RepoMirrors
/
selinux
mirror of https://github.com/SELinuxProject/selinux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

libsepol: validate attribute-type maps 

Ensure the attribute-to-type maps contain no invalid entries, required
for generating typeattributeset statements when converting to CIL.

Reported-by: oss-fuzz (issue 69283)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
Christian Göttsche 2024-06-08 19:18:38 +02:00 committed by James Carter
parent 5f822d33a9
commit 8c1110d134
1 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
libsepol/src/policydb_validate.c
View File

@ -1654,6 +1654,26 @@ bad:
return -1;
}
static int validate_attrtype_map(sepol_handle_t *handle, const policydb_t *p, validate_t flavors[])
{
const ebitmap_t *maps = p->attr_type_map;
uint32_t i;
if (p->policy_type == POLICY_KERN) {
for (i = 0; i < p->p_types.nprim; i++) {
if (validate_ebitmap(&maps[i], &flavors[SYM_TYPES]))
goto bad;
}
} else if (maps)
goto bad;
return 0;
bad:
ERR(handle, "Invalid attr type map");
return -1;
}
static int validate_properties(sepol_handle_t *handle, const policydb_t *p)
{
switch (p->policy_type) {
@ -1790,6 +1810,9 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p)
if (validate_typeattr_map(handle, p, flavors))
goto bad;
if (validate_attrtype_map(handle, p, flavors))
goto bad;
validate_array_destroy(flavors);
return 0;