diff --git a/.checkpolicy.metadata b/.checkpolicy.metadata index 95c5a8a..9d51001 100644 --- a/.checkpolicy.metadata +++ b/.checkpolicy.metadata @@ -1 +1 @@ -71262b34fd4147bbe34ba00433cfd74850c645b0 SOURCES/checkpolicy-3.2.tar.gz +845c7408141b554d68df6490a7aa3fcc750ffc6d SOURCES/checkpolicy-3.3.tar.gz diff --git a/.gitignore b/.gitignore index 689e883..01e1d77 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/checkpolicy-3.2.tar.gz +SOURCES/checkpolicy-3.3.tar.gz diff --git a/SOURCES/0001-libsepol-checkpolicy-Set-user-roles-using-role-value.patch b/SOURCES/0001-libsepol-checkpolicy-Set-user-roles-using-role-value.patch deleted file mode 100644 index 2ea91bf..0000000 --- a/SOURCES/0001-libsepol-checkpolicy-Set-user-roles-using-role-value.patch +++ /dev/null @@ -1,78 +0,0 @@ -From dcd07fdcbf3ba9fc47aef924b9b9f81bdefcb18b Mon Sep 17 00:00:00 2001 -From: James Carter -Date: Mon, 8 Mar 2021 15:49:23 -0500 -Subject: [PATCH] libsepol/checkpolicy: Set user roles using role value instead - of dominance - -Roles in an optional block have two datums, one in the global block -and one in the avrule_decl where it is declared. The datum in the -global block does not have its dominace set. This is a problem because -the function set_user_role() sets the user's roles based on the global -datum's dominance ebitmap. If a user is declared with an associated role -that was declared in an optional block, then it will not have any roles -set for it because the dominance ebitmap is empty. - -Example/ - # handle_unknown deny - class CLASS1 - sid kernel - class CLASS1 { PERM1 } - type TYPE1; - allow TYPE1 self:CLASS1 PERM1; - role ROLE1; - role ROLE1 types { TYPE1 }; - optional { - require { - class CLASS1 { PERM1 }; - } - role ROLE1A; - user USER1A roles ROLE1A; - } - user USER1 roles ROLE1; - sid kernel USER1:ROLE1:TYPE1 - -In this example, USER1A would not have ROLE1A associated with it. - -Instead of using dominance, which has been deprecated anyway, just -set the bit corresponding to the role's value in the user's roles -ebitmap in set_user_role(). - -Signed-off-by: James Carter -Acked-by: Nicolas Iooss - -[N.I: added spaces around "-" operator] ---- - checkpolicy/policy_define.c | 9 ++------- - 1 file changed, 2 insertions(+), 7 deletions(-) - -diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c -index c9286f7733c5..16234f31bbc3 100644 ---- a/checkpolicy/policy_define.c -+++ b/checkpolicy/policy_define.c -@@ -4088,8 +4088,6 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2) - static int set_user_roles(role_set_t * set, char *id) - { - role_datum_t *r; -- unsigned int i; -- ebitmap_node_t *node; - - if (strcmp(id, "*") == 0) { - free(id); -@@ -4115,12 +4113,9 @@ static int set_user_roles(role_set_t * set, char *id) - return -1; - } - -- /* set the role and every role it dominates */ -- ebitmap_for_each_positive_bit(&r->dominates, node, i) { -- if (ebitmap_set_bit(&set->roles, i, TRUE)) -- goto oom; -- } - free(id); -+ if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE)) -+ goto oom; - return 0; - oom: - yyerror("out of memory"); --- -2.32.0 - diff --git a/SOURCES/0002-checkpolicy-Do-not-automatically-upgrade-when-using-.patch b/SOURCES/0002-checkpolicy-Do-not-automatically-upgrade-when-using-.patch deleted file mode 100644 index 5b1f477..0000000 --- a/SOURCES/0002-checkpolicy-Do-not-automatically-upgrade-when-using-.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 750cc1136d054b77e84cd55be5fbe0e8ad0174e8 Mon Sep 17 00:00:00 2001 -From: James Carter -Date: Mon, 15 Mar 2021 11:09:37 -0400 -Subject: [PATCH] checkpolicy: Do not automatically upgrade when using "-b" - flag - -When reading a binary policy, do not automatically change the version -to the max policy version supported by libsepol or, if specified, the -value given using the "-c" flag. - -If the binary policy version is less than or equal to version 23 -(POLICYDB_VERSION_PERMISSIVE) than do not automatically upgrade the -policy and if a policy version is specified by the "-c" flag, only set -the binary policy to the specified version if it is lower than the -current version. - -If the binary policy version is greater than version 23 than it should -be set to the maximum version supported by libsepol or, if specified, -the value given by the "-c" flag. - -The reason for this change is that policy versions 20 -(POLICYDB_VERSION_AVTAB) to 23 have a more primitive support for type -attributes where the datums are not written out, but they exist in the -type_attr_map. This means that when the binary policy is read by -libsepol, there will be gaps in the type_val_to_struct and -p_type_val_to_name arrays and policy rules can refer to those gaps. -Certain libsepol functions like sepol_kernel_policydb_to_conf() and -sepol_kernel_policydb_to_cil() do not support this behavior and need -to be able to identify these policies. Policies before version 20 do not -support attributes at all and can be handled by all libsepol functions. - -Signed-off-by: James Carter ---- - checkpolicy/checkpolicy.c | 19 +++++++++++++++---- - 1 file changed, 