RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-04-11 04:01:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

libsepol: Check kernel to CIL and Conf functions for supported versions

Browse Source 
For policy versions between 20 and 23, attributes exist in the
policy, but only in the type_attr_map. This means that there are
gaps in both the type_val_to_struct and p_type_val_to_name arrays
and policy rules can refer to those gaps which can lead to NULL
dereferences when using sepol_kernel_policydb_to_conf() and
sepol_kernel_policydb_to_cil().

This can be seen with the following policy:
  class CLASS1
  sid SID1
  class CLASS1 { PERM1 }
  attribute TYPE_ATTR1;
  type TYPE1;
  typeattribute TYPE1 TYPE_ATTR1;
  allow TYPE_ATTR1 self : CLASS1 PERM1;
  role ROLE1;
  role ROLE1 types TYPE1;
  user USER1 roles ROLE1;
  sid SID1 USER1:ROLE1:TYPE1

Compile the policy:
  checkpolicy -c 23 -o policy.bin policy.conf
Converting back to a policy.conf causes a segfault:
  checkpolicy -F -b -o policy.bin.conf policy.bin

Have both sepol_kernel_policydb_to_conf() and
sepol_kernel_policydb_to_cil() exit with an error if the kernel
policy version is between 20 and 23.

Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
James Carter 2021-03-15 11:09:38 -04:00 committed by Nicolas Iooss
parent 750cc1136d
commit 43c5ed469c
No known key found for this signature in database
GPG Key ID: C191415F340DAAA0
2 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libsepol/src/kernel_to_cil.c
View File

@ -3164,6 +3164,18 @@ int sepol_kernel_policydb_to_cil(FILE *out, struct policydb *pdb)
goto exit;
}
if (pdb->policyvers >= POLICYDB_VERSION_AVTAB && pdb->policyvers <= POLICYDB_VERSION_PERMISSIVE) {
/*
* For policy versions between 20 and 23, attributes exist in the policy,
* but only in the type_attr_map. This means that there are gaps in both
* the type_val_to_struct and p_type_val_to_name arrays and policy rules
* can refer to those gaps.
*/
sepol_log_err("Writing policy versions between 20 and 23 as CIL is not supported");
rc = -1;
goto exit;
}
rc = constraint_rules_to_strs(pdb, mls_constraints, non_mls_constraints);
if (rc != 0) {
goto exit;

12
libsepol/src/kernel_to_conf.c
View File

@ -3041,6 +3041,18 @@ int sepol_kernel_policydb_to_conf(FILE *out, struct policydb *pdb)
goto exit;
}
if (pdb->policyvers >= POLICYDB_VERSION_AVTAB && pdb->policyvers <= POLICYDB_VERSION_PERMISSIVE) {
/*
* For policy versions between 20 and 23, attributes exist in the policy,
* but only in the type_attr_map. This means that there are gaps in both
* the type_val_to_struct and p_type_val_to_name arrays and policy rules
* can refer to those gaps.
*/
sepol_log_err("Writing policy versions between 20 and 23 as a policy.conf is not supported");
rc = -1;
goto exit;
}
rc = constraint_rules_to_strs(pdb, mls_constraints, non_mls_constraints);
if (rc != 0) {
goto exit;