RepoMirrors
/
selinux
mirror of https://github.com/SELinuxProject/selinux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

libsepol: more strict validation 

Ensure the ibendport port is not 0 (similar to the kernel).

More general depth test for boolean expressions.

Ensure the boolean id is not set for logic operators.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
Christian Göttsche 2023-11-03 19:26:37 +01:00 committed by James Carter
parent 80eb21924b
commit 7b754f703d
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
libsepol/src/policydb_validate.c
View File

@ -1002,13 +1002,15 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
case COND_BOOL:
if (validate_value(expr->boolean, boolean))
goto bad;
if (depth == (COND_EXPR_MAXDEPTH - 1))
if (depth >= (COND_EXPR_MAXDEPTH - 1))
goto bad;
depth++;
break;
case COND_NOT:
if (depth < 0)
goto bad;
if (expr->boolean != 0)
goto bad;
break;
case COND_OR:
case COND_AND:
@ -1017,6 +1019,8 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
case COND_NEQ:
if (depth < 1)
goto bad;
if (expr->boolean != 0)
goto bad;
depth--;
break;
default:
@ -1203,6 +1207,8 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, valid
goto bad;
break;
case OCON_IBENDPORT:
if (octx->u.ibendport.port == 0)
goto bad;
if (!octx->u.ibendport.dev_name)
goto bad;
break;