15 insertions(+), 4 deletions(-) - -diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c -index 5841c5c4c196..acf1eac41559 100644 ---- a/checkpolicy/checkpolicy.c -+++ b/checkpolicy/checkpolicy.c -@@ -106,7 +106,7 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN; - static const char *txtfile = "policy.conf"; - static const char *binfile = "policy"; - --unsigned int policyvers = POLICYDB_VERSION_MAX; -+unsigned int policyvers = 0; - - static __attribute__((__noreturn__)) void usage(const char *progname) - { -@@ -515,7 +515,8 @@ int main(int argc, char **argv) - } - - if (show_version) { -- printf("%d (compatibility range %d-%d)\n", policyvers, -+ printf("%d (compatibility range %d-%d)\n", -+ policyvers ? policyvers : POLICYDB_VERSION_MAX , - POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN); - exit(0); - } -@@ -588,6 +589,16 @@ int main(int argc, char **argv) - exit(1); - } - } -+ -+ if (policydbp->policyvers <= POLICYDB_VERSION_PERMISSIVE) { -+ if (policyvers > policydbp->policyvers) { -+ fprintf(stderr, "Binary policies with version <= %u cannot be upgraded\n", POLICYDB_VERSION_PERMISSIVE); -+ } else if (policyvers) { -+ policydbp->policyvers = policyvers; -+ } -+ } else { -+ policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; -+ } - } else { - if (conf) { - fprintf(stderr, "Can only generate policy.conf from binary policy\n"); -@@ -629,6 +640,8 @@ int main(int argc, char **argv) - policydb_destroy(policydbp); - policydbp = &policydb; - } -+ -+ policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX; - } - - if (policydb_load_isids(&policydb, &sidtab)) -@@ -654,8 +667,6 @@ int main(int argc, char **argv) - } - } - -- policydb.policyvers = policyvers; -- - if (!cil) { - if (!conf) { - policydb.policy_type = POLICY_KERN; --- -2.32.0 - diff --git a/SOURCES/0003-checkpolicy-silence-Wextra-semi-stmt-warning.patch b/SOURCES/0003-checkpolicy-silence-Wextra-semi-stmt-warning.patch deleted file mode 100644 index bbce173..0000000 --- a/SOURCES/0003-checkpolicy-silence-Wextra-semi-stmt-warning.patch +++ /dev/null @@ -1,48 +0,0 @@ -From ed7e3348d18bb00bcfcb3da6d4265307425bb882 Mon Sep 17 00:00:00 2001 -From: Nicolas Iooss -Date: Sat, 3 Jul 2021 16:31:20 +0200 -Subject: [PATCH] checkpolicy: silence -Wextra-semi-stmt warning - -On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt -(which is not the default build configuration), the compiler reports: - - checkpolicy.c:740:33: error: empty expression statement has no - effect; remove unnecessary ';' to silence this warning - [-Werror,-Wextra-semi-stmt] - FGETS(ans, sizeof(ans), stdin); - ^ - -Introduce "do { } while (0)" blocks to silence such warnings. - -Signed-off-by: Nicolas Iooss ---- - checkpolicy/checkpolicy.c | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c -index acf1eac41559..8af31db5c6b7 100644 ---- a/checkpolicy/checkpolicy.c -+++ b/checkpolicy/checkpolicy.c -@@ -119,11 +119,14 @@ static __attribute__((__noreturn__)) void usage(const char *progname) - } - - #define FGETS(out, size, in) \ --if (fgets(out,size,in)==NULL) { \ -- fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,\ -- strerror(errno)); \ -- exit(1);\ --} -+do { \ -+ if (fgets(out,size,in)==NULL) { \ -+ fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__, \ -+ strerror(errno)); \ -+ exit(1);\ -+ } \ -+} while (0) -+ - static int print_sid(sepol_security_id_t sid, - context_struct_t * context - __attribute__ ((unused)), void *data --- -2.32.0 - diff --git a/SOURCES/0004-checkpolicy-pass-CFLAGS-at-link-stage.patch b/SOURCES/0004-checkpolicy-pass-CFLAGS-at-link-stage.patch deleted file mode 100644 index d0ed351..0000000 --- a/SOURCES/0004-checkpolicy-pass-CFLAGS-at-link-stage.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 40e2f98519ba3fc6a4a0f2b4a2b8b0e1d864fd9e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:21 +0200 -Subject: [PATCH] checkpolicy: pass CFLAGS at link stage -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Pass CFLAGS when invoking CC at link time, it might contain optimization -or sanitizer flags required for linking. - -Signed-off-by: Christian Göttsche ---- - checkpolicy/Makefile | 4 ++-- - checkpolicy/test/Makefile | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile -index 0d282ef93d14..be63c0182682 100644 ---- a/checkpolicy/Makefile -+++ b/checkpolicy/Makefile -@@ -30,10 +30,10 @@ all: $(TARGETS) - $(MAKE) -C test - - checkpolicy: $(CHECKPOLOBJS) $(LIBSEPOLA) -- $(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA) -+ $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA) - - checkmodule: $(CHECKMODOBJS) $(LIBSEPOLA) -- $(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA) -+ $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA) - - %.o: %.c - $(CC) $(CFLAGS) -o $@ -c $< -diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile -index 89e7557c7aa6..e2a332b5a079 100644 ---- a/checkpolicy/test/Makefile -+++ b/checkpolicy/test/Makefile -@@ -13,10 +13,10 @@ endif - all: dispol dismod - - dispol: dispol.o $(LIBSEPOLA) -- $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA) - - dismod: dismod.o $(LIBSEPOLA) -- $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA) - - clean: - -rm -f dispol dismod *.o --- -2.32.0 - diff --git a/SOURCES/0005-checkpolicy-drop-pipe-compile-option.patch b/SOURCES/0005-checkpolicy-drop-pipe-compile-option.patch deleted file mode 100644 index debb48e..0000000 --- a/SOURCES/0005-checkpolicy-drop-pipe-compile-option.