diff --git a/.gitignore b/.gitignore
index e2ddc3d..26b8857 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,3 +36,4 @@ mcstrans-0.3.1.tgz
 /mcstrans-3.3-rc2.tar.gz
 /mcstrans-3.3-rc3.tar.gz
 /mcstrans-3.3.tar.gz
+/mcstrans-3.4.tar.gz
diff --git a/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch b/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
deleted file mode 100644
index 632e628..0000000
--- a/0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
+++ /dev/null
@@ -1,129 +0,0 @@ -From 58a11e55120de4700d4e874dee0d8c36d13caedd Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Wed, 28 Nov 2018 18:28:05 +0100 -Subject: [PATCH] mcstrans: Fir RESOURCE_LEAK and USE_AFTER_FREE coverity scan - defects - ---- - mcstrans/src/mcstrans.c | 21 +++++++++++++++++++-- - mcstrans/src/mcstransd.c | 4 +++- - 2 files changed, 22 insertions(+), 3 deletions(-) - -diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c -index e92dfddb0d20..d0690e6b0dca 100644 ---- a/mcstrans/src/mcstrans.c -+++ b/mcstrans/src/mcstrans.c -@@ -633,16 +633,23 @@ add_cache(domain_t *domain, char *raw, char *trans) { - - map->raw = strdup(raw); - if (!map->raw) { -+ free(map); - goto err; - } - map->trans = strdup(trans); - if (!map->trans) { -+ free(map->raw); -+ free(map); - goto err; - } - - log_debug(" add_cache (%s,%s)\n", raw, trans); -- if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) -+ if (add_to_hashtable(domain->raw_to_trans, map->raw, map) < 0) { -+ free(map->trans); -+ free(map->raw); -+ free(map); - goto err; -+ } - - if (add_to_hashtable(domain->trans_to_raw, map->trans, map) < 0) - goto err; -@@ -1520,6 +1527,7 @@ trans_context(const char *incon, char **rcon) { - trans = compute_trans_from_raw(range, domain); - if (trans) - if (add_cache(domain, range, trans) < 0) { -+ free(trans); - free(range); - return -1; - } -@@ -1531,6 +1539,7 @@ trans_context(const char *incon, char **rcon) { - ltrans = compute_trans_from_raw(lrange, domain); - if (ltrans) { - if (add_cache(domain, lrange, ltrans) < 0) { -+ free(ltrans); - free(range); - return -1; - } -@@ -1549,6 +1558,7 @@ trans_context(const char *incon, char **rcon) { - utrans = compute_trans_from_raw(urange, domain); - if (utrans) { - if (add_cache(domain, urange, utrans) < 0) { -+ free(utrans); - free(ltrans); - free(range); - return -1; -@@ -1648,14 +1658,19 @@ untrans_context(const char *incon, char **rcon) { - canonical = compute_trans_from_raw(raw, domain); - if (canonical && 
strcmp(canonical, range)) - if (add_cache(domain, raw, canonical) < 0) { -+ free(canonical); - free(range); -+ free(raw); - return -1; - } - } -- if (canonical) -+ if (canonical) { - free(canonical); -+ free(raw); -+ } - if (add_cache(domain, raw, range) < 0) { - free(range); -+ free(raw); - return -1; - } - } else { -@@ -1673,6 +1688,7 @@ untrans_context(const char *incon, char **rcon) { - canonical = compute_trans_from_raw(lraw, domain); - if (canonical) - if (add_cache(domain, lraw, canonical) < 0) { -+ free(canonical); - free(lraw); - free(range); - return -1; -@@ -1704,6 +1720,7 @@ untrans_context(const char *incon, char **rcon) { - canonical = compute_trans_from_raw(uraw, domain); - if (canonical) - if (add_cache(domain, uraw, canonical) < 0) { -+ free(canonical); - free(uraw); - free(lraw); - free(range); -diff --git a/mcstrans/src/mcstransd.c b/mcstrans/src/mcstransd.c -index 59c152e73be1..5191fc98ef06 100644 ---- a/mcstrans/src/mcstransd.c -+++ b/mcstrans/src/mcstransd.c -@@ -335,6 +335,7 @@ process_events(struct pollfd **ufds, int *nfds) - /* Setup pollfd for deletion later. */ - (*ufds)[ii].fd = -1; - close(connfd); -+ connfd = -1; - /* So we don't get bothered later */ - revents = revents & ~(POLLHUP); - } -@@ -348,10 +349,11 @@ process_events(struct pollfd **ufds, int *nfds) - /* Set the pollfd up for deletion later. */ - (*ufds)[ii].fd = -1; - close(connfd); -+ connfd = -1; - - revents = revents & ~(POLLHUP); - } -- if (revents) { -+ if (revents && connfd != -1) { - syslog(LOG_ERR, "Unknown/error events (%x) encountered" - " for fd (%d)\n", revents, connfd); - --- -2.32.0 - diff --git a/0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch b/0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch deleted file mode 100644 index 5ec7917..0000000 --- a/0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From 7a170534163ab9d9159dddfadb996587d98fe30e Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Thu, 9 May 2019 16:44:43 +0200 -Subject: [PATCH] mcstrans: Fix USER_AFTER_FREE problem - ---- - mcstrans/src/mcstrans.