selinux: genheaders should fail if too many permissions are defined

Ensure that genheaders fails with an error if too many permissions
are defined in a class to fit within an access vector. This is similar
to a check performed by checkpolicy when compiling the policy.

Also, fix the suffix on the permission constants generated by this program.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
index 6a24569c3578af93673cdd40372fdd6224638de9..672b069dcfea4b2945d07b1de74afc8203c1a6a0 100644 (file)
--- a/scripts/selinux/genheaders/genheaders.c
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -129,11 +129,16 @@ int main(int argc, char *argv[])
        for (i = 0; secclass_map[i].name; i++) {
                struct security_class_mapping *map = &secclass_map[i];
                for (j = 0; map->perms[j]; j++) {
+                       if (j >= 32) {
+                               fprintf(stderr, "Too many permissions to fit into an access vector at (%s, %s).\n",
+                                       map->name, map->perms[j]);
+                               exit(5);
+                       }
                        fprintf(fout, "#define %s__%s", map->name,
                                map->perms[j]);
                        for (k = 0; k < max(1, 40 - strlen(map->name) - strlen(map->perms[j])); k++)
                                fprintf(fout, " ");
-                       fprintf(fout, "0x%08xUL\n", (1<<j));
+                       fprintf(fout, "0x%08xU\n", (1<<j));
                }
        }