packages/libsemanage
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport patches from upstream

Browse Source 
(cherry picked from commit b35a0b4145912aaf1c58580ed922c68a38996158)
This commit is contained in:
zgzxx 2023-06-13 15:08:08 +08:00 committed by openeuler-sync-bot
parent df14e52837
commit a249fab278
7 changed files with 1259 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

137
backport-libsemanage-Fall-back-to-semanage_copy_dir-when-rena.patch Normal file
View File

@ -0,0 +1,137 @@
From c7a3b93e31df312ed5b71436ec874054a95d4209 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 24 Mar 2022 13:00:34 +0100
Subject: [PATCH] libsemanage: Fall back to semanage_copy_dir when rename()
fails
In some circumstances, like semanage-store being on overlayfs, rename()
could fail with EXDEV - Invalid cross-device link. This is due to the
fact that overlays doesn't support rename() if source and target are not
on the same layer, e.g. in containers built from several layers. Even
though it's not atomic operation, it's better to try to copy files from
src to dst on our own in this case. Next rebuild will probably not fail
as the new directories will be on the same layer.
Fixes: https://github.com/SELinuxProject/selinux/issues/343
Reproducer:
$ cd selinux1
$ cat Dockerfile
FROM fedora:35
RUN dnf install -y selinux-policy selinux-policy-targeted
$ podman build -t localhost/selinux . --no-cache
$ cd ../selinux2
$ cat Dockerfile
FROM localhost/selinux
RUN semodule -B
$ podman build -t localhost/selinux2 . --no-cache
STEP 2/2: RUN semodule -B
libsemanage.semanage_commit_sandbox: Error while renaming /var/lib/selinux/targeted/active to /var/lib/selinux/targeted/previous. (Invalid cross-device link).
semodule: Failed!
Error: error building at STEP "RUN semodule -B": error while running runtime: exit status 1
With the fix:
$ podman build -t localhost/selinux2 . --no-cache
STEP 2/2: RUN semodule -B
libsemanage.semanage_rename: Warning: rename(/var/lib/selinux/targeted/active, /var/lib/selinux/targeted/previous) failed: Invalid cross-device link, fall back to non-atomic semanage_copy_dir_flags()
COMMIT localhost/selinux2
--> d2cfcebc1a1
Successfully tagged localhost/selinux2:latest
d2cfcebc1a1b34f1c2cd661ac18292b0612c3e5fa71d6fa1441be244da91b1af
Reported-by: Joseph Marrero Corchado <jmarrero@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
Reference:https://github.com/SELinuxProject/selinux/commit/c7a3b93e31df312ed5b71436ec874054a95d4209
Conflict: Modify the file paths
---
libsemanage/src/semanage_store.c | 30 ++++++++++++++++++++++++------
1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/src/semanage_store.c b/src/semanage_store.c
index 767f05cb..c6d2c5e7 100644
--- a/src/semanage_store.c
+++ b/src/semanage_store.c
@@ -697,6 +697,10 @@ int semanage_store_access_check(void)
/********************* other I/O functions *********************/
+static int semanage_rename(semanage_handle_t * sh, const char *tmp, const char *dst);
+int semanage_remove_directory(const char *path);
+static int semanage_copy_dir_flags(const char *src, const char *dst, int flag);
+
/* Callback used by scandir() to select files. */
static int semanage_filename_select(const struct dirent *d)
{
@@ -768,7 +772,21 @@ out:
return retval;
}
-static int semanage_copy_dir_flags(const char *src, const char *dst, int flag);
+static int semanage_rename(semanage_handle_t * sh, const char *src, const char *dst) {
+ int retval;
+
+ retval = rename(src, dst);
+ if (retval == 0 || errno != EXDEV)
+ return retval;
+
+ /* we can't use rename() due to filesystem limitation, lets try to copy files manually */
+ WARN(sh, "WARNING: rename(%s, %s) failed: %s, fall back to non-atomic semanage_copy_dir_flags()",
+ src, dst, strerror(errno));
+ if (semanage_copy_dir_flags(src, dst, 1) == -1) {
+ return -1;
+ }
+ return semanage_remove_directory(src);
+}
/* Copies all of the files from src to dst, recursing into
* subdirectories. Returns 0 on success, -1 on error. */
@@ -1770,7 +1788,7 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
goto cleanup;
}
- if (rename(active, backup) == -1) {
+ if (semanage_rename(sh, active, backup) == -1) {
ERR(sh, "Error while renaming %s to %s.", active, backup);
retval = -1;
goto cleanup;
@@ -1779,12 +1797,12 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
/* clean up some files from the sandbox before install */
/* remove homedir_template from sandbox */
- if (rename(sandbox, active) == -1) {
+ if (semanage_rename(sh, sandbox, active) == -1) {
ERR(sh, "Error while renaming %s to %s.", sandbox, active);
/* note that if an error occurs during the next
* function then the store will be left in an
* inconsistent state */
- if (rename(backup, active) < 0)
+ if (semanage_rename(sh, backup, active) < 0)
ERR(sh, "Error while renaming %s back to %s.", backup,
active);
retval = -1;
@@ -1795,10 +1813,10 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
* function then the store will be left in an
* inconsistent state */
int errsv = errno;
- if (rename(active, sandbox) < 0)
+ if (semanage_rename(sh, active, sandbox) < 0)
ERR(sh, "Error while renaming %s back to %s.", active,
sandbox);
- else if (rename(backup, active) < 0)
+ else if (semanage_rename(sh, backup, active) < 0)
ERR(sh, "Error while renaming %s back to %s.", backup,
active);
else
--
2.27.0

36
backport-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_direct_get_module_info.patch Normal file
View File