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c -index d0690e6b0dca..8678418a1570 100644 ---- a/mcstrans/src/mcstrans.c -+++ b/mcstrans/src/mcstrans.c -@@ -1664,10 +1664,8 @@ untrans_context(const char *incon, char **rcon) { - return -1; - } - } -- if (canonical) { -+ if (canonical) - free(canonical); -- free(raw); -- } - if (add_cache(domain, raw, range) < 0) { - free(range); - free(raw); --- -2.32.0 - diff --git a/0003-mcstrans-Do-not-accept-incomplete-contexts.patch b/0003-mcstrans-Do-not-accept-incomplete-contexts.patch deleted file mode 100644 index d86d83c..0000000 --- a/0003-mcstrans-Do-not-accept-incomplete-contexts.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From a6e2b2287254b2880e8697707f10bd303ffcc06a Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Mon, 15 Apr 2019 15:22:51 +0200 -Subject: [PATCH] mcstrans: Do not accept incomplete contexts -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes: -$ python3 -> import selinux -> selinux.selinux_raw_context_to_color("xyz_u:xyz_r:xyz_t:") - -Traceback (most recent call last): - File "", line 2, in -OSError: [Errno 0] Error - -:: [ 10:25:45 ] :: [ BEGIN ] :: Running 'service mcstransd status' -Redirecting to /bin/systemctl status mcstransd.service -● mcstrans.service - Translates SELinux MCS/MLS labels to human readable form - Loaded: loaded (/usr/lib/systemd/system/mcstrans.service; disabled; vendor preset: disabled) - Active: failed (Result: core-dump) since Fri 2019-04-12 10:25:44 EDT; 1s ago - Process: 16681 ExecStart=/sbin/mcstransd -f (code=dumped, signal=SEGV) - Main PID: 16681 (code=dumped, signal=SEGV) - -systemd[1]: mcstrans.service: Main process exited, code=dumped, status=11/SEGV -systemd[1]: mcstrans.service: Failed with result 'core-dump'. 
- -Signed-off-by: Petr Lautrbach ---- - mcstrans/src/mcscolor.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/mcstrans/src/mcscolor.c b/mcstrans/src/mcscolor.c -index a38388501db5..94421a58dee4 100644 ---- a/mcstrans/src/mcscolor.c -+++ b/mcstrans/src/mcscolor.c -@@ -272,10 +272,14 @@ static const unsigned precedence[N_COLOR][N_COLOR - 1] = { - static const secolor_t default_color = { 0x000000, 0xffffff }; - - static int parse_components(context_t con, char **components) { -- components[COLOR_USER] = (char *)context_user_get(con); -- components[COLOR_ROLE] = (char *)context_role_get(con); -- components[COLOR_TYPE] = (char *)context_type_get(con); -- components[COLOR_RANGE] = (char *)context_range_get(con); -+ if ((components[COLOR_USER] = (char *)context_user_get(con)) == NULL) -+ return -1; -+ if ((components[COLOR_ROLE] = (char *)context_role_get(con)) == NULL) -+ return -1; -+ if ((components[COLOR_TYPE] = (char *)context_type_get(con)) == NULL) -+ return -1; -+ if ((components[COLOR_RANGE] = (char *)context_range_get(con)) == NULL) -+ return -1; - - return 0; - } --- -2.32.0 - diff --git a/0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch b/0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch deleted file mode 100644 index 59a0918..0000000 --- a/0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From a98f2f8f2f1c14646ec9c80faecf14e9bf4bbd2c Mon Sep 17 00:00:00 2001 -From: Petr Lautrbach -Date: Thu, 5 Aug 2021 16:26:44 +0200 -Subject: [PATCH] mcstrans: fix RESOURCE_LEAK (CWE-772) - -Fixes: - Error: RESOURCE_LEAK (CWE-772): [#def1] - mcstrans-3.2/src/mcstrans.c:1527: alloc_fn: Storage is returned from allocation function "compute_trans_from_raw". - mcstrans-3.2/src/mcstrans.c:1527: var_assign: Assigning: "trans" = storage returned from "compute_trans_from_raw(range, domain)". - mcstrans-3.2/src/mcstrans.c:1529: noescape: Resource "trans" is not freed or pointed-to in "add_cache". - mcstrans-3.2/src/mcstrans.c:1515: overwrite_var: Overwriting "trans" in "trans = find_in_hashtable(range, domain, domain->raw_to_trans)" leaks the storage that "trans" points to. - # 1513| domain_t *domain = domains; - # 1514| for (;domain; domain = domain->next) { - # 1515|-> trans = find_in_hashtable(range, domain, domain->raw_to_trans); - # 1516| if (trans) break; - # 1517| - - Error: RESOURCE_LEAK (CWE-772): [#def2] - mcstrans-3.2/src/mcstrans.c:1654: alloc_fn: Storage is returned from allocation function "compute_raw_from_trans". - mcstrans-3.2/src/mcstrans.c:1654: var_assign: Assigning: "raw" = storage returned from "compute_raw_from_trans(range, domain)". - mcstrans-3.2/src/mcstrans.c:1656: noescape: Resource "raw" is not freed or pointed-to in "find_in_hashtable". - mcstrans-3.2/src/mcstrans.c:1669: noescape: Resource "raw" is not freed or pointed-to in "add_cache". - mcstrans-3.2/src/mcstrans.c:1642: overwrite_var: Overwriting "raw" in "raw = find_in_hashtable(range, domain, domain->trans_to_raw)" leaks the storage that "raw" points to. 
