selinux/libsepol
James Carter 982ec302b6 libsepol/cil: Account for anonymous category sets in an expression
It is possible for anonymous category sets to be in a category
expression if the expression has a macro parameter in it.
Unfortunately, anonymous category sets are not looked for when
resolving category expressions and a segfault will occur during
later processing if there was one.

As an example, consider the following portion of a policy.
  (macro m1 ((categoryset cs))
    (userlevel USER (s0 (cs)))
  )
  (call m1 ((c0 c1)))
This policy will cause a segault, because the categoryset datum
for the parameter cs is not seen as a categoryset and is treated
as a plain category.

When resolving an expression, check whether or not the datum that
is found is actually an anonymous category set associated with a
macro parameter. If it is, then resolve the category set if it
has not already been resolved and treat its categories as a sub
expression.

Signed-off-by: James Carter <jwcart2@gmail.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2021-06-22 09:32:57 -04:00
..
cil libsepol/cil: Account for anonymous category sets in an expression 2021-06-22 09:32:57 -04:00
include libsepol: Create function ebitmap_highest_set_bit() 2021-02-19 16:30:11 +01:00
man selinux: Update manpages after removing legacy boolean and user code 2019-07-29 23:46:47 +02:00
src libsepol: quote paths in CIL conversion 2021-06-14 09:35:03 -04:00
tests libsepol/tests: drop ncurses dependency 2020-05-04 10:31:44 +02:00
utils libsepol: build: follow standard semantics for DESTDIR and PREFIX 2018-02-14 15:59:36 +01:00
.gitignore
COPYING
Makefile
VERSION Update VERSIONs to 3.2 for release. 2021-03-04 16:42:59 +01:00