@ -0,0 +1,36 @@
From 28510556f84263219a3d1846d6e2857c91680419 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 1 Apr 2022 15:35:47 +0200
Subject: [PATCH] libsemanage: Fix USE_AFTER_FREE (CWE-672) in
semanage_direct_get_module_info()
>From fclose(3):
Upon successful completion, 0 is returned. Otherwise, EOF is returned
and errno is set to indicate the error. In either case, any further
access (including another call to fclose()) to the stream results in
undefined behavior.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Reference: https://github.com/SELinuxProject/selinux/commit/28510556f84263219a3d1846d6e2857c91680419
Conflict: Modify the file paths
---
libsemanage/src/direct_api.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/direct_api.c b/src/direct_api.c
index d83941b0..d5716ce5 100644
--- a/src/direct_api.c
+++ b/src/direct_api.c
@@ -2293,6 +2293,7 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh,
tmp = NULL;
if (fclose(fp) != 0) {
+ fp = NULL;
ERR(sh,
"Unable to close %s module lang ext file.",
(*modinfo)->name);
--
2.27.0

56
backport-libsemanage-avoid-double-fclose.patch Normal file
View File

@ -0,0 +1,56 @@
From e205e3e84a87ab0416d0d990d7534e6ea968332b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 8 Apr 2022 15:10:54 +0200
Subject: [PATCH] libsemanage: avoid double fclose
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The cleanup goto block in `semanage_direct_set_enabled()` closes the
file stream pointer fp if not NULL. Set the stream to NULL after a
manual fclose(3), even on failure.
direct_api.c: In function semanage_direct_set_enabled:
direct_api.c:2130:25: error: pointer fp may be used after fclose [-Werror=use-after-free]
2130 | if (fp != NULL) fclose(fp);
| ^~~~~~~~~~
direct_api.c:2092:29: note: call to fclose here
2092 | if (fclose(fp) != 0) {
| ^~~~~~~~~~
Acked-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reference: https://github.com/SELinuxProject/selinux/commit/e205e3e84a87ab0416d0d990d7534e6ea968332b
Conflict: Modify the file paths
---
libsemanage/src/direct_api.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/direct_api.c b/src/direct_api.c
index d5716ce5..7206483a 100644
--- a/src/direct_api.c
+++ b/src/direct_api.c
@@ -2089,7 +2089,9 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh,
goto cleanup;
}
- if (fclose(fp) != 0) {
+ ret = fclose(fp);
+ fp = NULL;
+ if (ret != 0) {
ERR(sh,
"Unable to close disabled file for module %s",
modkey->name);
@@ -2097,8 +2099,6 @@ static int semanage_direct_set_enabled(semanage_handle_t *sh,
goto cleanup;
}
- fp = NULL;
-
break;
case 1: /* enable the module */
if (unlink(fn) < 0) {
--
2.27.0

47
backport-libsemanage-do-not-sort-empty-records.patch Normal file
View File

@ -0,0 +1,47 @@
From ea539017fbbc972a8239a7944eaa5ce4960b0903 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 19 Oct 2021 17:11:22 +0200
Subject: [PATCH] libsemanage: do not sort empty records
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Do not sort empty records to avoid calling qsort(3) with a NULL pointer.
qsort(3) might be annotated with the function attribute nonnull and
UBSan then complains:
database_join.c:80:2: runtime error: null pointer passed as argument 1, which is declared to never be null
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reference: https://github.com/SELinuxProject/selinux/commit/ea539017fbbc972a8239a7944eaa5ce4960b0903
Conflict: Modify the file path.
---
libsemanage/src/database_join.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/database_join.c b/src/database_join.c
index b9b35a61..a49a6226 100644
--- a/src/database_join.c
+++ b/src/database_join.c
@@ -77,10 +77,14 @@ static int dbase_join_cache(semanage_handle_t * handle, dbase_join_t * dbase)
goto err;
/* Sort for quicker merge later */
- qsort(records1, rcount1, sizeof(record1_t *),
- (int (*)(const void *, const void *))rtable1->compare2_qsort);
- qsort(records2, rcount2, sizeof(record2_t *),
- (int (*)(const void *, const void *))rtable2->compare2_qsort);
+ if (rcount1 > 0) {
+ qsort(records1, rcount1, sizeof(record1_t *),
+ (int (*)(const void *, const void *))rtable1->compare2_qsort);
+ }
+ if (rcount2 > 0) {
+ qsort(records2, rcount2, sizeof(record2_t *),
+ (int (*)(const void *, const void *))rtable2->compare2_qsort);
+ }
/* Now merge into this dbase */
while (i < rcount1 || j < rcount2) {
--
2.27.0

35
backport-libsemanage-fix-memory-leak-in-semanage_user_roles.patch Normal file
View File

@ -0,0 +1,35 @@
From 3be312e0cf2c45adbe694b136f848fb62cba877e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Sat, 1 Apr 2023 14:49:02 +0200
Subject: [PATCH] libsemanage: fix memory leak in semanage_user_roles
The output parameter `role_arr` of semanage_user_get_roles() is an array
of non-owned role names. Since the array is never used again, as its
contents have been copied into the return value `roles`, free it.
Example leak report from useradd(8):
Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x5597624284a8 in __interceptor_calloc (./shadow/src/useradd+0xee4a8)
#1 0x7f53aefcbbf9 in sepol_user_get_roles src/user_record.c:270:21
Reference: https://github.com/SELinuxProject/selinux/commit/3be312e0cf2c45adbe694b136f848fb62cba877e
Conflict: Modify the file paths
---
libsemanage/src/seusers_local.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/seusers_local.c b/src/seusers_local.c
index 6508ec05..795a33d6 100644
--- a/src/seusers_local.c
+++ b/src/seusers_local.c
@@ -47,6 +47,7 @@ static char *semanage_user_roles(semanage_handle_t * handle, const char *sename)
}
}
}
+ free(roles_arr);
}
semanage_user_free(user);
}
--
2.27.0

