similarity index 100%
rename from recipes-security/selinux/checkpolicy_3.2.bb
rename to recipes-security/selinux/checkpolicy_3.3.bb
similarity index 100%
rename from recipes-security/selinux/libselinux-python_3.2.bb
rename to recipes-security/selinux/libselinux-python_3.3.bb
similarity index 100%
rename from recipes-security/selinux/libselinux_3.2.bb
rename to recipes-security/selinux/libselinux_3.3.bb
similarity index 100%
rename from recipes-security/selinux/libsemanage_3.2.bb
rename to recipes-security/selinux/libsemanage_3.3.bb
deleted file mode 100644
@@ -1,99 +0,0 @@
-From f34d3d30c8325e4847a6b696fe7a3936a8a361f3 Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Thu, 8 Apr 2021 13:32:01 -0400
-Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting
- classpermission
-
-Nicolas Iooss reports:
- A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
- got reported as
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
- is misleading, or is caused by another issue that conflicts with the
- one I report in this message). Here is a minimized CIL policy which
- reproduces the issue:
-
- (class CLASS (PERM))
- (classorder (CLASS))
- (sid SID)
- (sidorder (SID))
- (user USER)
- (role ROLE)
- (type TYPE)
- (category CAT)
- (categoryorder (CAT))
- (sensitivity SENS)
- (sensitivityorder (SENS))
- (sensitivitycategory SENS (CAT))
- (allow TYPE self (CLASS (PERM)))
- (roletype ROLE TYPE)
- (userrole USER ROLE)
- (userlevel USER (SENS))
- (userrange USER ((SENS)(SENS (CAT))))
- (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
-
- (classpermission CLAPERM)
-
- (optional OPT
- (roletype nonexistingrole nonexistingtype)
- (classpermissionset CLAPERM (CLASS (PERM)))
- )
-
- The CIL policy fuzzer (which mimics secilc built with clang Address
- Sanitizer) reports:
-
- ==36541==ERROR: AddressSanitizer: heap-use-after-free on address
- 0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
- 0x7ffe2a256588
- READ of size 8 at 0x603000004f98 thread T0
- #0 0x56445134c841 in __cil_verify_classperms
- /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
- #1 0x56445134a43e in __cil_verify_classpermission
- /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
- #2 0x56445134a43e in __cil_pre_verify_helper
- /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
- #3 0x5644513225ac in cil_tree_walk_core
- /selinux/libsepol/src/../cil/src/cil_tree.c:272:9
- #4 0x564451322ab1 in cil_tree_walk
- /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
- #5 0x5644513226af in cil_tree_walk_core
- /selinux/libsepol/src/../cil/src/cil_tree.c:284:9
- #6 0x564451322ab1 in cil_tree_walk
- /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
- #7 0x5644512b88fd in cil_pre_verify
- /selinux/libsepol/src/../cil/src/cil_post.c:2510:7
- #8 0x5644512b88fd in cil_post_process
- /selinux/libsepol/src/../cil/src/cil_post.c:2524:7
- #9 0x5644511856ff in cil_compile
- /selinux/libsepol/src/../cil/src/cil.c:564:7
-
-The classperms list of a classpermission rule is created and filled
-in when classpermissionset rules are processed, so it doesn't own any
-part of the list and shouldn't retain any of it when it is reset.
-
-Destroy the classperms list (without destroying the data in it) when
-resetting a classpermission rule.
-
-Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
-Signed-off-by: James Carter <jwcart2@gmail.com>
-
-Upstream-Status: Backport
-CVE: CVE-2021-36084
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- libsepol/cil/src/cil_reset_ast.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: libsepol-3.0/cil/src/cil_reset_ast.c
-===================================================================
---- libsepol-3.0.orig/cil/src/cil_reset_ast.c
-+++ libsepol-3.0/cil/src/cil_reset_ast.c
-@@ -52,7 +52,7 @@ static void cil_reset_classpermission(st
- return;
- }
-
-- cil_reset_classperms_list(cp->classperms);
-+ cil_list_destroy(&cp->classperms, CIL_FALSE);
- }
-
- static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
deleted file mode 100644
@@ -1,38 +0,0 @@
-From 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Thu, 8 Apr 2021 13:32:04 -0400
-Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
-
-Map perms share the same struct as regular perms, but only the
-map perms use the classperms field. This field is a pointer to a
-list of classperms that is created and added to when resolving
-classmapping rules, so the map permission doesn't own any of the
-data in the list and this list should be destroyed when the AST is
-reset.
