RepoMirrors
/
selinux
mirror of https://github.com/SELinuxProject/selinux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

libsepol: reject self flag in type rules in old policies 

The flag RULE_SELF in type rules is only supported in modular policies
since version 21 (MOD_POLICYDB_VERSION_SELF_TYPETRANS).

Reported-by: oss-fuzz (issue 68731)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
Christian Göttsche 2024-05-06 19:31:07 +02:00 committed by James Carter
parent 6a223cb1c2
commit 1c91bc84e6
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
libsepol/src/policydb_validate.c
View File

@ -1077,6 +1077,10 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int
switch(avrule->flags) { switch(avrule->flags) {
case 0: case 0:
case RULE_SELF: case RULE_SELF:
if (p->policyvers != POLICY_KERN &&
p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS &&
(avrule->specified & AVRULE_TYPE))
goto bad;
break; break;
case RULE_NOTSELF: case RULE_NOTSELF:
switch(avrule->specified) { switch(avrule->specified) {
@ -1503,8 +1507,16 @@ static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_
goto bad; goto bad;
/* currently only the RULE_SELF flag can be set */ /* currently only the RULE_SELF flag can be set */
if ((filename_trans->flags & ~RULE_SELF) != 0) switch (filename_trans->flags) {
case 0:
break;
case RULE_SELF:
if (p->policyvers != POLICY_KERN && p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS)
goto bad;
break;
default:
goto bad; goto bad;
}
} }
return 0; return 0;