libsepol: reject attributes in type av rules for kernel policies

The kernel does not support type attributes as source or target in type
av rules (type_transition, type_member, type_change)[1].  Such rules
should have been expanded[2].

[1]: abe3c63144/security/selinux/ss/services.c (L1843)
[2]: 0a8c177dac/libsepol/src/expand.c (L1981)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
Christian Göttsche 2022-12-20 16:41:34 +01:00 committed by James Carter
parent 60a0d7285d
commit fa936a0a30
1 changed files with 18 additions and 10 deletions

View File

@ -770,12 +770,20 @@ bad:
* Functions to validate a kernel policydb
*/
static int validate_avtab_key(const avtab_key_t *key, int conditional, validate_t flavors[])
static int validate_avtab_key(const avtab_key_t *key, int conditional, const policydb_t *p, validate_t flavors[])
{
if (validate_value(key->source_type, &flavors[SYM_TYPES]))
goto bad;
if (validate_value(key->target_type, &flavors[SYM_TYPES]))
goto bad;
if (p->policy_type == POLICY_KERN && key->specified & AVTAB_TYPE) {
if (validate_simpletype(key->source_type, p, flavors))
goto bad;
if (validate_simpletype(key->target_type, p, flavors))
goto bad;
} else {
if (validate_value(key->source_type, &flavors[SYM_TYPES]))
goto bad;
if (validate_value(key->target_type, &flavors[SYM_TYPES]))
goto bad;
}
if (validate_value(key->target_class, &flavors[SYM_CLASSES]))
goto bad;
switch (0xFFF & key->specified) {
@ -821,7 +829,7 @@ static int validate_avtab_key_and_datum(avtab_key_t *k, avtab_datum_t *d, void *
{
map_arg_t *margs = args;
if (validate_avtab_key(k, 0, margs->flavors))
if (validate_avtab_key(k, 0, margs->policy, margs->flavors))
return -1;
if ((k->specified & AVTAB_TYPE) && validate_simpletype(d->data, margs->policy, margs->flavors))
@ -845,13 +853,13 @@ static int validate_avtab(sepol_handle_t *handle, const avtab_t *avtab, const po
return 0;
}
static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *cond_av, validate_t flavors[])
static int validate_cond_av_list(sepol_handle_t *handle, const cond_av_list_t *cond_av, const policydb_t *p, validate_t flavors[])
{
const struct avtab_node *avtab_ptr;
for (; cond_av; cond_av = cond_av->next) {
for (avtab_ptr = cond_av->node; avtab_ptr; avtab_ptr = avtab_ptr->next) {
if (validate_avtab_key(&avtab_ptr->key, 1, flavors)) {
if (validate_avtab_key(&avtab_ptr->key, 1, p, flavors)) {
ERR(handle, "Invalid cond av list");
return -1;
}
@ -996,9 +1004,9 @@ static int validate_cond_list(sepol_handle_t *handle, const cond_list_t *cond, c
for (; cond; cond = cond->next) {
if (validate_cond_expr(handle, cond->expr, &flavors[SYM_BOOLS]))
goto bad;
if (validate_cond_av_list(handle, cond->true_list, flavors))
if (validate_cond_av_list(handle, cond->true_list, p, flavors))
goto bad;
if (validate_cond_av_list(handle, cond->false_list, flavors))
if (validate_cond_av_list(handle, cond->false_list, p, flavors))
goto bad;
if (validate_avrules(handle, cond->avtrue_list, 1, p, flavors))
goto bad;