selinux/libsepol/cil
James Carter e81c466bca libsepol/cil: Fix class permission verification in CIL
Before the CIL post processing phase (where expressions are evaluated,
various ebitmaps are set, etc) there is a pre-verification where
checks are made to find self references or loops in bounds, attribute
sets, and class permissions. The class permission checking is faulty
in two ways.

First, it does not check for the use of "all" in a permission expression
for a class that has no permissions. An error will still be generated
later and secilc will exit cleanly, but without an error message that
explains the problem.

Second, it does not properly handle lists in permission expressions.
For example, "(C ((P)))" is a legitimate class permission. The
permissions expression contains one item that is a list containing
one permission. This permission expression will be properly evaluated.
Unfortunately, the class permission verification assumes that each
item in the permission expression is either an operator or a
permission datum and a segmenation fault will occur.

Refactor the class permission checking to give a proper error when
"all" is used in a permission expression for a class that has no
permissions and so that it can handle lists in permission
expressions. Also, check for the actual flavor of each item in
the permission expression and return an error if an unexpected
flavor is found.

The failure to properly handle lists in permission expressions was
found by oss-fuzz (#58085).

Tested-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
2023-08-04 13:48:49 -04:00
..
include/cil libsepol/cil: Provide option to allow qualified names in declarations 2021-07-03 16:00:26 +02:00
src libsepol/cil: Fix class permission verification in CIL 2023-08-04 13:48:49 -04:00
test libsepol: Move secilc out of libsepol 2015-03-31 12:31:38 -04:00
.gitignore