937
backport-libsemanage-tests-free-memory.patch Normal file
View File

@ -0,0 +1,937 @@
From fe01a91a79574c21712fac2c58af1b54b7f3d46b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 19 Oct 2021 17:11:23 +0200
Subject: [PATCH] libsemanage/tests: free memory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Free all memory in test cases, reported by LeakSanitizer.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reference: https://github.com/SELinuxProject/selinux/commit/fe01a91a79574c21712fac2c58af1b54b7f3d46b
Conflict: Modify the file paths.
---
libsemanage/tests/test_bool.c | 34 +++++++++++++++++++++++++++++-
libsemanage/tests/test_fcontext.c | 32 +++++++++++++++++++++++++++-
libsemanage/tests/test_ibendport.c | 13 ++++++++++++
libsemanage/tests/test_iface.c | 24 +++++++++++++++++++++
libsemanage/tests/test_node.c | 29 +++++++++++++++++++++++++
libsemanage/tests/test_other.c | 6 ++++++
libsemanage/tests/test_port.c | 24 +++++++++++++++++++++
libsemanage/tests/test_user.c | 17 +++++++++++++++
libsemanage/tests/utilities.c | 5 ++++-
libsemanage/tests/utilities.h | 2 ++
10 files changed, 183 insertions(+), 3 deletions(-)
diff --git a/tests/test_bool.c b/tests/test_bool.c
index ae80d448..7bf5225b 100644
--- a/tests/test_bool.c
+++ b/tests/test_bool.c
@@ -132,6 +132,8 @@ semanage_bool_t *get_bool_nth(int idx)
if (i != (unsigned int) idx)
semanage_bool_free(records[i]);
+ free(records);
+
return boolean;
}
@@ -163,6 +165,8 @@ semanage_bool_key_t *get_bool_key_nth(int idx)
CU_ASSERT_FATAL(res >= 0);
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+ semanage_bool_free(boolean);
+
return key;
}
@@ -196,6 +200,9 @@ void add_local_bool(const char *name)
CU_ASSERT_PTR_NOT_NULL_FATAL(boolean);
CU_ASSERT_FATAL(semanage_bool_modify_local(sh, key, boolean) >= 0);
+
+ semanage_bool_key_free(key);
+ semanage_bool_free(boolean);
}
void delete_local_bool(const char *name)
@@ -208,6 +215,8 @@ void delete_local_bool(const char *name)
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
CU_ASSERT_FATAL(semanage_bool_del_local(sh, key) >= 0);
+
+ semanage_bool_key_free(key);
}
/* Function bool_key_create */
@@ -447,6 +456,8 @@ void helper_bool_create(level_t level)
CU_ASSERT_PTR_NULL(semanage_bool_get_name(boolean));
CU_ASSERT(semanage_bool_get_value(boolean) == 0);
+ semanage_bool_free(boolean);
+
cleanup_handle(level);
}
@@ -483,6 +494,9 @@ void helper_bool_clone(level_t level, int bool_idx)
CU_ASSERT_EQUAL(val, val_clone);
+ semanage_bool_free(boolean_clone);
+ semanage_bool_free(boolean);
+
cleanup_handle(level);
}
@@ -514,6 +528,9 @@ void helper_bool_query(level_t level, const char *bool_str, int exp_res)
CU_ASSERT_PTR_NULL(resp);
}
+ semanage_bool_free(resp);
+ semanage_bool_key_free(key);
+
cleanup_handle(level);
}
@@ -647,6 +664,8 @@ void helper_bool_list(level_t level)
for (unsigned int i = 0; i < count; i++)
semanage_bool_free(records[i]);
+ free(records);
+
cleanup_handle(level);
}
@@ -662,7 +681,7 @@ void helper_bool_modify_del_local(level_t level, const char *name,
int old_val, int exp_res)
{
semanage_bool_t *boolean;
- semanage_bool_t *boolean_local;
+ semanage_bool_t *boolean_local = NULL;
semanage_bool_key_t *key = NULL;
int res;
int new_val;
@@ -696,6 +715,8 @@ void helper_bool_modify_del_local(level_t level, const char *name,
CU_ASSERT(semanage_bool_query_local(sh, key,
&boolean_local) >= 0);
CU_ASSERT(semanage_bool_compare2(boolean_local, boolean) == 0);
+ semanage_bool_free(boolean_local);
+
CU_ASSERT(semanage_bool_del_local(sh, key) >= 0);
CU_ASSERT(semanage_bool_query_local(sh, key,
&boolean_local) < 0);
@@ -734,15 +755,18 @@ void test_bool_query_local(void)
/* transaction */
setup_handle(SH_TRANS);
+ semanage_bool_key_free(key);
CU_ASSERT(semanage_bool_key_create(sh, BOOL1_NAME, &key) >= 0);
CU_ASSERT_PTR_NOT_NULL(key);
CU_ASSERT(semanage_bool_query_local(sh, key, &resp) < 0);
CU_ASSERT_PTR_NULL(resp);
+ semanage_bool_free(resp);
add_local_bool(BOOL1_NAME);
CU_ASSERT(semanage_bool_query_local(sh, key, &resp) >= 0);
CU_ASSERT_PTR_NOT_NULL(resp);
+ semanage_bool_free(resp);
semanage_bool_key_free(key);
CU_ASSERT(semanage_bool_key_create(sh, BOOL2_NAME, &key) >= 0);
@@ -751,8 +775,10 @@ void test_bool_query_local(void)
add_local_bool(BOOL2_NAME);
CU_ASSERT(semanage_bool_query_local(sh, key, &resp) >= 0);
CU_ASSERT_PTR_NOT_NULL(resp);
+ semanage_bool_free(resp);
/* cleanup */
+ semanage_bool_key_free(key);
delete_local_bool(BOOL1_NAME);
delete_local_bool(BOOL2_NAME);
cleanup_handle(SH_TRANS);
@@ -784,6 +810,7 @@ void test_bool_exists_local(void)
CU_ASSERT(resp == 0);
/* cleanup */
+ semanage_bool_key_free(key);
cleanup_handle(SH_TRANS);
}
@@ -918,12 +945,17 @@ void test_bool_list_local(void)
CU_ASSERT(semanage_bool_list_local(sh, &records, &count) >= 0);
CU_ASSERT(count == init_count + 1);
CU_ASSERT_PTR_NOT_NULL(records[0]);
+ semanage_bool_free(records[0]);
+ free(records);
add_local_bool(BOOL2_NAME);
CU_ASSERT(semanage_bool_list_local(sh, &records, &count) >= 0);
CU_ASSERT(count == init_count + 2);