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 02678b9d40f7de5cae1840f3d7ceedf1499c84a8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:22 +0200 -Subject: [PATCH] checkpolicy: drop -pipe compile option -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The compiler option -pipe does not affect the generated code; it affects -whether the compiler uses temporary files or pipes. As the benefit might -vary from system to system usually its up to the packager or build -framework to set it. -Also these are the only places where the flag is used. - -Signed-off-by: Christian Göttsche ---- - checkpolicy/Makefile | 2 +- - checkpolicy/test/Makefile | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile -index be63c0182682..f9e1fc7cecd4 100644 ---- a/checkpolicy/Makefile -+++ b/checkpolicy/Makefile -@@ -10,7 +10,7 @@ TARGETS = checkpolicy checkmodule - LEX = flex - YACC = bison -y - --CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing -+CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -fno-strict-aliasing - - # If no specific libsepol.a is specified, fall back on LDFLAGS search path - # Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there -diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile -index e2a332b5a079..8e5d16b3c5f0 100644 ---- a/checkpolicy/test/Makefile -+++ b/checkpolicy/test/Makefile -@@ -1,7 +1,7 @@ - # - # Makefile for building the dispol program - # --CFLAGS ?= -g -Wall -W -Werror -O2 -pipe -+CFLAGS ?= -g -Wall -W -Werror -O2 - - # If no specific libsepol.a is specified, fall back on LDFLAGS search path - # Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there --- -2.32.0 - diff --git a/SOURCES/0006-checkpolicy-simplify-assignment.patch b/SOURCES/0006-checkpolicy-simplify-assignment.patch deleted file mode 100644 index 1cf5656..0000000 --- a/SOURCES/0006-checkpolicy-simplify-assignment.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 7cdb2a8fd2af0a063d6e505fd1250ca10ebbea11 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:23 +0200 -Subject: [PATCH] checkpolicy: simplify assignment -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -checkpolicy.c:504:20: style: The statement 'if (policyvers!=n) policyvers=n' is logically equivalent to 'policyvers=n'. [duplicateConditionalAssign] - if (policyvers != n) - ^ -checkpolicy.c:505:17: note: Assignment 'policyvers=n' - policyvers = n; - ^ -checkpolicy.c:504:20: note: Condition 'policyvers!=n' is redundant - if (policyvers != n) - ^ - -Found by Cppcheck - -Signed-off-by: Christian Göttsche ---- - checkpolicy/checkpolicy.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c -index 8af31db5c6b7..b52595a87b29 100644 ---- a/checkpolicy/checkpolicy.c -+++ b/checkpolicy/checkpolicy.c -@@ -504,8 +504,7 @@ int main(int argc, char **argv) - usage(argv[0]); - exit(1); - } -- if (policyvers != n) -- policyvers = n; -+ policyvers = n; - break; - } - case 'E': --- -2.32.0 - diff --git a/SOURCES/0007-checkpolicy-drop-dead-condition.patch b/SOURCES/0007-checkpolicy-drop-dead-condition.patch deleted file mode 100644 index 1317c8e..0000000 --- a/SOURCES/0007-checkpolicy-drop-dead-condition.patch +++ /dev/null @@ -1,47 +0,0 @@ -From db674bf2186b34a3712e2069c769131503dcb9ff Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:24 +0200 -Subject: [PATCH] checkpolicy: drop dead condition -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The variable `id` is guaranteed to be non-NULL due to the preceding -while condition. - - policy_define.c:1171:7: style: Condition '!id' is always false [knownConditionTrueFalse] - if (!id) { - ^ - policy_define.c:1170:13: note: Assuming that condition 'id=queue_remove(id_queue)' is not redundant - while ((id = queue_remove(id_queue))) { - ^ - policy_define.c:1171:7: note: Condition '!id' is always false - if (!id) { - ^ - -Found by Cppcheck. - -Signed-off-by: Christian Göttsche ---- - checkpolicy/policy_define.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c -index 16234f31bbc3..7eff747adacf 100644 ---- a/checkpolicy/policy_define.c -+++ b/checkpolicy/policy_define.c -@@ -1168,11 +1168,6 @@ int expand_attrib(void) - - ebitmap_init(&attrs); - while ((id = queue_remove(id_queue))) { -- if (!id) { -- yyerror("No attribute name for expandattribute statement?"); -- goto exit; -- } -- - if (!is_id_in_scope(SYM_TYPES, id)) { - yyerror2("attribute %s is not within scope", id); - goto exit; --- -2.32.0 - diff --git a/SOURCES/0008-checkpolicy-use-correct-format-specifier-for-unsigne.patch b/SOURCES/0008-checkpolicy-use-correct-format-specifier-for-unsigne.patch deleted file mode 100644 index 31bf65f..0000000 --- a/SOURCES/0008-checkpolicy-use-correct-format-specifier-for-unsigne.patch +++ /dev/null @@ -1,52 +0,0 @@ -From babc3d53518b7f9f01b83b9c997f9233a58af92b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:25 +0200 -Subject: [PATCH] checkpolicy: use correct format specifier for unsigned -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - - test/dispol.c:288:4: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint] - snprintf(buf, sizeof(buf), "unknown (%d)", i); - ^ - test/dismod.c:830:4: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint] - snprintf(buf, sizeof(buf), "unknown (%d)", i); - ^ - -Found by Cppcheck. - -Signed-off-by: Christian Göttsche ---- - checkpolicy/test/dismod.c | 2 +- - checkpolicy/test/dispol.