RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-02-01 10:21:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

libsepol: reject linking modules with no avrules

Browse Source 
Standard policy modules generated by compilers have at least one global
av rule.  Reject modules otherwise, e.g. generated by a fuzzer.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
Christian Göttsche 2023-11-28 19:23:34 +01:00 committed by James Carter
parent 00cfecf629
commit 4724538b62
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libsepol/src/link.c
View File

@ -2019,7 +2019,7 @@ static int debug_requirements(link_state_t * state, policydb_t * p)
memset(&req, 0, sizeof(req));
for (cur = p->global; cur != NULL; cur = cur->next) {
if (cur->enabled != NULL)
if (cur->enabled != NULL || cur->branch_list == NULL)
continue;
ret = is_decl_requires_met(state, cur->branch_list, &req);
@ -2142,6 +2142,11 @@ static int enable_avrules(link_state_t * state, policydb_t * pol)
/* 1) enable all of the non-else blocks */
for (block = pol->global; block != NULL; block = block->next) {
block->enabled = block->branch_list;
if (!block->enabled) {
ERR(state->handle, "Global block has no avrules!");
ret = SEPOL_ERR;
goto out;
}
block->enabled->enabled = 1;
for (decl = block->branch_list->next; decl != NULL;
decl = decl->next)