checkpolicy: warn on bogus IP address or netmask in nodecon statement

Warn if the netmask is not contiguous or the address has host bits set, e.g.: 127.0.0.0 255.255.245.0 127.0.0.1 255.255.255.0 Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-30 12:00:34 +01:00 · 2021-11-30 12:00:34 +01:00 · 01b88ac323
parent 413518a637
commit 01b88ac323
1 changed files with 50 additions and 0 deletions
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@ -5290,6 +5290,14 @@ int define_ipv4_node_context()
 		goto out;
 	}

+	if (mask.s_addr != 0 && ((~mask.s_addr + 1) & ~mask.s_addr) != 0) {
+		yywarn("ipv4 mask is not contiguous");
+	}
+
+	if ((~mask.s_addr & addr.s_addr) != 0) {
+		yywarn("host bits in ipv4 address set");
+	}
+
 	newc = malloc(sizeof(ocontext_t));
 	if (!newc) {
 		yyerror("out of memory");
@ -5325,6 +5333,40 @@ out:
 	return rc;
 }

+static int ipv6_is_mask_contiguous(const struct in6_addr *mask)
+{
+	int filled = 1;
+	unsigned i;
+
+	for (i = 0; i < 16; i++) {
+		if ((((~mask->s6_addr[i] & 0xFF) + 1) & (~mask->s6_addr[i] & 0xFF)) != 0) {
+			return 0;
+		}
+		if (!filled && mask->s6_addr[i] != 0) {
+			return 0;
+		}
+
+		if (filled && mask->s6_addr[i] != 0xFF) {
+			filled = 0;
+		}
+	}
+
+	return 1;
+}
+
+static int ipv6_has_host_bits_set(const struct in6_addr *addr, const struct in6_addr *mask)
+{
+	unsigned i;
+
+	for (i = 0; i < 16; i++) {
+		if ((addr->s6_addr[i] & ~mask->s6_addr[i]) != 0) {
+			return 1;
+		}
+	}
+
+	return 0;
+}
+
 int define_ipv6_node_context(void)
 {
 	char *id;
@ -5376,6 +5418,14 @@ int define_ipv6_node_context(void)
 		goto out;
 	}

+	if (!ipv6_is_mask_contiguous(&mask)) {
+		yywarn("ipv6 mask is not contiguous");
+	}
+
+	if (ipv6_has_host_bits_set(&addr, &mask)) {
+		yywarn("host bits in ipv6 address set");
+	}
+
 	newc = malloc(sizeof(ocontext_t));
 	if (!newc) {
 		yyerror("out of memory");