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c -index 3408e9b6b767..fadbc8d16695 100644 ---- a/checkpolicy/test/dismod.c -+++ b/checkpolicy/test/dismod.c -@@ -827,7 +827,7 @@ static void display_policycaps(policydb_t * p, FILE * fp) - ebitmap_for_each_positive_bit(&p->policycaps, node, i) { - capname = sepol_polcap_getname(i); - if (capname == NULL) { -- snprintf(buf, sizeof(buf), "unknown (%d)", i); -+ snprintf(buf, sizeof(buf), "unknown (%u)", i); - capname = buf; - } - fprintf(fp, "\t%s\n", capname); -diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c -index 8785b7252824..37f71842c9e6 100644 ---- a/checkpolicy/test/dispol.c -+++ b/checkpolicy/test/dispol.c -@@ -285,7 +285,7 @@ static void display_policycaps(policydb_t * p, FILE * fp) - ebitmap_for_each_positive_bit(&p->policycaps, node, i) { - capname = sepol_polcap_getname(i); - if (capname == NULL) { -- snprintf(buf, sizeof(buf), "unknown (%d)", i); -+ snprintf(buf, sizeof(buf), "unknown (%u)", i); - capname = buf; - } - fprintf(fp, "\t%s\n", capname); --- -2.32.0 - diff --git a/SOURCES/0009-checkpolicy-follow-declaration-after-statement.patch b/SOURCES/0009-checkpolicy-follow-declaration-after-statement.patch deleted file mode 100644 index 86e9d88..0000000 --- a/SOURCES/0009-checkpolicy-follow-declaration-after-statement.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 79e7724930d49cc8cdac4c7d4e80b1fafd22d1d7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:26 +0200 -Subject: [PATCH] checkpolicy: follow declaration-after-statement -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Follow the project style of no declaration after statement. - -Found by the GCC warning -Wdeclaration-after-statement. - -Signed-off-by: Christian Göttsche ---- - checkpolicy/checkmodule.c | 6 ++++-- - checkpolicy/policy_define.c | 3 ++- - checkpolicy/test/dismod.c | 2 +- - 3 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c -index 40d0ec9924e9..316b289865e1 100644 ---- a/checkpolicy/checkmodule.c -+++ b/checkpolicy/checkmodule.c -@@ -288,14 +288,16 @@ int main(int argc, char **argv) - } - - if (policy_type != POLICY_BASE && outfile) { -+ char *out_name; -+ char *separator; - char *mod_name = modpolicydb.name; - char *out_path = strdup(outfile); - if (out_path == NULL) { - fprintf(stderr, "%s: out of memory\n", argv[0]); - exit(1); - } -- char *out_name = basename(out_path); -- char *separator = strrchr(out_name, '.'); -+ out_name = basename(out_path); -+ separator = strrchr(out_name, '.'); - if (separator) { - *separator = '\0'; - } -diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c -index 7eff747adacf..049df55f8468 100644 ---- a/checkpolicy/policy_define.c -+++ b/checkpolicy/policy_define.c -@@ -1904,9 +1904,10 @@ int avrule_read_ioctls(struct av_ioctl_range_list **rangehead) - { - char *id; - struct av_ioctl_range_list *rnew, *r = NULL; -- *rangehead = NULL; - uint8_t omit = 0; - -+ *rangehead = NULL; -+ - /* read in all the ioctl commands */ - while ((id = queue_remove(id_queue))) { - if (strcmp(id,"~") == 0) { -diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c -index fadbc8d16695..b1b96115e79e 100644 ---- a/checkpolicy/test/dismod.c -+++ b/checkpolicy/test/dismod.c -@@ -697,8 +697,8 @@ int display_avblock(int field, policydb_t * policy, - { - avrule_block_t *block = policydb.global; - while (block != NULL) { -- fprintf(out_fp, "--- begin avrule block ---\n"); - avrule_decl_t *decl = block->branch_list; -+ fprintf(out_fp, "--- begin avrule block ---\n"); - while (decl != NULL) { - if (display_avdecl(decl, field, policy, out_fp)) { - return -1; --- -2.32.0 - diff --git a/SOURCES/0010-checkpolicy-remove-dead-assignments.patch b/SOURCES/0010-checkpolicy-remove-dead-assignments.patch deleted file mode 100644 index 3c0c137..0000000 --- a/SOURCES/0010-checkpolicy-remove-dead-assignments.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 7723180fa09b0c483c07a76a4678f2c2cd51bff6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:27 +0200 -Subject: [PATCH] checkpolicy: remove dead assignments -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The variable `cladatum` is otherwise always assigned before used, so -these two assignments without a follow up usages are not needed. - -Found by clang-analyzer. - -Signed-off-by: Christian Göttsche ---- - checkpolicy/checkpolicy.c | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c -index b52595a87b29..58edcc34e8cc 100644 ---- a/checkpolicy/checkpolicy.c -+++ b/checkpolicy/checkpolicy.c -@@ -1179,8 +1179,6 @@ int main(int argc, char **argv) - printf("\nNo such class.