CU_ASSERT_PTR_NOT_NULL(records[0]);
CU_ASSERT_PTR_NOT_NULL(records[1]);
+ semanage_bool_free(records[0]);
+ semanage_bool_free(records[1]);
+ free(records);
/* cleanup */
delete_local_bool(BOOL1_NAME);
diff --git a/tests/test_fcontext.c b/tests/test_fcontext.c
index 62af711f..a5fcf849 100644
--- a/tests/test_fcontext.c
+++ b/tests/test_fcontext.c
@@ -214,6 +214,8 @@ semanage_fcontext_t *get_fcontext_nth(int idx)
if (i != (unsigned int) idx)
semanage_fcontext_free(records[i]);
+ free(records);
+
return fcontext;
}
@@ -230,6 +232,8 @@ semanage_fcontext_key_t *get_fcontext_key_nth(int idx)
CU_ASSERT_FATAL(semanage_fcontext_key_extract(sh, fcontext, &key) >= 0);
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+ semanage_fcontext_free(fcontext);
+
return key;
}
@@ -246,6 +250,10 @@ void add_local_fcontext(int fcontext_idx)
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
CU_ASSERT_FATAL(semanage_fcontext_modify_local(sh, key, fcontext) >= 0);
+
+ /* cleanup */
+ semanage_fcontext_key_free(key);
+ semanage_fcontext_free(fcontext);
}
void delete_local_fcontext(int fcontext_idx)
@@ -257,6 +265,8 @@ void delete_local_fcontext(int fcontext_idx)
key = get_fcontext_key_nth(fcontext_idx);
CU_ASSERT_FATAL(semanage_fcontext_del_local(sh, key) >= 0);
+
+ semanage_fcontext_key_free(key);
}
semanage_fcontext_key_t *get_fcontext_key_from_str(const char *str, int type)
@@ -477,6 +487,7 @@ void helper_fcontext_get_set_con(level_t level, int fcontext_idx,
}
/* cleanup */
+ semanage_context_free(con);
semanage_fcontext_free(fcontext);
cleanup_handle(level);
}
@@ -587,12 +598,14 @@ void helper_fcontext_query(level_t level, const char *fcontext_expr,
CU_ASSERT(res >= 0);
const char *expr = semanage_fcontext_get_expr(resp);
CU_ASSERT_STRING_EQUAL(expr, fcontext_expr);
+ semanage_fcontext_free(resp);
} else {
CU_ASSERT(res < 0);
CU_ASSERT(resp == (void *) 42);
}
/* cleanup */
+ semanage_fcontext_key_free(key);
cleanup_handle(level);
}
@@ -752,6 +765,8 @@ void helper_fcontext_list(level_t level)
for (unsigned int i = 0; i < count; i++)
semanage_fcontext_free(records[i]);
+ free(records);
+
/* cleanup */
cleanup_handle(level);
}
@@ -768,7 +783,7 @@ void helper_fcontext_modify_del_local(level_t level, int fcontext_idx,
const char *con_str, int exp_res)
{
semanage_fcontext_t *fcontext;
- semanage_fcontext_t *fcontext_local;
+ semanage_fcontext_t *fcontext_local = NULL;
semanage_fcontext_key_t *key = NULL;
semanage_context_t *con = NULL;
int res;
@@ -803,6 +818,8 @@ void helper_fcontext_modify_del_local(level_t level, int fcontext_idx,
&fcontext_local) >= 0);
CU_ASSERT(semanage_fcontext_compare2(fcontext_local,
fcontext) == 0);
+ semanage_fcontext_free(fcontext_local);
+
CU_ASSERT(semanage_fcontext_del_local(sh, key) >= 0);
CU_ASSERT(semanage_fcontext_query_local(sh, key,
&fcontext_local) < 0);
@@ -811,6 +828,7 @@ void helper_fcontext_modify_del_local(level_t level, int fcontext_idx,
}
/* cleanup */
+ semanage_context_free(con);
semanage_fcontext_key_free(key);
semanage_fcontext_free(fcontext);
cleanup_handle(level);
@@ -846,6 +864,7 @@ void test_fcontext_query_local(void)
/* transaction */
setup_handle(SH_TRANS);
+ semanage_fcontext_key_free(key);
key = get_fcontext_key_nth(I_FIRST);
CU_ASSERT(semanage_fcontext_query_local(sh, key, &resp) < 0);
CU_ASSERT_PTR_NULL(resp);
@@ -853,14 +872,19 @@ void test_fcontext_query_local(void)
add_local_fcontext(I_FIRST);
CU_ASSERT(semanage_fcontext_query_local(sh, key, &resp) >= 0);
CU_ASSERT_PTR_NOT_NULL(resp);
+ semanage_fcontext_free(resp);
+ resp = NULL;
semanage_fcontext_key_free(key);
key = get_fcontext_key_nth(I_SECOND);
add_local_fcontext(I_SECOND);
CU_ASSERT(semanage_fcontext_query_local(sh, key, &resp) >= 0);
CU_ASSERT_PTR_NOT_NULL(resp);
+ semanage_fcontext_free(resp);
+ resp = NULL;
/* cleanup */
+ semanage_fcontext_key_free(key);
delete_local_fcontext(I_FIRST);
delete_local_fcontext(I_SECOND);
cleanup_handle(SH_TRANS);
@@ -898,6 +922,7 @@ void test_fcontext_exists_local(void)
CU_ASSERT(resp == 0);
/* cleanup */
+ semanage_fcontext_key_free(key);
cleanup_handle(SH_TRANS);
}
@@ -1031,12 +1056,17 @@ void test_fcontext_list_local(void)
CU_ASSERT(semanage_fcontext_list_local(sh, &records, &count) >= 0);
CU_ASSERT(count == 1);
CU_ASSERT_PTR_NOT_NULL(records[0]);
+ semanage_fcontext_free(records[0]);
+ free(records);
add_local_fcontext(I_SECOND);
CU_ASSERT(semanage_fcontext_list_local(sh, &records, &count) >= 0);
CU_ASSERT(count == 2);
CU_ASSERT_PTR_NOT_NULL(records[0]);
CU_ASSERT_PTR_NOT_NULL(records[1]);
+ semanage_fcontext_free(records[0]);
+ semanage_fcontext_free(records[1]);
+ free(records);
/* cleanup */
delete_local_fcontext(I_FIRST);
diff --git a/tests/test_ibendport.c b/tests/test_ibendport.c
index 79a8e2c8..8addc908 100644
--- a/tests/test_ibendport.c
+++ b/tests/test_ibendport.c
@@ -113,6 +113,8 @@ semanage_ibendport_t *get_ibendport_nth(int idx)
if (i != (unsigned int) idx)
semanage_ibendport_free(records[i]);
+ free(records);
+
return ibendport;
}
@@ -132,6 +134,8 @@ semanage_ibendport_key_t *get_ibendport_key_nth(int idx)