-
-When resetting a perm, destroy the classperms list without destroying
-the data in the list.
-
-Signed-off-by: James Carter <jwcart2@gmail.com>
-
-Upstream-Status: Backport
-CVE: CVE-2021-36085
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- libsepol/cil/src/cil_reset_ast.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: libsepol-3.0/cil/src/cil_reset_ast.c
-===================================================================
---- libsepol-3.0.orig/cil/src/cil_reset_ast.c
-+++ libsepol-3.0/cil/src/cil_reset_ast.c
-@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_c
-
- static void cil_reset_perm(struct cil_perm *perm)
- {
-- cil_reset_classperms_list(perm->classperms);
-+ cil_list_destroy(&perm->classperms, CIL_FALSE);
- }
-
- static inline void cil_reset_classperms(struct cil_classperms *cp)
deleted file mode 100644
@@ -1,46 +0,0 @@
-From 49f9aa2a460fc95f04c99b44f4dd0d22e2f0e5ee Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Thu, 8 Apr 2021 13:32:06 -0400
-Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset
- classpermission
-
-In struct cil_classperms_set, the set field is a pointer to a
-struct cil_classpermission which is looked up in the symbol table.
-Since the cil_classperms_set does not create the cil_classpermission,
-it should not reset it.
-
-Set the set field to NULL instead of resetting the classpermission
-that it points to.
-
-Signed-off-by: James Carter <jwcart2@gmail.com>
-
-Upstream-Status: Backport
-[https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8]
-
-CVE: CVE-2021-36086
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- cil/src/cil_reset_ast.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/cil/src/cil_reset_ast.c b/cil/src/cil_reset_ast.c
-index 89f91e5..1d9ca70 100644
---- a/cil/src/cil_reset_ast.c
-+++ b/cil/src/cil_reset_ast.c
-@@ -59,7 +59,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
-
- static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
- {
-- cil_reset_classpermission(cp_set->set);
-+ if (cp_set == NULL) {
-+ return;
-+ }
-+
-+ cp_set->set = NULL;
- }
-
- static inline void cil_reset_classperms_list(struct cil_list *cp_list)
-2.17.1
-
similarity index 85%
rename from recipes-security/selinux/libsepol_3.2.bb
rename to recipes-security/selinux/libsepol_3.3.bb
@@ -9,10 +9,6 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=a6f89e2100d9b6cdffcea4f398e37343"
require selinux_common.inc
-SRC_URI += "file://CVE-2021-36084.patch \
- file://CVE-2021-36085.patch \
- file://CVE-2021-36086.patch "
-
inherit lib_package
S = "${WORKDIR}/git/libsepol"
similarity index 100%
rename from recipes-security/selinux/mcstrans_3.2.bb
rename to recipes-security/selinux/mcstrans_3.3.bb
similarity index 100%
rename from recipes-security/selinux/policycoreutils_3.2.bb
rename to recipes-security/selinux/policycoreutils_3.3.bb
similarity index 100%
rename from recipes-security/selinux/restorecond_3.2.bb
rename to recipes-security/selinux/restorecond_3.3.bb
deleted file mode 100644
@@ -1,134 +0,0 @@
-From bad0a746e9f4cf260dedba5828d9645d50176aac Mon Sep 17 00:00:00 2001
-From: James Carter <jwcart2@gmail.com>
-Date: Mon, 19 Apr 2021 09:06:15 -0400
-Subject: [PATCH] secilc/docs: Update the CIL documentation for various blocks
-
-Update the documentation for macros, booleans, booleanifs, tunables,
-tunableifs, blocks, blockabstracts, blockinherits, and optionals to
-tell where these statements can be used and, for those that have
-blocks, what statements are not allowed in them.