\n"); - break; - } -- cladatum = -- policydb.class_val_to_struct[tclass - 1]; - } else { - ans[strlen(ans) - 1] = 0; - cladatum = -@@ -1232,8 +1230,6 @@ int main(int argc, char **argv) - printf("\nNo such class.\n"); - break; - } -- cladatum = -- policydb.class_val_to_struct[tclass - 1]; - } else { - ans[strlen(ans) - 1] = 0; - cladatum = --- -2.32.0 - diff --git a/SOURCES/0011-checkpolicy-check-before-potential-NULL-dereference.patch b/SOURCES/0011-checkpolicy-check-before-potential-NULL-dereference.patch deleted file mode 100644 index 9d90846..0000000 --- a/SOURCES/0011-checkpolicy-check-before-potential-NULL-dereference.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 5a10f05f53ef78c48ebce3d512960c71100073d0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:28 +0200 -Subject: [PATCH] checkpolicy: check before potential NULL dereference -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - - policy_define.c: In function ‘define_te_avtab_extended_perms’: - policy_define.c:1946:17: error: potential null pointer dereference [-Werror=null-dereference] - 1946 | r->omit = omit; - | ^ - -In the case of `r` being NULL, avrule_read_ioctls() would return -with its parameter `rangehead` being a pointer to NULL, which is -considered a failure in its caller `avrule_ioctl_ranges`. -So it is not necessary to alter the return value. - -Found by GCC 11 with LTO enabled. - -Signed-off-by: Christian Göttsche ---- - checkpolicy/policy_define.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c -index 049df55f8468..887857851504 100644 ---- a/checkpolicy/policy_define.c -+++ b/checkpolicy/policy_define.c -@@ -1943,7 +1943,9 @@ int avrule_read_ioctls(struct av_ioctl_range_list **rangehead) - } - } - r = *rangehead; -- r->omit = omit; -+ if (r) { -+ r->omit = omit; -+ } - return 0; - error: - yyerror("out of memory"); --- -2.32.0 - diff --git a/SOURCES/0012-checkpolicy-avoid-potential-use-of-uninitialized-var.patch b/SOURCES/0012-checkpolicy-avoid-potential-use-of-uninitialized-var.patch deleted file mode 100644 index e91e78a..0000000 --- a/SOURCES/0012-checkpolicy-avoid-potential-use-of-uninitialized-var.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 5218bf4b262ae6c3aa0ec72c5116a73bbdb7806f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:29 +0200 -Subject: [PATCH] checkpolicy: avoid potential use of uninitialized variable -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - - checkpolicy.c: In function ‘main’: - checkpolicy.c:1000:25: error: ‘tsid’ may be used uninitialized in this function [-Werror=maybe-uninitialized] - 1000 | printf("if_sid %d default_msg_sid %d\n", ssid, tsid); - | ^ - - checkpolicy.c: In function ‘main’: - checkpolicy.c:971:25: error: ‘tsid’ may be used uninitialized in this function [-Werror=maybe-uninitialized] - 971 | printf("fs_sid %d default_file_sid %d\n", ssid, tsid); - | ^ - -Found by GCC 11 with LTO enabled. - -Signed-off-by: Christian Göttsche ---- - checkpolicy/checkpolicy.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c -index 58edcc34e8cc..e6cfd3372022 100644 ---- a/checkpolicy/checkpolicy.c -+++ b/checkpolicy/checkpolicy.c -@@ -970,8 +970,12 @@ int main(int argc, char **argv) - printf("fs kdevname? "); - FGETS(ans, sizeof(ans), stdin); - ans[strlen(ans) - 1] = 0; -- sepol_fs_sid(ans, &ssid, &tsid); -- printf("fs_sid %d default_file_sid %d\n", ssid, tsid); -+ ret = sepol_fs_sid(ans, &ssid, &tsid); -+ if (ret) { -+ printf("unknown fs kdevname\n"); -+ } else { -+ printf("fs_sid %d default_file_sid %d\n", ssid, tsid); -+ } - break; - case '9': - printf("protocol? "); -@@ -999,8 +1003,12 @@ int main(int argc, char **argv) - printf("netif name? "); - FGETS(ans, sizeof(ans), stdin); - ans[strlen(ans) - 1] = 0; -- sepol_netif_sid(ans, &ssid, &tsid); -- printf("if_sid %d default_msg_sid %d\n", ssid, tsid); -+ ret = sepol_netif_sid(ans, &ssid, &tsid); -+ if (ret) { -+ printf("unknown name\n"); -+ } else { -+ printf("if_sid %d default_msg_sid %d\n", ssid, tsid); -+ } - break; - case 'b':{ - char *p; --- -2.32.0 - diff --git a/SOURCES/0013-checkpolicy-drop-redundant-cast-to-the-same-type.patch b/SOURCES/0013-checkpolicy-drop-redundant-cast-to-the-same-type.patch deleted file mode 100644 index 86056eb..0000000 --- a/SOURCES/0013-checkpolicy-drop-redundant-cast-to-the-same-type.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 4e3d0990c6be73419df3c32b7de98c992797e3ef Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:30 +0200 -Subject: [PATCH] checkpolicy: drop redundant cast to the same type -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Found by clang-tidy. - -Signed-off-by: Christian Göttsche ---- - checkpolicy/policy_define.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c -index 887857851504..efe3a1a26315 100644 ---- a/checkpolicy/policy_define.c -+++ b/checkpolicy/policy_define.c -@@ -1796,7 +1796,7 @@ int define_bool_tunable(int is_tunable) - return -1; - } - -- datum->state = (int)(bool_value[0] == 'T') ? 