CU_ASSERT_FATAL(res >= 0);
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+ semanage_ibendport_free(ibendport);
+
return key;
}
@@ -148,6 +152,9 @@ void add_local_ibendport(int idx)
CU_ASSERT_FATAL(semanage_ibendport_modify_local(sh, key,
ibendport) >= 0);
+
+ semanage_ibendport_key_free(key);
+ semanage_ibendport_free(ibendport);
}
void delete_local_ibendport(int idx)
@@ -155,6 +162,8 @@ void delete_local_ibendport(int idx)
semanage_ibendport_key_t *key = NULL;
key = get_ibendport_key_nth(idx);
CU_ASSERT_FATAL(semanage_ibendport_del_local(sh, key) >= 0);
+
+ semanage_ibendport_key_free(key);
}
/* Function semanage_ibendport_query */
@@ -195,7 +204,9 @@ void test_ibendport_query(void)
CU_ASSERT_CONTEXT_EQUAL(con, con_exp);
/* cleanup */
+ free(name_exp);
free(name);
+ semanage_ibendport_key_free(key);
semanage_ibendport_free(ibendport);
semanage_ibendport_free(ibendport_exp);
cleanup_handle(SH_CONNECT);
@@ -356,12 +367,14 @@ void test_ibendport_modify_del_query_local(void)
CU_ASSERT(semanage_ibendport_query_local(sh, key,
&ibendport_local) >= 0);
CU_ASSERT_PTR_NOT_NULL_FATAL(ibendport_local);
+ semanage_ibendport_free(ibendport_local);
CU_ASSERT(semanage_ibendport_del_local(sh, key) >= 0);
CU_ASSERT(semanage_ibendport_query_local(sh, key,
&ibendport_local) < 0);
/* cleanup */
+ semanage_ibendport_key_free(key);
semanage_ibendport_free(ibendport);
cleanup_handle(SH_TRANS);
}
diff --git a/tests/test_iface.c b/tests/test_iface.c
index d5d530a8..434372f8 100644
--- a/tests/test_iface.c
+++ b/tests/test_iface.c
@@ -139,6 +139,8 @@ semanage_iface_t *get_iface_nth(int idx)
if (i != (unsigned int) idx)
semanage_iface_free(records[i]);
+ free(records);
+
return iface;
}
@@ -157,6 +159,9 @@ semanage_iface_key_t *get_iface_key_nth(int idx)
CU_ASSERT_FATAL(res >= 0);
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+ /* cleanup */
+ semanage_iface_free(iface);
+
return key;
}
@@ -171,6 +176,10 @@ void add_local_iface(int idx)
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
CU_ASSERT_FATAL(semanage_iface_modify_local(sh, key, iface) >= 0);
+
+ /* cleanup */
+ semanage_iface_key_free(key);
+ semanage_iface_free(iface);
}
void delete_local_iface(int idx)
@@ -178,6 +187,9 @@ void delete_local_iface(int idx)
semanage_iface_key_t *key = NULL;
key = get_iface_key_nth(idx);
CU_ASSERT_FATAL(semanage_iface_del_local(sh, key) >= 0);
+
+ /* cleanup */
+ semanage_iface_key_free(key);
}
/* Function semanage_iface_compare */
@@ -309,6 +321,7 @@ void test_iface_get_set_ifcon(void)
CU_ASSERT_CONTEXT_EQUAL(con1, con2);
/* cleanup */
+ semanage_context_free(con1);
semanage_iface_free(iface);
cleanup_handle(SH_CONNECT);
}
@@ -332,6 +345,7 @@ void test_iface_get_set_msgcon(void)
CU_ASSERT_CONTEXT_EQUAL(con1, con2);
/* cleanup */
+ semanage_context_free(con1);
semanage_iface_free(iface);
cleanup_handle(SH_CONNECT);
}
@@ -357,6 +371,8 @@ void test_iface_create(void)
CU_ASSERT(semanage_iface_set_msgcon(sh, iface, msgcon) >= 0);
/* cleanup */
+ semanage_context_free(msgcon);
+ semanage_context_free(ifcon);
semanage_iface_free(iface);
cleanup_handle(SH_CONNECT);
}
@@ -393,6 +409,8 @@ void test_iface_clone(void)
CU_ASSERT_CONTEXT_EQUAL(msgcon, msgcon2);
/* cleanup */
+ semanage_context_free(msgcon);
+ semanage_context_free(ifcon);
semanage_iface_free(iface);
semanage_iface_free(iface_clone);
cleanup_handle(SH_CONNECT);
@@ -426,6 +444,7 @@ void test_iface_query(void)
CU_ASSERT_CONTEXT_EQUAL(con, con_exp);
/* cleanup */
+ semanage_iface_key_free(key);
semanage_iface_free(iface);
semanage_iface_free(iface_exp);
cleanup_handle(SH_CONNECT);
@@ -513,6 +532,8 @@ void test_iface_list(void)
for (unsigned int i = 0; i < count; i++)
semanage_iface_free(records[i]);
+ free(records);
+
/* cleanup */
cleanup_handle(SH_CONNECT);
}
@@ -541,11 +562,13 @@ void test_iface_modify_del_query_local(void)
CU_ASSERT(semanage_iface_query_local(sh, key, &iface_local) >= 0);
CU_ASSERT_PTR_NOT_NULL_FATAL(iface_local);
+ semanage_iface_free(iface_local);
CU_ASSERT(semanage_iface_del_local(sh, key) >= 0);
CU_ASSERT(semanage_iface_query_local(sh, key, &iface_local) < 0);
/* cleanup */
+ semanage_iface_key_free(key);
semanage_iface_free(iface);
cleanup_handle(SH_TRANS);
}
@@ -658,6 +681,7 @@ void test_iface_list_local(void)
/* cleanup */
for (unsigned int i = 0; i < count; i++)
semanage_iface_free(records[i]);
+ free(records);
delete_local_iface(I_FIRST);
delete_local_iface(I_SECOND);
diff --git a/tests/test_node.c b/tests/test_node.c
index 53c2eb69..e49e8c3b 100644
--- a/tests/test_node.c
+++ b/tests/test_node.c
@@ -148,6 +148,8 @@ semanage_node_t *get_node_nth(int idx)
if (i != (unsigned int) idx)
semanage_node_free(records[i]);
+ free(records);
+
return node;
}
@@ -167,6 +169,8 @@ semanage_node_key_t *get_node_key_nth(int idx)
CU_ASSERT_FATAL(res >= 0);
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+ semanage_node_free(node);
+
return key;
}
@@ -181,6 +185,10 @@ void add_local_node(int idx)
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