-
-Signed-off-by: James Carter <jwcart2@gmail.com>
-
-Upstream-Status: Backport
-CVE: CVE-2021-36087
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- docs/cil_call_macro_statements.md | 2 ++
- docs/cil_conditional_statements.md | 6 +++++
- docs/cil_container_statements.md | 28 +++++++++++++++--------
- 3 files changed, 26 insertions(+), 10 deletions(-)
-
-Index: secilc/docs/cil_call_macro_statements.md
-===================================================================
---- secilc.orig/docs/cil_call_macro_statements.md
-+++ secilc/docs/cil_call_macro_statements.md
-@@ -58,6 +58,8 @@ When resolving macros the following plac
-
- - Items defined in the global namespace
-
-+[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockinherit`](cil_container_statements.md#blockinherit), [`blockabstract`](cil_container_statements.md#blockabstract), and other [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.
-+
- **Statement definition:**
-
- ```secil
-Index: secilc/docs/cil_conditional_statements.md
-===================================================================
---- secilc.orig/docs/cil_conditional_statements.md
-+++ secilc/docs/cil_conditional_statements.md
-@@ -6,6 +6,8 @@ boolean
-
- Declares a run time boolean as true or false in the current namespace. The [`booleanif`](cil_conditional_statements.md#booleanif) statement contains the CIL code that will be in the binary policy file.
-
-+[`boolean`](cil_conditional_statements.md#boolean) are not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.
-+
- **Statement definition:**
-
- ```secil
-@@ -126,6 +128,8 @@ Tunables are similar to booleans, howeve
-
- Note that tunables can be treated as booleans by the CIL compiler command line parameter `-P` or `--preserve-tunables` flags.
-
-+Since [`tunableif`](cil_conditional_statements.md#tunableif) statements are resolved first, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in [`in`](cil_container_statements.md#in), [`macro`](cil_call_macro_statements.md#macro), [`optional`](cil_container_statements.md#optional), and [`booleanif`](cil_conditional_statements.md#booleanif) blocks. To simplify processing, they are also not allowed in [`tunableif`](cil_conditional_statements.md#tunableif) blocks.
-+
- **Statement definition:**
-
- ```secil
-@@ -164,6 +168,8 @@ tunableif
-
- Compile time conditional statement that may or may not add CIL statements to be compiled.
-
-+If tunables are being treated as booleans (by using the CIL compiler command line parameter `-P` or `--preserve-tunables` flag), then only the statements allowed in a [`booleanif`](cil_conditional_statements.md#booleanif) block are allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block. Otherwise, [`tunable`](cil_conditional_statements.md#tunable) statements are not allowed in a [`tunableif`](cil_conditional_statements.md#tunableif) block.
-+
- **Statement definition:**
-
- ```secil
-Index: secilc/docs/cil_container_statements.md
-===================================================================
---- secilc.orig/docs/cil_container_statements.md
-+++ secilc/docs/cil_container_statements.md
-@@ -4,7 +4,11 @@ Container Statements
- block
- -----
-
--Start a new namespace where any CIL statement is valid.
-+Start a new namespace.
-+
-+Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks.
-+
-+[`sensitivity`](cil_mls_labeling_statements.md#sensitivity) and [`category`](cil_mls_labeling_statements.md#category) statements are not allowed in [`block`](cil_container_statements.md#block) blocks.
-
- **Statement definition:**
-
-@@ -47,6 +51,8 @@ blockabstract
-
- Declares the namespace as a 'template' and does not generate code until instantiated by another namespace that has a [`blockinherit`](cil_container_statements.md#blockinherit) statement.
-
-+Not allowed in [`macro`](cil_call_macro_statements.md#macro) and [`optional`](cil_container_statements.md#optional) blocks.
-+
- **Statement definition:**
-
- ```secil
-@@ -97,6 +103,8 @@ blockinherit
-
- Used to add common policy rules to the current namespace via a template that has been defined with the [`blockabstract`](cil_container_statements.md#blockabstract) statement. All [`blockinherit`](cil_container_statements.md#blockinherit) statements are resolved first and then the contents of the block are copied. This is so that inherited blocks will not be inherited. For a concrete example, please see the examples section.
-
-+Not allowed in [`macro`](cil_call_macro_statements.md#macro) blocks.
