verify file contexts during permissive and print line number on bad entry

libselinux/src/label.c

@@ -121,12 +121,11 @@ static inline int selabel_is_validate_set(const struct selinux_opt *opts,
 	return 0;
 }
 
-int selabel_validate(struct selabel_handle *rec,
-		     struct selabel_lookup_rec *contexts)
+int selabel_validate(struct selabel_lookup_rec *contexts)
 {
 	int rc = 0;
 
-	if (!rec->validating || contexts->validated)
+	if (contexts->validated)
 		goto out;
 
 	rc = selinux_validate(&contexts->ctx_raw);
@@ -143,7 +142,7 @@ static int selabel_fini(struct selabel_handle *rec,
 			    struct selabel_lookup_rec *lr,
 			    int translating)
 {
-	if (compat_validate(rec, lr, rec->spec_file, 0))
+	if (compat_validate(lr, rec->spec_file, lr->lineno))
 		return -1;
 
 	if (translating && !lr->ctx_trans &&

libselinux/src/label_backends_android.c

@@ -122,7 +122,7 @@ static int process_line(struct selabel_handle *rec,
 		spec_arr[nspec].lr.ctx_raw = context;
 
 		if (rec->validating) {
-			if (selabel_validate(rec, &spec_arr[nspec].lr) < 0) {
+			if (selabel_validate(&spec_arr[nspec].lr) < 0) {
 				selinux_log(SELINUX_ERROR,
 					    "%s:  line %u has invalid context %s\n",
 					    path, lineno, spec_arr[nspec].lr.ctx_raw);

libselinux/src/label_file.c

@@ -328,7 +328,7 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec,
 		spec->lr.ctx_raw = str_buf;
 
 		if (strcmp(spec->lr.ctx_raw, "<<none>>") && rec->validating) {
-			if (selabel_validate(rec, &spec->lr) < 0) {
+			if (selabel_validate(&spec->lr) < 0) {
 				selinux_log(SELINUX_ERROR,
 					    "%s: context %s is invalid\n",
 					    path, spec->lr.ctx_raw);

libselinux/src/label_file.h

@@ -472,6 +472,7 @@ static inline int process_line(struct selabel_handle *rec,
 	spec_arr[nspec].mode = 0;
 
 	spec_arr[nspec].lr.ctx_raw = context;
+	spec_arr[nspec].lr.lineno = lineno;
 
 	/*
 	 * bump data->nspecs to cause closef() to cover it in its free
@@ -506,7 +507,7 @@ static inline int process_line(struct selabel_handle *rec,
 	spec_hasMetaChars(&spec_arr[nspec]);
 
 	if (strcmp(context, "<<none>>") && rec->validating)
-		return compat_validate(rec, &spec_arr[nspec].lr, path, lineno);
+		return compat_validate(&spec_arr[nspec].lr, path, lineno);
 
 	return 0;
 }

libselinux/src/label_internal.h

@@ -73,6 +73,7 @@ struct selabel_lookup_rec {
 	char * ctx_raw;
 	char * ctx_trans;
 	int validated;
+	unsigned lineno;
 };
 
 struct selabel_handle {
@@ -111,8 +112,7 @@ struct selabel_handle {
  * Validation function
  */
 extern int
-selabel_validate(struct selabel_handle *rec,
-		 struct selabel_lookup_rec *contexts) hidden;
+selabel_validate(struct selabel_lookup_rec *contexts) hidden;
 
 /*
  * Compatibility support
@@ -127,8 +127,7 @@ extern void __attribute__ ((format(printf, 1, 2)))
 		selinux_log(type, fmt);
 
 extern int
-compat_validate(struct selabel_handle *rec,
-		struct selabel_lookup_rec *contexts,
+compat_validate(struct selabel_lookup_rec *contexts,
 		const char *path, unsigned lineno) hidden;
 
 /*

libselinux/src/matchpathcon.c

@@ -35,8 +35,7 @@ void set_matchpathcon_printf(void (*f) (const char *fmt, ...))
 	myprintf_compat = 1;
 }
 
-int compat_validate(struct selabel_handle *rec,
-		    struct selabel_lookup_rec *contexts,
+int compat_validate(struct selabel_lookup_rec *contexts,
 		    const char *path, unsigned lineno)
 {
 	int rc;
@@ -47,7 +46,7 @@ int compat_validate(struct selabel_handle *rec,
 	else if (mycanoncon)
 		rc = mycanoncon(path, lineno, ctx);
 	else {
-		rc = selabel_validate(rec, contexts);
+		rc = selabel_validate(contexts);
 		if (rc < 0) {
 			if (lineno) {
 				COMPAT_LOG(SELINUX_WARNING,