CU_ASSERT_FATAL(semanage_node_modify_local(sh, key, node) >= 0);
+
+ /* cleanup */
+ semanage_node_key_free(key);
+ semanage_node_free(node);
}
void delete_local_node(int idx)
@@ -190,6 +198,9 @@ void delete_local_node(int idx)
key = get_node_key_nth(idx);
CU_ASSERT_FATAL(semanage_node_del_local(sh, key) >= 0);
+
+ /* cleanup */
+ semanage_node_key_free(key);
}
/* Function semanage_node_compare */
@@ -305,6 +316,7 @@ void test_node_get_set_addr(void)
CU_ASSERT_STRING_EQUAL(addr, "192.168.0.1");
/* cleanup */
+ free(addr);
semanage_node_free(node);
cleanup_handle(SH_CONNECT);
}
@@ -334,6 +346,7 @@ void test_node_get_set_addr_bytes(void)
CU_ASSERT(addr1[i] == addr2[i]);
/* cleanup */
+ free(addr2);
semanage_node_free(node);
cleanup_handle(SH_CONNECT);
}
@@ -357,6 +370,7 @@ void test_node_get_set_mask(void)
CU_ASSERT_STRING_EQUAL(mask, "255.255.255.0");
/* cleanup */
+ free(mask);
semanage_node_free(node);
cleanup_handle(SH_CONNECT);
}
@@ -386,6 +400,7 @@ void test_node_get_set_mask_bytes(void)
CU_ASSERT(mask1[i] == mask2[i]);
/* cleanup */
+ free(mask2);
semanage_node_free(node);
cleanup_handle(SH_CONNECT);
}
@@ -436,6 +451,7 @@ void test_node_get_set_con(void)
CU_ASSERT_CONTEXT_EQUAL(con1, con2);
/* cleanup */
+ semanage_context_free(con1);
semanage_node_free(node);
cleanup_handle(SH_CONNECT);
}
@@ -461,6 +477,7 @@ void test_node_create(void)
CU_ASSERT(semanage_node_set_con(sh, node, con) >= 0);
/* cleanup */
+ semanage_context_free(con);
semanage_node_free(node);
cleanup_handle(SH_CONNECT);
}
@@ -508,6 +525,9 @@ void test_node_clone(void)
CU_ASSERT_CONTEXT_EQUAL(con, con2);
/* cleanup */
+ free(mask2);
+ free(addr2);
+ semanage_context_free(con);
semanage_node_free(node);
semanage_node_free(node_clone);
cleanup_handle(SH_CONNECT);
@@ -552,6 +572,8 @@ void test_node_query(void)
CU_ASSERT_CONTEXT_EQUAL(con, con_exp);
/* cleanup */
+ semanage_node_key_free(key);
+ semanage_node_free(node_exp);
semanage_node_free(node);
cleanup_handle(SH_CONNECT);
}
@@ -638,6 +660,8 @@ void test_node_list(void)
for (unsigned int i = 0; i < count; i++)
semanage_node_free(records[i]);
+ free(records);
+
/* cleanup */
cleanup_handle(SH_CONNECT);
}
@@ -679,6 +703,7 @@ void test_node_modify_del_query_local(void)
CU_ASSERT(semanage_node_query_local(sh, key, &node_local) >= 0);
CU_ASSERT_PTR_NOT_NULL_FATAL(node_local);
+ semanage_node_free(node_local);
CU_ASSERT(semanage_node_del_local(sh, key) >= 0);
CU_ASSERT(semanage_node_del_local(sh, key_tmp) >= 0);
@@ -686,6 +711,8 @@ void test_node_modify_del_query_local(void)
CU_ASSERT(semanage_node_query_local(sh, key, &node_local) < 0);
/* cleanup */
+ semanage_node_key_free(key_tmp);
+ semanage_node_key_free(key);
semanage_node_free(node);
semanage_node_free(node_tmp);
cleanup_handle(SH_TRANS);
@@ -800,6 +827,8 @@ void test_node_list_local(void)
for (unsigned int i = 0; i < count; i++)
semanage_node_free(records[i]);
+ free(records);
+
delete_local_node(I_FIRST);
delete_local_node(I_SECOND);
delete_local_node(I_THIRD);
diff --git a/tests/test_other.c b/tests/test_other.c
index c4ee0ed8..0a57e247 100644
--- a/tests/test_other.c
+++ b/tests/test_other.c
@@ -81,6 +81,9 @@ void test_semanage_context(void)
assert(str);
CU_ASSERT_STRING_EQUAL(str, "user_u:role_r:type_t:s0");
+ semanage_context_free(con);
+ con = NULL;
+
CU_ASSERT(semanage_context_from_string(sh, "my_u:my_r:my_t:s0",
&con) >= 0);
CU_ASSERT_STRING_EQUAL(semanage_context_get_user(con), "my_u");
@@ -95,6 +98,7 @@ void test_semanage_context(void)
CU_ASSERT_STRING_EQUAL(semanage_context_get_mls(con_clone), "s0");
/* cleanup */
+ free(str);
semanage_context_free(con);
semanage_context_free(con_clone);
cleanup_handle(SH_CONNECT);
@@ -115,6 +119,8 @@ void test_debug(void)
CU_ASSERT(semanage_module_info_set_priority(sh, modinfo, -42) < 0);
/* cleanup */
+ semanage_module_info_destroy(sh, modinfo);
+ free(modinfo);
CU_ASSERT(semanage_disconnect(sh) >= 0);
semanage_handle_destroy(sh);
}
diff --git a/tests/test_port.c b/tests/test_port.c
index 0408be4d..f4c6ec21 100644
--- a/tests/test_port.c
+++ b/tests/test_port.c
@@ -146,6 +146,8 @@ semanage_port_t *get_port_nth(int idx)
if (i != (unsigned int) idx)
semanage_port_free(records[i]);
+ free(records);
+
return port;
}
@@ -165,6 +167,9 @@ semanage_port_key_t *get_port_key_nth(int idx)
CU_ASSERT_FATAL(res >= 0);
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+ /* cleanup */
+ semanage_port_free(port);
+
return key;
}
@@ -181,6 +186,10 @@ void add_local_port(int port_idx)
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
CU_ASSERT_FATAL(semanage_port_modify_local(sh, key, port) >= 0);
+
+ /* cleanup */
+ semanage_port_key_free(key);
+ semanage_port_free(port);
}
void delete_local_port(int port_idx)
@@ -192,6 +201,8 @@ void delete_local_port(int port_idx)
key = get_port_key_nth(port_idx);
CU_ASSERT_FATAL(semanage_port_del_local(sh, key) >= 0);
+
+ semanage_port_key_free(key);
}
/* Function semanage_port_compare */
@@ -447,6 +458,7 @@ void test_port_clone(void)
CU_ASSERT_CONTEXT_EQUAL(con, con2);
/* cleanup */