-+
- **Statement definition:**
-
- ```secil
-@@ -199,15 +207,11 @@ This example contains a template `client
- optional
- --------
-
--Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy. [`tunableif`](cil_conditional_statements.md#tunableif) and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in optional containers. The same restrictions apply to CIL policy statements within [`optional`](cil_container_statements.md#optional)'s that apply to kernel policy statements, i.e. only the policy statements shown in the following table are valid:
-+Declare an [`optional`](cil_container_statements.md#optional) namespace. All CIL statements in the optional block must be satisfied before instantiation in the binary policy.
-
--| | | | |
--| ------------------- | -------------- | ------------------ | ------------------ |
--| [`allow`](cil_access_vector_rules.md#allow) | [`allowx`](cil_access_vector_rules.md#allowx) | [`auditallow`](cil_access_vector_rules.md#auditallow) | [`auditallowx`](cil_access_vector_rules.md#auditallowx) |
--| [`booleanif`](cil_conditional_statements.md#booleanif) | [`dontaudit`](cil_access_vector_rules.md#dontaudit) | [`dontauditx`](cil_access_vector_rules.md#dontauditx) | [`typepermissive`](cil_type_statements.md#typepermissive) |
--| [`rangetransition`](cil_mls_labeling_statements.md#rangetransition) | [`role`](cil_role_statements.md#role) | [`roleallow`](cil_role_statements.md#roleallow) | [`roleattribute`](cil_role_statements.md#roleattribute) |
--| [`roletransition`](cil_role_statements.md#roletransition) | [`type`](cil_type_statements.md#type) | [`typealias`](cil_type_statements.md#typealias) | [`typeattribute`](cil_type_statements.md#typeattribute) |
--| [`typechange`](cil_type_statements.md#typechange) | [`typemember`](cil_type_statements.md#typemember) | [`typetransition`](cil_type_statements.md#typetransition) | |
-+Not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) blocks.
-+
-+[`tunable`](cil_conditional_statements.md#tunable), [`in`](cil_container_statements.md#in), [`block`](cil_container_statements.md#block), [`blockabstract`](cil_container_statements.md#blockabstract), and [`macro`](cil_call_macro_statements.md#macro) statements are not allowed in [`optional`](cil_container_statements.md#optional) blocks.
-
- **Statement definition:**
-
-@@ -266,7 +270,11 @@ This example will instantiate the option
- in
- --
-
--Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)). This statement is not allowed in [`booleanif`](cil_conditional_statements.md#booleanif) or [`tunableif`](cil_conditional_statements.md#tunableif) statements. This only works for containers that aren't inherited using [`blockinherit`](cil_conditional_statements.md#blockinherit).
-+Allows the insertion of CIL statements into a named container ([`block`](cil_container_statements.md#block), [`optional`](cil_container_statements.md#optional) or [`macro`](cil_call_macro_statements.md#macro)).
-+
-+Not allowed in [`macro`](cil_call_macro_statements.md#macro), [`booleanif`](cil_conditional_statements.md#booleanif), and other [`in`](cil_container_statements.md#in) blocks.
-+
-+[`tunable`](cil_conditional_statements.md#tunable) and [`in`](cil_container_statements.md#in) statements are not allowed in [`in`](cil_container_statements.md#in) blocks.
