- Upgrade to latest from NSA

Eliminate unaligned accesses from policy reading code from Stephen Smalley.
2007-08-28 17:35:57 +00:00 · 2007-08-28 17:35:57 +00:00 · b79588c078
commit b79588c078
parent d7175a2f83
2 changed files with 87 additions and 74 deletions
--- a/libsepol-rhat.patch
+++ b/libsepol-rhat.patch
@ -1,77 +1,88 @@
-diff --exclude-from=exclude -N -u -r nsalibsepol/include/sepol/handle.h libsepol-2.0.5/include/sepol/handle.h
+Index: libsepol/src/module.c
--- nsalibsepol/include/sepol/handle.h	2007-07-16 14:20:40.000000000 -0400
+===================================================================
-+++ libsepol-2.0.5/include/sepol/handle.h	2007-08-10 09:42:16.000000000 -0400
+--- libsepol/src/module.c	(revision 2538)
-@@ -7,6 +7,10 @@
+++ libsepol/src/module.c	(working copy)
- /* Create and return a sepol handle. */
+@@ -353,21 +353,27 @@
- sepol_handle_t *sepol_handle_create(void);
+ 				       struct policy_file *file,
 				       size_t ** offsets, uint32_t * sections)
 {
 -	uint32_t buf[3], nsec;
 +	uint32_t *buf = NULL, nsec;
 	unsigned i;
 -	size_t *off;
 +	size_t *off = NULL;
 	int rc;
-+/* Set whether or not to disable dontaudits, 0 is default and does 
+	buf = malloc(sizeof(uint32_t)*3);
-+ * not disable dontaudits, 1 disables them */
+	if (!buf) {
-+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
+		ERR(file->handle, "out of memory");
 +		goto err;
 +	}
 +	  
- /* Destroy a sepol handle. */
+ 	rc = next_entry(buf, file, sizeof(uint32_t) * 3);
- void sepol_handle_destroy(sepol_handle_t *);
+ 	if (rc < 0) {
- 
+ 		ERR(file->handle, "module package header truncated");
-diff --exclude-from=exclude -N -u -r nsalibsepol/src/expand.c libsepol-2.0.5/src/expand.c
+-		return -1;
--- nsalibsepol/src/expand.c	2007-07-16 14:20:41.000000000 -0400
+		goto err;
-+++ libsepol-2.0.5/src/expand.c	2007-08-10 09:42:16.000000000 -0400
+ 	}
-@@ -1367,6 +1367,8 @@
+ 	if (le32_to_cpu(buf[0]) != SEPOL_MODULE_PACKAGE_MAGIC) {
- 	} else if (specified & AVRULE_AUDITDENY) {
+ 		ERR(file->handle,
- 		spec = AVTAB_AUDITDENY;
+ 		    "wrong magic number for module package:  expected %u, got %u",
- 	} else if (specified & AVRULE_DONTAUDIT) {
+ 		    SEPOL_MODULE_PACKAGE_MAGIC, le32_to_cpu(buf[0]));
-+		if (handle->disable_dontaudit)
+-		return -1;
-+			return EXPAND_RULE_SUCCESS;
+		goto err;
 		spec = AVTAB_AUDITDENY;
 	} else if (specified & AVRULE_NEVERALLOW) {
 		spec = AVTAB_NEVERALLOW;
 diff --exclude-from=exclude -N -u -r nsalibsepol/src/handle.c libsepol-2.0.5/src/handle.c
 --- nsalibsepol/src/handle.c	2007-07-16 14:20:41.000000000 -0400
 +++ libsepol-2.0.5/src/handle.c	2007-08-10 09:42:16.000000000 -0400
@@ -1,4 +1,5 @@
 #include <stdlib.h>
 +#include <assert.h>
 #include "handle.h"
 #include "debug.h"
@@ -13,9 +14,18 @@
 	sh->msg_callback = sepol_msg_default_handler;
 	sh->msg_callback_arg = NULL;
