checkpolicy: error out if required permission would exceed limit
A require statement for a class permission adds that permission to the
class representation for the current module. In case the resulting
class would have more than the supported amount of 32 permissions
assigned the resulting binary module will fail to load at link-time
without an informative error message (since [1]).
Bail out if adding a permission would result in a class having more than
the supported amount of 32 permissions assigned.
[1]: 97af65f696
Closes: https://github.com/SELinuxProject/selinux/issues/356
Reported-by: Julie Pichon
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
parent
88a703399f
commit
25e9c91a8b
|
@ -851,6 +851,14 @@ int require_class(int pass)
|
||||||
free(perm_id);
|
free(perm_id);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) {
|
||||||
|
yyerror2("Class %s would have too many permissions "
|
||||||
|
"to fit in an access vector with permission %s",
|
||||||
|
policydbp->p_class_val_to_name[datum->s.value - 1],
|
||||||
|
perm_id);
|
||||||
|
free(perm_id);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
allocated = 1;
|
allocated = 1;
|
||||||
if ((perm = malloc(sizeof(*perm))) == NULL) {
|
if ((perm = malloc(sizeof(*perm))) == NULL) {
|
||||||
yyerror("Out of memory!");
|
yyerror("Out of memory!");
|
||||||
|
|
Loading…
Reference in New Issue