+ semanage_context_free(con);
semanage_port_free(port);
semanage_port_free(port_clone);
cleanup_handle(SH_CONNECT);
@@ -480,6 +492,7 @@ void test_port_query(void)
CU_ASSERT_CONTEXT_EQUAL(con, con_exp);
/* cleanup */
+ semanage_port_key_free(key);
semanage_port_free(port);
semanage_port_free(port_exp);
cleanup_handle(SH_CONNECT);
@@ -567,6 +580,8 @@ void test_port_list(void)
for (unsigned int i = 0; i < count; i++)
semanage_port_free(records[i]);
+ free(records);
+
cleanup_handle(SH_CONNECT);
}
@@ -594,11 +609,14 @@ void test_port_modify_del_local(void)
con_local = semanage_port_get_con(port_local);
CU_ASSERT_CONTEXT_EQUAL(con, con_local);
+ semanage_port_free(port_local);
CU_ASSERT(semanage_port_del_local(sh, key) >= 0);
CU_ASSERT(semanage_port_query_local(sh, key, &port_local) < 0);
/* cleanup */
+ semanage_context_free(con);
+ semanage_port_key_free(key);
semanage_port_free(port);
cleanup_handle(SH_TRANS);
}
@@ -633,6 +651,7 @@ void test_port_query_local(void)
/* cleanup */
delete_local_port(I_FIRST);
+ semanage_port_key_free(key);
semanage_port_free(port);
semanage_port_free(port_exp);
cleanup_handle(SH_TRANS);
@@ -747,6 +766,8 @@ void test_port_list_local(void)
for (unsigned int i = 0; i < count; i++)
semanage_port_free(records[i]);
+ free(records);
+
delete_local_port(I_FIRST);
delete_local_port(I_SECOND);
delete_local_port(I_THIRD);
@@ -773,6 +794,7 @@ void helper_port_validate_local_noport(void)
helper_commit();
/* cleanup */
+ semanage_port_key_free(key);
helper_begin_transaction();
delete_local_port(I_FIRST);
cleanup_handle(SH_TRANS);
@@ -832,6 +854,8 @@ void helper_port_validate_local_twoports(void)
helper_begin_transaction();
CU_ASSERT(semanage_port_del_local(sh, key1) >= 0);
CU_ASSERT(semanage_port_del_local(sh, key2) >= 0);
+ semanage_context_free(con2);
+ semanage_context_free(con1);
semanage_port_key_free(key1);
semanage_port_key_free(key2);
semanage_port_free(port1);
diff --git a/tests/test_user.c b/tests/test_user.c
index cd082030..c3835c8d 100644
--- a/tests/test_user.c
+++ b/tests/test_user.c
@@ -130,6 +130,8 @@ semanage_user_t *get_user_nth(int idx)
if (i != (unsigned int) idx)
semanage_user_free(records[i]);
+ free(records);
+
return user;
}
@@ -149,6 +151,8 @@ semanage_user_key_t *get_user_key_nth(int idx)
CU_ASSERT_FATAL(res >= 0);
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
+ semanage_user_free(user);
+
return key;
}
@@ -165,6 +169,9 @@ void add_local_user(int user_idx)
CU_ASSERT_PTR_NOT_NULL_FATAL(key);
CU_ASSERT_FATAL(semanage_user_modify_local(sh, key, user) >= 0);
+
+ semanage_user_key_free(key);
+ semanage_user_free(user);
}
void delete_local_user(int user_idx)
@@ -176,6 +183,8 @@ void delete_local_user(int user_idx)
key = get_user_key_nth(user_idx);
CU_ASSERT_FATAL(semanage_user_del_local(sh, key) >= 0);
+
+ semanage_user_key_free(key);
}
/* Function semanage_user_compare */
@@ -391,6 +400,7 @@ void test_user_roles(void)
CU_ASSERT(semanage_user_get_num_roles(user) == 0);
/* cleanup */
+ free(roles_arr);
semanage_user_free(user);
cleanup_handle(SH_CONNECT);
}
@@ -459,6 +469,7 @@ void test_user_query(void)
CU_ASSERT_PTR_NOT_NULL(user);
/* cleanup */
+ semanage_user_key_free(key);
semanage_user_free(user);
cleanup_handle(SH_CONNECT);
}
@@ -546,6 +557,8 @@ void test_user_list(void)
for (unsigned int i = 0; i < count; i++)
semanage_user_free(records[i]);
+ free(records);
+
cleanup_handle(SH_CONNECT);
}
@@ -573,10 +586,12 @@ void test_user_modify_del_query_local(void)
CU_ASSERT(semanage_user_query_local(sh, key, &user_local) >= 0);
CU_ASSERT_PTR_NOT_NULL_FATAL(user_local);
+ semanage_user_free(user_local);
CU_ASSERT(semanage_user_del_local(sh, key) >= 0);
CU_ASSERT(semanage_user_query_local(sh, key, &user_local) < 0);
/* cleanup */
+ semanage_user_key_free(key);
semanage_user_free(user);
cleanup_handle(SH_TRANS);
}
@@ -683,6 +698,8 @@ void test_user_list_local(void)
for (unsigned int i = 0; i < count; i++)
semanage_user_free(records[i]);
+ free(records);
+
delete_local_user(I_FIRST);
delete_local_user(I_SECOND);
delete_local_user(I_THIRD);
diff --git a/tests/utilities.c b/tests/utilities.c
index 18393215..b28ae155 100644
--- a/tests/utilities.c
+++ b/tests/utilities.c
@@ -99,6 +99,7 @@ int write_test_policy_from_file(const char *filename) {
char *buf = NULL;
size_t len = 0;
FILE *fptr = fopen(filename, "rb");
+ int rc;
if (!fptr) {
perror("fopen");
@@ -120,7 +121,9 @@ int write_test_policy_from_file(const char *filename) {
fread(buf, len, 1, fptr);
fclose(fptr);
- return write_test_policy(buf, len);
+ rc = write_test_policy(buf, len);
+ free(buf);
+ return rc;
}
int write_test_policy_src(unsigned char *data, unsigned int data_len) {
diff --git a/tests/utilities.h b/tests/utilities.h
index db4dabf9..298b3280 100644
--- a/tests/utilities.h
+++ b/tests/utilities.h
@@ -39,6 +39,8 @@
CU_ASSERT(semanage_context_to_string(sh, CON1, &__str) >= 0); \
CU_ASSERT(semanage_context_to_string(sh, CON2, &__str2) >= 0); \
CU_ASSERT_STRING_EQUAL(__str, __str2); \
+ free(__str2); \
+ free(__str); \
} while (0)
--
2.27.0

