[policycoreutils] Fix sepolicy communicate to handle invalid input
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Nov 30 05:01:36 UTC 2012
commit ad24fe0d6f066503d4c5a02c231083bb785fb119
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Nov 30 00:01:24 2012 -0500
Fix sepolicy communicate to handle invalid input
policycoreutils-rhat.patch | 180 ++++++++++++++++++++++++++++++++++++++++----
policycoreutils.spec | 5 +-
2 files changed, 170 insertions(+), 15 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 8f7cc59..30da694 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -331654,10 +331654,10 @@ index 0000000..dc3ce6a
+
diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c
new file mode 100644
-index 0000000..18aa555
+index 0000000..ae5424e
--- /dev/null
+++ b/policycoreutils/sepolicy/info.c
-@@ -0,0 +1,895 @@
+@@ -0,0 +1,1034 @@
+/**
+ * @file
+ * Command line tool to search TE rules.
@@ -331714,7 +331714,7 @@ index 0000000..18aa555
+
+enum input
+{
-+ TYPE, ATTRIBUTE, ROLE, USER, PORT, BOOLEAN,
++ TYPE, ATTRIBUTE, ROLE, USER, PORT, BOOLEAN, CLASS
+};
+
+static int py_insert_long(PyObject *dict, const char *name, int value)
@@ -332136,6 +332136,141 @@ index 0000000..18aa555
+}
+
+/**
++ * Prints a textual representation of an object class and possibly
++ * all of that object class' permissions.
++ *
++ * @param fp Reference to a file to which to print object class information
++ * @param type_datum Reference to sepol type_datum
++ * @param policydb Reference to a policy
++ * @param expand Flag indicating whether to print each object class'
++ * permissions
++ */
++static PyObject* get_class(const qpol_class_t * class_datum, const apol_policy_t * policydb)
++{
++ const char *class_name = NULL, *perm_name = NULL;
++ qpol_iterator_t *iter = NULL;
++ const qpol_common_t *common_datum = NULL;
++ qpol_policy_t *q = apol_policy_get_qpol(policydb);
++ int error = 0;
++ int rt;
++ PyObject *list = NULL;
++ PyObject *dict = PyDict_New();
++ if (!dict) goto err;
++
++ if (!class_datum)
++ goto err;
++
++ if (qpol_class_get_name(q, class_datum, &class_name))
++ goto err;
++
++ if (py_insert_string(dict, "name", class_name))
++ goto err;
++ /* get commons for this class */
++ if (qpol_class_get_common(q, class_datum, &common_datum))
++ goto err;
++
++ list = PyList_New(0);
++ if (!list) goto err;
++
++ if (common_datum) {
++ if (qpol_common_get_perm_iter(q, common_datum, &iter))
++ goto err;
++ /* print perms for the common */
++ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
++ if (qpol_iterator_get_item(iter, (void **)&perm_name))
++ goto err;
++ if (py_append_string(list, perm_name))
++ goto err;
++ }
++ }
++ /* print unique perms for this class */
++ if (qpol_class_get_perm_iter(q, class_datum, &iter))
++ goto err;
++ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
++ if (qpol_iterator_get_item(iter, (void **)&perm_name))
++ goto err;
++ if (py_append_string(list, perm_name))
++ goto err;
++ }
++ rt = py_insert_obj(dict, "permlist", list);
++ Py_DECREF(list); list = NULL;
++ if (rt) goto err;
++ qpol_iterator_destroy(&iter);
++ goto cleanup;
++
++err:
++ error = errno;
++ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
++ py_decref(list); list=NULL;
++ py_decref(dict); dict=NULL;
++
++cleanup:
++ errno = error;
++ qpol_iterator_destroy(&iter);
++ return dict;
++}
++
++/**
++ * Get statistics regarding a policy's object classes.
++ * If this function is given a name, it will attempt to
++ * print statistics about a particular object class; otherwise
++ * the function prints statistics about all of the policy's object
++ * classes.
++ *
++ * @param name Reference to an object class' name; if NULL,
++ * all object classes will be considered
++ * @param policydb Reference to a policy
++ *
++ * @return 0 on success, < 0 on error.
++ */
++static PyObject* get_classes(const char *name, const apol_policy_t * policydb)
++{
++ qpol_iterator_t *iter = NULL;
++ size_t n_classes = 0;
++ const qpol_class_t *class_datum = NULL;
++ qpol_policy_t *q = apol_policy_get_qpol(policydb);
++ int error = 0;
++ int rt;
++ PyObject *obj;
++ PyObject *list = PyList_New(0);
++ if (!list) goto err;
++
++ if (name != NULL) {
++ if (qpol_policy_get_class_by_name(q, name, &class_datum))
++ goto err;
++ obj = get_class(class_datum, policydb);
++ rt = py_append_obj(list, obj);
++ Py_DECREF(obj);
++ if (rt) goto err;
++ } else {
++ if (qpol_policy_get_class_iter(q, &iter))
++ goto err;
++ if (qpol_iterator_get_size(iter, &n_classes))
++ goto err;
++
++ for (; !qpol_iterator_end(iter); qpol_iterator_next(iter)) {
++ if (qpol_iterator_get_item(iter, (void **)&class_datum))
++ goto err;
++ obj = get_class(class_datum, policydb);
++ rt = py_append_obj(list, obj);
++ Py_DECREF(obj);
++ if (rt) goto err;
++ }
++ qpol_iterator_destroy(&iter);
++ }
++ goto cleanup;
++err:
++ error = errno;
++ PyErr_SetString(PyExc_RuntimeError,strerror(errno));
++ py_decref(list); list = NULL;
++
++cleanup:
++ qpol_iterator_destroy(&iter);
++ errno = error;
++ return list;
++}
++
++/**
+ * Gets statistics regarding a policy's users.
