
Stephen Smalley  committed c71644b

Report source file and line information for neverallow failures.

Change-Id: I0def97a5f2f6097e2dad7bcd5395b8fa740d7073
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>



Files changed (5)

File include/sepol/policydb/policydb.h

 	class_perm_node_t *perms;
 	unsigned long line;	/* line number from policy.conf where
 				 * this rule originated  */
+	/* source file name and line number (e.g. .te file) */
+	char *source_filename;
+	unsigned long source_line;
 	struct avrule *next;
 } avrule_t;
 
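Review bot: The new field comment does not say who owns `source_filename` or that it may be unset, and both matter to the other hunks of this commit: src/policydb.c frees it together with the rule and src/assertion.c tests it for NULL before printing it. Suggest `/* source file name and line number (e.g. .te file); source_filename is heap-allocated, owned by this rule (freed with it) and NULL when unknown */`. Whether every place that initializes an avrule_t zeroes the two new fields is not visible here and is worth confirming, since an uninitialized pointer would reach the free in the destroy path.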

File src/assertion.c

 				  policydb_t * p,
 				  avtab_t * te_avtab, avtab_t * te_cond_avtab,
 				  unsigned int stype, unsigned int ttype,
-				  class_perm_node_t * perm, unsigned long line)
+				  avrule_t * avrule)
 {
 	avtab_key_t avkey;
 	avtab_ptr_t node;
 	class_perm_node_t *curperm;
 
-	for (curperm = perm; curperm != NULL; curperm = curperm->next) {
+	for (curperm = avrule->perms; curperm != NULL; curperm = curperm->next) {
 		avkey.source_type = stype + 1;
 		avkey.target_type = ttype + 1;
 		avkey.target_class = curperm->class;
 	return 0;
 
       err:
-	if (line) {
+	if (avrule->source_filename) {
+		ERR(handle, "neverallow on line %lu of %s (or line %lu of policy.conf) violated by allow %s %s:%s {%s };",
+		    avrule->source_line, avrule->source_filename, avrule->line,
+		    p->p_type_val_to_name[stype],
+		    p->p_type_val_to_name[ttype],
+		    p->p_class_val_to_name[curperm->class - 1],
+		    sepol_av_to_string(p, curperm->class,
+				       node->datum.data & curperm->data));
+	} else if (avrule->line) {
 		ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
-		    line, p->p_type_val_to_name[stype], 
+		    avrule->line, p->p_type_val_to_name[stype],
 		    p->p_type_val_to_name[ttype],
 		    p->p_class_val_to_name[curperm->class - 1],
 		    sepol_av_to_string(p, curperm->class,
 			if (a->flags & RULE_SELF) {
 				if (check_assertion_helper
 				    (handle, p, &te_avtab, &te_cond_avtab, i, i,
-				     a->perms, a->line)) {
+				     a)) {
 					rc = -1;
 					goto out;
 				}
 					continue;
 				if (check_assertion_helper
 				    (handle, p, &te_avtab, &te_cond_avtab, i, j,
-				     a->perms, a->line)) {
+				     a)) {
 					rc = -1;
 					goto out;
 				}
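Review bot: In the new first branch of the `err:` path `avrule->line` is printed unconditionally as "(or line %lu of policy.conf)", while the following branch still guards on `avrule->line`; if a rule that carries a `source_filename` can have `line == 0`, the message will claim line 0 of policy.conf. Either confirm that such rules always have a policy.conf line or guard the suffix the way the second branch does. The helper only reads through `avrule`, so the new parameter could be declared `const avrule_t * avrule` to document that. check_assertion_helper's signature and the end of its if/else chain lie outside the hunk, as do the callers' enclosing loops.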

File src/expand.c

 	avrule->specified = AVRULE_NEVERALLOW;
 	avrule->line = source_rule->line;
 	avrule->flags = source_rule->flags;
+	avrule->source_line = source_rule->source_line;
+	avrule->source_filename = strdup(source_rule->source_filename);
+	if (!avrule->source_filename)
+		goto err;
 
 	if (ebitmap_cpy(&avrule->stypes.types, &stypes))
 		goto err;
 			cur_perm = cur_perm->next;
 		}
 		new_rule->line = cur->line;
+		new_rule->source_line = cur->source_line;
+		new_rule->source_filename = strdup(cur->source_filename);
+		if (!new_rule->source_filename)
+			goto cleanup;
 
 		cur = cur->next;
 
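Review bot: `strdup(source_rule->source_filename)` in the first hunk is called without checking for NULL, and the `if (!avrule->source_filename) goto err;` that follows then treats a legitimately absent filename as an allocation failure; src/assertion.c in this same commit tests `source_filename` for NULL, so the field can evidently be unset. Suggest `avrule->source_filename = source_rule->source_filename ? strdup(source_rule->source_filename) : NULL;` followed by `if (source_rule->source_filename && !avrule->source_filename) goto err;`. The second hunk (`new_rule->source_filename = strdup(cur->source_filename);` with its `goto cleanup`) has the same problem and wants the same shape. Both enclosing functions start and end outside the hunks.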

File src/policydb.c

 	type_set_destroy(&x->stypes);
 	type_set_destroy(&x->ttypes);
 
+	free(x->source_filename);
+
 	next = x->perms;
 	while (next) {
 		cur = next;