 +	/* by default do not disable dontaudits */
 +	sh->disable_dontaudit = 0;
 +
 	return sh;
 	}
-+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit)
+ 	mod->version = le32_to_cpu(buf[1]);
-+{
+@@ -376,23 +382,29 @@
-+	assert(sh !=NULL);
+ 	if (nsec > MAXSECTIONS) {
-+	sh->disable_dontaudit = disable_dontaudit;
+ 		ERR(file->handle, "too many sections (%u) in module package",
-+}
+ 		    nsec);
-+
+-		return -1;
- void sepol_handle_destroy(sepol_handle_t * sh)
+		goto err;
- {
+ 	}
 	free(sh);
 diff --exclude-from=exclude -N -u -r nsalibsepol/src/handle.h libsepol-2.0.5/src/handle.h
 --- nsalibsepol/src/handle.h	2007-07-16 14:20:40.000000000 -0400
 +++ libsepol-2.0.5/src/handle.h	2007-08-10 09:42:16.000000000 -0400
@@ -14,6 +14,9 @@
 	void (*msg_callback) (void *varg,
 			      sepol_handle_t * handle, const char *fmt, ...);
 	void *msg_callback_arg;
 +
 +	int disable_dontaudit;
 +
 };
- #endif
+ 	off = (size_t *) malloc((nsec + 1) * sizeof(size_t));
-diff --exclude-from=exclude -N -u -r nsalibsepol/src/libsepol.map libsepol-2.0.5/src/libsepol.map
+ 	if (!off) {
--- nsalibsepol/src/libsepol.map	2007-07-16 14:20:41.000000000 -0400
+ 		ERR(file->handle, "out of memory");
-+++ libsepol-2.0.5/src/libsepol.map	2007-08-10 09:42:16.000000000 -0400
+-		return -1;
-@@ -12,5 +12,6 @@
+		goto err;
- 	sepol_policydb_*; sepol_set_policydb_from_file; 
+ 	}
- 	sepol_policy_kern_*;
+ 
- 	sepol_policy_file_*;
+-	rc = next_entry(off, file, sizeof(uint32_t) * nsec);
-+	sepol_set_disable_dontaudit;
+	free(buf);
-   local: *;
+	buf = malloc(sizeof(uint32_t) * nsec);
- };
+	if (!buf) {
 +		ERR(file->handle, "out of memory");
 +		goto err;
 +	}
 +	rc = next_entry(buf, file, sizeof(uint32_t) * nsec);
 	if (rc < 0) {
 		ERR(file->handle, "module package offset array truncated");
 -		return -1;
 +		goto err;
 	}
 	for (i = 0; i < nsec; i++) {
 -		off[i] = le32_to_cpu(off[i]);
 +		off[i] = le32_to_cpu(buf[i]);
 		if (i && off[i] < off[i - 1]) {
 			ERR(file->handle, "offsets are not increasing (at %u, "
 			    "offset %zu -> %zu", i, off[i - 1],
@@ -401,10 +413,15 @@
 		}
 	}
 -	
 +	free(buf); 	
 	off[nsec] = policy_file_length(file);
 	*offsets = off;
 	return 0;
 +
 +err:
 +	free(buf);
 +	free(off);
 +	return -1;
 }
 /* Flags for which sections have been seen during parsing of module package. */
--- a/libsepol.spec
+++ b/libsepol.spec
@ -2,11 +2,12 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsepol
 Version: 2.0.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
 URL:	http://www.selinuxproject.org
 Patch: libsepol-rhat.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Provides: libsepol.so
@ -38,6 +39,7 @@ needed for developing applications that manipulate binary policies.
 %prep
 %setup -q
 %patch -p 1 -b .rhat
 # sparc64 is an -fPIC arch, so we need to fix it here
 %ifarch sparc64
 sed -i 's/fpic/fPIC/g' src/Makefile