1 : 0; -+ datum->state = (bool_value[0] == 'T') ? 1 : 0; - free(bool_value); - return 0; - cleanup: --- -2.32.0 - diff --git a/SOURCES/0014-checkpolicy-parse_util-drop-unused-declaration.patch b/SOURCES/0014-checkpolicy-parse_util-drop-unused-declaration.patch deleted file mode 100644 index 3324e3d..0000000 --- a/SOURCES/0014-checkpolicy-parse_util-drop-unused-declaration.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 47f4cbd357fa0b0dc46e2e95ce10fc2d9a586061 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:31 +0200 -Subject: [PATCH] checkpolicy: parse_util drop unused declaration -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Christian Göttsche ---- - checkpolicy/parse_util.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c -index f2809b483be3..1795e93c31e4 100644 ---- a/checkpolicy/parse_util.c -+++ b/checkpolicy/parse_util.c -@@ -28,7 +28,6 @@ extern int yyparse(void); - extern void yyrestart(FILE *); - extern queue_t id_queue; - extern unsigned int policydb_errors; --extern unsigned long policydb_lineno; - extern policydb_t *policydbp; - extern int mlspol; - extern void set_source_file(const char *name); --- -2.32.0 - diff --git a/SOURCES/0015-checkpolicy-test-mark-file-local-functions-static.patch b/SOURCES/0015-checkpolicy-test-mark-file-local-functions-static.patch deleted file mode 100644 index 1f6668f..0000000 --- a/SOURCES/0015-checkpolicy-test-mark-file-local-functions-static.patch +++ /dev/null @@ -1,282 +0,0 @@ -From b306cd5b90979a4d6e1a85b842835deb77272873 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:32 +0200 -Subject: [PATCH] checkpolicy/test: mark file local functions static -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Christian Göttsche ---- - checkpolicy/test/dismod.c | 36 ++++++++++++++++++------------------ - checkpolicy/test/dispol.c | 22 +++++++++++----------- - 2 files changed, 29 insertions(+), 29 deletions(-) - -diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c -index b1b96115e79e..90c293186afd 100644 ---- a/checkpolicy/test/dismod.c -+++ b/checkpolicy/test/dismod.c -@@ -111,7 +111,7 @@ static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type, - } - } - --int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy, -+static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy, - FILE * fp) - { - unsigned int i, num_types; -@@ -175,7 +175,7 @@ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy, - return 0; - } - --int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp) -+static int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp) - { - unsigned int i, num = 0; - -@@ -210,7 +210,7 @@ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp) - - } - --int display_avrule(avrule_t * avrule, policydb_t * policy, -+static int display_avrule(avrule_t * avrule, policydb_t * policy, - FILE * fp) - { - class_perm_node_t *cur; -@@ -313,7 +313,7 @@ int display_avrule(avrule_t * avrule, policydb_t * policy, - return 0; - } - --int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) -+static int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) - { - type_datum_t *type; - FILE *fp; -@@ -355,14 +355,14 @@ int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data) - return 0; - } - --int display_types(policydb_t * p, FILE * fp) -+static int display_types(policydb_t * p, FILE * fp) - { - if (hashtab_map(p->p_types.table, display_type_callback, fp)) - return -1; - return 0; - } - --int display_users(policydb_t * p, FILE * fp) -+static int display_users(policydb_t * p, FILE * fp) - { - unsigned int i, j; - ebitmap_t *bitmap; -@@ -381,7 +381,7 @@ int display_users(policydb_t * p, FILE * fp) - return 0; - } - --int display_bools(policydb_t * p, FILE * fp) -+static int display_bools(policydb_t * p, FILE * fp) - { - unsigned int i; - -@@ -392,7 +392,7 @@ int display_bools(policydb_t * p, FILE * fp) - return 0; - } - --void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp) -+static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp) - { - - cond_expr_t *cur; -@@ -427,14 +427,14 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp) - } - } - --void display_policycon(FILE * fp) -+static void display_policycon(FILE * fp) - { - /* There was an attempt to implement this at one time. Look through - * git history to find it. */ - fprintf(fp, "Sorry, not implemented\n"); - } - --void display_initial_sids(policydb_t * p, FILE * fp) -+static void display_initial_sids(policydb_t * p, FILE * fp) - { - ocontext_t *cur; - char *user, *role, *type; -@@ -459,7 +459,7 @@ void display_initial_sids(policydb_t * p, FILE * fp) - #endif - } - --void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp) -+static void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp) - { - unsigned int i, num = 0; - -@@ -482,7 +482,7 @@ void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp) - fprintf(fp, " }"); - } - --void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp) -+static void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp) - { - for (; tr; tr = tr->next) { - fprintf(fp, "role