- # 1640| domain_t *domain = domains; - # 1641| for (;domain; domain = domain->next) { - # 1642|-> raw = find_in_hashtable(range, domain, domain->trans_to_raw); - # 1643| if (raw) break; - # 1644| - -Signed-off-by: Petr Lautrbach ---- - mcstrans/src/mcstrans.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c -index 8678418a1570..4e110e02f73a 100644 ---- a/mcstrans/src/mcstrans.c -+++ b/mcstrans/src/mcstrans.c -@@ -1598,6 +1598,10 @@ trans_context(const char *incon, char **rcon) { - } - if (dashp) - *dashp = '-'; -+ if (trans) { -+ free(trans); -+ trans = NULL; -+ } - } - - if (trans) { -@@ -1769,6 +1773,10 @@ untrans_context(const char *incon, char **rcon) { - } - if (dashp) - *dashp = '-'; -+ if (raw) { -+ free(raw); -+ raw = NULL; -+ } - } - - if (raw) { --- -2.32.0 - diff --git a/0005-mcstrans-avoid-missing-prototypes.patch b/0005-mcstrans-avoid-missing-prototypes.patch deleted file mode 100644 index c472841..0000000 --- a/0005-mcstrans-avoid-missing-prototypes.patch +++ /dev/null 
@@ -1,343 +0,0 @@ -From 0fd5d05f4c5cbe4fbeb445f1b0bccfe1833a7253 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Fri, 12 Nov 2021 16:41:58 +0100 -Subject: [PATCH] mcstrans: avoid missing prototypes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Mark local functions static. -Export functions of mcscolor.c in mcscolor.h and avoid bare extern -function declarations. -Drop unused function emit_whitespace(). - -Signed-off-by: Christian Göttsche ---- - mcstrans/src/mcscolor.c | 2 ++ - mcstrans/src/mcscolor.h | 8 ++++++ - mcstrans/src/mcstrans.c | 57 ++++++++++++++++++---------------------- - mcstrans/src/mcstrans.h | 1 - - mcstrans/src/mcstransd.c | 13 +++------ - 5 files changed, 38 insertions(+), 43 deletions(-) - create mode 100644 mcstrans/src/mcscolor.h - -diff --git a/mcstrans/src/mcscolor.c b/mcstrans/src/mcscolor.c -index a38388501db5..9ff0ce2f29f1 100644 ---- a/mcstrans/src/mcscolor.c -+++ b/mcstrans/src/mcscolor.c -@@ -11,6 +11,8 @@ - #include - #include - #include -+ -+#include "mcscolor.h" - #include "mcstrans.h" - - /* Define data structures */ -diff --git a/mcstrans/src/mcscolor.h b/mcstrans/src/mcscolor.h -new file mode 100644 -index 000000000000..c37fe6ed5197 ---- /dev/null -+++ b/mcstrans/src/mcscolor.h -@@ -0,0 +1,8 @@ -+#ifndef __mcscolor_h__ -+#define __mcscolor_h__ -+ -+extern void finish_context_colors(void); -+extern int init_colors(void); -+extern int raw_color(const char *raw, char **color_str); -+ -+#endif -diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c -index e92dfddb0d20..09577ea0cc0b 100644 ---- a/mcstrans/src/mcstrans.c -+++ b/mcstrans/src/mcstrans.c -@@ -136,7 +136,7 @@ typedef struct cat_constraint { - - static cat_constraint_t *cat_constraints; - --unsigned int -+static unsigned int - hash(const char *str) { - unsigned int hash = 5381; - int c; -@@ -213,7 +213,7 @@ parse_category(ebitmap_t *e, const char *raw, int allowinverse) - return 0; - } - 
--int -+static int - parse_ebitmap(ebitmap_t *e, ebitmap_t *def, const char *raw) { - int rc = ebitmap_cpy(e, def); - if (rc < 0) -@@ -224,7 +224,7 @@ parse_ebitmap(ebitmap_t *e, ebitmap_t *def, const char *raw) { - return 0; - } - --mls_level_t * -+static mls_level_t * - parse_raw(const char *raw) { - mls_level_t *mls = calloc(1, sizeof(mls_level_t)); - if (!mls) -@@ -248,7 +248,7 @@ err: - return NULL; - } - --void -+static void - destroy_word(word_t **list, word_t *word) { - if (!word) { - return; -@@ -267,7 +267,7 @@ destroy_word(word_t **list, word_t *word) { - free(word); - } - --word_t * -+static word_t * - create_word(word_t **list, const char *text) { - word_t *w = calloc(1, sizeof(word_t)); - if (!w) { -@@ -291,7 +291,7 @@ err: - return NULL; - } - --void -+static void - destroy_group(word_group_t **list, word_group_t *group) { - for (; list && *list; list = &(*list)->next) { - if (*list == group) { -@@ -324,7 +324,7 @@ destroy_group(word_group_t **list, word_group_t *group) { - free(group); - } - --word_group_t * -+static word_group_t * - create_group(word_group_t **list, const char *name) { - word_group_t *group = calloc(1, sizeof(word_group_t)); - if (!group) -@@ -357,7 +357,7 @@ err: - return NULL; - } - --void -+static void - destroy_domain(domain_t *domain) { - int i; - unsigned int rt = 0, tr = 0; -@@ -401,7 +401,7 @@ destroy_domain(domain_t *domain) { - syslog(LOG_INFO, "cache sizes: tr = %u, rt = %u", tr, rt); - } - --domain_t * -+static domain_t * - create_domain(const char *name) { - domain_t *domain = calloc(1, sizeof(domain_t)); - if (!domain) { -@@ -425,7 +425,7 @@ err: - return NULL; - } - --int -+static int - add_word(word_group_t *group, char *raw, char *trans) { - if (strchr(trans,'-')) { - log_error("'%s'is invalid because '-' is illegal in modifiers.\n", trans); -@@ -451,7 +451,7 @@ add_word(word_group_t *group, char *raw, char *trans) { - return 0; - } - --int -+static int - add_constraint(char op, char *raw, char *tok) { - 
