From c6b0b7dab39ca9a9e8f39046a62b217bf74731b6 Mon Sep 17 00:00:00 2001
From: markeryang
Date: Thu, 14 Aug 2025 02:51:58 +0000
Subject: [PATCH] backport patches from upstream
---
 ...he-way-libsepol-policy-are-generated.patch | 272 ++++++++++++++++++
 ...-markers-for-info-nodes-w-o-children.patch | 35 +++
 ...lly-allow-duplicate-role-declaration.patch | 40 +++
 libsepol.spec | 24 +-
 4 files changed, 370 insertions(+), 1 deletion(-)
 create mode 100644 Optimized-the-way-libsepol-policy-are-generated.patch
 create mode 100644 backport-libsepol-Fix-markers-for-info-nodes-w-o-children.patch
 create mode 100644 backport-libsepol-cil-Optionally-allow-duplicate-role-declaration.patch
diff --git a/Optimized-the-way-libsepol-policy-are-generated.patch b/Optimized-the-way-libsepol-policy-are-generated.patch
new file mode 100644
index 0000000..9db24dc
--- /dev/null
+++ b/Optimized-the-way-libsepol-policy-are-generated.patch
@@ -0,0 +1,272 @@ +From ae864f32d4f70e789d5dc3eec74525e508df1720 Mon Sep 17 00:00:00 2001 +From: jinlun +Date: Mon, 28 Apr 2025 10:00:40 +0800 +Subject: [PATCH] Optimized the way libsepol policy are generated + +There are optimization patches in the kernel community that can save + the memory space of the policy, which causes the results of the + /sys/fs/selinux/policy generated by the kernel to be inconsistent + with the policy generated bt the call sepol_policydb_read. + +--- + libsepol-3.5/include/sepol/policydb.h | 3 + + .../include/sepol/policydb/policydb.h | 4 + + libsepol-3.5/src/hashtab.c | 9 +- + libsepol-3.5/src/libsepol.map.in | 1 + + libsepol-3.5/src/policydb.c | 86 +++++++++++++++++-- + libsepol-3.5/src/policydb_public.c | 5 ++ + 6 files changed, 98 insertions(+), 10 deletions(-) + +diff --git a/libsepol-3.5/include/sepol/policydb.h b/libsepol-3.5/include/sepol/policydb.h +index 792913d..0f74467 100644 +--- a/libsepol-3.5/include/sepol/policydb.h ++++ b/libsepol-3.5/include/sepol/policydb.h +@@ -111,6 +111,7 @@ extern int sepol_policydb_optimize(sepol_policydb_t * p); + * image contents. + */ + extern int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf); ++extern int sepol_policydb_read_canonicalize(sepol_policydb_t * p, sepol_policy_file_t * pf); + + /* + * Write a policydb to a policy file. 
+diff --git a/libsepol-3.5/include/sepol/policydb/policydb.h b/libsepol-3.5/include/sepol/policydb/policydb.h +index ef1a014..5a84aba 100644 +--- a/libsepol-3.5/include/sepol/policydb/policydb.h ++++ b/libsepol-3.5/include/sepol/policydb/policydb.h +@@ -727,6 +727,10 @@ extern void policy_file_init(policy_file_t * x); + + extern int policydb_read(policydb_t * p, struct policy_file *fp, + unsigned int verbose); ++extern int policydb_read_canonicalize(policydb_t * p, struct policy_file *fp, ++ unsigned int verbose); ++ ++ + extern int avrule_read_list(policydb_t * p, avrule_t ** avrules, + struct policy_file *fp); + +diff --git a/libsepol-3.5/src/hashtab.c b/libsepol-3.5/src/hashtab.c +index 6f01d09..1d6825b 100644 +--- a/libsepol-3.5/src/hashtab.c ++++ b/libsepol-3.5/src/hashtab.c +@@ -34,15 +34,22 @@ + + #include "private.h" + ++static size_t hashtab_compute_size(size_t nel) ++{ ++ if (nel == 0) ++ return 0; ++ return (size_t)(1 << (32 - __builtin_clz((nel) - 1))); ++} + hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h, + const_hashtab_key_t key), + int (*keycmp) (hashtab_t h, + const_hashtab_key_t key1, + const_hashtab_key_t key2), +- unsigned int size) ++ unsigned int nel) + { + + hashtab_t p; ++ unsigned int size = hashtab_compute_size(nel); + + p = (hashtab_t) malloc(sizeof(hashtab_val_t)); + if (p == NULL) +diff --git a/libsepol-3.5/src/libsepol.map.in b/libsepol-3.5/src/libsepol.map.in +index 844924f..3061a66 100644 +--- a/libsepol-3.5/src/libsepol.map.in ++++ b/libsepol-3.5/src/libsepol.map.in +@@ -288,4 +288,5 @@ LIBSEPOL_3.4 { + sepol_string_to_av_perm; + sepol_string_to_security_class; + sepol_validate_transition_reason_buffer; ++ sepol_policydb_read_canonicalize; + } LIBSEPOL_3.0; +diff --git a/libsepol-3.5/src/policydb.c b/libsepol-3.5/src/policydb.c +index 21bcad7..ecc1480 100644 +--- a/libsepol-3.5/src/policydb.c ++++ b/libsepol-3.5/src/policydb.c +@@ -2090,7 +2090,7 @@ static int perm_read(policydb_t * p + return -1; + } + +-static 
int common_read(policydb_t * p, hashtab_t h, struct policy_file *fp) ++static int common_read_pre(policydb_t * p, hashtab_t h, struct policy_file *fp, int canonicalize) + { + char *key = 0; + common_datum_t *comdatum; +@@ -2113,12 +2113,18 @@ static int common_read(policydb_t * p, hashtab_t h, struct policy_file *fp) + + comdatum->s.value = le32_to_cpu(buf[1]); + +- if (symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE)) ++ nel = le32_to_cpu(buf[3]); ++ ++ if (!canonicalize) ++ rc = symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE); ++ else ++ rc = symtab_init(&comdatum->permissions, nel); ++ ++ if (rc) + goto bad; + comdatum->permissions.nprim = le32_to_cpu(buf[2]); + if (comdatum->permissions.nprim > PERM_SYMTAB_SIZE) + goto bad; +- nel = le32_to_cpu(buf[3]); + + key = malloc(len + 1); + if (!key) +@@ -2143,6 +2149,16 @@ static int common_read(policydb_t * p, hashtab_t h, struct policy_file *fp) + return -1; + } + ++static int common_read(policydb_t * p, hashtab_t h, struct policy_file *fp) ++{ ++ return common_read_pre(p, h, fp, 1); ++} ++ ++static int common_read_canonicalize(policydb_t * p, hashtab_t h, struct policy_file *fp) ++{ ++ return common_read_pre(p, h, fp, 1); ++} ++ + static int read_cons_helper(policydb_t * p, constraint_node_t ** nodep, + unsigned int ncons, + int allowxtarget, struct policy_file *fp) +@@ -2238,7 +2254,7 @@ static int read_cons_helper(policydb_t * p, constraint_node_t ** nodep, + return 0; + } + +-static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp) ++static int class_read_pre(policydb_t * p, hashtab_t h, struct policy_file *fp, int canonicalize) + { + char *key = 0; + class_datum_t *cladatum; +@@ -2265,12 +2281,17 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp) + if (cladatum->s.value > UINT16_MAX) + goto bad; + +- if (symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE)) ++ nel = le32_to_cpu(buf[4]); ++ if (!canonicalize) ++ rc = symtab_init(&cladatum->permissions, 
PERM_SYMTAB_SIZE); ++ else ++ rc = symtab_init(&cladatum->permissions, nel); ++ if (rc) + goto bad; ++ + cladatum->permissions.nprim = le32_to_cpu(buf[3]); + if (cladatum->permissions.nprim > PERM_SYMTAB_SIZE) + goto bad; +- nel = le32_to_cpu(buf[4]); + + ncons = le32_to_cpu(buf[5]); + +@@ -2351,6 +2372,16 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp) + return -1; + } + ++static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp) ++{ ++ return class_read_pre(p, h, fp, 0); ++} ++ ++static int class_read_canonicalize(policydb_t * p, hashtab_t h, struct policy_file *fp) ++{ ++ return class_read_pre(p, h, fp, 1); ++} ++ + static int role_read(policydb_t * p, hashtab_t h, struct policy_file *fp) + { + char *key = 0; +@@ -3507,6 +3538,11 @@ static int (*read_f[SYM_NUM]) (policydb_t * p, hashtab_t h, + common_read, class_read, role_read, type_read, user_read, + cond_read_bool, sens_read, cat_read,}; + ++static int (*read_f_canonicalize[SYM_NUM]) (policydb_t * p, hashtab_t h, ++ struct policy_file * fp) = { ++common_read_canonicalize, class_read_canonicalize, role_read, type_read, user_read, ++ cond_read_bool, sens_read, cat_read,}; ++ + /************** module reading functions below **************/ + + static avrule_t *avrule_read(policydb_t * p, struct policy_file *fp) +@@ -4226,7 +4262,7 @@ static sepol_access_vector_t policydb_string_to_av_perm( + * Read the configuration data from a policy database binary + * representation file into a policy database structure. 
+ */ +-int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) ++int policydb_read_pre(policydb_t * p, struct policy_file *fp, unsigned verbose, int canonicalize) + { + + unsigned int i, j, r_policyvers; +@@ -4444,9 +4480,26 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) + ERR(fp->handle, "unexpected items in symbol table with no symbol"); + goto bad; + } +- for (j = 0; j < nel; j++) { +- if (read_f[i] (p, p->symtab[i].table, fp)) ++ ++ if (canonicalize) { ++ hashtab_destroy(p->symtab[i].table); ++ if (symtab_init(&p->symtab[i], nel)) + goto bad; ++ if (i == SYM_ROLES) { ++ if (roles_init(p)) ++ goto bad; ++ } ++ } ++ ++ ++ for (j = 0; j < nel; j++) { ++ if (canonicalize) { ++ if (read_f_canonicalize[i] (p, p->symtab[i].table, fp)) ++ goto bad; ++ } else { ++ if (read_f[i] (p, p->symtab[i].table, fp)) ++ goto bad; ++ } + } + + p->symtab[i].nprim = nprim; +@@ -4579,9 +4632,24 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) + + return POLICYDB_SUCCESS; + bad: ++ if (canonicalize) { ++ for (i = 0; i < SYM_NUM; i++) { ++ hashtab_destroy(p->symtab[i].table); ++ } ++ } + return POLICYDB_ERROR; + } + ++int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose) ++{ ++ return policydb_read_pre(p, fp, verbose, 0); ++} ++ ++int policydb_read_canonicalize(policydb_t * p, struct policy_file *fp, unsigned verbose) ++{ ++ return policydb_read_pre(p, fp, verbose, 1); ++} ++ + int policydb_reindex_users(policydb_t * p) + { + unsigned int i = SYM_USERS; +diff --git a/libsepol-3.5/src/policydb_public.c b/libsepol-3.5/src/policydb_public.c +index 0218c94..bbc2583 100644 +--- a/libsepol-3.5/src/policydb_public.c ++++ b/libsepol-3.5/src/policydb_public.c +@@ -212,3 +212,8 @@ int sepol_policydb_compat_net(const sepol_policydb_t * p) + return (hashtab_search(p->p.p_classes.table, PACKET_CLASS_NAME) == + NULL); + } ++ ++int sepol_policydb_read_canonicalize(sepol_policydb_t * p, 
sepol_policy_file_t * pf)
++{
++ return policydb_read_canonicalize(&p->p, &pf->pf, 0);
++}
+--
+2.33.0
+
diff --git a/backport-libsepol-Fix-markers-for-info-nodes-w-o-children.patch b/backport-libsepol-Fix-markers-for-info-nodes-w-o-children.patch
new file mode 100644
index 0000000..53932cd
--- /dev/null
+++ b/backport-libsepol-Fix-markers-for-info-nodes-w-o-children.patch
@@ -0,0 +1,35 @@
+From 3693e7ebb0a4e556fc7ef8e88108c508493c2b3b Mon Sep 17 00:00:00 2001
+From: Inseob Kim
+Date: Mon, 7 Apr 2025 11:37:57 +0900
+Subject: [PATCH] libsepol: Fix markers for info nodes w/o children
+
+cil_write_src_info_node has been called with
+__write_cil_ast_node_helper, but that may break the result CIL file in
+case there are no children for the info node, because the "lme" marker
+is printed with __write_cil_ast_last_child_helper.
+
+This change manually prints the "lme" marker in
+__write_cil_ast_node_helper in case there are no children, so opening
+markers and closing markers always match regardless of children.
+
+Signed-off-by: Inseob Kim
+Acked-by: James Carter
+---
+ libsepol/cil/src/cil_write_ast.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c
+index 15d8bbafee..f9edadba8c 100644
+--- a/libsepol/cil/src/cil_write_ast.c
++++ b/libsepol/cil/src/cil_write_ast.c
+@@ -1624,6 +1624,10 @@ static int __write_cil_ast_node_helper(struct cil_tree_node *node, uint32_t *fin
+ 
+ if (node->flavor == CIL_SRC_INFO) {
+ cil_write_src_info_node(args->out, node);
++
++ if (node->cl_head == NULL) {
++ fprintf(args->out, ";;* lme\n");
++ }
+ return SEPOL_OK;
+ }
+ 
diff --git a/backport-libsepol-cil-Optionally-allow-duplicate-role-declaration.patch b/backport-libsepol-cil-Optionally-allow-duplicate-role-declaration.patch
new file mode 100644
index 0000000..27699f4
--- /dev/null
+++ b/backport-libsepol-cil-Optionally-allow-duplicate-role-declaration.patch
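Review bot: `common_read` passes `1` as the `canonicalize` argument to `common_read_pre`, so the default `read_f[]` path sizes every common's permission table from the image's `nel` instead of `PERM_SYMTAB_SIZE`, unlike `class_read`, which passes `0`; the wrapper should read `return common_read_pre(p, h, fp, 0);`. `hashtab_compute_size` is also unsafe at the edges of its input: `__builtin_clz(0)` is undefined and `nel == 1` (a class or common with a single permission) reaches it, `nel == 0` yields a zero-bucket table that is only safe if `hashtab_insert`/`hashtab_search` guard `size == 0` (not visible in this hunk), and for `nel` above 2^30 the `int` shift `1 << 31` overflows — every one of these `nel` values comes straight from the policy image (`le32_to_cpu(buf[3])`, `le32_to_cpu(buf[4])`, and the symbol-table count used in `policydb_read_pre`), so the size should be rounded up with a loop and capped before it reaches `calloc`, as in the fence below. The `bad:` path of `policydb_read_pre` calls `hashtab_destroy` on every `p->symtab[i].table` without resetting the pointer to NULL, so the same tables are freed again by whatever tears the policydb down afterwards (presumably `policydb_destroy`), and the datums already inserted are leaked because no destroy callback runs; either drop that loop or set `p->symtab[i].table = NULL` after each destroy. Finally, `sepol_policydb_read_canonicalize` is added to the already-released `LIBSEPOL_3.4` version node in libsepol.map.in; a distribution-specific symbol belongs in a new version node so that the 3.4 symbol set stays identical to upstream's.
```c
static size_t hashtab_compute_size(size_t nel)
{
	size_t size;

	if (nel == 0)
		return 0;
	/* nel comes from the policy image: cap it before rounding up so a
	 * bogus count cannot drive calloc(); HASHTAB_MAX_NEL is a placeholder
	 * for the limit the project chooses. */
	if (nel > HASHTAB_MAX_NEL)
		nel = HASHTAB_MAX_NEL;
	for (size = 1; size < nel; size <<= 1)
		;
	return size;
}
```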
@@ -0,0 +1,40 @@
+From ae3c44c2d44b5e2f1c87b4b095d522a7f11add7a Mon Sep 17 00:00:00 2001
+From: James Carter
+Date: Mon, 21 Apr 2025 11:34:35 +0800
+Subject: [PATCH] libsepol-cil-Optionally-allow-duplicate-role-declarations
+
+Reference:https://github.com/SELinuxProject/selinux/commit/7492632a6b6a1081d0c057a2ecfc193be9989515
+
+---
+ libsepol/cil/src/cil_build_ast.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
+index 4177c9f..8264984 100644
+--- a/libsepol/cil/src/cil_build_ast.c
++++ b/libsepol/cil/src/cil_build_ast.c
+@@ -92,6 +92,7 @@ static int cil_allow_multiple_decls(struct cil_db *db, enum cil_flavor f_new, en
+ switch (f_new) {
+ case CIL_TYPE:
+ case CIL_TYPEATTRIBUTE:
++ case CIL_ROLE:
+ if (db->multiple_decls) {
+ return CIL_TRUE;
+ }
+@@ -1750,7 +1751,12 @@ int cil_gen_role(struct cil_db *db, struct cil_tree_node *parse_current, struct
+ 
+ rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)role, (hashtab_key_t)key, CIL_SYM_ROLES, CIL_ROLE);
+ if (rc != SEPOL_OK) {
+- goto exit;
++ if (rc == SEPOL_EEXIST) {
++ cil_destroy_role(role);
++ role = NULL;
++ } else {
++ goto exit;
++ }
+ }
+ 
+ return SEPOL_OK;
+--
+2.33.0
+
diff --git a/libsepol.spec b/libsepol.spec
index 5d7a68e..1a7925c 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,6 +1,6 @@
 Name: libsepol
 Version: 3.5
-Release: 5
+Release: 11
 Summary: SELinux binary policy manipulation library
 License: LGPLv2+
 URL: https://github.com/SELinuxProject/selinux/wiki/Releases
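Review bot: In `cil_gen_role`, the `role = NULL;` store after `cil_destroy_role(role);` is dead, because the function returns SEPOL_OK on the next statement and never reaches `exit:`; it presumably mirrors the same pattern in `cil_gen_type`, which is acceptable, but the silent-success branch deserves a comment such as `/* duplicate role declaration accepted under db->multiple_decls: keep the existing datum */`. The `exit:` label and the rest of `cil_gen_role`, as well as the part of `cil_allow_multiple_decls` that compares against the second flavor parameter, lie outside the hunk, so whether the new `case CIL_ROLE:` is also checked against the earlier declaration's flavor cannot be confirmed here.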
@@ -40,6 +40,10 @@ Patch0031: backport-libsepol-Initialize-strs-on-declaration.patch
 Patch0032: backport-libsepol-mls-Do-not-destroy-context-on-memory-error.patch
 Patch0033: backport-libsepol-cil-cil_post-Initialize-tmp-on-declaration.patch
 Patch0034: backport-libsepol-cil-Initialize-avtab_datum-on-declaration.patch
+Patch0035: backport-libsepol-cil-Optionally-allow-duplicate-role-declaration.patch
+Patch0036: backport-libsepol-Fix-markers-for-info-nodes-w-o-children.patch
+
+Patch9000: Optimized-the-way-libsepol-policy-are-generated.patch
 BuildRequires: gcc flex
@@ -100,6 +104,24 @@ make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install
 %{_mandir}/man3/*
 %changelog
+* Wed Aug 13 2025 yanglongkang - 3.5-11
+- backport patches from upstream
+
+* Thu May 8 2025 jinlun - 3.5-10
+- Revert "libsepol-Remove-special-handling-of-roles-in-module_to_cil"
+
+* Mon Apr 28 2025 changhan - 3.5-9
+- Change the author's mail
+
+* Mon Apr 28 2025 jinlun - 3.5-8
+- Optimized the way libsepol policy are generated
+
+* Mon Apr 21 2025 changhan - 3.5-7
+- backport libsepol: Remove special handling of roles in module_to_cil.c
+
+* Mon Apr 21 2025 changhan - 3.5-6
+- backport libsepol/cil: Optionally allow duplicate role declarations
+
 * Tue Mar 18 2025 Linux_zhang - 3.5-5
 - backport patches from upstream
-- Gitee