with an error if declaration name is a
- reserved word
-
-When CIL parses sets or conditional expressions, any identifier that
-matches an operator name will always be taken as an operator. If a
-declaration has the same name as an operator, then there is the
-possibility of causing either confusion or a syntax error if it is
-used in an expression. The potential for problems is much greater
-than any possible advantage in allowing a declaration to share the
-name of a reserved word.
-
-Create a new function, __cil_is_reserved_name() that is called when
-an identifier is declared and its name is being validated. In this
-function, check if the declaration has the same name as a reserved
-word for an expression operator that can be used with the identifer's
-flavor and exit with an error if it does.
-
-Also, move the check for types, type aliases, and type attributes
-matching the reserved word "self" to this new function.
-
-Finally, change the name of the function __cil_verify_name() to
-cil_verify_name(), since this function is neither static nor a
-helper function.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_build_ast.c | 28 ++---------------
- libsepol/cil/src/cil_verify.c | 52 +++++++++++++++++++++++++++++++-
- libsepol/cil/src/cil_verify.h | 2 +-
- 3 files changed, 54 insertions(+), 28 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
-index b90b0f60..fe7b7777 100644
---- a/libsepol/cil/src/cil_build_ast.c
-+++ b/libsepol/cil/src/cil_build_ast.c
-@@ -110,7 +110,7 @@ int cil_gen_node(struct cil_db *db, struct cil_tree_node *ast_node, struct cil_s
- symtab_t *symtab = NULL;
- struct cil_symtab_datum *prev;
-
-- rc = __cil_verify_name((const char*)key);
-+ rc = cil_verify_name((const char*)key, nflavor);
- if (rc != SEPOL_OK) {
- goto exit;
- }
-@@ -1919,12 +1919,6 @@ int cil_gen_roleattribute(struct cil_db *db, struct cil_tree_node *parse_current
- goto exit;
- }
-
-- if (parse_current->next->data == CIL_KEY_SELF) {
-- cil_log(CIL_ERR, "The keyword '%s' is reserved\n", CIL_KEY_SELF);
-- rc = SEPOL_ERR;
-- goto exit;
-- }
--
- cil_roleattribute_init(&attr);
-
- key = parse_current->next->data;
-@@ -2303,12 +2297,6 @@ int cil_gen_type(struct cil_db *db, struct cil_tree_node *parse_current, struct
- goto exit;
- }
-
-- if (parse_current->next->data == CIL_KEY_SELF) {
-- cil_log(CIL_ERR, "The keyword '%s' is reserved\n", CIL_KEY_SELF);
-- rc = SEPOL_ERR;
-- goto exit;
-- }
--
- cil_type_init(&type);
-
- key = parse_current->next->data;
-@@ -2357,12 +2345,6 @@ int cil_gen_typeattribute(struct cil_db *db, struct cil_tree_node *parse_current
- goto exit;
- }
-
-- if (parse_current->next->data == CIL_KEY_SELF) {
-- cil_log(CIL_ERR, "The keyword '%s' is reserved\n", CIL_KEY_SELF);
-- rc = SEPOL_ERR;
-- goto exit;
-- }
--
- cil_typeattribute_init(&attr);
-
- key = parse_current->next->data;
-@@ -3064,12 +3046,6 @@ int cil_gen_alias(struct cil_db *db, struct cil_tree_node *parse_current, struct
- goto exit;
- }
-
-- if (flavor == CIL_TYPEALIAS && parse_current->next->data == CIL_KEY_SELF) {
-- cil_log(CIL_ERR, "The keyword '%s' is reserved\n", CIL_KEY_SELF);
-- rc = SEPOL_ERR;
-- goto exit;
-- }
--
- cil_alias_init(&alias);
-
- key = parse_current->next->data;
-@@ -5294,7 +5270,7 @@ int cil_gen_macro(struct cil_db *db, struct cil_tree_node *parse_current, struct
-
- param->str = current_item->cl_head->next->data;
-
-- rc = __cil_verify_name(param->str);
-+ rc = cil_verify_name(param->str, param->flavor);
- if (rc != SEPOL_OK) {
- cil_destroy_param(param);
- goto exit;
-diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
-index 3972b1e9..ea95c2cb 100644
---- a/libsepol/cil/src/cil_verify.c
-+++ b/libsepol/cil/src/cil_verify.c
-@@ -47,7 +47,51 @@
-
- #include "cil_verify.h"
-
--int __cil_verify_name(const char *name)
-+static int __cil_is_reserved_name(const char *name, enum cil_flavor flavor)
-+{
-+ switch (flavor) {
-+ case CIL_BOOL:
-+ case CIL_TUNABLE:
-+ if ((name == CIL_KEY_EQ) || (name == CIL_KEY_NEQ))
-+ return CIL_TRUE;
-+ break;
-+ case CIL_PERM:
-+ case CIL_MAP_PERM:
-+ case CIL_USER:
-+ case CIL_USERATTRIBUTE:
-+ case CIL_ROLE:
-+ case CIL_ROLEATTRIBUTE:
-+ if (name == CIL_KEY_ALL)
-+ return CIL_TRUE;
-+ break;
-+ case CIL_TYPE:
-+ case CIL_TYPEATTRIBUTE:
-+ case CIL_TYPEALIAS:
-+ if ((name == CIL_KEY_ALL) || (name == CIL_KEY_SELF))
-+ return CIL_TRUE;
-+ break;
-+ case CIL_CAT:
-+ case CIL_CATSET:
-+ case CIL_CATALIAS:
-+ case CIL_PERMISSIONX:
-+ if ((name == CIL_KEY_ALL) || (name == CIL_KEY_RANGE))
-+ return CIL_TRUE;
-+ break;
-+ default:
-+ /* All of these are not used in expressions */
-+ return CIL_FALSE;
-+ break;
-+ }
-+
-+ /* Everything not under the default case is also checked for these */
-+ if ((name == CIL_KEY_AND) || (name == CIL_KEY_OR) || (name == CIL_KEY_NOT) || (name == CIL_KEY_XOR)) {
-+ return CIL_TRUE;
-+ }
-+
-+ return CIL_FALSE;
-+}
-+
-+int cil_verify_name(const char *name, enum cil_flavor flavor)
- {
- int rc = SEPOL_ERR;
- int len;
-@@ -77,6 +121,12 @@ int __cil_verify_name(const char *name)
- goto exit;
- }
- }
-+
-+ if (__cil_is_reserved_name(name, flavor)) {
-+ cil_log(CIL_ERR, "Name %s is a reserved word\n", name);
-+ goto exit;
-+ }
-+
- return SEPOL_OK;
-
- exit:
-diff --git a/libsepol/cil/src/cil_verify.h b/libsepol/cil/src/cil_verify.h
-index bda1565f..e4b98919 100644
---- a/libsepol/cil/src/cil_verify.h
-+++ b/libsepol/cil/src/cil_verify.h
-@@ -56,7 +56,7 @@ struct cil_args_verify {
- int *pass;
- };
-
--int __cil_verify_name(const char *name);
-+int cil_verify_name(const char *name, enum cil_flavor flavor);
- int __cil_verify_syntax(struct cil_tree_node *parse_current, enum cil_syntax s[], int len);
- int cil_verify_expr_syntax(struct cil_tree_node *current, enum cil_flavor op, enum cil_flavor expr_flavor);
- int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_flavor r_flavor, enum cil_flavor op, enum cil_flavor expr_flavor);
---
-2.30.2
-
diff --git a/SOURCES/0008-libsepol-cil-Allow-permission-expressions-when-using.patch b/SOURCES/0008-libsepol-cil-Allow-permission-expressions-when-using.patch
deleted file mode 100644
index 094448b..0000000
--- a/SOURCES/0008-libsepol-cil-Allow-permission-expressions-when-using.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From d6863cc6e4f472444a7944c9ea95333e587efd73 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Thu, 8 Apr 2021 13:32:14 -0400
-Subject: [PATCH] libsepol/cil: Allow permission expressions when using map
- classes
-
-The following policy will cause a segfault:
- (class CLASS (PERM))
- (class C (P1 P2 P3))
- (classorder (CLASS C))
- (sid SID)
- (sidorder (SID))
- (user USER)
- (role ROLE)
- (type TYPE)
- (category CAT)
- (categoryorder (CAT))
- (sensitivity SENS)
- (sensitivityorder (SENS))
- (sensitivitycategory SENS (CAT))
- (allow TYPE self (CLASS (PERM)))
- (roletype ROLE TYPE)
- (userrole USER ROLE)
- (userlevel USER (SENS))
- (userrange USER ((SENS)(SENS (CAT))))
- (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
-
- (classmap CM (PM1 PM2 PM3))
- (classmapping CM PM1 (C (P1)))
- (classmapping CM PM2 (C (P2)))
- (classmapping CM PM3 (C (P3)))
- (allow TYPE self (CM (and (all) (not PM2))))
-
-The problem is that, while permission expressions are allowed for
-normal classes, map classes are expected to only have permission
-lists and no check is done to verify that only a permission list
-is being used.
-
-When the above policy is parsed, the "and" and "all" are seen as
-expression operators, but when the map permissions are converted to
-normal class and permissions, the permission expression is assumed
-to be a list of datums and since the operators are not datums a
-segfault is the result.
-
-There is no reason to limit map classes to only using a list of
-permissions and, in fact, it would be better to be able to use them
-in the same way normal classes are used.
-
-Allow permissions expressions to be used for map classes by first
-evaluating the permission expression and then converting the
-resulting list to normal classes and permissions.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_post.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
-index bdeaa7c6..a820d5ba 100644
---- a/libsepol/cil/src/cil_post.c
-+++ b/libsepol/cil/src/cil_post.c
-@@ -2138,6 +2138,10 @@ static int __evaluate_classperms_list(struct cil_list *classperms, struct cil_db
- }
- } else { /* MAP */
- struct cil_list_item *i = NULL;
-+ rc = __evaluate_classperms(cp, db);
-+ if (rc != SEPOL_OK) {
-+ goto exit;
-+ }
- cil_list_for_each(i, cp->perms) {
- struct cil_perm *cmp = i->data;
- rc = __evaluate_classperms_list(cmp->classperms, db);
---
-2.30.2
-
diff --git a/SOURCES/0009-libsepol-cil-Reorder-checks-for-invalid-rules-when-b.patch b/SOURCES/0009-libsepol-cil-Reorder-checks-for-invalid-rules-when-b.patch
deleted file mode 100644
index afeaf6b..0000000
--- a/SOURCES/0009-libsepol-cil-Reorder-checks-for-invalid-rules-when-b.patch
+++ /dev/null
@@ -1,219 +0,0 @@
-From 6b6a787188804cad4f7f853e95eb0a58dea7ad62 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Tue, 30 Mar 2021 13:39:12 -0400
-Subject: [PATCH] libsepol/cil: Reorder checks for invalid rules when building
- AST
-
-Reorder checks for invalid rules in the blocks of tunableifs,
-in-statements, macros, and booleanifs when building the AST for
-consistency.
-
-Order the checks in the same order the blocks will be resolved in,
-so tuanbleif, in-statement, macro, booleanif, and then non-block
-rules.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_build_ast.c | 100 +++++++++++++++----------------
- 1 file changed, 50 insertions(+), 50 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
-index fe7b7777..6d5a57fa 100644
---- a/libsepol/cil/src/cil_build_ast.c
-+++ b/libsepol/cil/src/cil_build_ast.c
-@@ -49,10 +49,10 @@
- struct cil_args_build {
- struct cil_tree_node *ast;
- struct cil_db *db;
-- struct cil_tree_node *macro;
-- struct cil_tree_node *boolif;
- struct cil_tree_node *tunif;
- struct cil_tree_node *in;
-+ struct cil_tree_node *macro;
-+ struct cil_tree_node *boolif;
- };
-
- int cil_fill_list(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **list)
-@@ -6075,10 +6075,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
- struct cil_tree_node *ast_current = NULL;
- struct cil_db *db = NULL;
- struct cil_tree_node *ast_node = NULL;
-- struct cil_tree_node *macro = NULL;
-- struct cil_tree_node *boolif = NULL;
- struct cil_tree_node *tunif = NULL;
- struct cil_tree_node *in = NULL;
-+ struct cil_tree_node *macro = NULL;
-+ struct cil_tree_node *boolif = NULL;
- int rc = SEPOL_ERR;
-
- if (parse_current == NULL || finished == NULL || extra_args == NULL) {
-@@ -6088,10 +6088,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
- args = extra_args;
- ast_current = args->ast;
- db = args->db;
-- macro = args->macro;
-- boolif = args->boolif;
- tunif = args->tunif;
- in = args->in;
-+ macro = args->macro;
-+ boolif = args->boolif;
-
- if (parse_current->parent->cl_head != parse_current) {
- /* ignore anything that isn't following a parenthesis */
-@@ -6108,13 +6108,31 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
- goto exit;
- }
-
-+ if (tunif != NULL) {
-+ if (parse_current->data == CIL_KEY_TUNABLE) {
-+ rc = SEPOL_ERR;
-+ cil_tree_log(parse_current, CIL_ERR, "Found tunable");
-+ cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n");
-+ goto exit;
-+ }
-+ }
-+
-+ if (in != NULL) {
-+ if (parse_current->data == CIL_KEY_IN) {
-+ rc = SEPOL_ERR;
-+ cil_tree_log(parse_current, CIL_ERR, "Found in-statement");
-+ cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n");
-+ goto exit;
-+ }
-+ }
-+
- if (macro != NULL) {
-- if (parse_current->data == CIL_KEY_MACRO ||
-- parse_current->data == CIL_KEY_TUNABLE ||
-+ if (parse_current->data == CIL_KEY_TUNABLE ||
- parse_current->data == CIL_KEY_IN ||
- parse_current->data == CIL_KEY_BLOCK ||
- parse_current->data == CIL_KEY_BLOCKINHERIT ||
-- parse_current->data == CIL_KEY_BLOCKABSTRACT) {
-+ parse_current->data == CIL_KEY_BLOCKABSTRACT ||
-+ parse_current->data == CIL_KEY_MACRO) {
- rc = SEPOL_ERR;
- cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in macros", (char *)parse_current->data);
- goto exit;
-@@ -6122,15 +6140,15 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
- }
-
- if (boolif != NULL) {
-- if (parse_current->data != CIL_KEY_CONDTRUE &&
-+ if (parse_current->data != CIL_KEY_TUNABLEIF &&
-+ parse_current->data != CIL_KEY_CALL &&
-+ parse_current->data != CIL_KEY_CONDTRUE &&
- parse_current->data != CIL_KEY_CONDFALSE &&
-- parse_current->data != CIL_KEY_AUDITALLOW &&
-- parse_current->data != CIL_KEY_TUNABLEIF &&
- parse_current->data != CIL_KEY_ALLOW &&
- parse_current->data != CIL_KEY_DONTAUDIT &&
-+ parse_current->data != CIL_KEY_AUDITALLOW &&
- parse_current->data != CIL_KEY_TYPETRANSITION &&
-- parse_current->data != CIL_KEY_TYPECHANGE &&
-- parse_current->data != CIL_KEY_CALL) {
-+ parse_current->data != CIL_KEY_TYPECHANGE) {
- rc = SEPOL_ERR;
- cil_tree_log(parse_current, CIL_ERR, "Found %s", (char*)parse_current->data);
- if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
-@@ -6144,24 +6162,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
- }
- }
-
-- if (tunif != NULL) {
-- if (parse_current->data == CIL_KEY_TUNABLE) {
-- rc = SEPOL_ERR;
-- cil_tree_log(parse_current, CIL_ERR, "Found tunable");
-- cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n");
-- goto exit;
-- }
-- }
--
-- if (in != NULL) {
-- if (parse_current->data == CIL_KEY_IN) {
-- rc = SEPOL_ERR;
-- cil_tree_log(parse_current, CIL_ERR, "Found in-statement");
-- cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n");
-- goto exit;
-- }
-- }
--
- cil_tree_node_init(&ast_node);
-
- ast_node->parent = ast_current;
-@@ -6447,14 +6447,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
-
- if (rc == SEPOL_OK) {
- if (ast_current->cl_head == NULL) {
-- if (ast_current->flavor == CIL_MACRO) {
-- args->macro = ast_current;
-- }
--
-- if (ast_current->flavor == CIL_BOOLEANIF) {
-- args->boolif = ast_current;
-- }
--
- if (ast_current->flavor == CIL_TUNABLEIF) {
- args->tunif = ast_current;
- }
-@@ -6463,6 +6455,14 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
- args->in = ast_current;
- }
-
-+ if (ast_current->flavor == CIL_MACRO) {
-+ args->macro = ast_current;
-+ }
-+
-+ if (ast_current->flavor == CIL_BOOLEANIF) {
-+ args->boolif = ast_current;
-+ }
-+
- ast_current->cl_head = ast_node;
- } else {
- ast_current->cl_tail->next = ast_node;
-@@ -6498,14 +6498,6 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
-
- args->ast = ast->parent;
-
-- if (ast->flavor == CIL_MACRO) {
-- args->macro = NULL;
-- }
--
-- if (ast->flavor == CIL_BOOLEANIF) {
-- args->boolif = NULL;
-- }
--
- if (ast->flavor == CIL_TUNABLEIF) {
- args->tunif = NULL;
- }
-@@ -6514,6 +6506,14 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
- args->in = NULL;
- }
-
-+ if (ast->flavor == CIL_MACRO) {
-+ args->macro = NULL;
-+ }
-+
-+ if (ast->flavor == CIL_BOOLEANIF) {
-+ args->boolif = NULL;
-+ }
-+
- // At this point we no longer have any need for parse_current or any of its
- // siblings; they have all been converted to the appropriate AST node. The
- // full parse tree will get deleted elsewhere, but in an attempt to
-@@ -6538,10 +6538,10 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci
-
- extra_args.ast = ast;
- extra_args.db = db;
-- extra_args.macro = NULL;
-- extra_args.boolif = NULL;
- extra_args.tunif = NULL;
- extra_args.in = NULL;
-+ extra_args.macro = NULL;
-+ extra_args.boolif = NULL;
-
- rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, NULL, __cil_build_ast_last_child_helper, &extra_args);
- if (rc != SEPOL_OK) {
---
-2.30.2
-
diff --git a/SOURCES/0010-libsepol-cil-Cleanup-build-AST-helper-functions.patch b/SOURCES/0010-libsepol-cil-Cleanup-build-AST-helper-functions.patch
deleted file mode 100644
index 3f8a754..0000000
--- a/SOURCES/0010-libsepol-cil-Cleanup-build-AST-helper-functions.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 34f3ecbcffaa0ede0252d015d381cef847432fa0 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Tue, 30 Mar 2021 13:39:13 -0400
-Subject: [PATCH] libsepol/cil: Cleanup build AST helper functions
-
-Since parse_current, finished, and extra_args can never be NULL,
-remove the useless check and directly assign local variables from
-extra_args.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_build_ast.c | 44 ++++++++------------------------
- 1 file changed, 10 insertions(+), 34 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
-index 6d5a57fa..b7245dbc 100644
---- a/libsepol/cil/src/cil_build_ast.c
-+++ b/libsepol/cil/src/cil_build_ast.c
-@@ -6071,28 +6071,16 @@ void cil_destroy_src_info(struct cil_src_info *info)
-
- int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *finished, void *extra_args)
- {
-- struct cil_args_build *args = NULL;
-- struct cil_tree_node *ast_current = NULL;
-- struct cil_db *db = NULL;
-+ struct cil_args_build *args = extra_args;
-+ struct cil_db *db = args->db;
-+ struct cil_tree_node *ast_current = args->ast;
-+ struct cil_tree_node *tunif = args->tunif;
-+ struct cil_tree_node *in = args->in;
-+ struct cil_tree_node *macro = args->macro;
-+ struct cil_tree_node *boolif = args->boolif;
- struct cil_tree_node *ast_node = NULL;
-- struct cil_tree_node *tunif = NULL;
-- struct cil_tree_node *in = NULL;
-- struct cil_tree_node *macro = NULL;
-- struct cil_tree_node *boolif = NULL;
- int rc = SEPOL_ERR;
-
-- if (parse_current == NULL || finished == NULL || extra_args == NULL) {
-- goto exit;
-- }
--
-- args = extra_args;
-- ast_current = args->ast;
-- db = args->db;
-- tunif = args->tunif;
-- in = args->in;
-- macro = args->macro;
-- boolif = args->boolif;
--
- if (parse_current->parent->cl_head != parse_current) {
- /* ignore anything that isn't following a parenthesis */
- rc = SEPOL_OK;
-@@ -6480,20 +6468,11 @@ exit:
-
- int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void *extra_args)
- {
-- int rc = SEPOL_ERR;
-- struct cil_tree_node *ast = NULL;
-- struct cil_args_build *args = NULL;
--
-- if (extra_args == NULL) {
-- goto exit;
-- }
--
-- args = extra_args;
-- ast = args->ast;
-+ struct cil_args_build *args = extra_args;
-+ struct cil_tree_node *ast = args->ast;
-
- if (ast->flavor == CIL_ROOT) {
-- rc = SEPOL_OK;
-- goto exit;
-+ return SEPOL_OK;
- }
-
- args->ast = ast->parent;
-@@ -6522,9 +6501,6 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
- cil_tree_children_destroy(parse_current->parent);
-
- return SEPOL_OK;
--
--exit:
-- return rc;
- }
-
- int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct cil_tree_node *ast)
---
-2.30.2
-
diff --git a/SOURCES/0011-libsepol-cil-Create-new-first-child-helper-function-.patch b/SOURCES/0011-libsepol-cil-Create-new-first-child-helper-function-.patch
deleted file mode 100644
index 3df60b7..0000000
--- a/SOURCES/0011-libsepol-cil-Create-new-first-child-helper-function-.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 3e82b1e527fab1fb1dbcad8c70bdb59810a98783 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Tue, 30 Mar 2021 13:39:14 -0400
-Subject: [PATCH] libsepol/cil: Create new first child helper function for
- building AST
-
-In order to find statements not allowed in tunableifs, in-statements,
-macros, and booleanifs, there are tree node pointers that point to
-each of these kinds of statements when its block is being parsed.
-If the pointer is non-NULL, then the rule being parsed is in the block
-of that kind of statement.
-
-The tree node pointers were being updated at the wrong point which
-prevented an invalid statement from being found if it was the first
-statement in the block of a tunableif, in-statement, macro, or
-booleanif.
-
-Create a first child helper function for walking the parse tree and
-in that function set the appropriate tree node pointer if the
-current AST node is a tunableif, in-statement, macro, or booleanif.
-This also makes the code symmetrical with the last child helper
-where the tree node pointers are set to NULL.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_build_ast.c | 42 +++++++++++++++++++-------------
- 1 file changed, 25 insertions(+), 17 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
-index b7245dbc..ceb55324 100644
---- a/libsepol/cil/src/cil_build_ast.c
-+++ b/libsepol/cil/src/cil_build_ast.c
-@@ -6435,22 +6435,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
-
- if (rc == SEPOL_OK) {
- if (ast_current->cl_head == NULL) {
-- if (ast_current->flavor == CIL_TUNABLEIF) {
-- args->tunif = ast_current;
-- }
--
-- if (ast_current->flavor == CIL_IN) {
-- args->in = ast_current;
-- }
--
-- if (ast_current->flavor == CIL_MACRO) {
-- args->macro = ast_current;
-- }
--
-- if (ast_current->flavor == CIL_BOOLEANIF) {
-- args->boolif = ast_current;
-- }
--
- ast_current->cl_head = ast_node;
- } else {
- ast_current->cl_tail->next = ast_node;
-@@ -6466,6 +6450,30 @@ exit:
- return rc;
- }
-
-+int __cil_build_ast_first_child_helper(__attribute__((unused)) struct cil_tree_node *parse_current, void *extra_args)
-+{
-+ struct cil_args_build *args = extra_args;
-+ struct cil_tree_node *ast = args->ast;
-+
-+ if (ast->flavor == CIL_TUNABLEIF) {
-+ args->tunif = ast;
-+ }
-+
-+ if (ast->flavor == CIL_IN) {
-+ args->in = ast;
-+ }
-+
-+ if (ast->flavor == CIL_MACRO) {
-+ args->macro = ast;
-+ }
-+
-+ if (ast->flavor == CIL_BOOLEANIF) {
-+ args->boolif = ast;
-+ }
-+
-+ return SEPOL_OK;
-+}
-+
- int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void *extra_args)
- {
- struct cil_args_build *args = extra_args;
-@@ -6519,7 +6527,7 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci
- extra_args.macro = NULL;
- extra_args.boolif = NULL;
-
-- rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, NULL, __cil_build_ast_last_child_helper, &extra_args);
-+ rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper,
__cil_build_ast_first_child_helper, __cil_build_ast_last_child_helper, &extra_args);
- if (rc != SEPOL_OK) {
- goto exit;
- }
---
-2.30.2
-
diff --git a/SOURCES/0012-libsepol-cil-Remove-unused-field-from-struct-cil_arg.patch b/SOURCES/0012-libsepol-cil-Remove-unused-field-from-struct-cil_arg.patch
deleted file mode 100644
index efda5e2..0000000
--- a/SOURCES/0012-libsepol-cil-Remove-unused-field-from-struct-cil_arg.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 628f0f60995c2ed6d2de72bda34e6a62668be74b Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Mon, 16 Nov 2020 17:06:59 -0500
-Subject: [PATCH] libsepol/cil: Remove unused field from struct
- cil_args_resolve
-
-When resolving names, the struct cil_args_resolve is passed to the
-various resolve functions. The field last_resolved_name is not used.
-
-Remove the last_resolved_name field from struct cil_args_resolve.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_resolve_ast.c | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
-index ea08087d..ed876260 100644
---- a/libsepol/cil/src/cil_resolve_ast.c
-+++ b/libsepol/cil/src/cil_resolve_ast.c
-@@ -51,7 +51,6 @@ struct cil_args_resolve {
- struct cil_db *db;
- enum cil_pass pass;
- uint32_t *changed;
-- char *last_resolved_name;
- struct cil_tree_node *optstack;
- struct cil_tree_node *boolif;
- struct cil_tree_node *macro;
-@@ -3907,7 +3906,6 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
- extra_args.db = db;
- extra_args.pass = pass;
- extra_args.changed = &changed;
-- extra_args.last_resolved_name = NULL;
- extra_args.optstack = NULL;
- extra_args.boolif= NULL;
- extra_args.macro = NULL;
-@@ -4236,7 +4234,5 @@ exit:
- *datum = NULL;
- }
-
-- args->last_resolved_name = name;
--
- return rc;
- }
---
-2.30.2
-
diff --git a/SOURCES/0013-libsepol-cil-Destroy-disabled-optional-blocks-after-.patch b/SOURCES/0013-libsepol-cil-Destroy-disabled-optional-blocks-after-.patch
deleted file mode 100644
index 80f8dfb..0000000
--- a/SOURCES/0013-libsepol-cil-Destroy-disabled-optional-blocks-after-.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From d668f8e3a0a0361c03881ae3f00509196eaee064 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Mon, 8 Feb 2021 11:23:42 -0500
-Subject: [PATCH] libsepol/cil: Destroy disabled optional blocks after pass is
- complete
-
-Nicolas Iooss reports:
- I am continuing to investigate OSS-Fuzz crashes and the following one
- is quite complex. Here is a CIL policy which triggers a
- heap-use-after-free error in the CIL compiler:
-
- (class CLASS (PERM2))
- (classorder (CLASS))
- (classpermission CLSPRM)
- (optional o
- (mlsvalidatetrans x (domby l1 h1))
- (common CLSCOMMON (PERM1))
- (classcommon CLASS CLSCOMMON)
- )
- (classpermissionset CLSPRM (CLASS (PERM1)))
-
- The issue is that the mlsvalidatetrans fails to resolve in pass
- CIL_PASS_MISC3, which comes after the resolution of classcommon (in
- pass CIL_PASS_MISC2). So:
-
- * In pass CIL_PASS_MISC2, the optional block still exists, the
- classcommon is resolved and class CLASS is linked with common
- CLSCOMMON.
- * In pass CIL_PASS_MISC3, the optional block is destroyed, including
- the common CLSCOMMON.
- * When classpermissionset is resolved, function cil_resolve_classperms
- uses "common_symtab = &class->common->perms;", which has been freed.
- The use-after-free issue occurs in __cil_resolve_perms (in
- libsepol/cil/src/cil_resolve_ast.c):
-
- // common_symtab was freed
- rc = cil_symtab_get_datum(common_symtab, curr->data, &perm_datum);
-
-The fundamental problem here is that when the optional block is
-disabled it is immediately destroyed in the middle of the pass, so
-the class has not been reset and still refers to the now destroyed
-common when the classpermissionset is resolved later in the same pass.
-
-Added a list, disabled_optionals, to struct cil_args_resolve which is
-passed when resolving the tree. When optionals are disabled, they are
-now added to this list and then are destroyed after the tree has been
-reset between passes.
-
-Reported-by: Nicolas Iooss
-Signed-off-by: James Carter
-Acked-by: Nicolas Iooss
----
- libsepol/cil/src/cil_resolve_ast.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
-index ed876260..979fa17d 100644
---- a/libsepol/cil/src/cil_resolve_ast.c
-+++ b/libsepol/cil/src/cil_resolve_ast.c
-@@ -51,6 +51,7 @@ struct cil_args_resolve {
- struct cil_db *db;
- enum cil_pass pass;
- uint32_t *changed;
-+ struct cil_list *disabled_optionals;
- struct cil_tree_node *optstack;
- struct cil_tree_node *boolif;
- struct cil_tree_node *macro;
-@@ -3854,7 +3855,7 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext
-
- if (((struct cil_optional *)parent->data)->enabled == CIL_FALSE) {
- *(args->changed) = CIL_TRUE;
-- cil_tree_children_destroy(parent);
-+ cil_list_append(args->disabled_optionals, CIL_NODE, parent);
- }
-
- /* pop off the stack */
-@@ -3917,6 +3918,7 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
- extra_args.in_list = NULL;
- extra_args.blockstack = NULL;
-
-+ cil_list_init(&extra_args.disabled_optionals, CIL_NODE);
- cil_list_init(&extra_args.sidorder_lists, CIL_LIST_ITEM);
- cil_list_init(&extra_args.classorder_lists, CIL_LIST_ITEM);
- cil_list_init(&extra_args.unordered_classorder_lists, CIL_LIST_ITEM);
-@@ -3984,6 +3986,7 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
- }
-
- if (changed && (pass > CIL_PASS_CALL1)) {
-+ struct cil_list_item *item;
- /* Need to re-resolve because an optional was disabled that contained
- * one or more declarations.
We only need to reset to the call1 pass
- * because things done in the preceeding passes aren't allowed in
-@@ -4012,6 +4015,11 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
- cil_log(CIL_ERR, "Failed to reset declarations\n");
- goto exit;
- }
-+ cil_list_for_each(item, extra_args.disabled_optionals) {
-+ cil_tree_children_destroy(item->data);
-+ }
-+ cil_list_destroy(&extra_args.disabled_optionals, CIL_FALSE);
-+ cil_list_init(&extra_args.disabled_optionals, CIL_NODE);
- }
-
- /* reset the arguments */
-@@ -4040,6 +4048,7 @@ exit:
- __cil_ordered_lists_destroy(&extra_args.catorder_lists);
- __cil_ordered_lists_destroy(&extra_args.sensitivityorder_lists);
- __cil_ordered_lists_destroy(&extra_args.unordered_classorder_lists);
-+ cil_list_destroy(&extra_args.disabled_optionals, CIL_FALSE);
- cil_list_destroy(&extra_args.in_list, CIL_FALSE);
-
- return rc;
---
-2.30.2
-
diff --git a/SOURCES/0014-libsepol-cil-Check-if-name-is-a-macro-parameter-firs.patch b/SOURCES/0014-libsepol-cil-Check-if-name-is-a-macro-parameter-firs.patch
deleted file mode 100644
index 876dc94..0000000
--- a/SOURCES/0014-libsepol-cil-Check-if-name-is-a-macro-parameter-firs.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 8d7ed6eb2c396d64b1a8f6d516cb9f6f86ba2ece Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Wed, 4 Mar 2020 16:28:11 -0500
-Subject: [PATCH] libsepol/cil: Check if name is a macro parameter first
-
-Type transition file names are stored in a symbol table. Before the
-name is added, the symbol table is searched to see if the name had
-already been inserted. If it has, then the already existing datum is
-returned. If it has not, then the name is added if either the
-typetransition rule does not occur in a macro or the name is not one
-of the macro parameters.
-
-Checking for a previous insertion before checking if the name is a
-macro parameter can cause a macro parameter to be treated as the
-actual name if a previous type transition file name is the same as
-the parameter.
-
-Now check the name to see if it a macro paramter before checking for
-its existence in the symbol table.
-
-Signed-off-by: James Carter
-Acked-by: Ondrej Mosnacek
----
- libsepol/cil/src/cil_resolve_ast.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
-index 979fa17d..ae334620 100644
---- a/libsepol/cil/src/cil_resolve_ast.c
-+++ b/libsepol/cil/src/cil_resolve_ast.c
-@@ -76,14 +76,6 @@ static struct cil_name * __cil_insert_name(struct cil_db *db, hashtab_key_t key,
- enum cil_sym_index sym_index;
- struct cil_symtab_datum *datum = NULL;
-
-- cil_flavor_to_symtab_index(CIL_NAME, &sym_index);
-- symtab = &((struct cil_root *)db->ast->root->data)->symtab[sym_index];
--
-- cil_symtab_get_datum(symtab, key, &datum);
-- if (datum != NULL) {
-- return (struct cil_name *)datum;
-- }
--
- if (parent->flavor == CIL_CALL) {
- struct cil_call *call = parent->data;
- macro = call->macro;
-@@ -99,6 +91,14 @@ static struct cil_name * __cil_insert_name(struct cil_db *db, hashtab_key_t key,
- }
- }
-
-+ cil_flavor_to_symtab_index(CIL_NAME, &sym_index);
-+ symtab = &((struct
cil_root *)db->ast->root->data)->symtab[sym_index];
-+
-+ cil_symtab_get_datum(symtab, key, &datum);
-+ if (datum != NULL) {
-+ return (struct cil_name *)datum;
-+ }
-+
- cil_name_init(&name);
- cil_symtab_insert(symtab, key, (struct cil_symtab_datum *)name, ast_node);
- cil_list_append(db->names, CIL_NAME, name);
---
-2.30.2
-
diff --git a/SOURCES/0015-libsepol-cil-fix-NULL-pointer-dereference-in-__cil_i.patch b/SOURCES/0015-libsepol-cil-fix-NULL-pointer-dereference-in-__cil_i.patch
deleted file mode 100644
index 78f264a..0000000
--- a/SOURCES/0015-libsepol-cil-fix-NULL-pointer-dereference-in-__cil_i.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 7cb30b316eda0b2aa8adeaba28a8afe15fc58c28 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss
-Date: Sun, 14 Mar 2021 19:25:58 +0100
-Subject: [PATCH] libsepol/cil: fix NULL pointer dereference in
- __cil_insert_name
-
-OSS-Fuzz found a Null-dereference in __cil_insert_name when trying to
-compile the following policy:
-
- (macro MACRO ()
- (classmap CLASS (PERM))
- (type TYPE)
- (typetransition TYPE TYPE CLASS "name" TYPE)
- )
- (call MACRO)
-
-When using a macro with no argument, macro->params is NULL and
-cil_list_for_each(item, macro->params) dereferenced a NULL pointer.
-Fix this by checking that macro->params is not NULL before using it.
-
-Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28565
-Signed-off-by: Nicolas Iooss
----
- libsepol/cil/src/cil_resolve_ast.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
-index ae334620..91e08633 100644
---- a/libsepol/cil/src/cil_resolve_ast.c
-+++ b/libsepol/cil/src/cil_resolve_ast.c
-@@ -82,7 +82,7 @@ static struct cil_name * __cil_insert_name(struct cil_db *db, hashtab_key_t key,
- } else if (parent->flavor == CIL_MACRO) {
- macro = parent->data;
- }
-- if (macro != NULL) {
-+ if (macro != NULL && macro->params != NULL) {
- struct cil_list_item *item;
- cil_list_for_each(item, macro->params) {
- if (((struct cil_param*)item->data)->str == key) {
---
-2.30.2
-
diff --git a/SOURCES/0016-libsepol-cil-Report-disabling-an-optional-block-only.patch b/SOURCES/0016-libsepol-cil-Report-disabling-an-optional-block-only.patch
deleted file mode 100644
index b6ba205..0000000
--- a/SOURCES/0016-libsepol-cil-Report-disabling-an-optional-block-only.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 2f9ce13779d3b92198e60cdbd3d19e7c08b5457f Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Fri, 1 Nov 2019 09:50:53 -0400
-Subject: [PATCH] libsepol/cil: Report disabling an optional block only at high
- verbose levels
-
-Since failing to resolve a statement in an optional block is normal,
-only display messages about the statement failing to resolve and the
-optional block being disabled at the highest verbosity level.
-
-These messages are now only at log level CIL_INFO instead of CIL_WARN.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_resolve_ast.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
-index 91e08633..dab8b276 100644
---- a/libsepol/cil/src/cil_resolve_ast.c
-+++ b/libsepol/cil/src/cil_resolve_ast.c
-@@ -3765,14 +3765,16 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
- enum cil_log_level lvl = CIL_ERR;
-
- if (optstack != NULL) {
-- lvl = CIL_WARN;
-+ lvl = CIL_INFO;
-
- struct cil_optional *opt = (struct cil_optional *)optstack->data;
- struct cil_tree_node *opt_node = opt->datum.nodes->head->data;
-- cil_tree_log(opt_node, lvl, "Disabling optional '%s'", opt->datum.name);
- /* disable an optional if something failed to resolve */
- opt->enabled = CIL_FALSE;
-+ cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node));
-+ cil_tree_log(opt_node, lvl, "Disabling optional '%s'", opt->datum.name);
- rc = SEPOL_OK;
-+ goto exit;
- }
-
- cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node));
---
-2.30.2
-
diff --git a/SOURCES/0017-libsepol-cil-Use-AST-to-track-blocks-and-optionals-w.patch b/SOURCES/0017-libsepol-cil-Use-AST-to-track-blocks-and-optionals-w.patch
deleted file mode 100644
index e33729b..0000000
--- a/SOURCES/0017-libsepol-cil-Use-AST-to-track-blocks-and-optionals-w.patch
+++ /dev/null
@@ -1,249 +0,0 @@
-From 599c1422479ae9dd9501c43680bf4a1667e7c951 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Tue, 30 Mar 2021 13:39:15 -0400
-Subject: [PATCH] libsepol/cil: Use AST to track blocks and optionals when
- resolving
-
-When resolving the AST, block and optional stacks are used to
-determine if the current rule being resolved is in a block or
-an optional. There is no need to do this since the parent node
-pointers can be used when exiting a block or an optional to
-determine if resolution is still within a block or an optional.
-
-When entering either a block or an optional, update the appropriate
-tree node pointer. When finished with the last child of a block or
-optional, set the appropriate pointer to NULL. If a parent of the
-same kind is found when the parent node pointers are followed back
-to the root node, then set the pointer to that tree node.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_resolve_ast.c | 107 +++++++++--------------------
- 1 file changed, 32 insertions(+), 75 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
-index dab8b276..e0379782 100644
---- a/libsepol/cil/src/cil_resolve_ast.c
-+++ b/libsepol/cil/src/cil_resolve_ast.c
-@@ -52,10 +52,10 @@ struct cil_args_resolve {
- enum cil_pass pass;
- uint32_t *changed;
- struct cil_list *disabled_optionals;
-- struct cil_tree_node *optstack;
-+ struct cil_tree_node *optional;
- struct cil_tree_node *boolif;
- struct cil_tree_node *macro;
-- struct cil_tree_node *blockstack;
-+ struct cil_tree_node *block;
- struct cil_list *sidorder_lists;
- struct cil_list *classorder_lists;
- struct cil_list *unordered_classorder_lists;
-@@ -3692,16 +3692,16 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
- int rc = SEPOL_ERR;
- struct cil_args_resolve *args = extra_args;
- enum cil_pass pass = args->pass;
-- struct cil_tree_node *optstack = args->optstack;
-+ struct cil_tree_node *optional =
args->optional;
- struct cil_tree_node *boolif = args->boolif;
-- struct cil_tree_node *blockstack = args->blockstack;
-+ struct cil_tree_node *block = args->block;
- struct cil_tree_node *macro = args->macro;
-
- if (node == NULL) {
- goto exit;
- }
-
-- if (optstack != NULL) {
-+ if (optional != NULL) {
- if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) {
- /* tuanbles and macros are not allowed in optionals*/
- cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
-@@ -3710,7 +3710,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
- }
- }
-
-- if (blockstack != NULL) {
-+ if (block != NULL) {
- if (node->flavor == CIL_CAT || node->flavor == CIL_SENS) {
- cil_tree_log(node, CIL_ERR, "%s statement is not allowed in blocks", cil_node_to_string(node));
- rc = SEPOL_ERR;
-@@ -3764,11 +3764,11 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
- if (rc == SEPOL_ENOENT) {
- enum cil_log_level lvl = CIL_ERR;
-
-- if (optstack != NULL) {
-+ if (optional != NULL) {
- lvl = CIL_INFO;
-
-- struct cil_optional *opt = (struct cil_optional *)optstack->data;
-- struct cil_tree_node *opt_node = opt->datum.nodes->head->data;
-+ struct cil_optional *opt = (struct cil_optional *)optional->data;
-+ struct cil_tree_node *opt_node = NODE(opt);;
- /* disable an optional if something failed to resolve */
- opt->enabled = CIL_FALSE;
- cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node));
-@@ -3791,39 +3791,18 @@ int __cil_resolve_ast_first_child_helper(struct cil_tree_node *current, void *ex
- {
- int rc = SEPOL_ERR;
- struct cil_args_resolve *args = extra_args;
-- struct cil_tree_node *optstack = NULL;
- struct cil_tree_node *parent = NULL;
-- struct cil_tree_node *blockstack = NULL;
-- struct cil_tree_node *new = NULL;
-
- if (current == NULL || extra_args == NULL) {
- goto exit;
- }
-
-- optstack = args->optstack;
- parent =
current->parent;
-- blockstack = args->blockstack;
-
-- if (parent->flavor == CIL_OPTIONAL || parent->flavor == CIL_BLOCK) {
-- /* push this node onto a stack */
-- cil_tree_node_init(&new);
--
-- new->data = parent->data;
-- new->flavor = parent->flavor;
--
-- if (parent->flavor == CIL_OPTIONAL) {
-- if (optstack != NULL) {
-- optstack->parent = new;
-- new->cl_head = optstack;
-- }
-- args->optstack = new;
-- } else if (parent->flavor == CIL_BLOCK) {
-- if (blockstack != NULL) {
-- blockstack->parent = new;
-- new->cl_head = blockstack;
-- }
-- args->blockstack = new;
-- }
-+ if (parent->flavor == CIL_BLOCK) {
-+ args->block = parent;
-+ } else if (parent->flavor == CIL_OPTIONAL) {
-+ args->optional = parent;
- } else if (parent->flavor == CIL_BOOLEANIF) {
- args->boolif = parent;
- } else if (parent->flavor == CIL_MACRO) {
-@@ -3842,7 +3821,6 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext
- int rc = SEPOL_ERR;
- struct cil_args_resolve *args = extra_args;
- struct cil_tree_node *parent = NULL;
-- struct cil_tree_node *blockstack = NULL;
-
- if (current == NULL || extra_args == NULL) {
- goto exit;
-@@ -3853,30 +3831,31 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext
- if (parent->flavor == CIL_MACRO) {
- args->macro = NULL;
- } else if (parent->flavor == CIL_OPTIONAL) {
-- struct cil_tree_node *optstack;
--
-+ struct cil_tree_node *n = parent->parent;
- if (((struct cil_optional *)parent->data)->enabled == CIL_FALSE) {
- *(args->changed) = CIL_TRUE;
- cil_list_append(args->disabled_optionals, CIL_NODE, parent);
- }
--
-- /* pop off the stack */
-- optstack = args->optstack;
-- args->optstack = optstack->cl_head;
-- if (optstack->cl_head) {
-- optstack->cl_head->parent = NULL;
-+ args->optional = NULL;
-+ while (n && n->flavor != CIL_ROOT) {
-+ if (n->flavor == CIL_OPTIONAL) {
-+ args->optional = n;
-+ break;
-+ }
-+ n = n->parent;
- }
-- free(optstack);
- } else if (parent->flavor ==
CIL_BOOLEANIF) {
- args->boolif = NULL;
- } else if (parent->flavor == CIL_BLOCK) {
-- /* pop off the stack */
-- blockstack = args->blockstack;
-- args->blockstack = blockstack->cl_head;
-- if (blockstack->cl_head) {
-- blockstack->cl_head->parent = NULL;
-+ struct cil_tree_node *n = parent->parent;
-+ args->block = NULL;
-+ while (n && n->flavor != CIL_ROOT) {
-+ if (n->flavor == CIL_BLOCK) {
-+ args->block = n;
-+ break;
-+ }
-+ n = n->parent;
- }
-- free(blockstack);
- }
-
- return SEPOL_OK;
-@@ -3885,16 +3864,6 @@ exit:
- return rc;
- }
-
--static void cil_destroy_tree_node_stack(struct cil_tree_node *curr)
--{
-- struct cil_tree_node *next;
-- while (curr != NULL) {
-- next = curr->cl_head;
-- free(curr);
-- curr = next;
-- }
--}
--
- int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
- {
- int rc = SEPOL_ERR;
-@@ -3909,7 +3878,8 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
- extra_args.db = db;
- extra_args.pass = pass;
- extra_args.changed = &changed;
-- extra_args.optstack = NULL;
-+ extra_args.block = NULL;
-+ extra_args.optional = NULL;
- extra_args.boolif= NULL;
- extra_args.macro = NULL;
- extra_args.sidorder_lists = NULL;
-@@ -3918,7 +3888,6 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
- extra_args.catorder_lists = NULL;
- extra_args.sensitivityorder_lists = NULL;
- extra_args.in_list = NULL;
-- extra_args.blockstack = NULL;
-
- cil_list_init(&extra_args.disabled_optionals, CIL_NODE);
- cil_list_init(&extra_args.sidorder_lists, CIL_LIST_ITEM);
-@@ -4022,17 +3991,7 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
- }
- cil_list_destroy(&extra_args.disabled_optionals, CIL_FALSE);
- cil_list_init(&extra_args.disabled_optionals, CIL_NODE);
-- }
--
-- /* reset the arguments */
-- changed = 0;
-- while (extra_args.optstack != NULL) {
-- cil_destroy_tree_node_stack(extra_args.optstack);
-- extra_args.optstack = NULL;
-- }
-- while (extra_args.blockstack!= NULL)
{
-- cil_destroy_tree_node_stack(extra_args.blockstack);
-- extra_args.blockstack = NULL;
-+ changed = 0;
- }
- }
-
-@@ -4043,8 +4002,6 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
-
- rc = SEPOL_OK;
- exit:
-- cil_destroy_tree_node_stack(extra_args.optstack);
-- cil_destroy_tree_node_stack(extra_args.blockstack);
- __cil_ordered_lists_destroy(&extra_args.sidorder_lists);
- __cil_ordered_lists_destroy(&extra_args.classorder_lists);
- __cil_ordered_lists_destroy(&extra_args.catorder_lists);
---
-2.30.2
-
diff --git a/SOURCES/0018-libsepol-cil-Reorder-checks-for-invalid-rules-when-r.patch b/SOURCES/0018-libsepol-cil-Reorder-checks-for-invalid-rules-when-r.patch
deleted file mode 100644
index cb5a832..0000000
--- a/SOURCES/0018-libsepol-cil-Reorder-checks-for-invalid-rules-when-r.patch
+++ /dev/null
@@ -1,175 +0,0 @@
-From 88f4d1c0b93d6a359d7fc7b2116de0da32c74ca5 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Tue, 30 Mar 2021 13:39:16 -0400
-Subject: [PATCH] libsepol/cil: Reorder checks for invalid rules when resolving
- AST
-
-Reorder checks for invalid rules in the blocks of tunableifs,
-in-statements, macros, and booleanifs when resolving the AST for
-consistency.
-
-Order the checks in the same order the blocks will be resolved in,
-so tuanbleif, in-statement, macro, booleanif, and then non-block
-rules.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_resolve_ast.c | 76 +++++++++++++++---------------
- 1 file changed, 39 insertions(+), 37 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
-index e0379782..c520c44a 100644
---- a/libsepol/cil/src/cil_resolve_ast.c
-+++ b/libsepol/cil/src/cil_resolve_ast.c
-@@ -52,10 +52,10 @@ struct cil_args_resolve {
- enum cil_pass pass;
- uint32_t *changed;
- struct cil_list *disabled_optionals;
-+ struct cil_tree_node *block;
-+ struct cil_tree_node *macro;
- struct cil_tree_node *optional;
- struct cil_tree_node *boolif;
-- struct cil_tree_node *macro;
-- struct cil_tree_node *block;
- struct cil_list *sidorder_lists;
- struct cil_list *classorder_lists;
- struct cil_list *unordered_classorder_lists;
-@@ -3692,50 +3692,52 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
- int rc = SEPOL_ERR;
- struct cil_args_resolve *args = extra_args;
- enum cil_pass pass = args->pass;
-- struct cil_tree_node *optional = args->optional;
-- struct cil_tree_node *boolif = args->boolif;
- struct cil_tree_node *block = args->block;
- struct cil_tree_node *macro = args->macro;
-+ struct cil_tree_node *optional = args->optional;
-+ struct cil_tree_node *boolif = args->boolif;
-
- if (node == NULL) {
- goto exit;
- }
-
-- if (optional != NULL) {
-- if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) {
-- /* tuanbles and macros are
not allowed in optionals*/
-- cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
-+ if (block != NULL) {
-+ if (node->flavor == CIL_CAT ||
-+ node->flavor == CIL_SENS) {
-+ cil_tree_log(node, CIL_ERR, "%s statement is not allowed in blocks", cil_node_to_string(node));
- rc = SEPOL_ERR;
- goto exit;
- }
- }
-
-- if (block != NULL) {
-- if (node->flavor == CIL_CAT || node->flavor == CIL_SENS) {
-- cil_tree_log(node, CIL_ERR, "%s statement is not allowed in blocks", cil_node_to_string(node));
-+ if (macro != NULL) {
-+ if (node->flavor == CIL_BLOCK ||
-+ node->flavor == CIL_BLOCKINHERIT ||
-+ node->flavor == CIL_BLOCKABSTRACT ||
-+ node->flavor == CIL_MACRO) {
-+ cil_tree_log(node, CIL_ERR, "%s statement is not allowed in macros", cil_node_to_string(node));
- rc = SEPOL_ERR;
- goto exit;
- }
- }
-
-- if (macro != NULL) {
-- if (node->flavor == CIL_BLOCKINHERIT ||
-- node->flavor == CIL_BLOCK ||
-- node->flavor == CIL_BLOCKABSTRACT ||
-- node->flavor == CIL_MACRO) {
-- cil_tree_log(node, CIL_ERR, "%s statement is not allowed in macros", cil_node_to_string(node));
-+ if (optional != NULL) {
-+ if (node->flavor == CIL_TUNABLE ||
-+ node->flavor == CIL_MACRO) {
-+ /* tuanbles and macros are not allowed in optionals*/
-+ cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
- rc = SEPOL_ERR;
- goto exit;
- }
- }
-
- if (boolif != NULL) {
-- if (!(node->flavor == CIL_CONDBLOCK ||
-- node->flavor == CIL_AVRULE ||
-- node->flavor == CIL_TYPE_RULE ||
-- node->flavor == CIL_CALL ||
-- node->flavor == CIL_TUNABLEIF ||
-- node->flavor == CIL_NAMETYPETRANSITION)) {
-+ if (!(node->flavor == CIL_TUNABLEIF ||
-+ node->flavor == CIL_CALL ||
-+ node->flavor == CIL_CONDBLOCK ||
-+ node->flavor == CIL_AVRULE ||
-+ node->flavor == CIL_TYPE_RULE ||
-+ node->flavor == CIL_NAMETYPETRANSITION)) {
- if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
- cil_tree_log(node, CIL_ERR, "%s
statement is not allowed in booleanifs (tunableif treated as a booleanif)", cil_node_to_string(node));
- } else {
-@@ -3801,12 +3803,12 @@ int __cil_resolve_ast_first_child_helper(struct cil_tree_node *current, void *ex
-
- if (parent->flavor == CIL_BLOCK) {
- args->block = parent;
-+ } else if (parent->flavor == CIL_MACRO) {
-+ args->macro = parent;
- } else if (parent->flavor == CIL_OPTIONAL) {
- args->optional = parent;
- } else if (parent->flavor == CIL_BOOLEANIF) {
- args->boolif = parent;
-- } else if (parent->flavor == CIL_MACRO) {
-- args->macro = parent;
- }
-
- return SEPOL_OK;
-@@ -3828,7 +3830,17 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext
-
- parent = current->parent;
-
-- if (parent->flavor == CIL_MACRO) {
-+ if (parent->flavor == CIL_BLOCK) {
-+ struct cil_tree_node *n = parent->parent;
-+ args->block = NULL;
-+ while (n && n->flavor != CIL_ROOT) {
-+ if (n->flavor == CIL_BLOCK) {
-+ args->block = n;
-+ break;
-+ }
-+ n = n->parent;
-+ }
-+ } else if (parent->flavor == CIL_MACRO) {
- args->macro = NULL;
- } else if (parent->flavor == CIL_OPTIONAL) {
- struct cil_tree_node *n = parent->parent;
-@@ -3846,16 +3858,6 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext
- }
- } else if (parent->flavor == CIL_BOOLEANIF) {
- args->boolif = NULL;
-- } else if (parent->flavor == CIL_BLOCK) {
-- struct cil_tree_node *n = parent->parent;
-- args->block = NULL;
-- while (n && n->flavor != CIL_ROOT) {
-- if (n->flavor == CIL_BLOCK) {
-- args->block = n;
-- break;
-- }
-- n = n->parent;
-- }
- }
-
- return SEPOL_OK;
-@@ -3879,9 +3881,9 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
- extra_args.pass = pass;
- extra_args.changed = &changed;
- extra_args.block = NULL;
-+ extra_args.macro = NULL;
- extra_args.optional = NULL;
- extra_args.boolif= NULL;
-- extra_args.macro = NULL;
- extra_args.sidorder_lists = NULL;
- extra_args.classorder_lists = NULL;
-
extra_args.unordered_classorder_lists = NULL;
---
-2.30.2
-
diff --git a/SOURCES/0019-libsepol-cil-Sync-checks-for-invalid-rules-in-boolea.patch b/SOURCES/0019-libsepol-cil-Sync-checks-for-invalid-rules-in-boolea.patch
deleted file mode 100644
index 421a2c7..0000000
--- a/SOURCES/0019-libsepol-cil-Sync-checks-for-invalid-rules-in-boolea.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From dadf1e9ad66318fdd814cf06af2b83741467a3d8 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Tue, 30 Mar 2021 13:39:17 -0400
-Subject: [PATCH] libsepol/cil: Sync checks for invalid rules in booleanifs
-
-When building the AST, typemember rules in a booleanif block will
-be incorrectly called invalid. They are allowed in the kernel
-policy and should be allowed in CIL.
-
-When resolving the AST, if a neverallow rule is copied into a
-booleanif block, it will not be considered an invalid rule, even
-though this is not allowed in the kernel policy.
-
-Update the booleanif checks to allow typemember rules and to not
-allow neverallow rules in booleanifs. Also use the same form of
-conditional for the checks when building and resolving the AST.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_build_ast.c | 3 ++-
- libsepol/cil/src/cil_resolve_ast.c | 23 +++++++++++++++--------
- 2 files changed, 17 insertions(+), 9 deletions(-)
-
-diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
-index ceb55324..3a91be03 100644
---- a/libsepol/cil/src/cil_build_ast.c
-+++ b/libsepol/cil/src/cil_build_ast.c
-@@ -6136,7 +6136,8 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
- parse_current->data != CIL_KEY_DONTAUDIT &&
- parse_current->data != CIL_KEY_AUDITALLOW &&
- parse_current->data != CIL_KEY_TYPETRANSITION &&
-- parse_current->data != CIL_KEY_TYPECHANGE) {
-+ parse_current->data != CIL_KEY_TYPECHANGE &&
-+ parse_current->data != CIL_KEY_TYPEMEMBER) {
- rc = SEPOL_ERR;
- cil_tree_log(parse_current, CIL_ERR, "Found %s", (char*)parse_current->data);
- if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
-diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
-index c520c44a..06b6ab48 100644
---- a/libsepol/cil/src/cil_resolve_ast.c
-+++ b/libsepol/cil/src/cil_resolve_ast.c
-@@ -3689,7 +3689,7 @@ exit:
-
- int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args)
- {
-- int rc = SEPOL_ERR;
-+ int rc = SEPOL_OK;
- struct cil_args_resolve *args = extra_args;
- enum cil_pass pass = args->pass;
- struct cil_tree_node *block = args->block;
-@@ -3732,18 +3732,25 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
- }
-
- if (boolif != NULL) {
-- if (!(node->flavor == CIL_TUNABLEIF ||
-- node->flavor == CIL_CALL ||
-- node->flavor == CIL_CONDBLOCK ||
-- node->flavor == CIL_AVRULE ||
-- node->flavor == CIL_TYPE_RULE ||
-- node->flavor == CIL_NAMETYPETRANSITION)) {
-+ if (node->flavor != CIL_TUNABLEIF &&
-+ node->flavor != CIL_CALL &&
-+ node->flavor != CIL_CONDBLOCK &&
-+ node->flavor != CIL_AVRULE &&
-+ node->flavor != CIL_TYPE_RULE &&
-+ node->flavor != CIL_NAMETYPETRANSITION) {
-+ rc = SEPOL_ERR;
-+ } else if (node->flavor == CIL_AVRULE) {
-+ struct cil_avrule *rule = node->data;
-+ if (rule->rule_kind == CIL_AVRULE_NEVERALLOW) {
-+ rc = SEPOL_ERR;
-+ }
-+ }
-+ if (rc == SEPOL_ERR) {
- if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
- cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs (tunableif treated as a booleanif)", cil_node_to_string(node));
- } else {
- cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs", cil_node_to_string(node));
- }
-- rc = SEPOL_ERR;
- goto exit;
- }
- }
---
-2.30.2
-
diff --git a/SOURCES/0020-libsepol-cil-Check-for-statements-not-allowed-in-opt.patch b/SOURCES/0020-libsepol-cil-Check-for-statements-not-allowed-in-opt.patch
deleted file mode 100644
index 02a4356..0000000
--- a/SOURCES/0020-libsepol-cil-Check-for-statements-not-allowed-in-opt.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From 0e420cc6f6debc2050229ea537b592c963b81a7c Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Tue, 30 Mar 2021 13:39:18 -0400
-Subject: [PATCH] libsepol/cil: Check for statements not allowed in optional
- blocks
-
-While there are some checks for invalid statements in an optional
-block when resolving the AST, there are no checks when building the
-AST.
-
-OSS-Fuzz found the following policy which caused a null dereference
-in cil_tree_get_next_path().
- (blockinherit b3)
- (sid SID)
- (sidorder(SID))
- (optional o
- (ibpkeycon :(1 0)s)
- (block b3
- (filecon""block())
- (filecon""block())))
-
-The problem is that the blockinherit copies block b3 before
-the optional block is disabled. When the optional is disabled,
-block b3 is deleted along with everything else in the optional.
-Later, when filecon statements with the same path are found an
-error message is produced and in trying to find out where the block
-was copied from, the reference to the deleted block is used. The
-error handling code assumes (rightly) that if something was copied
-from a block then that block should still exist.
-
-It is clear that in-statements, blocks, and macros cannot be in an
-optional, because that allows nodes to be copied from the optional
-block to somewhere outside even though the optional could be disabled
-later. When optionals are disabled the AST is reset and the
-resolution is restarted at the point of resolving macro calls, so
-anything resolved before macro calls will never be re-resolved.
-This includes tunableifs, in-statements, blockinherits,
-blockabstracts, and macro definitions. Tunable declarations also
-cannot be in an optional block because they are needed to resolve
-tunableifs. It should be fine to allow blockinherit statements in
-an optional, because that is copying nodes from outside the optional
-to the optional and if the optional is later disabled, everything
-will be deleted anyway.
-
-Check and quit with an error if a tunable declaration, in-statement,
-block, blockabstract, or macro definition is found within an
-optional when either building or resolving the AST.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_build_ast.c | 32 ++++++++++++++++++++++++++++++
- libsepol/cil/src/cil_resolve_ast.c | 4 +++-
- 2 files changed, 35 insertions(+), 1 deletion(-)
-
-diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
-index 3a91be03..4f72884c 100644
---- a/libsepol/cil/src/cil_build_ast.c
-+++ b/libsepol/cil/src/cil_build_ast.c
-@@ -52,6 +52,7 @@ struct cil_args_build {
- struct cil_tree_node *tunif;
- struct cil_tree_node *in;
- struct cil_tree_node *macro;
-+ struct cil_tree_node *optional;
- struct cil_tree_node *boolif;
- };
-
-@@ -6077,6 +6078,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
- struct cil_tree_node *tunif = args->tunif;
- struct cil_tree_node *in = args->in;
- struct cil_tree_node *macro = args->macro;
-+ struct cil_tree_node *optional = args->optional;
- struct cil_tree_node *boolif = args->boolif;
- struct cil_tree_node *ast_node = NULL;
- int rc = SEPOL_ERR;
-@@ -6127,6 +6129,18 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
- }
- }
-
-+ if (optional != NULL) {
-+ if (parse_current->data == CIL_KEY_TUNABLE ||
-+ parse_current->data == CIL_KEY_IN ||
-+ parse_current->data == CIL_KEY_BLOCK ||
-+ parse_current->data == CIL_KEY_BLOCKABSTRACT ||
-+ parse_current->data == CIL_KEY_MACRO) {
-+ rc = SEPOL_ERR;
-+ cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in optionals", (char *)parse_current->data);
-+ goto exit;
-+ }
-+ }
-+
- if (boolif != NULL) {
- if (parse_current->data != CIL_KEY_TUNABLEIF &&
- parse_current->data != CIL_KEY_CALL &&
-@@ -6468,6 +6482,10 @@ int __cil_build_ast_first_child_helper(__attribute__((unused)) struct cil_tree_n
- args->macro = ast;
- }
-
-+ if (ast->flavor == CIL_OPTIONAL) {
-+ args->optional = ast;
-+ }
-+
- if (ast->flavor == CIL_BOOLEANIF) {
- args->boolif = ast;
- }
-@@ -6498,6 +6516,19 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
- args->macro = NULL;
- }
-
-+ if (ast->flavor == CIL_OPTIONAL) {
-+ struct cil_tree_node *n = ast->parent;
-+ args->optional = NULL;
-+ /* Optionals can be nested */
-+ while (n && n->flavor != CIL_ROOT) {
-+ if (n->flavor == CIL_OPTIONAL) {
-+ args->optional = n;
-+ break;
-+ }
-+ n = n->parent;
-+ }
-+ }
-+
- if (ast->flavor == CIL_BOOLEANIF) {
- args->boolif = NULL;
- }
-@@ -6526,6 +6557,7 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci
- extra_args.tunif = NULL;
- extra_args.in = NULL;
- extra_args.macro = NULL;
-+ extra_args.optional = NULL;
- extra_args.boolif = NULL;
-
- rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, __cil_build_ast_first_child_helper, __cil_build_ast_last_child_helper, &extra_args);
-diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
-index 06b6ab48..8ffab438 100644
---- a/libsepol/cil/src/cil_resolve_ast.c
-+++ b/libsepol/cil/src/cil_resolve_ast.c
-@@ -3723,8 +3723,10 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
-
- if (optional != NULL) {
- if (node->flavor == CIL_TUNABLE ||
-+ node->flavor == CIL_IN ||
-+ node->flavor == CIL_BLOCK ||
-+ node->flavor == CIL_BLOCKABSTRACT ||
- node->flavor == CIL_MACRO) {
-- /* tuanbles and macros are not allowed in optionals*/
- cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
- rc = SEPOL_ERR;
- goto exit;
---
-2.30.2
-
diff --git a/bachradsusi.gpg b/bachradsusi.gpg
new file mode 100644
index 0000000..aa060bb
--- /dev/null
+++ b/bachradsusi.gpg
@@ -0,0 +1,438 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBE97JQcBEAC/aeBxbuToAJokMiVxtMVFoUMgCbcVQDB21YhMq4i5a/HDzFno +qVPhQjGViGTKXQYR7SnT8CCfC3ggG7hqU0oaWKN3D003V6e/ivTJwMKrQRFqf5/A +vN7ELulXFxEt/ZjYmvTukpW5Li2AU7JBD0aO243Ld9jYdZOZn2zdfA8IpnE9Bmm3 +K/LO1Xb2F9ujF9faI5/IlJvdUFk3uiCKTSvM8kGwOmAwBI921Z5x/CYvy5kKEazU +lUxMqECl+Tu2YS6NDhWYNkifAIZ7lsUvGjW3/wfh7AvmAQyt/CxOXu9LL2nGzFhw +CIS4jVIxy5bDswNfHcaMX7B5WEyqTPtjzPAEMiLL4yHJZrHDPd26QHSaqtilVA4K +AeTYbME8iZIdacquFEq02PO9qAM21O48OknCTSolF7z6nBkk6l26W3EL+Gz5I2Et +3S9pab3FMjiiKVavM6UA5D0DQkNxxDn9blDXZyhX4HFrk+NnoETcGYFymPbbijgi +kFC4339/Z1aK31aJLkxiana5mqLthD4jCeg3B8Cp5IurqPr8QEh3FH8ZZhtdx2fX +TXHTmGQF/lXG4tg1eH5cb6wWGU93wD+5mf6czJlUZTY+kdevKtZCQnA0/2ENCOFW +Jdm/oMTUw6ozPd474ctzWKeO78e8yMvZst/Zp3Gq6SD9kcoPgiuMQ+BOkwARAQAB +tCRQZXRyIExhdXRyYmFjaCA8cGxhdXRyYmFAcmVkaGF0LmNvbT6JAjgEEwECACIF +Ak97JQcCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGOorUuYLENzy1MP +/2c4fH8eXWbqoot/vLE+hJ14k0leYOQhVSo4lNlxRlbKNd5MQSX/QjkQgJNECbB3 +LM0KxE/zwVOZ+umvmxLxNskOxjubE6NzoF7Sm9ydoqjwzenIpR9BVtg71mfjBOoL +PNrst7tHRE5btSnnnOS9ddt/y9JOIvQpkjtBTI2TfVcp2b4Domg7i4qU/hJ7hu45 +5oAi6rPPkr0pcGiDKTqi46l7+9orsj9Mxs1XTmrTMMB/eV6PCU7Fo4WJNXS8SXd3 +sEVxXvpyYjUTTnDuewjT1q8NL7anrsckS16WYSVGKzRhqtP1Vudt1F/D5cWKVqQp +vQl/XW/uQS2IsgEWsbRmIAEZIUOy4TnuF494C/A+1BbJBdUr4Nl9zPH2bjrJeqYk +TsvGQr1icgO4pUg5oC456htkqCxCuPRqqrGDAZBx54TldgPwvCo31+aPQJlOlWvI +uWD/depp0De3oTK9FDnHh3swE0vyn4Ht96+vM+KNnDYgJ1FEaw1efYePFACobvEB +o2ZpLbnDyqAT4MzfHpHSbwzUOk52ZOnkl/KrUIOxhXtf4dxRS6J70Rzb+HWS3rY/ +LgaMO5Q0BJfbvknguKmE8dO8jx0pTlVER9ujqp+bVPXmFMha1j8vyGhJ3eLJZaRL +k3jgfRjiUUb4lNp+hXpvBwIYeFWl5kFVKg2aPywgnnFWiEYEExECAAYFAlBq4WgA +CgkQ4J/vJdlkhKxmjQCfevlawFaGTx58nDFN+4j/2U6uaGcAn2g1sZcTUrEEYHdL +byAyw1GNLksOiF4EEBEIAAYFAk99mCMACgkQ/2iSBAM3HxDivAD+Lu8U54iGgL5+ +h9KpeV+ZlHgIpj4cD+BVL85L6AQ3GP0A/1TwZ1tS6Ag3ut2G6AL2wewR3v9Mgu68 +E0M5esz5of4oiQEcBBMBAgAGBQJPh9ZuAAoJEBliWhMliBCHMSUH/30V/E930OTT +oWeq+QKkTJuMF0lrA5NaAy+xWtrynMKoiAuM0KFNGPfrPehkoxR4D+MKXH+xh0j2 
+bHl6fXOHJCKZLhCtsC/o8j7kkjIJjixBlwYMul21rxecke7Zt4XpxHARJx4208Lk +ztpzOd7ZnDP6KYav3itpxK8Eyj4g8N2omoTQ2Dcd+sCa0jgRkyskpPxdt0fK0D04 +XW7b1LZkxwzwrAGSpjAZVzpKBXANcSmUQDAaIhGvYSKoiwVe2eaE5lUmvAaJQaTr +Ud/LCIwFofTLSaBRX8fEOe+UwvW36VtynPyETyROeTMp//Cm5e2CQVPoDv79soyi +E/oUW9DFDhCJARwEEwECAAYFAk+Oe6EACgkQlGXZM5TcxIlIRwf/VjfbN3eVf648 +vXvDctsXfucl37i6Yue2COJiGYuZOrN7wYxVvH2to8P3V53YV9OqDpJl2NXUro1V +iUjFHuIKp23VbtyBAYsrLeTMmHLjnXlaUPSr6JUDHUQhCF34BTk17e9y7tXlEshF +YVyPlGum7JhyarHB2rRdjQk8kyTqmQ4yHjw/nP/HlvVxdgb+mTmudTPVBafOT1R9 +MJ/SN2x4bclT4cQ0hjNEy/TsFzVduQj8yNOMFG9r6p1Vb+u1wn3BTANIh55R9aDh +3JFFIV/jBTkxukxR5iyGQiR53nl0e0qnQFxpfhFGclh0RktjrHZ3DBAzcuYXp540 +Vu9aq9QuPIkCHAQQAQIABgUCT4bdRgAKCRDCPZG7HYJE34FtEACfqPwWSItk1lNX +E0HOM1YuHXFfMGURF1AotskJatwtjGy9oDUQkjfsPROnWjgH9s0xD2UmlTrjJfWi +BdH0kTLiExVUOmvnM9VFMRhYxQZMwiHecm4FZ5IWUz4e05oGCkHFbMswXEoEG+qq +btOfLNpX67yy/JM6We+8PiXV/c2vaErpH5S8YChb5wD9lEWNM2aPBOUmbzONM1/f +EFd8AF6fUVYN7htuyG1n5zTv+oowmO2c0terJRGmMgVuLugIEnKKhaQ+H1K6bdZJ +7mX4xxx5izEyYeYhi9DhBHSwCLhWR+Yilqkc5U0nrF+3Z+Cb9THHppi071OIQ7pX +rGsQSpDzGRXCw0nKEBm0Li13re8cOoHMlPD0RHWZEIRZGSYX1YKBtVuv4kpSq8GN +85lZSDKGRNtbJBS7Qj4vyOlOrBO1eyyd4lepQCe2Ri3gU97rek52tOM+fAIibz7V +b4a0qbbphrz6PVMbDGiBxM92+YpdDyZGyL7wJ4g6DhRRcEUQahlZ1n7y+YQ60ETs +zt7+kD08Zi2BoJpiMHsFfoas2pot7VePFxGutwvq0p+OHSVlwkLgOaORPHumLA8u +J3BGlJTHsErUB2EEgdc/Tv1vsZzEI3Zi+hqw1gcbke21Ii8aDfshbeKW9hYJAhnW +m8VdF3n80UX5Eg56iybrLCjEyiAEYYkCHAQQAQIABgUCT7yYRAAKCRBOBfZjp6Qb +nnyTD/4gVbq8H5ka7fVdSAnX65/kFn5xkqGzbpCkjcqe/5uI2CvdYtjeQ4K6sm7I +5RLoyu/EE/JPbCRHiucsEak42WAZSRte/Wn2yTQpIb0mQ0wXJvuM+Hx7DSx2R12P +9rIZ4mGo/rEtdG7Y9Vog9M/XGx7w5IqSw2DF2yiYQJXsOzHjphfYB8JfoqjW/73k +n4E2IRJtCuWhfiJZJ+GEGceSBIredH3o01ThtbAeh/gzPRF3FU1361zyA1sXtmGe +qwnhNL1spHRlpub3cvAXQ8RSYrNdiFZB5zohNt+iL+qzVWaUJo+vYZal1Co5/roI +HN5nJef8kp1ngaYKvf1hIVvsdQsilVQIXKFWMd47aU6W8gPr1W2+U4yw+q+OXari +eo7gpH7/OvMSe/3wOhGVD8KJrMwAVnr3M4wo2CM6zlwxPGdltQI+IxDD8NTGTmNT +rRARYRQaFQyqd1SrVt4sSkeoegrpOG4oWXya/v4SeXHD4vt8vvvX3A4szB73a355 
+IfbyRXDER3EfFfW5c+BnR3bxhfATTE6T0AKz1Gq30Xm2ycTGYCAZ2yBKewaegTpx +3O/E6APTXUnVWTIPQay8T4iVUiLFs7W1UFMY/RvmIvKKFIQWcm5O0L+27PJK+YSx +Uoo1Ivt1pclTuetbRbN8VnR3K9Pp5uZ4KLz6ZkffmJg2sOSu74kCHAQSAQgABgUC +WWMlagAKCRAyfirUINN1OOtFD/4jW0ZMGigpruCnvY0nr47rA12X6dJ6+KIBE+XB +QxuaQRjM5u44geksDwrqZ0nXrNvsa4SVwAhKVOrgMJVdzvUa1m2yeNCFHOTjln6Q +GjZ5f3a6aj6n/X5tlPptdklUr9ucEwXVd5fFMpWAiwaqZt38I2u0Pi+/qHDt0kLy +RSukmRPzRuS/kO1ugGO4aoO+sanVDl2Pq6LIwubL1Unk2HUerg8VCAyQrxYtZtHc +coyhmBTlAb+EmZnUVbQZ3Uy3eA89OuNTBhJWCk8vqROFm257MiH6gvG/V8CTrJfz +lpE+s9E6kxXhXpQWZUwtwWObq7vrJVkJhRwBsO9N2erxe+biBauFErYQPw3bg6xL +1BJLxDWnKUlMWs5o+h7lyjp+1B/gbnnlrUIlpW8IKVZRHwRUPGRN07SbbEO1lDk5 +uJDMk+r2KrOUNVYCEp794P014xodkLvB8X7ml6tcABE4V9d4uVDX3SsktOLMvtWg +nL6xWMoBYiVOXi3Rsm8vESBOb8JFQL/ItciUyAioM4Zjq5eqotVq90HMBO9kqcjC +YsYEs6RACRmyE+TNmzGoucIPTwPEi5Ib4gj+LG6iPOBprk5DSjD7F0/wnQPoq8PY +HIufb4+PgOXKf/ROQXDRLeD6eZBtPcDUJOgW19m7QcXZ8fvo6B91COe9jTF/H/i3 +A7NjR4kCHAQTAQgABgUCUQZ8hwAKCRDZsFd72T6Y/MoUD/9xxmXbPL2Zto6qECXs +Q1GFuydiYlURxDsVUiuc1tSgEoDb8XcXl37l/IKX1QmcpvHMPzeT0g8sNwIXSnL6 +BNCnFcfrd0tEz8uBPxVnzMiGwaHP1kB6Vs6sNV31+CJcTz8BHHbOdXZnhHqXSb02 +SonqAYeWVSlE08Ejvq0HIWRn6NIGdGqv6icBExryJjS3ZChRFpvgAJwsVO5f6BKH +oZnEn79uQR4XPHwuxRbm4hf6iYEbOhE7Hod6kTzS9vYIhyuTFTz5Kz/YxlMoZX/j +TIYsX0nZ3r+Tshur8iUXJhKvvXVlGyrGO2HXfEuIpJqEx4/qM9jUNP0EE7aPzZ6f +BP7Xq49Dx9lnZuSQ1jeXxEEpO+AND2xmnjCHr3EfgYZrrhCSxMQhvJh7wypkzu30 +D41BHPOPSotmM7WLceHWmYui0Wuq9X2hom5jq11XwACEtmNiP/odXjF0ovfK0d8l +j/kivgrXAZdN/ONJapVSLkRMS71S6eln+urR9HfswEfM7IPt0cRwN1oNIhXmK14+ +XBWvvwvalfuxG2UfxD8K0JXMwARlpGlV8lXpuzDV8EcrvLipKpqiQWaJer64kaQb +8qHEtT6+JNoGkymohrfeVagxKmPzDWR4v1a9lgZwY1FTRHNVPM0P8LWlN9q0CrYc +poBwkhTMV1YJ1OBSrkM9IM2vsokCMwQTAQgAHRYhBGMZHOlBgwmGicq4237xN+yT +Ww6vBQJjLRkzAAoJEH7xN+yTWw6vZSYP/36Bt4QhRtIh6HPWbHraFSl4omnuISu6 +lTHsqhik81nbIUiLZ5e/KN6ONSgD2jfMVQOLiPTQFOoxVZvOjaHmHvMuF7BCbr90 +Afh1qXW9txuPbVkhtC6hqIMn87b8UHEnt1l5MiafQnPHhoociqaqwfls/iu0nJGu +Jf5eVMXpdeWRk+ckGkqP+tXp/0G933jibSdYqwG1Tsw9D98xnGV3a/+zIqRtJflp 
+HPEjHPT6rVKAZxk7gkYSSsv6ONBwZHqwe9W1I+U4t6OPkGo5kNbMPBORB6/7B2Qo +LHx3+KYZs1j6glI+F/8IX2+JSFs07saMnsDhE7w5FzmwWV2JcUt42RSf8DVub438 +jgA/Ht5yPROEJ87de78aD/t/gPq/Gm3bnUz1BW0jxBidjqg1qPOMYjC7n4dH8X0N +cRfX6tWOdSXmDBbPg/vQi6CEIhsGVisKlnrgYi1wDZExU6UVMnBNvllUu9PXye+7 +51cIbrb+fwAWiwmu+AsL0qsjxZYo+9ozOLh9wLUhxOY5MZM82alN/mlUGzEiXN3R +i7D3rDrNFHdI4LGGLbO2hjPYrG4hdNHS+6WbU6qYcpBEhrqBtnUjoVqIKP2boBLR +ara7hHqVO120s8kgGtf/AoYpggD0H4qqUy4EFNjVdcL5T08w6ldQIYo7CEa1iHFt +ML4bsPcJh8lciQIzBBIBCAAdFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAmMsvIwA +CgkQVeRaWujKfIqNXA//fjCpyIPPd6RnJhagWH8XCp5NB4cCT+LqAIR5yZfz1QE8 +Qbzpoobz9ysgXZ5XjLp/lbVffGyg986j0wUtSW1+g3kJcYXBUKjSWoBwwmZgyZky +95U+uklY8CdPjSeuzr2I5X/LogHNH1378d9aEmQXBfX1uW5g4Aqgnl0OOgkCVzgs +FFOO2o1j6svrrDVG52/mwXhNRm0yYK/hFB8T3PO2IvMQGDGJLHl6N5Kl7P2jtkyF +Isi4AEzJeop/2GJYXQ+VkUTSNRKQj8oOS5qe9/0RkF9uqeamoc81n2But8MZN2fv +R7ug2EuG2LHp9/pwu5ekohXmY8EtMbVbU7TYKgduK0FMBaK36jXN4Bapakfxr1z5 +pwdDjN4QiqUefBQlG1CJ6fGrqbdAupzRRDqN974rs5HafnbxioYRYjoo4H0zC8XN +UwgmA2wrwIIY/cyNCSnUuT8yVAnroPiFgmMoL8RM7C5pHQYh0u3fXPfvNBswjXmR +pJ6mhTqG6SS4qIaPhqoZqA1iyA6+Ua3YLBDT5wqvuqNMnfLtLUvMuridmlj97cRc +srQIr022NdpafDQVAiVhZO0CRyFd/++XT35iiDoiv20+LewC0VVza466AE1fkAme +rKlurlET8U/+U0JB6IP77ErjMgCzotV8e1DJkp/M37nMeNzazAb//ovsdkNM6P6J +AjMEEwEIAB0WIQRFaBEoRJtl+IDGF5c6hKlGtLpirgUCYy3RvAAKCRA6hKlGtLpi +rvhHD/99Lvgf+CjbhwC87CoKX84MyAyBlYACCSuySQBnEsVigz8sCVyTYDx52h1h +/SEj7XfTylAfIl1CjUedH4w3hk+7IN4scmhf5eeEMvQd8q+Q/hWQcXIUpwgKOcVD +NbUgYcbakJAPtilK1CeQvDdBD+aYoMsJTsII/f7FJzwjPM1XGf5EoODUC8BtQf/W +KAVoESwwAUwN6Y5XeYSwMqu1s7IHs3yNYLV8C6A7EQPVaVVlORqI+33rKyqAhK5X +ErNvAREQPYJMfRnQlIW7alSORwdG0JBgVLgV+jvoFo4a1AQImHDDtKxs2X5BCVG1 +I687uYDBy5Assl/VxRMIUpx5+zWvXyDZX/6nlL7AMokTlyosgP4iiifBS+5KMhan +phMgnDXYIJE10V46Bdw2tjd7wMKey6BcKgfbZSvU5z+SuVnQXCyl3/blRML54I5o +EomXPg6lgVxSb6BBnaJXzx4JKgLer5uom1OGsLgPMqEHRoO3bucr2xFdtq1Zegw4 +9S3qDhQ3bn8pg9JlYwmAAhBd3Xy5cPv01mV6ompOQ38SlMCJzcAGASdMw5scaxUl +7MloV2Nl32HIzPjK47bF7aVOFX7Tz+rEFLmJCchqmUSdxi42rJyHKVRqiAlNfZ9S 
+9FeaEfU+vBxOHsLNqVO7ErvrTafT5fjphZqvUTqZGCUiJUjPnYkCMwQTAQgAHRYh +BOJeJUyO5NMDVUv1r+xwGh2klMXrBQJjL1NOAAoJEOxwGh2klMXrYaIP/ifHM9eU +UT6JD0m6Oa3P3T161NhOvNqr71LDSztClsWo3XX0+ZK3wpjoC6vKqgx0Cc8OL1S2 +GqwCaxb5JqWpsoqR3NW6bTqTTUGREj/e0JHDeBzv57OEUTe4ea7qzqjhCX6iyzHa +qDP9fiAogMQ7uT2oCghDV5yo4JUrG5brw8GkMLEvRSs2BEv7xFAySRaGwNj+oziZ +VzL7sBzp1bCr5cwNZVYxoo3VAv6FUcExp1TydxzPVB8/VvxOa4zrht+hFTn6mjUi +NHBc7DYECgh4jlDR6TnAdvpg0FsujTXiN6A0obOUl9jGz2uFmdY+2ojlVtzqKXoP ++PDz8o2zMrRoQYkni9VyIc536E4OFIhfO6CrThMjJjPNn22Tq+fzRYkWTrlJom9b +nOldQ1BdUXQt2QNigdzqjhZTIgF5OEOTERh80dvwIbZ+7vN00BOsuncR5GUBQerU +F6+SksVRAaOg2lyoDdxUQ+Z28RU8R/n7VjMV8ctFkQvHHLBqKkpET8LRh0C/jSNh +gB8zLPc3Oa4wTf2xZWO58S18esbYMr74vRYrsACbmwxH5Tz+L6Br70Fmcz608+IQ +ESKW3657gemZgFud3AGokzKG5AuWykSinydiZbK8MRGLsdfPUojaVIgXFqnWKtkH +At9gkD8YbqGYzuVwBnljBNRdTUMk0ClgV6pjuQINBFom2R0BEAC9k1Ky6AIe9sPP +xrgsrXRe0dyYcoHufzeU3jFssl3+S4cRuvYCzdZfRfdjfHa4n+CxTaOd7xkefwJg +GpaR9KJbu8dqHm61GIiS5ZbMCRU8FAW6ohVeDqEwFrPAzZjtO41OTpeXCrPu5H5A +Tg/kDnabzlD2H8JWAqr0DYRRhFtJUihXUey9zK03wSjUi5E1+YHUC/fOpbS+msNN +945CeQNBN4Ljap9Q183Fkh0Wm4Q8C0OS1WN8a0XtqSALRCGAZ+EV6UrmQVP9PCC4 +/J0hoKQPv2bfpBAsrUGAO3Fnsw7804i2TY7O3JA8gGDYX6fwOVJMUXdD7FX7LM2P +pESqAdPrjqmPqHT8cPfq27GYgqHv3N4hP9Rjt9wxmHYFbJT0YCHw2ZMiAO/VcvvN +miGr590ZFiQEb1MJN1r+h5UDE1CtF6nTieirSXi9oMilHlo2NY5nAItv/T9PKk4X ++kaH3UoicMxrkT34tACGwxi4VIRYWL+ZquxE+bwXqAvbGJ0p3XbyREURCaO96J/2 +w951EvZErpFRQu4zzClmoMiNbwkQ8QdesSaqjMirlHyFI8T9BZrXbPazdVNUwfyR +LFil1q/kgXjXeJDoje73UiyGhqhlVOlEbunGzCwEBzrtQdPTDeFQr476/4pe0v4u +gdNYkL/gY8Izodn47d1XH68AuRSrzwARAQABiQI2BBgBCgAgFiEE6FPBhIsBhc9C +hk3zY6itS5gsQ3MFAlom2R0CGyAACgkQY6itS5gsQ3PQSA/8CZGTxQDbD2oLkGb6 +tyECIs5A1RsfwJ9aj0R/HuEO39ki8yM88fwi8F5AfzNcmYwp0rxyYDDYM0itObSv +A9WBB8YFZ2PKT1YHrwTzWbne+spmQYDRdFt+0Kx0JLvgv7SYvQ1jNdCazixH1SAM +9O+Tn5oFybVHjRavWsQYHp1CvXY5kOHOEDHhz37pGwFvyVyFdSYS5PWT0+0XU/g6 +Uq2HeFCurhUGuDXJ6WA6Ipvmu0vbi8GpyeiWCRoG76sqbBfQ7dd0oDMUHitewWGq +LP1Kioke9hu5p9CbkjYwGZjJWZEV6WHxOmICfFcBRPeIJyO8Kfa/vVBfQZj9fhqs 
+3sHSfAGIdKIB3tX0qKhMRdu/QoM14YQ1yK80JTUUOcrKLDt6QJinF1UQ/OcYQqGB +CXaRk1OKGFuuij16QudnX56+aYbNPltf7cLs1O7aodQcRxmMSgxSE/2ckthPYBsX +PWuDMYZCb3e6JMWsdnCI7iPpoPFAJmId7SWJebXZxntoX6YwZ7Tx58/QMLEqxMfE +ExQTAFg8/owvxCG12KaharLr4GpLx0aU39QEJenG1LqGLwiQh9Vxsejw+MkebZJE +6zhs7XBpenrd5c9OFOtb/Goxwal/6UXz7a62jZ7wDNpJw9xOfC3/eX/56+6dLVef +RFj/LOIu9reM4boTiY2dmGj1QC25Ag0EWibSSgEQAMhQB2Q329FSozPk7V6dYBO+ +jDBMr1jHWvNMCR/2DkwXfDAKK3haSWSqr51/wua9skFRezQvc9PhgvOIJi1jsxRf +xNoM82a2OpYJdj16FG5RVQ/ApojiywNvp1YPJbmq4DfXSuUA6q+OephsFLrx2cPY +nyDQaI6mrqTBecET4cdQTZK0nKKUPj3U2bI96zTBIYK8Kr7GMKXm8R1eV8bktwHT +HyDjI7hN5EjZViYqZYDQ3jt2vC1Aj6XpFw5K7Sv6f0l91zyjfcu6Llsfo8xtRhAl +lub8EBuO6ljJ5uWqDgjqTOkDXcIAUkhUCg8ztweR15zgJQQ/On0XDcHLtyi7zuQd +xNaKYKkD3oROTqce+YbNN3qnP4bV0qa0JLlTOrE/0/zmif7Q1zYOidcmMgGeF6Gp +pGQkkxY4gSKet8kD8h4AZXGlpFu4e9sue1ENDRmgWaqSzIWudMRZ3z0/s9EGNNiW +60nwJ1NBoySeQEmnwMzAHXneRM9pRGQ1S3/CKttq/0eWEH3Y/Td9xi4DNvTXcvgJ +uUUwoclWP2PCPg3zE+EQ1q/Kt2oYrT8NcemM9EO8btNzJ/Y1wSDLFAFNikHwYjTM +86jWoeGhSM3fD9HJjfqoB41gDKvNIVlhQavhe6df4+AoCo/mGosLYAPFaHHdkmqn +eT0Y0BnTRIS9yLcO8CBVABEBAAGJBGwEGAEIACAWIQToU8GEiwGFz0KGTfNjqK1L +mCxDcwUCWibSSgIbAgJACRBjqK1LmCxDc8F0IAQZAQgAHRYhBNalthyaVTQWgpLb +Z74iCR4+9iJ1BQJaJtJKAAoJEL4iCR4+9iJ1D2AP/1VMC8KOmzPYyiFY+1xHu2rv +siB0f80GH1jXwDSM/IKvsH1axCD0hMV5sSi52epCov37czSlR3MpQjo0xK32wJB9 +26AgbzJYZO48qulDUXUhPWJ9bxiyIcxI/3KEspY1RMoWv8AfYA/qSma1cSdT4IMo +SGJzPh3RyrUpeFP5QT02oGa5TuSQPiJwy/b9u+RVOi1SSqzHMJdKzZehGays65Pd +jC8Xtf4ipdYRBr6mIyUISOB+FBkY2MttFzNDUBdDrOepyjStQLZ1vUXnYKIiSRHX +o3XTW/W8fh72o26zeDbQcALywQMZqnwtrZluzKHZxF07whKmXvw9pUHXX6hbJDvm +GVMxnB/F6grPNi/V+Bv75sKOdImgnJBUp1Jz7288SPbNQwrqFKV2ZD3f0PFmolFj +Cz/Oc+UUk+swfnsT3pV6LClTThsOH8WlKJYxZLneX75HuVx4CmT+qv6GlFQuixjc +H0LtsbbSjAx7J2LRNVtfI+2DfMcIi8KJxe69MAKGqqxDyDPSWeFrs0MHmyD6/6m+ +GTovgUT5jOZbR6GVKelW054bmby0zQevWnRieANVeFoFsnwclJnqKIRzQiGod1p1 +b8HhSCw4nOeOQSifaOf3zcnFhYyByDMOtl3/AqGoLp/61u3Bk9h+BP4VPR3RUWzc +ggjmxJM0MrLzjaSXSedjzuQQAIq9g35FGpnaB8d/EjufED1TVSOkvNK/qJ+dD4Xz 
+f5RvnbprofMnzfEyy8jJ1Vqc3QZQU3IDQt/Un2ZywX0OboKGAIn/gyfwdkpnxJ0j +JoxRBuMplNpfNBw+oe0nFuozO9idFozKM+SWoE051/jvGHp1FqEPLnAAGeSbWB0L +RlAsnMjc5u6+SKHeFGRKYg7U0sO7ZKbVIT4ZmRnsQLDakHwbAgfcIakh9Whj0Ou5 +r78Cs+DcM3XAdtZ04d81jV5TsveR8/Cn473c6dvPIfnA2P4uClTCaCDv+jXG2f9a +FIuJhYCO+TdYs7qjAsXWngJUebRFiHbfSuYDw92/eqLdKD1Hoff4MnW5YOtDpp6E +sdCDuINeRtUtnidw2vIPezX+xdmycXIq9Fb+GvKrIDsKu0VO8HObVviLa/RE11ds +EHYlrarj4mqzS2MhvmU79Bazg9rDDB4WVs502n3uJaf6Sod/+ke1c3ff7AUPox2n +pjH/bVmkZJsOq5EqcvlH3m2FZUHSFWS/yTR1rPuJoHBMHVc4OPlTuSqT3qmKL2vb +vD1l3D4zHZs1paRLddYXiaex4qPU/0YpP61XU070MmFGYE8Z43TbMPHu/6LYBpw9 +p5Vj3VZwn2edNl4LGx+05hIABzM23I7JoQ44uPoTbohmYXF/DUGJ6h2LYdp81AVC +lSFWuQINBE97JQcBEACpbBqvDl8J65jEhPjOWczcDVB+WfG7GBHB7T6RxSNFIahy +mDqzx73zZD6n4NnZogPDPopYdRJ56u5AfF0bDZlgebl8+VEgPHGoay74Gf6k0B+c +pEkp5PaWQHHEqXINotVg29hTsf1u0sb+yjgcc+9WHw3MtpChsgk8Rc5N8Xvr1FJc +L+xynSvUCcLIwfgvLHYPPBYGIRpvz4ek/zgHvaGftDfnyMwrMbgi8kadrSb7PQgc +eWeTL7CQN1B88TPJFqKt/QxMdXaPy+Cr3P4XVy5V3/QEVFUizrtCCqJgxHMAeCP5 +QxwYEWmA2zxUzGA/t/QUDFbccKt2BdpdKBFtHLliE+yn9FHw98JayjhAJxxeCkrp +MED9N2aGHI1q44sbmeLKQ8EuIbCamfq7fqLXgkEy8jgivv2J9YfXejjjEobGLkss +Jlxaq9JeQgFEVl6f0jJ0PgkYPd11RxTcVLy4RB417cxc9LHcoKdAtcgBTcZXPPYO +L+eM9S7rTvFTna9IdF4bbnJFNjHDMhb/9XomxxBsekpTUXEm2DGoTpO2W/jwWcZY +LVrdhikkkF8b88EdWk94fUTcFA90I+Ch0YbS8XGM/WIklrMGa0JpA4OQW5oMhKDn +gqAcV7gxRYt6ylBPVh94/AIMz++wmfqBxETFP8HMgTVEApLBLjwru9B/4lRStwAR +AQABiQIfBBgBAgAJBQJPeyUHAhsMAAoJEGOorUuYLENzegsQAL6NuhGuzQf2GELc +O5J8/BW2yF9sxHWDLrw0Pntq8D35kgGfZLB52tN3DI4NwL0vE931bXC7ovi4kHPS +sazv+WPUckYfJ7qskWVD1yDtHsADduwudJpAflfZ4VIvMJqJ7FUw5Fy9ennw/Idp +H7LC+ubn6XT6Kh9oKvVmp+BQEOsdisjVw848Thik+gS08WvAjK9m+g7++FFwKy08 +5iXuuqZpvi94eU1QPvzxzzRZz6M4gQaz+pCq/5yf6I+Hu8G+5nq2foFN+G7FRkx7 +KJmJ3SAEsG3M23V9MKWON49ZbhTe5xW+1at/TKKoNGzNIYs07jApR2/E4J57yMWj +zsAqg77hTDRiV0jhHl0DJw3RHFi3z+SrK+6ie6mrq8WEPj62q9qdM8dFs+y5X3UT +x0nxly7GjOxxhi+Nt83PAG2wVFpqmhVLuyPnruvxzyrVFc8Dvx46DiKCzt4PPK/Y ++jnVIQ7Jr2Jm2ZCpzZZT5QNJuDp46mKHlNBkvSy3q3+pM6cM8vKSuCFd9+dw3dX/ 
+GptLebMrPOvLVDl4Bm9hSmG7rLpJy8U8Ns8pYSS1zaxHM8KqMaPuS/Zlx1SRIj/E +afefnHd5fIlmsH9C2O5fb18SFjmD14FCLcVTG7bwh3ZfbGo9sOJSShPxppPW2OoT +jwfANmj1cSg/VFr1d4HAEc83jFgumQINBGNZjyYBEACk7biPgvCVldNWq1CwVoJa +/Fvc4T49tqxcc/sY4uVlGo6oSi4fQcXE9XKPPBuRLmvpmMWvODQLzPxJMWUfJq6L +yYFmX2U9VRTcyITdmJs8itkEaDwq8BtXkeQfUDAVSFy6V6/uvVmNWD7pGXqJE1Gx +uV44Ihlh6v2YyqSzDG/rZur771hke8VZmlKMVMs1RSeOBA3nUmvZQ58+uqkhJNYq +OeQhxGIxDOHo7QhzTG+SlX+uQq6mzACKygVJJl33toaUwVAX5R02a0u67A5wC0wh +AoLSHInc3P7ayivWV/iESAz+gMIkuvJWns/Ak14J7MTGgjD6rle7PNMsPDCCwQSc +qA8F0x4OChCixbZGZn6Mr0u8+01VCEe2IjJwVUfFI/G4n1FZ1RAdqjkHfZJeD20L +GHSbjJLcnqLLFx3LDpI5dAxo5K2kFvz0VowrB58aHoofW8/g8yZygGQ4Zpw4JnpU +maPnMTiD5yvnFzEihM5L9DuaWqSK3sb9qzoaXABYRYI7OmX4B5nmMzFteHHq0tMt +aKWf0HkAsCP0BLJcS9Oc1/0I0+gC4oKLRD8a4+kaEpNr6BXvWnj7Y1h0Zr/CZS6+ +gi34CxWMl2Q34OSqtS37mzzBu+UZxffPR0aV2RXcEpc0c5HW550Thq1NF9EmFOoy +eG4J2ox9JRANZXLh/i7mNwARAQABtCVQZXRyIExhdXRyYmFjaCA8bGF1dHJiYWNo +QHJlZGhhdC5jb20+iQJXBBMBCABBFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZ +jyYCGwMFCQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQvDkF8jUX +nPGeAA//ScQ3kJMqI6FRULXo0aF7CpafPXVWdvj+mfQMlZzuGwXXTmM42T0DXnXR +BSjstWkmOXP/UqkN7bNeXH/S3D3GCJ2l0qx8Qp6fP0FloJIbemyxNtzl7yvAE7kW +vuBuLvUdm23cntv49gAzj+ElDqCxtT6A6qaqM6r7DLUvw+G+r6gkeu1hNQbtRpEK +9Dt8tHriQyI410qFRMbi3QxU+iTJ79HXwrXiYpX7V7T+ugiU9lgIiC/hWJCo6SY4 +knt9E6zhegUWN6zErl2HY8FBM2P9eHOTqToEOAhKeM1fXZvxe3m49fGq/spmRM1R +UUl1V9WFEaMiLg/Z2rmbD8LX9YtfYlQCbEwyX2nkIP1QIcr/DEfcmCA2MXCQCgsq +I/2XS3BTLPyjuqAYnXxrk+T/Cydcg4W3ZBYI/wT56GH02TQzB/wJsn0cW6EMG46V +SDY/mZ2/gwi54G/Pqb2R3ZC9I7wQ6/FFxuu8myI/QVmEiTlvTxBoyOdNlliBQxCk +Dczs1rxd/o8Wfjo1vwRHW84jZrCP3xr7xPJWuzsrmPU8kFHTgepGoY+4b/h3jGwl +V103RpRUK4JidwHsmYDVk6pgeUH69hf0iVcbFfKiViFTR+DwjbAOxTdsFgsYYn+7 +hBj2l+pV/uzeA0akL2dkgfJc9pAf6ItRUnGC+RlntZ0Pf2NbwIS5Ag0EY1mPJgEQ +AMRQDbNHBQ376nDF8miBZOAV1txpmbHc5D/X63PNapP0P1/I7SfcJU9D3wX8c4vm +xkjEYtH23s4lmT1VLsU7PisS3MacRemm9pL2bD53hs9XQEuU9OtJsZn1ZJ+Ynh6i +5sfW1bG3OiV/TWgYXW66GwE1hn9PuP8arodUmhEft+64G2u8Xtxr5yqlQJEUThV6 
+280OJrxVbduaMi5C6UNeeGE5wuhfrQ0TNYZiwQ4KYbU3QhlWhHVjJlJ5hCLiktwF +DyR24P+wlTIziWA407mo2enQT+mz3bO7Paf4mBionGsJMoADqBThf4B69BxjJ7Yg +7oQVIZ7560YIRRmNo4tk5Mhep11OtQgZjZJR6MhWDaUO17w1qScrOPRj6G1IXP1R +5NarydJpLyAVb/5WFZ5jxUGMGtq3mYn4nKbbHUg2WzvCJvPctDE6EV2vaiRy5N1f +QjsHgSa29F2feh14p4ngFCmHjpdbcdjfv6rWL8tgkSpQlDdeHRRd1q03TKAg/byP +auAHKzvV+iWlmw1f6KBWjeTn0fofmk9eeQ+P1j0a3/XTxMOjB34SzqPRWzmLPLF6 +YmujBK2gymM+JLirJFFzao1i4lgmxqkDhQoNYHXmVYEd7w+/qUYbfKwO9eJOWzuU +WajxvJ1Vgv6z4CPy9if0gwfhrx0OOcIpBE/xZU+SwQQpABEBAAGJAjwEGAEIACYW +IQS4aChHdk32DfUtmSy8OQXyNRec8QUCY1mPJgIbDAUJA8JnAAAKCRC8OQXyNRec +8a+qD/4whGQ9J+td1iLFMpNRAqvuGtTnM6shZJNnC5CB56Cu7ElIpr74sk0R98Ia +1pJlBcLALbYSrqwluZaLiRVDPdub6tGSRVssqQdZcKThz33waTru9IfLhCrRSNd0 +ZMHJaOG1ErU0noWw2d4ifVJK+vvuvMeEyNm4H5pZOYzYeikqVUYzS143cSzMEwtv +PSdP5JkTQi4WNF09khH1D+QpJoXEgVEQla7Sr955Zdt3q5OlpYxxw+X62vslZ2OM +iKZ14kWVSRbVQ+WdnjtRYS4vivB6ko9QL770jZ131hKhC/BcWpEYSjfPpVua2oKb +ccKHXheIFEJ06kGkMeeoQPxmzPRBYIw/E+d5sZp7YXDyBGOAxBeiOaOnZ8vLBzy7 +2HFng3oB3hkVGTTHq+PsHdSSaRME3QrNpDsaGeSjw62FG3I4zK985GtrXAHEzN/F +fd17srl4mcRQ+8QM/a+XbF/8ugjE/RHhhFf8sWVAPutYzVE8lF+uqcduPuq/rTcU +BuzSVjnSRfXWqCokjh+ypUpHNUO8fZDzkTLuE5rwMG1xpPueDBTzvoGDQRqc2eoX +pJnDBmdlz83zHsoR2gIHcdqyc/hCV+fTvR8E0v9ZG3Jr6RFgWdD008PsGxUevIDg +MAYFwasZSTofEnzg49/WeIFU1rGB5HZVlmOJKZnKRuBiTakEP7kCDQRjWY9xARAA +rEkjlUH4hoSQAkVJCWWk+nF+daAP5IszrGEQH7TyOVwXbRZndSPFSUqKU2kEgHbM +m+wFYoZe95h9tjDh2sLCs338pVu5Chhz3dNseTF7/rbckw2rCU+JbalEiwck7tKL +qobvbh77jnrbQnkrZNc+nMeHHLrYyc5gHW6cSn4UlU42MKmTlSeOG4Ly9wXhgaKC +heIXNX3U/D682Tffl7Gopcm7pPZF92dwY4nIpCxU2ATimkSyulbhzk2CjZ1JYUJ1 +LHctMHm9F0LEGtc1GxDShzVZP8dOWpDs9BBwZDLXxCzC4rvZ+z5BJCDFbuNTKZQ5 +JEoW2sM8yP1LLZGXz44hsab1aPrvB3vcdS5ETP6bqT5267ZiotdhUifU/pTV5ze4 +7wNuaZenQtGd9olyh2dAqOk2DQrcBQFA0gRp55b4U62hLTYXxT+7jEbSVAxeXDPR +qPvqh/4kVn86llYjV6dAoASN1wWz423QH3u4ZK+S6g8HZ0HrY2+NBYgqthb6H/X6 +FiF5VcHWstkk967g4Xt0PgN/rlCtpXh4WK9sScX/CFdOURsHlb78ZN2LexaYaVBq +QuqvfHaAPJaIElXqMheZ8aYrO6Df4yzJ+6eTs3s4PqM6EMir5waFonx5Gh50X4xL 
+9p7IVqgNPhQsU8Z5U5hGYbmUH766GtENv4CI1upFA1cAEQEAAYkCPAQYAQgAJhYh +BLhoKEd2TfYN9S2ZLLw5BfI1F5zxBQJjWY9xAhsgBQkDwmcAAAoJELw5BfI1F5zx +4cMP+wbjKu2xCr63oyn+lo7NqMDLBYl4zHunYTZhG/egDakVWp5Ikj5/k3i+hVSY +fUyUhqQ/b/H096ropB7GA6EzS44GS+hLMdQOJOmEbjvAP/9dJDX2FQnYZzaA2f/e +Ikgaw283oOLnmYz0x7YAW/oxlnPn+7Sg7DGGqqn3nKofDUUrowfX0tQGwkGmJJqQ +gOH/ZfU4t51UCKzF6hWRbberBI8ezp24vYngA2kGef1fCUC+EIFhoYcdHHCtC1Ti +KmOUaeB9ZMiVXkP60fmCLKObwcKTyYpAFPqM05xgsMPFaXN+fQ7YVAGpCdthk53N +5Go+QqehwLoJk77CHZxIWJIf43p3UiuH1FsuXF7OdExzIhUSiUum6MoCI8BpVwn9 +uSKfXKLOdGDR6IJI8jqdC9LYoXqxZtDhpcqD70hFWJwJzZg+U2SvxZyhOqwtKXtD +TDtee3yGzPacSAJD7mFURc/DRi62UBMiFcqO1YW/5LgC4yjtzo7MTQPkaGbQLduH +IlCKa8pHWPqaLFdMawwqNrTNHWXCD4XxijJYwdAue3NUG/utekNm82mqnbbWw/AX +URIzefQsbyqiNYMztudJ9hAS8yCdkfb9SKVIvWYPQ77tHltOZF7K/NzOGeJaJr8l +vqZCfXpWmOduTpWaD2kIvU2Kx7gB4jXdMa2ai9N+/Hdr3lLouQINBGNZj8YBEADg +Y6HOawiThxQVI+0uvAAU9yisew1SSVO6mAsQtZM7s7BpLA3RGPj3UGojZIeejA+k +fq7A+PVLBhz/kSBTtw9/s3o4rlqNzz7SLaix6XKWCpHOBs84n3/LF6u9KMMVk9vT +sjKz8iDF9mBR2bmCfLvEk0HDiMyApv5SbOsZMB8k5PWyK8HYPyMI5umEaOsaC3tA +eihO3nzAxEf3oZl53J1pIw+ecdrQLbWbH0aqKngfCddD8Q0oMr/Iwly3W49+5eqJ +oelR9/dut/dg0a3Nn1wIGYRzC62CCsF5IZwKdyPh7nilEUFpA5Vlz+HfIFch2LfR +F3Q/GZD8fKzKxhjDIdgyaWSTsMbityKxX2G/pcjshyMsZT7I3Hx7SwQfFro58s2D +FsFLEZgBhJv+nW/HckeedaveXmXdHKjtsa8+rvGADti4wohOl+N5tbpYW3/zR3AY +qlh47hG0ikUJ8Tusnu865j3Z5mE+KqS68ypRVBMRrdJl2lGPDCnXGhl2720VPNMC +/jB2Mgm/L1mvQM1jPfdC3KgokDAH5NMzKvav6A71aLSUJli3UdkGHkX5d5urs3k3 +WmCt7XeTb30MBvNzBcSYTbw2UGIRE8G0CFc3wtiWWiQKPeFXYhn0+COCoW/EXpIC +VaAuMPMgcsldM13bKGyGo3NngsNEdopNFfr0KKW5XwARAQABiQRyBBgBCAAmFiEE +uGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZj8YCGwIFCQPCZwACQAkQvDkF8jUXnPHB +dCAEGQEIAB0WIQQb4sD/CJSWIxAv0lZGlYgcJUUI0QUCY1mPxgAKCRBGlYgcJUUI +0ZkHD/9TlRvAaZETf+pv4/IceeL3KHwj5lrC/gojXxN0AjhAXljLSRCu0EyICxZy +3158h4k0vwjdv8699yHEN97PdF84m81mqxOz+juKBRHFK/EwAAgOdSlzGnUYgNkm +mCROFWtjeneNWaFdEnq9MItx1OascPeyxnWMjq7LLYMSESP4tgUV5KdlaVAXR6q/ +833u27/NodkDcNH2UK+IyT+Kt/uCOoIIL4ttxo/PvZTphzV8n6s0sJJE3/BrRxgv 
+CTkVU6zosyJsyau8/vayQYGPuBuEQVs4Tr+vZ42izbkHgElcZv9oYjJsxaqZqqMz +fWPte7m6Pl/pvtmlhPmpZ+ej7y8SRysBV+3aHNXaE1J3sIOmYxighlgZapSjHl/A +9N/KXdoLAjIZtBAOQ2ZFyRz/c2+VUqJgwiwdxoaFaYn2eUM+HSTbZfdGXBS/yyZL +YsM+L4M2aizQvDIRXzy8vG0vpHQEvPlXL0Gg0gyk0fox0OsAP5CfXmHC/AvYOHM8 +y81X2QqDf33Au1RIgog4cLqq2wpXEARWbAj0BAMIeJoCDCu9Mz2juK1ui2wr8AZ0 +42PCUgZK6CdUI18AsvApUhPsNunF7ZOc5mFMuaEGjjWJvrTG3qyrCY73ySBiGXWo +92ZB7FXu2MzgujPBEigByqeF6IV2x0EBHw/VrcxXq6Slgmik6G0SD/48l5mGCxM0 +Wr91raB9zQlwDbtD3PCbjA6DtkMrRyAq+81g75N6uiztGPCVw9n1HoGOSjN1hAhe +SgQQlcXbDLpzfdPFowDEHclFFfUODCIOuF+FgmxlAz5Exr9JkJdozBFqRZ4iF/tf +E5sHB0rzeUcY3J6VjTsjULjE4GSg5trsOc8GHUnFn9wwwkf9nR/Mr1RYcX0GkTcy +iUskw+AoRz6svOfAWIDJY450wgD0MHZK08IfUUsYTGecoXcvWf/hITtv/Af5MpQA +wuGEDltVDeu9EAu65SZlMkkMuQD1h3KOQjUJ6nY4a4M2CQ51ggs/c+vsemxsuYlG +vSuhrfXt6HGD3dhsOEeyEvIcjjpP1Ku5mqrPhqXFli1swfohhYGGVO+fM7G3l7wF +kAIi0B1szn0K13qRqBIwjnWL+orP1KLzvczCH6yD0FZY90CDdMtM0VB6AqT4BFh6 +5+ygjA4YiA7fFYBm8510ybUcNfzU3gUIJ5pF8MdGizO54tCPSK6U+iVRY4qfCFdu +IiOZ7FUUn78VIxQUMYMrozy7kn/0PQZa7KKRbXJ8sg0sgrQapwpgUjdMwuYZPGGv +1Jw5/+WUGWMbGxmlpHcEOmsPZpITH557M/kHyk9Ud0iKwciBI2mGLxiafCuLrUY4 +TknzOqbZgjdllcUG4cDBEQuBO/GSj1LUfpkCDQRnKRF7ARAAo5H9/6cStbyjWFeb +G6qDn6pT+4v1rlbRZo0rYwWkDmEAjOZMRC9SJipTCdQeNFlv6HEiiCvl3bmZIqrZ ++zvLI6U1+2dH7k06xNqIFLTV0zbr+tUkOwspg5nr59KsuNP01WBS0ELzunO/zHj+ +BOEdPg1KvB0IQFtqAwaAfuny67YvTr9O7Yz07ZCfTxPtHf6FJ80FPeRa0LoZYnW4 +UmSGtm1f59VD9+qe4yhRtNanamXUKjf8BTw0rQwjoJhVT5Mg0Z6hW6fhFrD57Lgd +8fBi5ZHHUlR4z1+nqGCUoHlHjc0JVyK8j8fofKafow/79ITaOqBzv+P3psY9ecBg +7wGaOHrqzRzRxAfKYRO2IaFHRGnsEE8FnwSEL00uPVxpiiTavrLJFEjku9GmP3OY +3rbwIPXbw1m9mZG1yAVbSEEf58WSWeoBp0O6qrwAdIbdgUX4BkQ8bX5MtUjXp5tm +0StmjQiZ7O91cg0VuWtrfj/I4E3xtloNzhtG2QLI4s7iAL1orhClxEuZRO9alUCS +cnRvhmw2Dh6sB6i56evcZdUFwxMXOByxfWr0fxX4QlR8jYqMPj7UMNj2PccTBOQX +umIW2cdGEeni9vrE9cLfZRSNCwPWAXWtr1zQW54Jx5DjCGHobQk53Z7kE+MZVAje +gOaT0u50cljBNfJootuln4+gbGMAEQEAAbQlUGV0ciBMYXV0cmJhY2ggPGxhdXRy +YmFjaEByZWRoYXQuY29tPokCVwQTAQgAQRYhBGjSGCM0KhNoOus+TvtMaFtdwcE+ 
+BQJnKRF7AhsDBQkDwmcABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEPtM +aFtdwcE+doMQAI5mnNA8aH0dfeOZnz/NrMwY6H7jK/+lYatCx05e1TfK+zz9feRK +sxgP3Pjj0p9igo3jIdPcN5/YnlmVEeplDmSiKOOdendviy+sA8sukMo07Q+m1pYW +NzFtyiZd+c44mp9I1l7h6rktIY9XDedrlAkNog1VlUet9eNpmgXt2OmJNDmYftWc +KIpyw/ZLaubjRcAmxwsn7I6dWnT66Ffg9H8trcRlWipVWP8imO0EIpwC8RbhuNgk +xjt/cVf3CEpzokF4n0k3nqYmt90NNtGc0kG5QAlTvlUuHpNWzuzvdAPtMy3KEaXI +fu3IEZeIKCxSgWXTm7zRKUn0F6jKAsLXhK/WOA1Aa7NdAUwMxrEndfNoqBrusaLD +lpzWU7USv2YT+Pf3aQ7u1szg2J8V5eqRP+E8wwe54RNCgQrcDgUq5abyncsvull3 +GqJvzvZC7/Q3Th/g5Wc+dRaGBz0O9FBuRPQwjrnB932xW1fDf17cScpVKAvV/jwn +tpWXf7nSv2M0o9fihnTBl4d2c2EBKtTdp5W0IpeRl5uLad3AYoouP6RoZ+/Id/Zg +NeaQKH/ZlCxk5S9GLzYhm665ysOYRkh7NfoThRtvAqAeDcTKWGDG1nQok2KKOSyq +S81PT2AlMz7A26R0vsH/9lQ1uZFIhIGbxZXlGERZwXd1s+lgfWTbB5K+iQIzBBAB +CAAdFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmcpGAUACgkQvDkF8jUXnPFdGQ/+ +L7uA7EMB+Yh0urhZuOltZSNtge6b+UbLZTd8DRsf044e+Z0NJWdQ2saLBptGhIcn +as4Qd0gS+QkWB7lMrJ31uux15ZBjFsGtyqK+VoH8JIPvV8Mr5XojqA+UYUpXP6ns +ILrdkUvNzpeA51IxYuVMWcut8SUVYzjD11YG1P8LFzydsImaYe7se+RE85F3/2Po +kZNe0d0Gh36uyfJSND80XrrxLpROgabQgHNG0drL/DHjdoa3F0V5EUoG7NBwUrmB +RlWKYCLUFfW+8mQn6RVK8JIV9WaHrzi/KAZLonZb5dCjO0e+Ol16pyUofLA8SN7B +aqjens8ho297GtE3darkXmj5p3p4YPur/D+oZCNIH+BYMsht46VtE3v6V10P8KA2 +6MgNo5qME1Q0kC1DUYi68cPeDgrQBMWa+nF+m9i2aGeAyi3qDhZu03JLhOYAhv45 +OVRawm9vFqyKiBRANVogTRr+ch4zywaapwfVLQ+xiwVLqlT5n/iIzWCQ0hA15eKZ +gJV0kTXL4OWKBeJqSNnnLVm4AhZ2OpKHMsjE7BEopvCe9JZWFIrjtQ9TrriByOx0 +3anWkmm7b4lZ1HKDOI/Cxyz8BZvYizo7hSOdGjLrFBTD/Wk0swvpzB4NKh5I6N7k +gppXMTaWp36+KmQx66JzaZjepGl1VMNFdgiP6Sw6pO+5Ag0EZykRewEQAK4EY+06 +GeuX4wLlUqAMWCnbFELuhBZGWFLEIvP6WJS1WOvee45RVcpVfYMp3AqymiNRahAl +RMtSQ9YtXSdlBPkhtNcoV/hqjcNywMdbsy+Rs27pRk/DJVC0yVL4ABrSSlwhfNa4 +6X4ZvPr8GGDvjAUhK6NXQ7WrZJxYR9/U0nqRGtGuPBLhFey1H60n5axP8+2f9pFC +NbDJ13HbrhVju+RUeE8Gq5WJI5dea5SfYnXFERsT/zO+pw7ZaaSDmWKR1a88P6Bk +DD7e63ZIaAa849M/Dz+OgzNEgbyRjvgbO0OEIrS2x61lGoW7F9prEgzj97NIiBu6 +qpNCYJefkpfPENrk+wmOUthJfh6E7uphlliQams6dqXAc3Z+xBN9jFf74RpzVmIP 
+K/MFNr0EcUMFgURpBtaTrk4dGMh++v5i4qKxxwJHf4RsGCDsgH9ZZDemKz5q8uFN +TI1kbTnsKNt+d7L45U+3/mRm4l22g8eu+AvD6R4GfKjsyzEFCyGK7TmVYj0Y+EGR +9+YbRQ1GahXqtrR/aLC09LSyxQTqYfKU8KusnoceEbBOigEZUNPybpzibwHl1VEV +9crR5eT8MPHgs8xdpjQ7gRuPi12fvc83unpUsNIHSCxZqXoilGsz2+zpX2si3PxB +tK/tTo6ZFRLijhHs250Y1agp4MyXYq91A2VTABEBAAGJAjwEGAEIACYWIQRo0hgj +NCoTaDrrPk77TGhbXcHBPgUCZykRewIbDAUJA8JnAAAKCRD7TGhbXcHBPozGD/0Y +fkktGwGq2vPZUI/Fscv+VnEqVt94dBnS0/6GyYvhI7Tf81v+72URlQeX8TUQox9B +8d3Aru5b2+iSkPcvH70PbY8jt/yTwHtSlFzf6+YPIl+oyTz7DoiILSjrO51ntl8g +KmIb8Q9W74xV6VFIJ4m8rH04MKFpIlzUDq660JYQIGtOUFugSfg7aLVU/0j4WKKE +KfAfg93wYTKKd+JgRFy4FZPriem7HvlUSi2VKffdrrUF/PX35X74iKdPQoEADZi8 +KkMZULDtyQ6ZOu2hiDpArjo5hDadKM314Z65VnM11hjiEhmTF3IyGBllb0qBIk0L +nBVHuMYmiqBNJEbaqHLqIju8/RvFlYV+AMISeA7B68knbJcao13ogtDpuJ4hpgCj +j2B1n0NWMcju0gteu1sfsIaQbWHevH2vgl5LJDCNtUJN/NoWB2Uov27wEvsongwY +3du40TnM+5ejwf4r8D3wX+JpVCAhfr3Oc0knw14nRqFPAe1E7DNURJ8xfEV9iPRA +swo6qoh7IIxNETUG1rywRExNt6tHsojx0Wb0I0IB7CnWRK9F6oNRp0S4kVgp+Jeh +a9NGXFK2hn8qBD/rpUPsj/OdkiBN+C7Ai07rCNez+IKdnUfXkOJqLCOyeUwC9WPl +uFPB9RnnghYM4xhMWf8XvSLOOk/vgPxiqR5ANLObsbkCDQRnKRLhARAAuh+b2Oxj +9q+RRZ+pkDVf/M6P01yDmDhwtYHzi/LW8PFHC6iQlzMReyv1R5n3uCEpAZ++mdUe +Cgo2TmFnYdpmxEgdaMIW98uqe4fuHhoXU2Mh4eiN7jyJvXQCsijCDYzifoj03HY7 +nTVjw4+BSSu9kA3/vEqU9A5YjG01MmVSMaIaTrqZqsnypK6r2exJa7YVRYwRqpLY +C5ksikDVK9ftdfhjnsnYGS4pYyfMNSHY1KBMpHjT7wEkM+KZ2WRpjTZZ7nP9u4Lf +fJMKgcclRgf+13CeSaJfVIhjJlxGVLkloE8XJbOeh2vkK257e9BenEFgQnyLCpGJ +8YNsnsJVhxU1aA62dT7jmnOVMBhnGoNhMyzzfvUw0REz2VbpZBkiwZRfZ9MWUBsy +bneH8NwzZMQQLCc/yo/jnPrmDS+tgl4CXGzBtpxPUZSMuY4tHZZ2vBb0zcfhY7P1 +CrHuylXLFzkOO/XRP3w1F8I1UqJCjdTKjdjCDF/VWtedHee1iEsSHxPGH8fHp4Qp +rBDDwZ4NnfilYNHMDWm6U1bzhX2ynqcGArQSd1Ny/oL7JzE1qoH/nNrwVvOSSNWF +UTXFXeLy+SOXJdFJpGP+/wV+gYfyczoUP6vmCdK1Hs15WQvKzyP/nmLS5uLilfxV +KrxZDI6SNrS4f/XkHcGnYByFKUhq5gVN0ZcAEQEAAYkEcgQYAQgAJhYhBGjSGCM0 +KhNoOus+TvtMaFtdwcE+BQJnKRLhAhsCBQkDwmcAAkAJEPtMaFtdwcE+wXQgBBkB +CAAdFiEEcgDrLD9eSIRjwM6ezcroySfGvjEFAmcpEuEACgkQzcroySfGvjExiQ// 
+TKQ2Ci+sqNSVIcwg/k0Go1i4cA7lhKNdYRBCaIThB9jMqNg2zgPzgELBcaVJL8xw +0E2x2ZvBejM4X+eTrmkdufcxHR8B/zBF8oPlD2pgs/zZmZEO1gq4Cdab7yIoVNNr +foCZShxOCPR2wIixcYZtt5f7Z3zSXqkjIec6sTOedT75ZXrpQbvINeUkvOJfMCOi +ailauvDfv8k5iJUVbP+Dx1vOc88bvewVJcbLID4HIRr/PS+k1D10zGbnF71TnxGZ +r7anMZCSFCHJ5WV+BSwHHKtxRy+bJ1x9ML45Jcr1anTXeaHIeSKNzFBigJQSgHv0 +euegkD3Rmw+IcxNb4l536selaNR0UAwx1DC1qpjBtnE9/pXdTEsZQxq9kMrj0d+f +VKFjOKADVIpkx7o0dZ1jmbUmdjQVyGDgHE+Emgdd726/2ftWriW2uPeUC6YZiqbt +vBnCnwF+aV6P1nrE0BWJchLyBjDCe5Y2oXBAYF6xwpDPfMPr4oscqzPV4TWVULBi +brtRWgSxmvinIGFx9T9wQCVfX254dqBaAEhRMImoT/YP+6evRZKqQODRhI44OG7u +V71IVAJ8BHEBN8hxvQM3WPs1fhwMBFCyGfr/x/U4/c78R9JhxkU9VwmMbLGQP7VP +1QgfiHqZpHMk8ZUmQn6KLeurzWcnwPFkwgFPZED8OQOMXxAAio3DhWr5KDd3mICH +ALNY0A2ipb/JH6LSHxu0S3MLa/bF6PbqRY1+fKMT/cFVxln99rNUrX+hDRbc7qbh +KkxvGmcnXnkcTHah9bfUghEanlKkBr1g1ik3zgEnpO/x3+X39Ov+ge92MDawV0nq +k9R/9tS+ZD/ph72Q9kx3ZfVNSL0eWxjuwBzFW0Zwh5TAX4raSmyQCmAXi05O3YmN +iq4arSUg5oAOMRZ+d96DsrAS4Sdtlx6/CuKTBzEaGPQLQ9wJNB0Vmd/eQWTP99KY +cAdIwj5BJ5P0Z7+xhsVjQOntn4otnP6vN6RuDtYrS6M7TCN/ZeKCvN/G0nRac4D+ +IJX3CYYtYXgaoDuoetUWtc7O5PzHRETaBt/46ob2lzf6cT5QyVujTfz+i0rGEc63 +pvXK8mV+K7BFY/DHpdEhl1pDw2YYLbBmUthQWdsL6/TVvpMe/wZadvJ/by3AeRzQ +eusUucuSo9UNN7Yj8u3dRhxNgsSiU96A/SFlAoB5s3Onh5K4WEVCBu/INjdi+r2B +LJePSnA3I7VkRE9Haf1D28jtBzm3Xbft2rs3lO18FcCqw6kd7Ih3e0tZ8uUG9UDv +qTDHTUHLAWvwrq38gKKAu2RMaU06A5kR87RcQiizxOwBIwiHuUWMU4/Hyx6fXsOD +hEs0O6AFDarNDZGee2amKTAyZpG5Ag0EZykTxQEQAOwGV1boBD3vDLsoAT62nGxb +SqXiBsObxnpWbNifOzM9BUGPOIpHsSH32PZGG/+LNjNdECfyyP1RysH5OT7j92Q8 +vgRQoG3X985gbOjYyZc0xvAkTSvWxOiy5CuF3X8sJ3NSerQDXwjP9qVqLVj/3FB8 +nka1HFS7KzC3Zo/kzCoxeZ3/hV3PTWIjcoJvtBSCKPZyOJxnRqWfi5BNJo3S2SR1 +mxV967zawXiZ8MeeBl6rLhOfCBtz9g+bqrXZYoenuMn5Js2mcH0haYeMSV3UWIC4 +kinzr1EJxs+L1/hVCVBNiiDc6DXcFXoz9ZVc9kjpZTOMoZVDkRkyOeen+5Sya9wK +4teLmDLME4+pgeHCS/Wa4KrYyEWe7NpG1VTkSJnRS+fyYGTWtwEiuwT6J9U0t1d5 +hbxhM7YAhlnOEnNVmqa3Bq3yqJs9G/7gicZ7CIJ9JBHKTJzOnKfpGhxBSOgOoCOa +WW6uVCzDqfrYPmCUIKQmanB441xJFGuHVPMLBjVjswoMKGkK3gM6KMRCDYQ53u6s 
+FK+Jcl8HobBSezVIUKpKVX3IW9d506cE0FhSW/NvWJv0FIMVloyC2BpOjSWVgEwX +tk/m3SKPsgCAcCqzi7xlloR8+E9C2xci9cdGG5faghgSjaP6j0qDww/slRPQJc5A +DIeukkOYTCiSiDwQtblJABEBAAGJAjMEGAEIACcWIQRo0hgjNCoTaDrrPk77TGhb +XcHBPgUCZykTxQMbIAQFCQPCZwAAADcWD/4qJRLn7TcMtRMF43Yn+dX+O13YrxBC +T4n1QVmiPsGrUca4Vg1J+trV6IMsGrhktpiaV0qeL/km0h02m4gEDZKDyWWXdeWh +EXFaTVy9yCpSXUWJl5gSXTSwxrqBWyWLlLLk4UT9l9sk5mMdy0JA8unobV4M/eXQ +ggR11DL3ji7aO0hsqxyxXkJcawWjVGW5KL1EaoDKIJ/CwxOI5ipFueMIRQjQvw9A +o/w2fq11qVXY9zknk6pFkp/RDHLes+wVHDtebZfJ9xV7Mb1mf/k03dT56GaA/U3E +XvJ2FdgWR+zf+YMEa9MPDHYo2UNEvk9mOk247M8s+OeexdlkPgyKW5A8mtYuY/dR +j8W6C4pLcMWa+d/vIUpm5Guw0F5q0AWk9/FbBe9HLztEevvRnuHXmfTZeto/nCAi +Yg4pCj6p3JoN5CLebR8YtWm9AJBbX1kgVvqSU2VgwYIFsxBEz8Wu2h7z/eSCSeIg +ARFbTlJ6cBrRkXCVyhbv0LPWWUfAUqiEtdGxrA4Xx/jKrI02JjRdW/bZkXjSka8K ++cDlpcr9ixBWW5LkWsOdiL8jExfTGw25FA7Wd1HiHnBv36Mu/zb+0/I63d+fLq93 +e3lmmVx9qQF8p5Okf4ojY9YoIHVkLS7t9AgFjm/ucmpEGbXxyPk2Cr3l+b5R41x3 +dBW9kxiuWpZN3Q== +=iuRK +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/libsepol-3.8.tar.gz.asc b/libsepol-3.8.tar.gz.asc new file mode 100644 index 0000000..4752ca2 --- /dev/null +++ b/libsepol-3.8.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEcgDrLD9eSIRjwM6ezcroySfGvjEFAmeaa/0ACgkQzcroySfG +vjEtfQ/+N7svYoFdJeuqnwRIQyw7QcVwsKiVKBN6HQ2IS/JCKjQktBbK49chNxVM +kNaJguPr6+5XF6c2fMVNNEoEcaLE6yhLKVx5EwccK280t0VNZZKuu8thffSRu/ws +rFrWj/YPSZrOo/d+1D4Ew8G13irB30k9G6j9Wc1veO95orbjHIWql5Xj19WwHWqh +C+eD/6Q8/B5a5Oz44/vjvzz3WKrBL5DUXh4ZNGmLnUxVUK8na5Hwvcpt3MR5eYRp +PN13couFsNh8aQMqDA08MzW2KnSGAXXiV42SCZOF4xJtReLUvpJPoXTkjFaUPbOL +Jes6SMWsj/HYu/9EbjVXBb+OKtL7usq67qVN7ejVxkSooA/Ist2bQPkSW1GfWN/O +8iWEXN/XJ9Axglbxl8/UMIYxt/xyrDXGf1v59mK8s1jCzn2mqNekUTD1z3kN3qBK +Jvre7IMRPNcWDH1wktwvTyrS4D+wz1wysqlxcxGQA7OucqeRAwxZL2LxGrJIhsxR +z7Ln/ZODhAcZuU3TfeYW/U6QkIAHfjb7aFn5G+V7hxlhqCetkgS+oHDsbuGf9BkO +t9v8ewRJYyXArkr39AZaIr8aazeqd3YcJNuWfLVGnDPgr7hyGepJsNmKcYy2Vqff +qSrj8/IOfidSepVIfviOr5KUT3WM5HcXn4C0aSmeJbl9K/75a+U= +=7HxV +-----END PGP SIGNATURE----- diff --git a/SPECS/libsepol.spec b/libsepol.spec similarity index 82% rename from SPECS/libsepol.spec rename to libsepol.spec index eac7fe1..2bdc0e4 100644 --- a/SPECS/libsepol.spec +++ b/libsepol.spec 
@@ -1,32 +1,28 @@ +## START: Set by rpmautospec +## (rpmautospec version 0.6.5) +## RPMAUTOSPEC: autochangelog +## END: Set by rpmautospec + Summary: SELinux binary policy manipulation library Name: libsepol -Version: 2.9 -Release: 3%{?dist} -License: LGPLv2+ -Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsepol-2.9.tar.gz -Patch0001: 0001-libsepol-cil-Fix-out-of-bound-read-of-file-context-p.patch -Patch0002: 0002-libsepol-cil-Destroy-classperms-list-when-resetting-.patch -Patch0003: 0003-libsepol-cil-Destroy-classperm-list-when-resetting-m.patch -Patch0004: 0004-libsepol-cil-cil_reset_classperms_set-should-not-res.patch -Patch0005: 0005-libsepol-cil-Set-class-field-to-NULL-when-resetting-.patch -Patch0006: 0006-libsepol-cil-More-strict-verification-of-constraint-.patch -Patch0007: 0007-libsepol-cil-Exit-with-an-error-if-declaration-name-.patch -Patch0008: 0008-libsepol-cil-Allow-permission-expressions-when-using.patch -Patch0009: 0009-libsepol-cil-Reorder-checks-for-invalid-rules-when-b.patch -Patch0010: 0010-libsepol-cil-Cleanup-build-AST-helper-functions.patch -Patch0011: 0011-libsepol-cil-Create-new-first-child-helper-function-.patch -Patch0012: 0012-libsepol-cil-Remove-unused-field-from-struct-cil_arg.patch -Patch0013: 0013-libsepol-cil-Destroy-disabled-optional-blocks-after-.patch -Patch0014: 0014-libsepol-cil-Check-if-name-is-a-macro-parameter-firs.patch -Patch0015: 0015-libsepol-cil-fix-NULL-pointer-dereference-in-__cil_i.patch -Patch0016: 0016-libsepol-cil-Report-disabling-an-optional-block-only.patch -Patch0017: 0017-libsepol-cil-Use-AST-to-track-blocks-and-optionals-w.patch -Patch0018: 0018-libsepol-cil-Reorder-checks-for-invalid-rules-when-r.patch -Patch0019: 0019-libsepol-cil-Sync-checks-for-invalid-rules-in-boolea.patch -Patch0020: 0020-libsepol-cil-Check-for-statements-not-allowed-in-opt.patch +Version: 3.8 +Release: 1%{?dist} +License: LGPL-2.1-or-later +Source0: 
https://github.com/SELinuxProject/selinux/releases/download/%{version}/libsepol-%{version}.tar.gz +Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libsepol-%{version}.tar.gz.asc +Source2: https://github.com/bachradsusi.gpg URL: https://github.com/SELinuxProject/selinux/wiki +# $ git clone https://github.com/fedora-selinux/selinux.git +# $ cd selinux +# $ git format-patch -N libsepol-3.8 -- libsepol +# $ i=1; for j in 0*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done +# Patch list start +# Patch list end +BuildRequires: make BuildRequires: gcc BuildRequires: flex +BuildRequires: gnupg2 +Obsoletes: %{name}-compat = 3.1-4 %description Security-enhanced Linux is a feature of the Linux® kernel and a number @@ -60,7 +56,15 @@ Requires: %{name}-devel%{?_isa} = %{version}-%{release} The libsepol-static package contains the static libraries and header files needed for developing applications that manipulate binary policies. +%package utils +Summary: SELinux libsepol utilities +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description utils +The libsepol-utils package contains the utilities + %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p 2 -n libsepol-%{version} # sparc64 is an -fPIC arch, so we need to fix it here 
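Review bot: `Source2: https://github.com/bachradsusi.gpg` names a mutable location as the trust anchor for the new signature check. That URL returns whatever keys are on the account when it is fetched, so a later refresh of the committed keyring can change which keys `%{gpgverify}` accepts with no visible change in the spec. The keyring added by this commit also appears to carry more than one primary key, and verification passes for a signature made by any of them. I would record the expected signer next to the source line, for example `# Release signing key fingerprint: <FINGERPRINT-PLACEHOLDER>`, and keep only the keys that are meant to sign releases in the keyring.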
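Review bot: The new `%description utils` text stops mid-sentence (`The libsepol-utils package contains the utilities`) and does not say what the subpackage installs. The `%files utils` list added later in this commit already names the tools, so the description can too: `The libsepol-utils package contains chkcon and the sepol_* command-line utilities built on libsepol.` Placing `%{gpgverify}` ahead of `%autosetup` is right, since the tarball is then checked before it is unpacked.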
@@ -69,29 +73,20 @@ sed -i 's/fpic/fPIC/g' src/Makefile %endif %build -make clean -make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="%{?__global_ldflags}" +%set_build_flags +CFLAGS="$CFLAGS -fno-semantic-interposition" +%make_build LIBDIR="%{_libdir}" %install -mkdir -p ${RPM_BUILD_ROOT}/%{_lib} -mkdir -p ${RPM_BUILD_ROOT}/%{_libdir} +mkdir -p ${RPM_BUILD_ROOT}%{_libdir} mkdir -p ${RPM_BUILD_ROOT}%{_includedir} mkdir -p ${RPM_BUILD_ROOT}%{_bindir} mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man3 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8 -make DESTDIR="${RPM_BUILD_ROOT}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install -rm -f ${RPM_BUILD_ROOT}%{_bindir}/genpolbools -rm -f ${RPM_BUILD_ROOT}%{_bindir}/genpolusers -rm -f ${RPM_BUILD_ROOT}%{_bindir}/chkcon -rm -rf ${RPM_BUILD_ROOT}%{_mandir}/man8 +%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" +rm -rf ${RPM_BUILD_ROOT}%{_mandir}/man8/gen* rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8 -%post -/sbin/ldconfig -exit 0 - -%postun -p /sbin/ldconfig - %files static %{_libdir}/libsepol.a 
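Review bot: The `CFLAGS="$CFLAGS -fno-semantic-interposition"` line in `%build` carries no comment on why the flag is added or that it relies on `%set_build_flags` having run first. Because it appends to the value the macro set, the distribution's hardening flags are kept, but that ordering is easy to break in a later edit. I would add `# appends to the flags from %%set_build_flags; -fno-semantic-interposition lets calls inside libsepol bind to its own definitions` above it. In `%install`, `rm -rf ${RPM_BUILD_ROOT}%{_mandir}/man8/gen*` only removes files, so `rm -f` is enough.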
@@ -107,42 +102,190 @@ exit 0 %{_includedir}/sepol/cil/*.h %files -%{!?_licensedir:%global license %%doc} -%license COPYING -%{_libdir}/libsepol.so.1 +%license LICENSE +%{_libdir}/libsepol.so.2 + +%files utils +%{_bindir}/chkcon +%{_bindir}/sepol_check_access +%{_bindir}/sepol_compute_av +%{_bindir}/sepol_compute_member +%{_bindir}/sepol_compute_relabel +%{_bindir}/sepol_validate_transition +%{_mandir}/man8/chkcon.8.gz %changelog -* Wed Aug 18 2021 Vit Mojzis - 2.9-3 -- cil: Fix out-of-bound read of file context pattern ending with "\" -- cil: Destroy classperms list when resetting classpermission (#1983517) -- cil: Destroy classperm list when resetting map perms (#1983521) -- cil: cil_reset_classperms_set() should not reset classpermission (#1983525) -- cil: Set class field to NULL when resetting struct cil_classperms -- cil: More strict verification of constraint leaf expressions -- cil: Exit with an error if declaration name is a reserved word -- cil: Allow permission expressions when using map classes -- cil: Reorder checks for invalid rules when building AST -- cil: Cleanup build AST helper functions -- cil: Create new first child helper function for building AST -- cil: Remove unused field from struct cil_args_resolve -- cil: Destroy disabled optional blocks after pass is complete -- cil: Check if name is a macro parameter first -- cil: fix NULL pointer dereference in __cil_insert_name -- cil: Report disabling an optional block only at high verbose levels -- cil: Use AST to track blocks and optionals when resolving -- cil: Reorder checks for invalid rules when resolving AST -- cil: Sync checks for invalid rules in booleanifs -- cil: Check for statements not allowed in optional blocks (#1983530) +## START: Generated by rpmautospec +* Thu Jan 30 2025 Petr Lautrbach - 3.8-1 +- SELinux userspace 3.8 release -* Wed Jan 06 2021 Vit Mojzis - 2.9-2 -- Drop unnecessary telinit (#1838257) +* Wed Dec 18 2024 Petr Lautrbach - 3.8-0.rc3.1 +- SELinux userspace 3.8-rc3 
release + +* Thu Dec 05 2024 Petr Lautrbach - 3.8-0.rc1.1 +- SELinux userspace 3.8-rc1 release + +* Tue Nov 12 2024 Vit Mojzis - 3.7-4 +- cil: Check that sym_index is within bounds (RHEL-34823) +- cil: Initialize avtab_datum on declaration (RHEL-34810) +- mls: Do not destroy context on memory error (RHEL-34810) +- cil/cil_post: Initialize tmp on declaration (RHEL-34810) +- Initialize "strs" on declaration (RHEL-34810) + +* Tue Oct 29 2024 Troy Dawson - 3.7-3 +- Bump release for October 2024 mass rebuild (RHEL-64018) + +* Fri Aug 09 2024 Vit Mojzis - 3.7-2 +- sepol_compute_sid: Do not destroy uninitialized context (RHEL-34808) + +* Thu Jun 27 2024 Petr Lautrbach - 3.7-1 +- SELinux userspace 3.7 release + +* Mon Jun 24 2024 Troy Dawson - 3.6-4 +- Bump release for June 2024 mass rebuild + +* Thu Jan 25 2024 Fedora Release Engineering - 3.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sun Jan 21 2024 Fedora Release Engineering - 3.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Thu Dec 14 2023 Petr Lautrbach - 3.6-1 +- SELinux userspace 3.6 release + +* Thu Nov 23 2023 Petr Lautrbach - 3.6-0.rc2.1 +- SELinux userspace 3.6-rc2 release + +* Fri Nov 10 2023 Petr Lautrbach - 3.6-0.rc1.1 +- SELinux userspace 3.6-rc1 release + +* Thu Jul 20 2023 Fedora Release Engineering - 3.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Fri Feb 24 2023 Petr Lautrbach - 3.5-1 +- SELinux userspace 3.5 release + +* Mon Feb 13 2023 Petr Lautrbach - 3.5-0.rc3.1 +- SELinux userspace 3.5-rc3 release + +* Thu Jan 19 2023 Fedora Release Engineering - 3.5-0.rc2.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Mon Jan 16 2023 Petr Lautrbach - 3.5-0.rc2.1 +- SELinux userspace 3.5-rc2 release + +* Fri Dec 23 2022 Petr Lautrbach - 3.5-0.rc1.1 +- SELinux userspace 3.5-rc1 release + +* Mon Nov 21 2022 Petr Lautrbach - 3.4-4 +- Rebase on upstream f56a72ac9e86 + +* Thu Jul 21 2022 Fedora 
Release Engineering - 3.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Wed May 25 2022 Petr Lautrbach - 3.4-2 +- rebuilt + +* Thu May 19 2022 Petr Lautrbach - 3.4-1 +- SELinux userspace 3.4 release + +* Tue May 10 2022 Petr Lautrbach - 3.4-0.rc3.1 +- SELinux userspace 3.4-rc3 release + +* Thu Apr 21 2022 Petr Lautrbach - 3.4-0.rc2.1 +- SELinux userspace 3.4-rc2 release + +* Tue Apr 12 2022 Petr Lautrbach - 3.4-0.rc1.1 +- SELinux userspace 3.4-rc1 release + +* Thu Jan 20 2022 Fedora Release Engineering - 3.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Thu Nov 11 2021 Petr Lautrbach - 3.3-2 +- Use correct libdir in libsepol.pc (#2018492) + +* Fri Oct 22 2021 Petr Lautrbach - 3.3-1 +- SELinux userspace 3.3 release + +* Thu Oct 7 2021 Petr Lautrbach - 3.3-0.rc3.1 +- SELinux userspace 3.3-rc3 release + +* Wed Sep 29 2021 Petr Lautrbach - 3.3-0.rc2.1 +- SELinux userspace 3.3-rc2 release + +* Wed Jul 28 2021 Petr Lautrbach - 3.2-3 +- Rebase on upstream commit 32611aea6543 + +* Thu Jul 22 2021 Fedora Release Engineering - 3.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Mon Mar 8 2021 Petr Lautrbach - 3.2-1 +- SELinux userspace 3.2 release + +* Fri Feb 5 2021 Petr Lautrbach - 3.2-0.rc2.1 +- SELinux userspace 3.2-rc2 release + +* Tue Jan 26 2021 Fedora Release Engineering - 3.2-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Jan 20 2021 Petr Lautrbach - 3.2-0.rc1.1 +- SELinux userspace 3.2-rc1 release + +* Fri Nov 20 2020 Petr Lautrbach - 3.1-5 +- Drop and obsolete libsepol-compat subpackage +- cil: Give error for more than one true or false block + +* Fri Oct 23 2020 Petr Lautrbach - 3.1-4 +- Drop deprecated functions and duplicated symbols +- Dange library version to libsepol.so.2 +- temporary ship -compat with libsepol.so.1 +- Re-enable LTO flags + +* Mon Jul 27 2020 Petr Lautrbach - 3.1-3 +- Disable LTO cflags +- Drop telinit from % post 
sciptlet + +* Mon Jul 13 2020 Tom Stellard - 3.1-2 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro +- Use set_build_flags and -fno-semantic-interposition + +* Fri Jul 10 2020 Petr Lautrbach - 3.1-1 +- SELinux userspace 3.1 release + +* Wed Jan 29 2020 Fedora Release Engineering - 3.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Jan 28 2020 Petr Lautrbach - 3.0-2 +- Fix -fno-common issues discovered by GCC 10 + +* Fri Dec 6 2019 Petr Lautrbach - 3.0-1 +- SELinux userspace 3.0 release + +* Mon Nov 11 2019 Petr Lautrbach - 3.0-0.rc.1 +- SELinux userspace 3.0-rc1 release + +* Thu Jul 25 2019 Fedora Release Engineering - 2.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild * Mon Mar 18 2019 Petr Lautrbach - 2.9-1 - SELinux userspace 2.9 release -* Mon Nov 5 2018 Petr Lautrbach - 2.8-2 +* Wed Mar 6 2019 Petr Lautrbach - 2.9-0.rc2.1 +- SELinux userspace 2.9-rc2 release + +* Fri Feb 01 2019 Fedora Release Engineering - 2.9-0.rc1.1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Fri Jan 25 2019 Petr Lautrbach - 2.9-0.rc1.1 +- SELinux userspace 2.9-rc1 release + +* Tue Nov 13 2018 Petr Lautrbach - 2.8-3 - Fix RESOURCE_LEAK coverity scan defects +* Fri Jul 13 2018 Fedora Release Engineering - 2.8-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Fri May 25 2018 Petr Lautrbach - 2.8-1 - SELinux userspace 2.8 release @@ -282,7 +425,7 @@ exit 0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild * Tue May 6 2014 Dan Walsh - 2.3-1 -- Update to upstream +- Update to upstream * Improve error message for name-based transition conflicts. * Revert libsepol: filename_trans: use some better sorting to compare and merge. * Report source file and line information for neverallow failures. 
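Review bot: In the new `%files utils` section, `%{_mandir}/man8/chkcon.8.gz` hard-codes the man page compression suffix. The build would fail with an unpackaged or missing file if the compression used by the build root changes. The usual form is `%{_mandir}/man8/chkcon.8*`. The rest of this hunk is the regenerated changelog and needs no comment.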
@@ -290,7 +433,7 @@ exit 0 * Add sepol_validate_transition_reason_buffer function from Richard Haines. * Thu Oct 31 2013 Dan Walsh - 2.2-1 -- Update to upstream +- Update to upstream - Richard Haines patch V1 Allow constraint denials to be determined. - Add separate role declarations as required by modern checkpolicy. @@ -298,12 +441,12 @@ exit 0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild * Thu Feb 7 2013 Dan Walsh - 2.1.9-1 -- Update to upstream +- Update to upstream - filename_trans: use some better sorting to compare and merge - coverity fixes - implement default type policy syntax - Fix memory leak issues found by Klocwork -- Add CONTRAINT_NAMES to the kernel +- Add CONTRAINT_NAMES to the kernel * Sun Jan 27 2013 Dan Walsh - 2.1.8-8 - Update to latest patches from eparis/Upstream @@ -327,7 +470,7 @@ exit 0 - Revert patch that was attempting to expand filetrans attributes, but is breaking filetrans rules * Thu Sep 13 2012 Dan Walsh - 2.1.8-1 -- Update to upstream +- Update to upstream * fix neverallow checking on attributes * Move context_copy() after switch block in ocontext_copy_*(). * check for missing initial SID labeling statement. @@ -344,7 +487,7 @@ exit 0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild * Wed Jul 4 2012 Dan Walsh - 2.1.7-1 -- Update to upstream +- Update to upstream * reserve policycapability for redhat testing of ptrace child * cosmetic changes to make the source easier to read * prepend instead of append to filename_trans list @@ -358,7 +501,7 @@ exit 0 - Add support for ptrace_child * Thu Mar 29 2012 Dan Walsh - 2.1.5-1 -- Update to upstream +- Update to upstream * checkpolicy: implement new default labeling behaviors * Fri Jan 13 2012 Fedora Release Engineering - 2.1.4-6 
@@ -374,11 +517,11 @@ exit 0 - Add Eparis patch for handling of default transition labeling * Mon Dec 5 2011 Dan Walsh - 2.1.4-2 -- Allow policy to specify the source of target for generating the default user,role +- Allow policy to specify the source of target for generating the default user,role - or mls label for a new target. * Fri Nov 4 2011 Dan Walsh - 2.1.4-1 -- Update to upstream +- Update to upstream * regenerate .pc on VERSION change * Move ebitmap_* functions from mcstrans to libsepol * expand: do filename_trans type comparison on mapped representation @@ -410,23 +553,23 @@ dup! - Add patch to handle preserving tunables * Thu Sep 1 2011 Dan Walsh - 2.1.2-2 -- export expand_module_avrules +- export expand_module_avrules * Thu Aug 18 2011 Dan Walsh - 2.1.2-0 -- Update to upstream +- Update to upstream * Only call role_fix_callback for base.p_roles during expansion. * use mapped role number instead of module role number * Mon Aug 1 2011 Dan Walsh 2.1.1-1 -- Update to upstream +- Update to upstream * Minor fix to reading policy with filename transition rules * Wed Jul 27 2011 Dan Walsh 2.1.0-1 -- Update to upstream +- Update to upstream * Release, minor version bump * Tue May 3 2011 Dan Walsh 2.0.45-1 -- Update to upstream +- Update to upstream * Warn if filename_trans rules are dropped by Steve Lawrence. * Thu Apr 21 2011 Dan Walsh 2.0.44-2 @@ -439,7 +582,7 @@ dup! * Tue Apr 12 2011 Dan Walsh 2.0.43-3 - re-add Erics patch for filename transitions - + * Tue Apr 12 2011 Dan Walsh 2.0.43-1 -Update to upstream * Add new class field in role_transition by Harry Ciao. 
@@ -586,7 +729,7 @@ Resolves: #555835 * Reject self aliasing at link time from Stephen Smalley. * Allow handle_unknown in base to be overridden by semanage.conf from Stephen Smalley. * Fixed bug in require checking from Stephen Smalley. - * Added user hierarchy checking from Todd Miller. + * Added user hierarchy checking from Todd Miller. * Wed Sep 26 2007 Dan Walsh 2.0.11-1 * Pass CFLAGS to CC even on link command, per Dennis Gilmore. @@ -627,7 +770,7 @@ Resolves: #555835 * Fri Mar 30 2007 Dan Walsh 2.0.2-1 - Upgrade to latest from NSA - * Merged fix from Karl to remap booleans at expand time to + * Merged fix from Karl to remap booleans at expand time to avoid holes in the symbol table. * Wed Feb 7 2007 Dan Walsh 2.0.1-1 @@ -635,7 +778,7 @@ Resolves: #555835 * Merged libsepol segfault fix from Stephen Smalley for when sensitivities are required but not present in the base. * Merged patch to add errcodes.h to libsepol by Karl MacMillan. - + * Fri Jan 19 2007 Dan Walsh 1.16.0-1 - Upgrade to latest from NSA * Updated version for stable branch. @@ -682,7 +825,7 @@ Resolves: #555835 - Fix location of include directory to devel package * Fri Aug 25 2006 Dan Walsh 1.12.25-2 -- Remove invalid Requires +- Remove invalid Requires * Thu Aug 24 2006 Dan Walsh 1.12.25-1 - Upgrade to latest from NSA @@ -799,7 +942,7 @@ Resolves: #555835 * Merged bug fix patch from Ivan Gyurdiev. * Added a defined flag to level_datum_t for use by checkpolicy. * Merged nodecon support patch from Ivan Gyurdiev. - * Merged cleanups patch from Ivan Gyurdiev. + * Merged cleanups patch from Ivan Gyurdiev. * Mon Feb 13 2006 Dan Walsh 1.11.14-2 - Fix post install not to fire if /dev/initctr does not exist 
@@ -823,13 +966,13 @@ Resolves: #555835 - Upgrade to latest from NSA * Merged assertion copying bugfix from Joshua Brindle. * Merged sepol_av_to_string patch from Joshua Brindle. - * Merged clone record on set_con patch from Ivan Gyurdiev. + * Merged clone record on set_con patch from Ivan Gyurdiev. * Mon Jan 30 2006 Dan Walsh 1.11.10-1 - Upgrade to latest from NSA * Merged cond_expr mapping and package section count bug fixes from Joshua Brindle. - * Merged improve port/fcontext API patch from Ivan Gyurdiev. + * Merged improve port/fcontext API patch from Ivan Gyurdiev. * Merged fixes for overflow bugs on 64-bit from Ivan Gyurdiev. * Fri Jan 13 2006 Dan Walsh 1.11.9-1 @@ -885,7 +1028,7 @@ Resolves: #555835 * Mon Dec 5 2005 Dan Walsh 1.9.42-1 - Upgrade to latest from NSA - * Dropped handle from user_del_role interface. + * Dropped handle from user_del_role interface. * Mon Nov 28 2005 Dan Walsh 1.9.41-1 - Upgrade to latest from NSA @@ -904,7 +1047,7 @@ Resolves: #555835 degenerate case where there are no booleans or booleans.local files. * Cleaned up sepol_genusers to not warn on missing local.users. - + * Tue Nov 8 2005 Dan Walsh 1.9.38-1 - Upgrade to latest from NSA * Removed sepol_port_* from libsepol.map, as the port interfaces @@ -927,16 +1070,16 @@ Resolves: #555835 * Mon Oct 31 2005 Dan Walsh 1.9.34-1 - Upgrade to latest from NSA - * Merged record interface, record bugfix, and set_roles patches + * Merged record interface, record bugfix, and set_roles patches from Ivan Gyurdiev. * Fri Oct 28 2005 Dan Walsh 1.9.33-1 - Upgrade to latest from NSA - * Merged count specification change from Ivan Gyurdiev. + * Merged count specification change from Ivan Gyurdiev. * Wed Oct 26 2005 Dan Walsh 1.9.32-1 - Upgrade to latest from NSA - * Added further checking and error reporting to + * Added further checking and error reporting to sepol_module_package_read and _info. * Merged sepol handle passing, DEBUG conversion, and memory leak fix patches from Ivan Gyurdiev. 
@@ -957,8 +1100,8 @@ Resolves: #555835 * Mon Oct 24 2005 Dan Walsh 1.9.26-1 - Upgrade to latest from NSA - * Merged context interface cleanup, record conversion code, - key passing, and bug fix patches from Ivan Gyurdiev. + * Merged context interface cleanup, record conversion code, + key passing, and bug fix patches from Ivan Gyurdiev. * Fri Oct 21 2005 Dan Walsh 1.9.25-1 - Upgrade to latest from NSA @@ -974,7 +1117,7 @@ Resolves: #555835 and hierarchy checking on expansion. * Reworked check_assertions() and hierarchy_check_constraints() to take handles and use callback-based error reporting. - * Changed expand_module() to call check_assertions() and + * Changed expand_module() to call check_assertions() and hierarchy_check_constraints() prior to returning the expanded policy. @@ -987,9 +1130,9 @@ Resolves: #555835 * Added handle argument to policydb_from_image/to_image. * Added sepol_module_package_set_file_contexts interface. * Dropped sepol_module_package_create_file interface. - * Reworked policydb_read/write, policydb_from_image/to_image, + * Reworked policydb_read/write, policydb_from_image/to_image, and sepol_module_package_read/write to use callback-based error - reporting system rather than DEBUG. + reporting system rather than DEBUG. * Tue Oct 18 2005 Dan Walsh 1.9.19-1 - Upgrade to latest from NSA @@ -1029,9 +1172,9 @@ Resolves: #555835 Caller must do so first. 2) policydb_init no longer takes policy_type argument. Caller must set policy_type separately. - 3) expand_module automatically enables the global branch. + 3) expand_module automatically enables the global branch. Caller no longer needs to do so. - 4) policydb_write uses the policy_type and policyvers from the + 4) policydb_write uses the policy_type and policyvers from the policydb itself, and sepol_set_policyvers() has been removed. * Fri Oct 7 2005 Dan Walsh 1.9.12-1 
@@ -1042,7 +1185,7 @@ Resolves: #555835 - Upgrade to latest from NSA * Merged bug fix for check_assertions handling of no assertions from Joshua Brindle (Tresys). - + * Tue Oct 4 2005 Dan Walsh 1.9.10-1 - Upgrade to latest from NSA * Merged iterate patch from Ivan Gyurdiev. @@ -1078,7 +1221,7 @@ Resolves: #555835 * Wed Sep 14 2005 Dan Walsh 1.9.1-2 - Upgrade to latest from NSA - * Merged stddef.h patch and debug conversion patch from + * Merged stddef.h patch and debug conversion patch from Ivan Gyurdiev. * Mon Sep 12 2005 Dan Walsh 1.9.1-1 @@ -1102,14 +1245,14 @@ Resolves: #555835 * Tue Aug 23 2005 Dan Walsh 1.7.20-1 - Upgrade to latest from NSA - * Merged more fixes for resource leaks on error paths - from Serge Hallyn (IBM). Bugs found by Coverity. + * Merged more fixes for resource leaks on error paths + from Serge Hallyn (IBM). Bugs found by Coverity. * Fri Aug 19 2005 Dan Walsh 1.7.19-1 - Upgrade to latest from NSA * Changed to treat all type conflicts as fatal errors. - * Merged several error handling fixes from - Serge Hallyn (IBM). Bugs found by Coverity. + * Merged several error handling fixes from + Serge Hallyn (IBM). Bugs found by Coverity. * Mon Aug 15 2005 Dan Walsh 1.7.17-1 - Upgrade to latest from NSA @@ -1119,7 +1262,7 @@ Resolves: #555835 - Upgrade to latest from NSA * Fixed empty list test in cond_write_av_list. Bug found by Coverity, reported by Serge Hallyn (IBM). - * Merged patch to policydb_write to check errors + * Merged patch to policydb_write to check errors when writing the type->attribute reverse map from Serge Hallyn (IBM). Bug found by Coverity. * Fixed policydb_destroy to properly handle NULL type_attr_map 
@@ -1129,7 +1272,7 @@ Resolves: #555835 - Upgrade to latest from NSA * Fixed empty list test in cond_write_av_list. Bug found by Coverity, reported by Serge Hallyn (IBM). - * Merged patch to policydb_write to check errors + * Merged patch to policydb_write to check errors when writing the type->attribute reverse map from Serge Hallyn (IBM). Bug found by Coverity. * Fixed policydb_destroy to properly handle NULL type_attr_map @@ -1138,15 +1281,15 @@ Resolves: #555835 * Thu Aug 11 2005 Dan Walsh 1.7.13-1 - Upgrade to latest from NSA - * Improved memory use by SELinux by both reducing the avtab + * Improved memory use by SELinux by both reducing the avtab node size and reducing the number of avtab nodes (by not expanding attributes in TE rules when possible). Added expand_avtab and expand_cond_av_list functions for use by assertion checker, hierarchy checker, compatibility code, and dispol. Added new inline ebitmap operators and converted - existing users of ebitmaps to the new operators for greater + existing users of ebitmaps to the new operators for greater efficiency. - Note: The binary policy format version has been incremented to + Note: The binary policy format version has been incremented to version 20 as a result of these changes. * Thu Aug 11 2005 Dan Walsh 1.7.12-1 @@ -1170,11 +1313,11 @@ Resolves: #555835 * Merged mls_context_to_sid bugfix from Ivan Gyurdiev. * Wed Jul 27 2005 Dan Walsh 1.7.6-2 -- Fix MLS Free +- Fix MLS Free * Mon Jul 25 2005 Dan Walsh 1.7.6-1 - Upgrade to latest from NSA - * Merged context reorganization, memory leak fixes, + * Merged context reorganization, memory leak fixes, port and interface loading, replacements for genusers and genbools, debug traceback, and bugfix patches from Ivan Gyurdiev. * Merged uninitialized variable bugfix from Dan Walsh. 
@@ -1196,7 +1339,7 @@ Resolves: #555835 * Merged genbools debugging message cleanup from Red Hat. * Thu Jul 7 2005 Dan Walsh 1.7-2 -- Remove genpolbools and genpoluser +- Remove genpolbools and genpoluser * Thu Jul 7 2005 Dan Walsh 1.7-1 - Upgrade to latest from NSA @@ -1221,7 +1364,7 @@ Resolves: #555835 * Mon May 16 2005 Dan Walsh 1.5.8-1 - Upgrade to latest from NSA - * Added sepol_ prefix to Flask types to avoid + * Added sepol_ prefix to Flask types to avoid namespace collision with libselinux. * Fri May 13 2005 Dan Walsh 1.5.7-1 @@ -1316,6 +1459,6 @@ Resolves: #555835 * Tue Aug 10 2004 Dan Walsh 0.3.1-1 - Initial version -- Created by Stephen Smalley - +- Created by Stephen Smalley +## END: Generated by rpmautospec diff --git a/sources b/sources new file mode 100644 index 0000000..6166006 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (libsepol-3.8.tar.gz) = 06da9bac1075b54177c3237994f3db0f9a50e16a363874df7ba11a52084bce4af9623ecfc1db1779b555dee6aab62fbfbf1cd03cf5760bd00f74ea5775897e09