12
libsemanage.spec
View File

@ -3,13 +3,20 @@
Name: libsemanage
Version: 3.3
Release: 4
Release: 5
License: LGPLv2+
Summary: SELinux binary policy manipulation library
URL: https://github.com/SELinuxProject/selinux/wiki
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/libsemanage-%{version}.tar.gz
Source1: semanage.conf
Patch6000: backport-libsemanage-do-not-sort-empty-records.patch
Patch6001: backport-libsemanage-tests-free-memory.patch
Patch6002: backport-libsemanage-Fall-back-to-semanage_copy_dir-when-rena.patch
Patch6003: backport-libsemanage-Fix-USE_AFTER_FREE-CWE-672-in-semanage_direct_get_module_info.patch
Patch6004: backport-libsemanage-avoid-double-fclose.patch
Patch6005: backport-libsemanage-fix-memory-leak-in-semanage_user_roles.patch
Patch9000: fix-test-failure-with-secilc.patch
BuildRequires: gcc python3-devel bison flex bzip2-devel audit-libs-devel
@ -105,6 +112,9 @@ make test
%changelog
* Tue Jun 13 2023 zhangguangzhi<zhangguangzhi3@huawei.com> - 3.3-5
- backport patches from upstream
* Sat Dec 17 2022 fangxiuning <fangxiuning@huawei.com> - 3.3-4
- add description