+ * If this function is given a name, it will attempt to
+ * get statistics about a particular user; otherwise
@@ -332526,6 +332661,9 @@ index 0000000..18aa555
+ if (type == USER)
+ output = get_users(name, policy);
+
++ if (type == CLASS)
++ output = get_classes(name, policy);
++
+ if (type == BOOLEAN)
+ output = get_booleans(name, policy);
+
@@ -332551,6 +332689,7 @@ index 0000000..18aa555
+ PyModule_AddIntConstant(m, "ROLE", ROLE);
+ PyModule_AddIntConstant(m, "TYPE", TYPE);
+ PyModule_AddIntConstant(m, "USER", USER);
++ PyModule_AddIntConstant(m, "CLASS", CLASS);
+ PyModule_AddIntConstant(m, "BOOLEAN", BOOLEAN);
+}
diff --git a/policycoreutils/sepolicy/policy.c b/policycoreutils/sepolicy/policy.c
@@ -334177,10 +334316,10 @@ index 0000000..a40f37d
+selinux(8), sepolicy-generate(8), sepolicy-communicate(8), sepolicy-generate(8), sepolicy-network(8), sepolicy-transition(8)
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
new file mode 100755
-index 0000000..8dfce7c
+index 0000000..dd4adef
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy.py
-@@ -0,0 +1,319 @@
+@@ -0,0 +1,331 @@
+#! /usr/bin/python -Es
+# Copyright (C) 2012 Red Hat
+# AUTHOR: Dan Walsh <dwalsh at redhat.com>
@@ -334291,21 +334430,31 @@ index 0000000..8dfce7c
+class CheckDomain(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
+ from sepolicy.network import domains
-+ newval = getattr(namespace, self.dest)
-+ if not newval:
-+ newval = []
+
+ if isinstance(values,str):
+ if values not in domains:
+ raise ValueError("%s must be an SELinux process domain" % values)
-+ newval.append(values)
++ setattr(namespace, self.dest, values)
+ else:
++ newval = getattr(namespace, self.dest)
++ if not newval:
++ newval = []
++
+ for v in values:
+ if v not in domains:
+ raise ValueError("%s must be an SELinux process domain" % values)
+ newval.append(v)
++ setattr(namespace, self.dest, newval)
+
-+ setattr(namespace, self.dest, newval)
++all_classes = None
++class CheckClass(argparse.Action):
++ def __call__(self, parser, namespace, values, option_string=None):
++ global all_classes
++ if not all_classes:
++ all_classes = map(lambda x: x['name'], sepolicy.info(sepolicy.TCLASS))
++ if values not in all_classes:
++ raise ValueError("%s must be an SELinux process domain" % values)
++ setattr(namespace, self.dest, values)
+
+class CheckPort(argparse.Action):
+ def __call__(self, parser, namespace, values, option_string=None):
@@ -334399,7 +334548,9 @@ index 0000000..8dfce7c
+ comm.add_argument("-t", "--target", dest="target",
+ action=CheckDomain, required=True,
+ help=_("Target Domain"))
-+ comm.add_argument("-c", "--class", required=False, dest="tclass", default="file", help="class to use for communications, Default 'file'")
++ comm.add_argument("-c", "--class", required=False, dest="tclass",
++ action=CheckClass,
++ default="file", help="class to use for communications, Default 'file'")
+ comm.add_argument("-S", "--sourceaccess", required=False, dest="sourceaccess", default="open,write", help="comma separate list of permissions for the source type to use, Default 'open,write'")
+ comm.add_argument("-T", "--targetaccess", required=False, dest="targetaccess", default="open,read", help="comma separated list of permissions for the target type to use, Default 'open,read'")
+ comm.set_defaults(func=communicate)
@@ -334502,11 +334653,11 @@ index 0000000..8dfce7c
+ sys.exit(0)
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
new file mode 100644
-index 0000000..e43a2fb
+index 0000000..ece5b4b
--- /dev/null
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
-@@ -0,0 +1,136 @@
-+#!/usr/bin/env python
+@@ -0,0 +1,137 @@
++#!/usr/bin/python
+
+# Author: Thomas Liu <tliu at redhat.com>
+# Author: Dan Walsh <dwalsh at redhat.com>
@@ -334532,6 +334683,7 @@ index 0000000..e43a2fb
+PORT = _policy.PORT
+USER = _policy.USER
+BOOLEAN = _policy.BOOLEAN
++TCLASS = _policy.CLASS
+
+ALLOW = 'allow'
+AUDITALLOW = 'auditallow'
diff --git a/policycoreutils.spec b/policycoreutils.spec
index d628d4c..b5b68ba 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.13
-Release: 39%{?dist}
+Release: 40%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -338,6 +338,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
+* Fri Nov 30 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-40
+- Fix sepolicy communicate to handle invalid input
+
* Thu Nov 29 2012 Dan Walsh <dwalsh at redhat.com> - 2.1.12-39
- Fix sepolicy network -p to handle high ports
More information about the scm-commits
mailing list