-
- **Statement definition:**
-
similarity index 90%
rename from recipes-security/selinux/secilc_3.2.bb
rename to recipes-security/selinux/secilc_3.3.bb
@@ -8,8 +8,6 @@ LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c7e802b9a3b0c2c852669864c08b9138"
require selinux_common.inc
-SRC_URI += "file://CVE-2021-36087.patch"
-
DEPENDS += "libsepol xmlto-native"
S = "${WORKDIR}/git/secilc"
similarity index 100%
rename from recipes-security/selinux/selinux-dbus_3.2.bb
rename to recipes-security/selinux/selinux-dbus_3.3.bb
similarity index 100%
rename from recipes-security/selinux/selinux-gui_3.2.bb
rename to recipes-security/selinux/selinux-gui_3.3.bb
similarity index 100%
rename from recipes-security/selinux/selinux-python_3.2.bb
rename to recipes-security/selinux/selinux-python_3.3.bb
similarity index 100%
rename from recipes-security/selinux/selinux-sandbox_3.2.bb
rename to recipes-security/selinux/selinux-sandbox_3.3.bb
@@ -1,7 +1,7 @@
HOMEPAGE = "https://github.com/SELinuxProject"
SRC_URI = "git://github.com/SELinuxProject/selinux.git;branch=master;protocol=https"
-SRCREV = "cf853c1a0c2328ad6c62fb2b2cc55d4926301d6b"
+SRCREV = "7f600c40bc18d8180993edcd54daf45124736776"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)"
similarity index 100%
rename from recipes-security/selinux/semodule-utils_3.2.bb
rename to recipes-security/selinux/semodule-utils_3.3.bb
Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- ...{checkpolicy_3.2.bb => checkpolicy_3.3.bb} | 0 ...python_3.2.bb => libselinux-python_3.3.bb} | 0 .../{libselinux_3.2.bb => libselinux_3.3.bb} | 0 ...{libsemanage_3.2.bb => libsemanage_3.3.bb} | 0 .../selinux/libsepol/CVE-2021-36084.patch | 99 ------------- .../selinux/libsepol/CVE-2021-36085.patch | 38 ----- .../selinux/libsepol/CVE-2021-36086.patch | 46 ------ .../{libsepol_3.2.bb => libsepol_3.3.bb} | 4 - .../{mcstrans_3.2.bb => mcstrans_3.3.bb} | 0 ...oreutils_3.2.bb => policycoreutils_3.3.bb} | 0 ...{restorecond_3.2.bb => restorecond_3.3.bb} | 0 .../selinux/secilc/CVE-2021-36087.patch | 134 ------------------ .../selinux/{secilc_3.2.bb => secilc_3.3.bb} | 2 - ...elinux-dbus_3.2.bb => selinux-dbus_3.3.bb} | 0 ...{selinux-gui_3.2.bb => selinux-gui_3.3.bb} | 0 ...ux-python_3.2.bb => selinux-python_3.3.bb} | 0 ...-sandbox_3.2.bb => selinux-sandbox_3.3.bb} | 0 recipes-security/selinux/selinux_common.inc | 2 +- ...ule-utils_3.2.bb => semodule-utils_3.3.bb} | 0 19 files changed, 1 insertion(+), 324 deletions(-) rename recipes-security/selinux/{checkpolicy_3.2.bb => checkpolicy_3.3.bb} (100%) rename recipes-security/selinux/{libselinux-python_3.2.bb => libselinux-python_3.3.bb} (100%) rename recipes-security/selinux/{libselinux_3.2.bb => libselinux_3.3.bb} (100%) rename recipes-security/selinux/{libsemanage_3.2.bb => libsemanage_3.3.bb} (100%) delete mode 100644 recipes-security/selinux/libsepol/CVE-2021-36084.patch delete mode 100644 recipes-security/selinux/libsepol/CVE-2021-36085.patch delete mode 100644 recipes-security/selinux/libsepol/CVE-2021-36086.patch rename recipes-security/selinux/{libsepol_3.2.bb => libsepol_3.3.bb} (85%) rename recipes-security/selinux/{mcstrans_3.2.bb => mcstrans_3.3.bb} (100%) rename recipes-security/selinux/{policycoreutils_3.2.bb => policycoreutils_3.3.bb} (100%) rename recipes-security/selinux/{restorecond_3.2.bb => restorecond_3.3.bb} (100%) delete mode 100644 recipes-security/selinux/secilc/CVE-2021-36087.patch rename recipes-security/selinux/{secilc_3.2.bb => secilc_3.3.bb} (90%) rename recipes-security/selinux/{selinux-dbus_3.2.bb => selinux-dbus_3.3.bb} (100%) rename recipes-security/selinux/{selinux-gui_3.2.bb => selinux-gui_3.3.bb} (100%) rename recipes-security/selinux/{selinux-python_3.2.bb => selinux-python_3.3.bb} (100%) rename recipes-security/selinux/{selinux-sandbox_3.2.bb => selinux-sandbox_3.3.bb} (100%) rename recipes-security/selinux/{semodule-utils_3.2.bb => semodule-utils_3.3.bb} (100%)