log_debug("%s\n", "add_constraint"); - ebitmap_t empty; -@@ -521,7 +521,7 @@ add_constraint(char op, char *raw, char *tok) { - return 0; - } - --int -+static int - violates_constraints(mls_level_t *l) { - int nbits; - sens_constraint_t *s; -@@ -563,7 +563,7 @@ violates_constraints(mls_level_t *l) { - return 0; - } - --void -+static void - destroy_sens_constraint(sens_constraint_t **list, sens_constraint_t *constraint) { - if (!constraint) { - return; -@@ -580,7 +580,7 @@ destroy_sens_constraint(sens_constraint_t **list, sens_constraint_t *constraint) - free(constraint); - } - --void -+static void - destroy_cat_constraint(cat_constraint_t **list, cat_constraint_t *constraint) { - if (!constraint) { - return; -@@ -663,7 +663,7 @@ find_in_table(context_map_node_t **table, const char *key) { - return NULL; - } - --char * -+static char * - trim(char *str, const char *whitespace) { - char *p = str + strlen(str); - -@@ -672,7 +672,7 @@ trim(char *str, const char *whitespace) { - return str; - } - --char * -+static char * - triml(char *str, const char *whitespace) { - char *p = str; - -@@ -681,7 +681,7 @@ triml(char *str, const char *whitespace) { - return p; - } - --int -+static int - update(char **p, char *const val) { - free (*p); - *p = strdup(val); -@@ -692,7 +692,7 @@ update(char **p, char *const val) { - return 0; - } - --int -+static int - append(affix_t **affixes, const char *val) { - affix_t *affix = calloc(1, sizeof(affix_t)); - if (!affix) { -@@ -887,7 +887,7 @@ init_translations(void) { - return(read_translations(selinux_translations_path())); - } - --char * -+static char * - extract_range(const char *incon) { - context_t con = context_new(incon); - if (!con) { -@@ -910,7 +910,7 @@ extract_range(const char *incon) { - return r; - } - --char * -+static char * - new_context_str(const char *incon, const char *range) { - char *rcon = NULL; - context_t con = context_new(incon); -@@ -931,7 +931,7 @@ exit: - return NULL; - } - --char * -+static char * - 
find_in_hashtable(const char *range, domain_t *domain, context_map_node_t **table) { - char *trans = NULL; - context_map_t *map = find_in_table(table, range); -@@ -946,13 +946,6 @@ find_in_hashtable(const char *range, domain_t *domain, context_map_node_t **tabl - return trans; - } - --void --emit_whitespace(char*buffer, char *whitespace) { -- strcat(buffer, "["); -- strcat(buffer, whitespace); -- strcat(buffer, "]"); --} -- - static int - string_size(const void *p1, const void *p2) { - return strlen(*(char **)p2) - strlen(*(char **)p1); -@@ -969,7 +962,7 @@ word_size(const void *p1, const void *p2) { - return (w2_len - w1_len); - } - --void -+static void - build_regexp(pcre **r, char *buffer) { - const char *error; - int error_offset; -@@ -982,7 +975,7 @@ build_regexp(pcre **r, char *buffer) { - buffer[0] = '\0'; - } - --int -+static int - build_regexps(domain_t *domain) { - char buffer[1024 * 128]; - buffer[0] = '\0'; -@@ -1086,7 +1079,7 @@ build_regexps(domain_t *domain) { - return 0; - } - --char * -+static char * - compute_raw_from_trans(const char *level, domain_t *domain) { - - #ifdef DEBUG -@@ -1278,7 +1271,7 @@ err: - return NULL; - } - --char * -+static char * - compute_trans_from_raw(const char *level, domain_t *domain) { - - #ifdef DEBUG -diff --git a/mcstrans/src/mcstrans.h b/mcstrans/src/mcstrans.h -index e5cda93b8a4b..0addb325e569 100644 ---- a/mcstrans/src/mcstrans.h -+++ b/mcstrans/src/mcstrans.h -@@ -6,4 +6,3 @@ extern int init_translations(void); - extern void finish_context_translations(void); - extern int trans_context(const char *, char **); - extern int untrans_context(const char *, char **); -- -diff --git a/mcstrans/src/mcstransd.c b/mcstrans/src/mcstransd.c -index 59c152e73be1..536c0f32f23a 100644 ---- a/mcstrans/src/mcstransd.c -+++ b/mcstrans/src/mcstransd.c -@@ -16,6 +16,8 @@ - #include - #include - #include -+ -+#include "mcscolor.h" - #include "mcstrans.h" - - #ifdef UNUSED -@@ -43,15 +45,6 @@ - #define log_debug(fmt, ...) 
