libsepol: reject unsupported policy capabilities

Kernel policies with unsupported policy capabilities enabled can currently be parsed, since they result just in a bit set inside an ebitmap. Writing such a loaded policy into the traditional language or CIL will fail however, since the unsupported policy capabilities can not be converted into a name. Reject kernel policies with invalid policy capabilities. Reported-by: oss-fuzz (issue 60573) Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2023-11-03 19:26:12 +01:00 · 2023-11-03 19:26:12 +01:00 · 7cf2bfb593
parent 7b754f703d
commit 7cf2bfb593
1 changed files with 21 additions and 0 deletions
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@ -1,6 +1,7 @@

 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/ebitmap.h>
+#include <sepol/policydb/polcaps.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>

@ -1552,6 +1553,23 @@ bad:
 	return -1;
 }

+static int validate_policycaps(sepol_handle_t *handle, const policydb_t *p)
+{
+	ebitmap_node_t *node;
+	uint32_t i;
+
+	ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
+		if (!sepol_polcap_getname(i))
+			goto bad;
+	}
+
+	return 0;
+
+bad:
+	ERR(handle, "Invalid policy capability");
+	return -1;
+}
+
 static void validate_array_destroy(validate_t flavors[])
 {
 	unsigned int i;
@ -1574,6 +1592,9 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
 	if (validate_properties(handle, p))
 		goto bad;

+	if (validate_policycaps(handle, p))
+		goto bad;
+
 	if (p->policy_type == POLICY_KERN) {
 		if (validate_avtab(handle, &p->te_avtab, p, flavors))
 			goto bad;