Sandbox translations #1
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Since test-linker-cond-map.h and test-linker-types.h references policydb_t, include the policydb header file. Signed-off-by: James Carter <[email protected]>
This is needed to use "-Wmissing-prototypes". Signed-off-by: James Carter <[email protected]>
This is needed to use "-Wmissing-prototypes". Signed-off-by: James Carter <[email protected]>
This is needed to use "-Wmissing-prototypes". Signed-off-by: James Carter <[email protected]>
The functions helper_port_validate_local_proto(), get_type(), and get_fcontext_new() are not used, so remove them. Signed-off-by: James Carter <[email protected]>
checkpolicy(8) since 01b88ac ("checkpolicy: warn on bogus IP address or netmask in nodecon statement") warns about host bits set in IPv6 addresses. Adjust IPv6 netmasks in the libsepol tests so that the used address ::1 does not set any host bits and running the tests does not print several of the following warnings: net_contexts:15:WARNING 'host bits in ipv6 address set' at token '' on line 594: Acked-by: James Carter <[email protected]> Signed-off-by: Christian Göttsche <[email protected]>
The function __cil_verify_rule() is currently not used as all call sites are commented out. Keep the function for future references. Acked-by: James Carter <[email protected]> Signed-off-by: Christian Göttsche <[email protected]>
The code generated by swig triggers the following warning:
semanageswig_wrap.c:2759:24: warning: no previous prototype for ‘PyInit__semanage’ [-Wmissing-prototypes]
2759 | # define SWIG_init PyInit__semanage
| ^~~~~~~~~~~~~~~~
semanageswig_wrap.c:17772:1: note: in expansion of macro ‘SWIG_init’
17772 | SWIG_init(void) {
| ^~~~~~~~~
Ignore -Wmissing-prototypes for swig generated source files.
Acked-by: James Carter <[email protected]>
Signed-off-by: Christian Göttsche <[email protected]>
Check for missing prototypes like file local functions not declared static or external functions not being declared to avoid declaration/ definition desynchronizations. Acked-by: James Carter <[email protected]> Signed-off-by: Christian Göttsche <[email protected]>
selabel_open(3) takes an `unsigned int` as backend parameter. Acked-by: James Carter <[email protected]> Signed-off-by: Christian Göttsche <[email protected]>
If selabel_open(3) fails, e.g. when a specfile has the wrong file permissions, free the memory allocated for digests. Fixes: e40bbea ("libselinux: Add selabel_digest function") Acked-by: James Carter <[email protected]> Signed-off-by: Christian Göttsche <[email protected]>
The internal Sha1Update() functions only handles buffers up to a size of UINT32_MAX, due to its usage of the type uint32_t. This causes issues when processing more than UINT32_MAX bytes, e.g. with a specfile larger than 4G. 0aa974a ("libselinux: limit has buffer size") tried to address this issue, but failed since the overflow check if (digest->hashbuf_size + buf_len < digest->hashbuf_size) { will be done in the widest common type, which is size_t, the type of `buf_len`. Revert the type of `hashbuf_size` to size_t and instead process the data in blocks of supported size. Acked-by: James Carter <[email protected]> Signed-off-by: Christian Göttsche <[email protected]> Reverts: 0aa974a ("libselinux: limit has buffer size")
Signed-off-by: Petr Lautrbach <[email protected]>
Source https://translate.fedoraproject.org/projects/selinux/ Signed-off-by: Petr Lautrbach <[email protected]>
jwcart2
pushed a commit
that referenced
this pull request
Dec 16, 2022
Add return check for regex_data_create() to avoid NULL reference of regex_data (gdb) bt #0 0x00007fbde5caec14 in pthread_mutex_init () from /usr/lib64/libc.so.6 #1 0x00007fbde5e3a489 in regex_data_create () at regex.c:260 SELinuxProject#2 0x00007fbde5e3a4af in regex_prepare_data (regex=regex@entry=0x7fbde4613770, pattern_string=pattern_string@entry=0x563c6799a820 "^/home$", errordata=errordata@entry=0x7ffeb83fa950) at regex.c:76 SELinuxProject#3 0x00007fbde5e32fe6 in compile_regex (errbuf=0x0, spec=0x7fbde4613748) at label_file.h:407 SELinuxProject#4 lookup_all (key=0x563c679974e5 "/var/log/kadmind.log", type=<optimized out>, partial=partial@entry=false, match_count=match_count@entry=0x0, rec=<optimized out>, rec=<optimized out>) at label_file.c:949 SELinuxProject#5 0x00007fbde5e33350 in lookup (rec=<optimized out>, key=<optimized out>, type=<optimized out>) at label_file.c:1092 SELinuxProject#6 0x00007fbde5e31878 in selabel_lookup_common (rec=0x563c67998cc0, translating=1, key=<optimized out>, type=<optimized out>) at label.c:167 Signed-off-by: Jie Lu <[email protected]> Acked-by: James Carter <[email protected]>