do {} while (0) - #endif - --extern int init_translations(void); --extern void finish_context_translations(void); --extern int trans_context(const char *, char **); --extern int untrans_context(const char *, char **); -- --extern int init_colors(void); --extern void finish_context_colors(void); --extern int raw_color(const char *, char **); -- - #define SETRANSD_PATHNAME "/sbin/mcstransd" - - /* name of program (for error messages) */ -@@ -514,7 +507,7 @@ initialize(void) - - } - --void dropprivs(void) -+static void dropprivs(void) - { - cap_t new_caps; - --- -2.33.1 - diff --git a/0006-mcstrans-port-to-new-PCRE2-from-end-of-life-PCRE.patch b/0006-mcstrans-port-to-new-PCRE2-from-end-of-life-PCRE.patch deleted file mode 100644 index b73d1b1..0000000 --- a/0006-mcstrans-port-to-new-PCRE2-from-end-of-life-PCRE.patch +++ /dev/null 
@@ -1,344 +0,0 @@ -From c8fea6b657cc256c43fc9c5dbe2c4e04677416c9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 30 Nov 2021 12:04:25 +0100 -Subject: [PATCH] mcstrans: port to new PCRE2 from end-of-life PCRE -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Quoting pcre.org: - - There are two major versions of the PCRE library. The current - version, PCRE2, released in 2015, is now at version 10.39. - - The older, but still widely deployed PCRE library, originally - released in 1997, is at version 8.45. This version of PCRE is now at - end of life, and is no longer being actively maintained. Version - 8.45 is expected to be the final release of the older PCRE library, - and new projects should use PCRE2 instead. - -Signed-off-by: Christian Göttsche ---- - mcstrans/Makefile | 6 ++ - mcstrans/src/Makefile | 4 +- - mcstrans/src/mcstrans.c | 131 ++++++++++++++++++++++++++++------------ - mcstrans/utils/Makefile | 6 +- - 4 files changed, 104 insertions(+), 43 deletions(-) - -diff --git a/mcstrans/Makefile b/mcstrans/Makefile -index c993a9f52713..b20279ab984a 100644 ---- a/mcstrans/Makefile -+++ b/mcstrans/Makefile -@@ -1,3 +1,9 @@ -+PKG_CONFIG ?= pkg-config -+PCRE_MODULE := libpcre2-8 -+PCRE_CFLAGS := $(shell $(PKG_CONFIG) --cflags $(PCRE_MODULE)) -DPCRE2_CODE_UNIT_WIDTH=8 -+PCRE_LDLIBS := $(shell $(PKG_CONFIG) --libs $(PCRE_MODULE)) -+export PCRE_MODULE PCRE_CFLAGS PCRE_LDLIBS -+ - all: - $(MAKE) -C src - $(MAKE) -C utils -diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile -index 76ef055714e9..ef518625cd3b 100644 ---- a/mcstrans/src/Makefile -+++ b/mcstrans/src/Makefile -@@ -20,10 +20,10 @@ CFLAGS ?= -Wall -W -Wundef -Wmissing-noreturn -Wmissing-format-attribute - all: $(PROG) - - $(PROG): $(PROG_OBJS) $(LIBSEPOLA) -- $(CC) $(LDFLAGS) -pie -o $@ $^ -lselinux -lcap -lpcre $(LDLIBS_LIBSEPOLA) -+ $(CC) $(LDFLAGS) -pie -o $@ $^ -lselinux -lcap $(PCRE_LDLIBS) $(LDLIBS_LIBSEPOLA) - - %.o: 
%.c -- $(CC) $(CFLAGS) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -fPIE -c -o $@ $< -+ $(CC) $(CFLAGS) $(PCRE_CFLAGS) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -fPIE -c -o $@ $< - - install: all - test -d $(DESTDIR)$(SBINDIR) || install -m 755 -d $(DESTDIR)$(SBINDIR) -diff --git a/mcstrans/src/mcstrans.c b/mcstrans/src/mcstrans.c -index 09577ea0cc0b..6e4bfd3b16bd 100644 ---- a/mcstrans/src/mcstrans.c -+++ b/mcstrans/src/mcstrans.c -@@ -26,7 +26,7 @@ - #include - #include - #include --#include -+#include - #include - #include - #include -@@ -36,7 +36,6 @@ - #include "mcstrans.h" - - #define N_BUCKETS 1453 --#define OVECCOUNT (512*3) - - #define log_error(fmt, ...) fprintf(stderr, fmt, __VA_ARGS__) - -@@ -82,9 +81,9 @@ typedef struct word_group { - affix_t *suffixes; - word_t *words; - -- pcre *prefix_regexp; -- pcre *word_regexp; -- pcre *suffix_regexp; -+ pcre2_code *prefix_regexp; -+ pcre2_code *word_regexp; -+ pcre2_code *suffix_regexp; - - ebitmap_t def; - -@@ -109,7 +108,7 @@ typedef struct domain { - base_classification_t *base_classifications; - word_group_t *groups; - -- pcre *base_classification_regexp; -+ pcre2_code *base_classification_regexp; - struct domain *next; - } domain_t; - -@@ -317,9 +316,9 @@ destroy_group(word_group_t **list, word_group_t *group) { - free(group->name); - free(group->sword); - free(group->join); -- pcre_free(group->prefix_regexp); -- pcre_free(group->word_regexp); -- pcre_free(group->suffix_regexp); -+ pcre2_code_free(group->prefix_regexp); -+ pcre2_code_free(group->word_regexp); -+ pcre2_code_free(group->suffix_regexp); - ebitmap_destroy(&group->def); - free(group); - } -@@ -392,7 +391,7 @@ destroy_domain(domain_t *domain) { - free(domain->base_classifications); - domain->base_classifications = next; - } -- pcre_free(domain->base_classification_regexp); -+ pcre2_code_free(domain->base_classification_regexp); - while (domain->groups) - destroy_group(&domain->groups, domain->groups); - free(domain->name); -@@ -963,14 +962,16 @@ 
word_size(const void *p1, const void *p2) { - } - - static void --build_regexp(pcre **r, char *buffer) { -- const char *error; -- int error_offset; -+build_regexp(pcre2_code **r, char *buffer) { -+ int error; -+ PCRE2_SIZE error_offset; - if (*r) -- pcre_free(*r); -- *r = pcre_compile(buffer, PCRE_CASELESS, &error, &error_offset, NULL); -- if (error) { -- log_error("pcre=%s, error=%s\n", buffer, error ? error: "none"); -+ pcre2_code_free(*r); -+ *r = pcre2_compile((PCRE2_SPTR8) buffer, PCRE2_ZERO_TERMINATED, PCRE2_CASELESS, &error, &error_offset, NULL); -+ if (!*r) { -+ PCRE2_UCHAR errbuf[256]; -+ pcre2_get_error_message(error, errbuf, sizeof(errbuf)); -+ log_error("pcre compilation of '%s' failed at offset %zu: %s\n", buffer, error_offset, errbuf); - } - buffer[0] = '\0'; - } -@@ -1088,12 +1089,12 @@ compute_raw_from_trans(const char *level, domain_t *domain) { - #endif - - int rc = 0; -- int ovector[OVECCOUNT]; -+ pcre2_match_data *match_data = NULL; - word_group_t *g = NULL; - char *work = NULL; - char *r = NULL; -- const char * match = NULL; -- int work_len; -+ char *match = NULL; -+ size_t work_len; - mls_level_t *mraw = NULL; - ebitmap_t set, clear, tmp; - -@@ -1114,11 +1115,20 @@ compute_raw_from_trans(const char *level, domain_t *domain) { - if (!domain->base_classification_regexp) - goto err; - log_debug(" compute_raw_from_trans work = %s\n", work); -- rc = pcre_exec(domain->base_classification_regexp, 0, work, work_len, 0, PCRE_ANCHORED, ovector, OVECCOUNT); -+ match_data = pcre2_match_data_create_from_pattern(domain->base_classification_regexp, NULL); -+ if (!match_data) { -+ log_error("allocation error %s", strerror(errno)); -+ goto err; -+ } -+ rc = pcre2_match(domain->base_classification_regexp, (PCRE2_SPTR8)work, work_len, 0, PCRE2_ANCHORED, match_data, NULL); - if (rc > 0) { -- match = NULL; -- pcre_get_substring(work, ovector, rc, 0, &match); -- log_debug(" compute_raw_from_trans match = %s len = %u\n", match, strlen(match)); -+ const PCRE2_SIZE 
