Message ID | 20220519185418.168937-2-dominick.grift@defensec.nl |
---|---|
State | New |
Headers | From: Dominick Grift <dominick.grift@defensec.nl>; To: openwrt-devel@lists.openwrt.org; Cc: daniel@makrotopia.org, Dominick Grift <dominick.grift@defensec.nl>; Subject: [PATCH 1/8] libsepol: update to version 3.4; Date: Thu, 19 May 2022 20:54:13 +0200; In-Reply-To: <20220519185418.168937-1-dominick.grift@defensec.nl> |
Series | [1/8] libsepol: update to version 3.4 |
diff --git a/package/libs/libsepol/Makefile b/package/libs/libsepol/Makefile index 87f1ccd917..39f646b7c0 100644 --- a/package/libs/libsepol/Makefile +++ b/package/libs/libsepol/Makefile @@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libsepol -PKG_VERSION:=3.3 +PKG_VERSION:=3.4 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/SELinuxProject/selinux/releases/download/$(PKG_VERSION) -PKG_HASH:=2d97df3eb8466169b389c3660acbb90c54200ac96e452eca9f41a9639f4f238b +PKG_HASH:=fc277ac5b52d59d2cd81eec8b1cccd450301d8b54d9dd48a993aea0577cf0336 PKG_MAINTAINER:=Thomas Petazzoni <thomas.petazzoni@bootlin.com>
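Review bot: The `+PKG_HASH:=` line changes the source checksum in the same hunk as `PKG_VERSION`, but nothing in the commit message says how the new SHA-256 was obtained. Since `PKG_SOURCE_URL` resolves to the GitHub release download for 3.4, please state in the commit message that the value was checked against the libsepol-3.4.tar.gz release tarball by a route independent of the build host's own download (for example an upstream-published checksum, if one is available), so a reviewer can repeat the check. `PKG_RELEASE:=1` stays as it is in the context lines, which is what a version bump wants.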
0a8c177d Update VERSIONs to 3.4 for release.
9e096e6e libsepol,checkpolicy: add support for self keyword in type transitions
539b0660 libsepol/cil: add support for self keyword in type transitions
9df28c24 Update VERSIONs to 3.4-rc3 for release.
2a167d11 Update VERSIONs to 3.4-rc2 for release.
8c115936 libsepol/cil: comment out unused function __cil_verify_rule
80137479 libsepol/tests: adjust IPv6 netmasks
c74df1cd libsepol/tests: Declare file local functions as static
4a77a5ba libsepol/tests: Include paired headers for prototypes
02f330c9 libsepol/tests Include policydb.h header for policydb_t declaration
9d57ab6c libsepol: drop unnecessary const discarding casts
68a29c3a libsepol: check correct pointer for oom
6bc29805 libsepol/cil: declare file local function pointer static
20187dbf libsepol: Replace calls to mallocarray() with calls to calloc()
fed78faa libsepol: add policy utilities
fbba2393 libsepol: export functions for policy analysis
3ae07ec3 libsepol: introduce sepol_const_security_context_t typedef
f0e085f6 libsepol: add sepol_av_perm_to_string
73562de8 Update VERSIONs to 3.4-rc1 for release.
f5a764d9 libsepol/cil: post process pirqcon rules
cf7f7aaf libsepol/cil: drop unused function cil_tree_error
6bfd1be2 libsepol/cil: declare file local functions static
c640af42 libsepol: mark immutable common helper parameter const
63599466 libsepol: mark immutable mls and context parameter const
0233e4f6 libsepol: add missing oom checks
5d3c4430 libsepol/cil: silence GCC 12 array-bounds false positive
c3f0124b libsepol: Validate conditional expressions
dfc652f0 libsepol: Use calloc when initializing bool_val_to_struct array
5456002f libsepol/cil: Write a message when a log message is truncated
29e610f9 libsepol: Don't write out constraint if it has no permissions
1f15c628 libsepol/cil: Don't add constraint if there are no permissions
0d84ebcb libsepol: Shorten the policy capability enum names
672d8c2c libsepol: validate boolean datum arrays
93ff4ce5 libsepol: reject xperm av rules in conditional statements
5b6e6254 libsepol: Do a more thorough validation of constraints
cc1bd5e8 libsepol: fix reallocarray imports
2d35696d libsepol: NULL pointer offset fix
71bcdcc9 libsepol: Add 'ioctl_skip_cloexec' policy capability
c900816e libsepol: Populate and use policy name
bc26ddc5 libsepol/cil: Limit the amount of reporting for context rule conflicts
c964fe14 libsepol/cil: Limit the neverallow violations reported
3c45d91c libsepol/cil: Provide more control over reporting bounds failures
3ffb84ec libsepol/cil: Add cil_get_log_level() function
71291385 libsepol: Fix two problems with neverallowxperm reporting
931380ca libsepol: Set args avtab pointer when reporting assertion violations
fb3a383f libsepol: The src and tgt must be the same if neverallow uses self
46106724 libsepol: Make return value clearer when reporting neverallowx errors
88c79c68 libsepol: Refactor match_any_class_permissions() to be clearer
3b71e516 libsepol: Make use of previously created ebitmap when checking self
cfdf4ec2 libsepol: Move assigning outer loop index out of inner loop
8f643827 libsepol: Remove unnessesary check for matching class
68d32d2c libsepol: Use (rc < 0) instead of (rc) when calling ebitmap functions
7312d3c6 libsepol: Create function check_assertion_self_match() and use it
d4456cb4 libsepol: Move check of target types to before check for self
a9d56880 libsepol: Use consistent return checking style
18e1ae11 libsepol: Check for error from check_assertion_extended_permissions()
a700e426 libsepol: Remove uneeded error messages in assertion checking
c2af8933 libsepol: Change label in check_assertion_avtab_match()
521e6ad7 libsepol: Return an error if check_assertion() returns an error.
ff25475c libsepol: validate several flags
9bee80da libsepol: more strict constraint validation
496002e7 libsepol: use correct error type to please UBSAN
86cdb9f1 libsepol/cil: Ensure that the class in a classcommon is a kernel class
f0823bbb libsepol/cil: Do not resolve names to declarations in abstract blocks
6d783e5b libsepol/cil: Mark as abstract all sub-blocks of an abstract block
e6429963 libsepol/cil: Do not copy blockabstracts when inheriting a block
58443a00 libsepol: do not add gaps to string list
73850041 libsepol: invert only valid range of role bitmap
42a8dc46 libsepol: handle type gaps
b8cba274 libsepol: drop trailing newlines in log messages
f52f5e27 libsepol: return failure on saturated class name length
c3d52a6a libsepol: check for saturated class name length
ad2ff8a8 ci: run the tests under ASan/UBsan on GHActions
b78560fd libsepol: check for valid sensitivity before lookup
b2ba721e libsepol/cil: bail out on snprintf failure
5e6e516e libsepol: validate class default targets
24618ad3 libsepol: validate fsuse types
8a7215c6 libsepol: validate categories
80b94415 libsepol: validate policy properties
2c4da50a libsepol: validate permissive types
88e280a1 libsepol: validate genfs contexts
86281337 libsepol: validate ocontexts
5f816232 libsepol: validate type of avtab type rules
8c59d614 libsepol: validate constraint expression operators and attributes
312eac1c libsepol: validate avtab and avrule types
ba6d8225 libsepol: resolve log message mismatch
e39cf0a1 libsepol: validate permission count of classes
fffb1609 libsepol: validate expanded user range and level
8fdb3eb2 libsepol: validate MLS levels
e2e60d9b libsepol: split validation of datum array gaps and entries
691e6aff libsepol: do not create a string list with initial size zero
35ef9b95 libsepol: use correct size for initial string list
73154020 libsepol: do not crash on user gaps
b76eda52 libsepol: do not crash on class gaps
c12b7d90 libsepol: do not underflow on short format arguments
47c3d96e libsepol: use size_t for indexes in strs helpers
8565e2c5 libsepol: zero member before potential dereference
1b4979c5 libsepol: reject invalid filetrans source type
8750fb68 libsepol: reject abnormal huge sid ids
f571438a libsepol: clean memory on conditional insertion failure
2331dcaf libsepol: enforce avtab item limit
97af65f6 libsepol: add checks for read sizes
f0a5f6e3 libsepol: use reallocarray wrapper to avoid overflows
18303c85 libsepol: use mallocarray wrapper to avoid overflows
852f14d4 libsepol: use logging framework in ebitmap.c
5c178f9f libsepol: use logging framework in conditional.c
51394330 libsepol/fuzz: limit element sizes for fuzzing
82438341 libsepol: add libfuzz based fuzzer for reading binary policies
e0ba1168 libsepol/fuzz: silence secilc-fuzzer
413518a6 libsepol/cil: support IPv4/IPv6 address embedding
a46ade3f libsepol: Write out genfscon file type when writing out CIL policy
3677af8f libsepol/cil: Allow optional file type in genfscon rules
c9ed5521 libsepol/cil: Refactor filecon file type handling
55e67489 libsepol: Add support for file types in writing out policy.conf
c42dcf58 libsepol: use string literals as format strings
f95dbf2c libsepol: avoid passing NULL pointer to memcpy
b98d3c4c libsepol: do not pass NULL to memcpy

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
 package/libs/libsepol/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)