jwcart2
pushed a commit
that referenced
this pull request
Jan 11, 2023
Add return check for regex_data_create() to avoid NULL reference of regex_data (gdb) bt #0 0x00007fbde5caec14 in pthread_mutex_init () from /usr/lib64/libc.so.6 #1 0x00007fbde5e3a489 in regex_data_create () at regex.c:260 SELinuxProject#2 0x00007fbde5e3a4af in regex_prepare_data (regex=regex@entry=0x7fbde4613770, pattern_string=pattern_string@entry=0x563c6799a820 "^/home$", errordata=errordata@entry=0x7ffeb83fa950) at regex.c:76 SELinuxProject#3 0x00007fbde5e32fe6 in compile_regex (errbuf=0x0, spec=0x7fbde4613748) at label_file.h:407 SELinuxProject#4 lookup_all (key=0x563c679974e5 "/var/log/kadmind.log", type=<optimized out>, partial=partial@entry=false, match_count=match_count@entry=0x0, rec=<optimized out>, rec=<optimized out>) at label_file.c:949 SELinuxProject#5 0x00007fbde5e33350 in lookup (rec=<optimized out>, key=<optimized out>, type=<optimized out>) at label_file.c:1092 SELinuxProject#6 0x00007fbde5e31878 in selabel_lookup_common (rec=0x563c67998cc0, translating=1, key=<optimized out>, type=<optimized out>) at label.c:167 Signed-off-by: Jie Lu <[email protected]> Acked-by: James Carter <[email protected]>
jwcart2
pushed a commit
that referenced
this pull request
May 3, 2023
The output parameter `role_arr` of semanage_user_get_roles() is an array
of non-owned role names. Since the array is never used again, as its
contents have been copied into the return value `roles`, free it.
Example leak report from useradd(8):
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x5597624284a8 in __interceptor_calloc (./shadow/src/useradd+0xee4a8)
#1 0x7f53aefcbbf9 in sepol_user_get_roles src/user_record.c:270:21
jwcart2
pushed a commit
that referenced
this pull request
May 3, 2023
The output parameter `role_arr` of semanage_user_get_roles() is an array
of non-owned role names. Since the array is never used again, as its
contents have been copied into the return value `roles`, free it.
Example leak report from useradd(8):
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x5597624284a8 in __interceptor_calloc (./shadow/src/useradd+0xee4a8)
#1 0x7f53aefcbbf9 in sepol_user_get_roles src/user_record.c:270:21
jwcart2
pushed a commit
that referenced
this pull request
Mar 20, 2024
In case the init function for a selabel backend fails, free the possible
already allocated data:
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x5e7e2bf001e3 in malloc (/tmp/destdir/usr/sbin/selabel_digest+0xc71e3)
#1 0x7233764baa65 in selabel_media_init /home/christian/Coding/workspaces/selinux/libselinux/src/label_media.c:226:30
SELinuxProject#2 0x7233764ac1fe in selabel_open /home/christian/Coding/workspaces/selinux/libselinux/src/label.c:227:6
SELinuxProject#3 0x5e7e2bf3ebfc in main /home/christian/Coding/workspaces/selinux/libselinux/utils/selabel_digest.c:125:8
SELinuxProject#4 0x7233761856c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).
Signed-off-by: Christian Göttsche <[email protected]>
Acked-by: James Carter <[email protected]>
jwcart2
pushed a commit
that referenced
this pull request
Mar 27, 2024
In case the init function for a selabel backend fails, free the possible
already allocated data:
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x5e7e2bf001e3 in malloc (/tmp/destdir/usr/sbin/selabel_digest+0xc71e3)
#1 0x7233764baa65 in selabel_media_init /home/christian/Coding/workspaces/selinux/libselinux/src/label_media.c:226:30
SELinuxProject#2 0x7233764ac1fe in selabel_open /home/christian/Coding/workspaces/selinux/libselinux/src/label.c:227:6
SELinuxProject#3 0x5e7e2bf3ebfc in main /home/christian/Coding/workspaces/selinux/libselinux/utils/selabel_digest.c:125:8
SELinuxProject#4 0x7233761856c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: 16 byte(s) leaked in 1 allocation(s).
Signed-off-by: Christian Göttsche <[email protected]>
Acked-by: James Carter <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Test the sandbox translations