*ovector = pcre2_get_ovector_pointer(match_data); -+ match = strndup(work + ovector[0], ovector[1] - ovector[0]); -+ if (!match) { -+ log_error("allocation error %s", strerror(errno)); -+ goto err; -+ } -+ log_debug(" compute_raw_from_trans match = %s len = %zu\n", match, strlen(match)); - base_classification_t *bc; - for (bc = domain->base_classifications; bc; bc = bc->next) { - if (!strcmp(bc->trans, match)) { -@@ -1138,12 +1148,23 @@ compute_raw_from_trans(const char *level, domain_t *domain) { - char *p=work + ovector[0] + ovector[1]; - while (*p && (strchr(" ", *p) != NULL)) - *p++ = '#'; -- pcre_free((char *)match); -+ -+ free(match); - match = NULL; - } else { -- log_debug(" compute_raw_from_trans no base classification matched %s\n", level); -+ switch (rc) { -+ case PCRE2_ERROR_NOMATCH: -+ log_debug(" compute_raw_from_trans no base classification matched %s\n", level); -+ break; -+ default: -+ log_error("compute_raw_from_trans: base matching error for input '%s': %d\n", level, rc); -+ break; -+ } - } - -+ pcre2_match_data_free(match_data); -+ match_data = NULL; -+ - if (mraw == NULL) { - goto err; - } -@@ -1154,23 +1175,43 @@ compute_raw_from_trans(const char *level, domain_t *domain) { - change = 0; - for (g = domain->groups; g && !change && !complete; g = g->next) { - int prefix = 0, suffix = 0; -- int prefix_offset = 0, prefix_len = 0; -- int suffix_offset = 0, suffix_len = 0; -+ PCRE2_SIZE prefix_offset = 0, prefix_len = 0; -+ PCRE2_SIZE suffix_offset = 0, suffix_len = 0; - if (g->prefix_regexp) { -- rc = pcre_exec(g->prefix_regexp, 0, work, work_len, 0, 0, ovector, OVECCOUNT); -+ match_data = pcre2_match_data_create_from_pattern(g->prefix_regexp, NULL); -+ if (!match_data) { -+ log_error("allocation error %s", strerror(errno)); -+ goto err; -+ } -+ rc = pcre2_match(g->prefix_regexp, (PCRE2_SPTR8)work, work_len, 0, 0, match_data, NULL); - if (rc > 0) { -+ const PCRE2_SIZE *ovector = pcre2_get_ovector_pointer(match_data); - prefix = 1; - prefix_offset = 
ovector[0]; - prefix_len = ovector[1] - ovector[0]; -+ } else if (rc != PCRE2_ERROR_NOMATCH) { -+ log_error("compute_raw_from_trans: prefix matching error for input '%s': %d\n", level, rc); - } -+ pcre2_match_data_free(match_data); -+ match_data = NULL; - } - if (g->suffix_regexp) { -- rc = pcre_exec(g->suffix_regexp, 0, work, work_len, 0, 0, ovector, OVECCOUNT); -+ match_data = pcre2_match_data_create_from_pattern(g->suffix_regexp, NULL); -+ if (!match_data) { -+ log_error("allocation error %s", strerror(errno)); -+ goto err; -+ } -+ rc = pcre2_match(g->suffix_regexp, (PCRE2_SPTR8)work, work_len, 0, 0, match_data, NULL); - if (rc > 0) { -+ const PCRE2_SIZE *ovector = pcre2_get_ovector_pointer(match_data); - suffix = 1; - suffix_offset = ovector[0]; - suffix_len = ovector[1] - ovector[0]; -+ } else if (rc != PCRE2_ERROR_NOMATCH) { -+ log_error("compute_raw_from_trans: suffix matching error for input '%s': %d\n", level, rc); - } -+ pcre2_match_data_free(match_data); -+ match_data = NULL; - } - - /* anchors prefix ^, suffix $ */ -@@ -1179,14 +1220,23 @@ compute_raw_from_trans(const char *level, domain_t *domain) { - (g->suffixes && suffix)) && - g->word_regexp) { - char *s = work + prefix_offset + prefix_len; -- int l = (suffix_len ? suffix_offset : work_len) - prefix_len - prefix_offset; -- rc = pcre_exec(g->word_regexp, 0, s, l, 0, 0, ovector, OVECCOUNT); -+ PCRE2_SIZE len = (suffix_len ? 