transition "); -@@ -495,7 +495,7 @@ void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp) - } - } - --void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp) -+static void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp) - { - for (; ra; ra = ra->next) { - fprintf(fp, "role allow "); -@@ -517,7 +517,7 @@ static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, F - } - } - --int role_display_callback(hashtab_key_t key __attribute__((unused)), -+static int role_display_callback(hashtab_key_t key __attribute__((unused)), - hashtab_datum_t datum, void *data) - { - role_datum_t *role; -@@ -611,7 +611,7 @@ int change_bool(char *name, int state, policydb_t * p, FILE * fp) - } - #endif - --int display_avdecl(avrule_decl_t * decl, int field, -+static int display_avdecl(avrule_decl_t * decl, int field, - policydb_t * policy, FILE * out_fp) - { - fprintf(out_fp, "decl %u:%s\n", decl->decl_id, -@@ -692,7 +692,7 @@ int display_avdecl(avrule_decl_t * decl, int field, - return 0; /* should never get here */ - } - --int display_avblock(int field, policydb_t * policy, -+static int display_avblock(int field, policydb_t * policy, - FILE * out_fp) - { - avrule_block_t *block = policydb.global; -@@ -710,7 +710,7 @@ int display_avblock(int field, policydb_t * policy, - return 0; - } - --int display_handle_unknown(policydb_t * p, FILE * out_fp) -+static int display_handle_unknown(policydb_t * p, FILE * out_fp) - { - if (p->handle_unknown == ALLOW_UNKNOWN) - fprintf(out_fp, "Allow unknown classes and perms\n"); -@@ -834,7 +834,7 @@ static void display_policycaps(policydb_t * p, FILE * fp) - } - } - --int menu(void) -+static int menu(void) - { - printf("\nSelect a command:\n"); - printf("1) display unconditional AVTAB\n"); -diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c -index 37f71842c9e6..8ddefb04ac89 100644 ---- a/checkpolicy/test/dispol.c -+++ b/checkpolicy/test/dispol.c -@@ -42,7 +42,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname) - exit(1); - } - --int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p, -+static int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p, - FILE * fp) - { - char *perm; -@@ -54,13 +54,13 @@ int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p, - return 0; - } - --int render_type(uint32_t type, policydb_t * p, FILE * fp) -+static int render_type(uint32_t type, policydb_t * p, FILE * fp) - { - fprintf(fp, "%s", p->p_type_val_to_name[type - 1]); - return 0; - } - --int render_key(avtab_key_t * key, policydb_t * p, FILE * fp) -+static int render_key(avtab_key_t * key, policydb_t * p, FILE * fp) - { - char *stype, *ttype, *tclass; - stype = p->p_type_val_to_name[key->source_type - 1]; -@@ -84,7 +84,7 @@ int render_key(avtab_key_t * key, policydb_t * p, FILE * fp) - #define RENDER_DISABLED 0x0004 - #define RENDER_CONDITIONAL (RENDER_ENABLED|RENDER_DISABLED) - --int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what, -+static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what, - policydb_t * p, FILE * fp) - { - if (!(what & RENDER_UNCONDITIONAL)) { -@@ -163,7 +163,7 @@ int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what, - return 0; - } - --int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp) -+static int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp) - { - unsigned int i; - avtab_ptr_t cur; -@@ -178,7 +178,7 @@ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp) - return 0; - } - --int display_bools(policydb_t * p, FILE * fp) -+static int display_bools(policydb_t * p, FILE * fp) - { - unsigned int i; - -@@ -189,7 +189,7 @@ int display_bools(policydb_t * p, FILE * fp) - return 0; - } - --void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp) -+static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp) - { - - cond_expr_t *cur; -@@ -224,7 +224,7 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp) - } - } - --int display_cond_expressions(policydb_t * p, FILE * fp) -+static int display_cond_expressions(policydb_t * p, FILE * fp) - { - cond_node_t *cur; - cond_av_list_t *av_cur; -@@ -249,7 +249,7 @@ int display_cond_expressions(policydb_t * p, FILE * fp) - return 0; - } - --int display_handle_unknown(policydb_t * p, FILE * out_fp) -+static int display_handle_unknown(policydb_t * p, FILE * out_fp) - { - if (p->handle_unknown == ALLOW_UNKNOWN) - fprintf(out_fp, "Allow unknown classes and permissions\n"); -@@ -260,7 +260,7 @@ int display_handle_unknown(policydb_t * p, FILE * out_fp) - return 0; - } - --int change_bool(char *name, int state, policydb_t * p, FILE * fp) -+static int change_bool(char *name, int state, policydb_t * p, FILE * fp) - { - cond_bool_datum_t *bool; - -@@ -368,7 +368,7 @@ static void display_filename_trans(policydb_t *p, FILE *fp) - hashtab_map(p->filename_trans, filenametr_display, &args); - } - --int menu(void) -+static int menu(void) - { - printf("\nSelect a command:\n"); - printf("1) display unconditional AVTAB\n"); --- -2.32.0 - diff --git a/SOURCES/0016-checkpolicy-mark-read-only-parameters-in-policy-defi.patch b/SOURCES/0016-checkpolicy-mark-read-only-parameters-in-policy-defi.patch deleted file mode 100644 index c44405b..0000000 --- a/SOURCES/0016-checkpolicy-mark-read-only-parameters-in-policy-defi.