From patchwork Sat Mar 11 13:12:55 2023
X-Patchwork-Submitter: Yi Zhao
X-Patchwork-Id: 20804
From: Yi Zhao
To: yocto@lists.yoctoproject.org, joe.macdonald@siemens.com, joe@deserted.net, joe_macdonald@mentor.com
Subject: [meta-selinux][PATCH 04/17] libsepol: upgrade 3.4 -> 3.5
Date: Sat, 11 Mar 2023 21:12:55 +0800
Message-Id: <20230311131308.1337339-4-yi.zhao@windriver.com>
In-Reply-To: <20230311131308.1337339-1-yi.zhao@windriver.com>
References: <20230311131308.1337339-1-yi.zhao@windriver.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59386

License-Update: Rename COPYING to LICENSE. No content changes.

* Drop backport patch.

Signed-off-by: Yi Zhao
---
 ...idation-of-user-declarations-in-modu.patch | 80 -------------------
 .../{libsepol_3.4.bb => libsepol_3.5.bb} | 4 +-
 2 files changed, 1 insertion(+), 83 deletions(-)
 delete mode 100644 recipes-security/selinux/libsepol/0001-libsepol-fix-validation-of-user-declarations-in-modu.patch
 rename recipes-security/selinux/{libsepol_3.4.bb => libsepol_3.5.bb} (78%)

diff --git a/recipes-security/selinux/libsepol/0001-libsepol-fix-validation-of-user-declarations-in-modu.patch b/recipes-security/selinux/libsepol/0001-libsepol-fix-validation-of-user-declarations-in-modu.patch deleted file mode 100644 index 47c1806..0000000 
--- a/recipes-security/selinux/libsepol/0001-libsepol-fix-validation-of-user-declarations-in-modu.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From 4831f73dd356fd72916f594dbeae44d26c93bb6b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 7 Jun 2022 17:01:45 +0200 -Subject: [PATCH] libsepol: fix validation of user declarations in modules -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Users are allowed to be declared in modules. Modules do not get expanded -leaving the `struct user_datum` members `exp_range` and `exp_dfltlevel` -empty. -Do no validate the expanded range and level for modular polices. - -Reported-by: bauen1 -Signed-off-by: Christian Göttsche -Acked-by: James Carter - -Upstream-Status: Backport -[https://github.com/SELinuxProject/selinux/commit/88a703399f3f44be2502fd4ecd22ac3d3c560694] - -Signed-off-by: Yi Zhao ---- - src/policydb_validate.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/src/policydb_validate.c b/src/policydb_validate.c -index da18282..99d4eb7 100644 ---- a/src/policydb_validate.c -+++ b/src/policydb_validate.c -@@ -18,7 +18,7 @@ typedef struct validate { - typedef struct map_arg { - validate_t *flavors; - sepol_handle_t *handle; -- int mls; -+ policydb_t *policy; - } map_arg_t; - - static int create_gap_ebitmap(char **val_to_name, uint32_t nprim, ebitmap_t *gaps) -@@ -571,7 +571,7 @@ static int validate_mls_range(mls_range_t *range, validate_t *sens, validate_t * - return -1; - } - --static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, validate_t flavors[], int mls) -+static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, validate_t flavors[], policydb_t *p) - { - if (validate_value(user->s.value, &flavors[SYM_USERS])) - goto bad; -@@ -581,9 +581,9 @@ static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, valid - goto bad; - if (validate_mls_semantic_level(&user->dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS])) - goto bad; -- if (mls && validate_mls_range(&user->exp_range, 
&flavors[SYM_LEVELS], &flavors[SYM_CATS])) -+ if (p->mls && p->policy_type != POLICY_MOD && validate_mls_range(&user->exp_range, &flavors[SYM_LEVELS], &flavors[SYM_CATS])) - goto bad; -- if (mls && validate_mls_level(&user->exp_dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS])) -+ if (p->mls && p->policy_type != POLICY_MOD && validate_mls_level(&user->exp_dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS])) - goto bad; - if (user->bounds && validate_value(user->bounds, &flavors[SYM_USERS])) - goto bad; -@@ -599,7 +599,7 @@ static int validate_user_datum_wrapper(__attribute__((unused)) hashtab_key_t k, - { - map_arg_t *margs = args; - -- return validate_user_datum(margs->handle, d, margs->flavors, margs->mls); -+ return validate_user_datum(margs->handle, d, margs->flavors, margs->policy); - } - - static int validate_bool_datum(sepol_handle_t *handle, cond_bool_datum_t *boolean, validate_t flavors[]) -@@ -689,7 +689,7 @@ static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum - - static int validate_datum_array_entries(sepol_handle_t *handle, policydb_t *p, validate_t flavors[]) - { -- map_arg_t margs = { flavors, handle, p->mls }; -+ map_arg_t margs = { flavors, handle, p }; - - if (hashtab_map(p->p_commons.table, validate_common_datum_wrapper, &margs)) - goto bad; --- -2.25.1 - diff --git a/recipes-security/selinux/libsepol_3.4.bb b/recipes-security/selinux/libsepol_3.5.bb similarity index 78% rename from recipes-security/selinux/libsepol_3.4.bb rename to recipes-security/selinux/libsepol_3.5.bb index e756557..0c28e9b 100644 --- a/recipes-security/selinux/libsepol_3.4.bb +++ b/recipes-security/selinux/libsepol_3.5.bb 
@@ -5,14 +5,12 @@ as by programs like load_policy that need to perform specific transformations \ on binary policies such as customizing policy boolean settings." SECTION = "base" LICENSE = "LGPL-2.0-or-later" -LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343" +LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=a6f89e2100d9b6cdffcea4f398e37343" require selinux_common.inc inherit lib_package -SRC_URI += "file://0001-libsepol-fix-validation-of-user-declarations-in-modu.patch" - S = "${WORKDIR}/git/libsepol" DEPENDS = "flex-native"
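
Review bot: The deletion of 0001-libsepol-fix-validation-of-user-declarations-in-modu.patch is justified in the commit message only as "Drop backport patch", with no statement that 3.5 already carries the fix. The deleted file is marked Upstream-Status: Backport of commit 88a703399f3f44be2502fd4ecd22ac3d3c560694, so the message should say that this commit is part of the 3.5 release. A concrete check against the 3.5 tree: validate_user_datum() in src/policydb_validate.c should take a policydb_t *p and guard both expanded checks with "p->mls && p->policy_type != POLICY_MOD". Without that guard, modules that declare users are validated against the empty exp_range and exp_dfltlevel members that the backport's description calls out.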
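
Review bot: Nothing in the libsepol_3.5.bb hunk pins the 3.5 sources. The rename only switches LIC_FILES_CHKSUM to LICENSE and removes the SRC_URI += line, so the fetched revision has to come from "require selinux_common.inc", which this patch does not touch. Please note in the commit message which patch of the series updates that include, because the recipe builds from S = "${WORKDIR}/git/libsepol" and a revision left at the old value there would produce a package named 3.5 that lacks the fix formerly supplied by the dropped backport. The md5 a6f89e2100d9b6cdffcea4f398e37343 is unchanged between the COPYING and LICENSE lines, which is consistent with the stated "No content changes".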