suffix_offset : work_len) - prefix_len - prefix_offset; -+ match_data = pcre2_match_data_create_from_pattern(g->word_regexp, NULL); -+ if (!match_data) { -+ log_error("allocation error %s", strerror(errno)); -+ goto err; -+ } -+ rc = pcre2_match(g->word_regexp, (PCRE2_SPTR8)s, len, 0, 0, match_data, NULL); - if (rc > 0) { -- match = NULL; -- pcre_get_substring(s, ovector, rc, 0, &match); -- trim((char *)match, g->whitespace); -+ const PCRE2_SIZE *ovector = pcre2_get_ovector_pointer(match_data); -+ match = strndup(s + ovector[0], ovector[1] - ovector[0]); -+ if (!match) { -+ log_error("allocation error %s", strerror(errno)); -+ goto err; -+ } -+ trim(match, g->whitespace); - if (*match) { -- char *p = triml((char *)match, g->whitespace); -+ char *p = triml(match, g->whitespace); - while (p && *p) { - int plen = strlen(p); - unsigned int i; -@@ -1223,9 +1273,13 @@ compute_raw_from_trans(const char *level, domain_t *domain) { - memset(work + suffix_offset, '#', suffix_len); - memset(s + ovector[0], '#', ovector[1] - ovector[0]); - } -- pcre_free((void *)match); -+ free(match); - match = NULL; -+ } else if (rc != PCRE2_ERROR_NOMATCH) { -+ log_error("compute_raw_from_trans: word matching error for input '%s' for substring '%s': %d\n", level, s, rc); - } -+ pcre2_match_data_free(match_data); -+ match_data = NULL; - } - /* YYY */ - complete=1; -@@ -1264,10 +1318,11 @@ err: - mls_level_destroy(mraw); - free(mraw); - free(work); -- pcre_free((void *)match); -+ free(match); - ebitmap_destroy(&tmp); - ebitmap_destroy(&set); - ebitmap_destroy(&clear); -+ pcre2_match_data_free(match_data); - return NULL; - } - -diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile -index 9dfe772332b4..a48f4e72acc0 100644 ---- a/mcstrans/utils/Makefile -+++ b/mcstrans/utils/Makefile -@@ -14,13 +14,13 @@ endif - all: $(TARGETS) - - transcon: transcon.o ../src/mcstrans.o ../src/mls_level.o $(LIBSEPOLA) -- $(CC) $(LDFLAGS) -o $@ $^ -lpcre -lselinux $(LDLIBS_LIBSEPOLA) -+ $(CC) $(LDFLAGS) 
-o $@ $^ $(PCRE_LDLIBS) -lselinux $(LDLIBS_LIBSEPOLA)
-
- untranscon: untranscon.o ../src/mcstrans.o ../src/mls_level.o $(LIBSEPOLA)
-- $(CC) $(LDFLAGS) -o $@ $^ -lpcre -lselinux $(LDLIBS_LIBSEPOLA)
-+ $(CC) $(LDFLAGS) -o $@ $^ $(PCRE_LDLIBS) -lselinux $(LDLIBS_LIBSEPOLA)
-
- %.o: %.c
-- $(CC) $(CFLAGS) -D_GNU_SOURCE -I../src -fPIE -c -o $@ $<
-+ $(CC) $(CFLAGS) $(PCRE_CFLAGS) -D_GNU_SOURCE -I../src -fPIE -c -o $@ $<
-
- install: all
- -mkdir -p $(DESTDIR)$(SBINDIR)
--- 
-2.33.1
-
diff --git a/mcstrans.spec b/mcstrans.spec
index 812b864..05bd210 100644
--- a/mcstrans.spec
+++ b/mcstrans.spec
@@ -1,20 +1,14 @@
 Summary: SELinux Translation Daemon
 Name: mcstrans
-Version: 3.3
-Release: 2%{?dist}
+Version: 3.4
+Release: 1%{?dist}
 License: GPL+
 Url: https://github.com/SELinuxProject/selinux/wiki
-Source: https://github.com/SELinuxProject/selinux/releases/download/3.3/mcstrans-3.3.tar.gz
+Source: https://github.com/SELinuxProject/selinux/releases/download/3.4/mcstrans-3.4.tar.gz
 Source2: secolor.conf.8
-# fedora-selinux/selinux: git format-patch -N 3.3 -- mcstrans
+# fedora-selinux/selinux: git format-patch -N 3.4 -- mcstrans
 # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
-Patch0001: 0001-mcstrans-Fir-RESOURCE_LEAK-and-USE_AFTER_FREE-coveri.patch
-Patch0002: 0002-mcstrans-Fix-USER_AFTER_FREE-problem.patch
-Patch0003: 0003-mcstrans-Do-not-accept-incomplete-contexts.patch
-Patch0004: 0004-mcstrans-fix-RESOURCE_LEAK-CWE-772.patch
-Patch0005: 0005-mcstrans-avoid-missing-prototypes.patch
-Patch0006: 0006-mcstrans-port-to-new-PCRE2-from-end-of-life-PCRE.patch
 # Patch list end
 BuildRequires: gcc
 BuildRequires: make
@@ -97,6 +91,9 @@ install -m644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
 %{_usr}/share/mcstrans/util/*
 %changelog
+* Fri May 20 2022 Petr Lautrbach - 3.4-1
+- SELinux userspace 3.4 release
+
 * Fri Dec 10 2021 Petr Lautrbach - 3.3-2
 - Port to new PCRE2 from end-of-life PCRE
diff --git a/sources b/sources
index 1986e2b..ace097f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (mcstrans-3.3.tar.gz) = 2157a0361bb5a2bc8e149373b2dd7d9b042f8c4c0aa845ae6967a23d9b875d2dcd6176d99d7f8f15e17eb5877fea60814e19aabfe76950d25b75c9c25df811c2
+SHA512 (mcstrans-3.4.tar.gz) = bd612f1ae886c7a0300bb4aa1d52f139677787cc026475eada98e11a46910fa4a8baba9026530af6fa649a4f07978039f584e55567b87bbbb89ff06fb182518c