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 1711757378d1ff1e7437fd7d5ddf263272284641 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= -Date: Tue, 6 Jul 2021 19:54:33 +0200 -Subject: [PATCH] checkpolicy: mark read-only parameters in policy define const -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Make it more obvious which parameters are read-only and not being -modified and allow callers to pass const pointers. - -Signed-off-by: Christian Göttsche ---- - checkpolicy/policy_define.c | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c -index efe3a1a26315..75a67d5c8a7c 100644 ---- a/checkpolicy/policy_define.c -+++ b/checkpolicy/policy_define.c -@@ -77,7 +77,7 @@ extern int yyerror(const char *msg); - #define ERRORMSG_LEN 255 - static char errormsg[ERRORMSG_LEN + 1] = {0}; - --static int id_has_dot(char *id); -+static int id_has_dot(const char *id); - static int parse_security_context(context_struct_t *c); - - /* initialize all of the state variables for the scanner/parser */ -@@ -141,7 +141,7 @@ int insert_id(const char *id, int push) - - /* If the identifier has a dot within it and that its first character - is not a dot then return 1, else return 0. */ --static int id_has_dot(char *id) -+static int id_has_dot(const char *id) - { - if (strchr(id, '.') >= id + 1) { - return 1; -@@ -2172,7 +2172,7 @@ void avrule_xperm_setrangebits(uint16_t low, uint16_t high, - } - } - --int avrule_xperms_used(av_extended_perms_t *xperms) -+int avrule_xperms_used(const av_extended_perms_t *xperms) - { - unsigned int i; - -@@ -2347,7 +2347,7 @@ unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms) - return 0; - } - --int avrule_cpy(avrule_t *dest, avrule_t *src) -+int avrule_cpy(avrule_t *dest, const avrule_t *src) - { - class_perm_node_t *src_perms; - class_perm_node_t *dest_perms, *dest_tail; -@@ -2395,7 +2395,7 @@ int avrule_cpy(avrule_t *dest, avrule_t *src) - return 0; - } - --int define_te_avtab_ioctl(avrule_t *avrule_template) -+int define_te_avtab_ioctl(const avrule_t *avrule_template) - { - avrule_t *avrule; - struct av_ioctl_range_list *rangelist; -@@ -3444,9 +3444,10 @@ bad: - return -1; - } - --static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr) -+static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr) - { -- constraint_expr_t *h = NULL, *l = NULL, *e, *newe; -+ constraint_expr_t *h = NULL, *l = NULL, *newe; -+ const constraint_expr_t *e; - for (e = expr; e; e = e->next) { - newe = malloc(sizeof(*newe)); - if (!newe) --- -2.32.0 - diff --git a/SPECS/checkpolicy.spec b/SPECS/checkpolicy.spec index b0d8457..e4e1e0b 100644 --- a/SPECS/checkpolicy.spec +++ b/SPECS/checkpolicy.spec @@ -1,33 +1,17 @@ -%define libselinuxver 3.2-5 -%define libsepolver 3.2-3 +%define libselinuxver 3.3-1 +%define libsepolver 3.3-1 Summary: SELinux policy compiler Name: checkpolicy -Version: 3.2 -Release: 4%{?dist} +Version: 3.3 +Release: 1%{?dist} License: GPLv2 -Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/checkpolicy-3.2.tar.gz +Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/checkpolicy-3.3.tar.gz # $ git clone https://github.com/fedora-selinux/selinux.git # $ cd selinux -# $ git format-patch -N 3.2 -- checkpolicy +# $ git format-patch -N 3.3 -- checkpolicy # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done # Patch list start -Patch0001: 0001-libsepol-checkpolicy-Set-user-roles-using-role-value.patch -Patch0002: 0002-checkpolicy-Do-not-automatically-upgrade-when-using-.patch -Patch0003: 0003-checkpolicy-silence-Wextra-semi-stmt-warning.patch -Patch0004: 0004-checkpolicy-pass-CFLAGS-at-link-stage.patch -Patch0005: 0005-checkpolicy-drop-pipe-compile-option.patch -Patch0006: 0006-checkpolicy-simplify-assignment.patch -Patch0007: 0007-checkpolicy-drop-dead-condition.patch -Patch0008: 0008-checkpolicy-use-correct-format-specifier-for-unsigne.patch -Patch0009: 0009-checkpolicy-follow-declaration-after-statement.patch -Patch0010: 0010-checkpolicy-remove-dead-assignments.patch -Patch0011: 0011-checkpolicy-check-before-potential-NULL-dereference.patch -Patch0012: 0012-checkpolicy-avoid-potential-use-of-uninitialized-var.patch -Patch0013: 0013-checkpolicy-drop-redundant-cast-to-the-same-type.patch -Patch0014: 0014-checkpolicy-parse_util-drop-unused-declaration.patch -Patch0015: 0015-checkpolicy-test-mark-file-local-functions-static.patch -Patch0016: 0016-checkpolicy-mark-read-only-parameters-in-policy-defi.patch # Patch list end BuildRequires: gcc BuildRequires: make @@ -77,6 +61,15 @@ install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol %{_bindir}/sedispol %changelog +* Fri Oct 22 2021 Petr Lautrbach - 3.3-1 +- SELinux userspace 3.3 release + +* Mon Oct 11 2021 Petr Lautrbach - 3.3-0.rc3.1 +- SELinux userspace 3.3-rc3 release + +* Wed Sep 29 2021 Petr Lautrbach - 3.3-0.rc2.1 +- SELinux userspace 3.3-rc2 release + * Mon Aug 09 2021 Mohan Boddu - 3.2-4 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688