97af65f696
Add checks for invalid read sizes from a binary policy to guard
allocations.
The common and class permission counts needs to be limited more strict
otherwise a too high count of common or class permissions can lead to
permission values with a too high value, which can lead to overflows
in shift operations.
In the fuzzer build the value will also be bounded to avoid oom reports.
==29857== ERROR: libFuzzer: out-of-memory (malloc(17179868160))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
#6 0x4aa143 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa143)
#7 0x5259cb in malloc (./out/binpolicy-fuzzer+0x5259cb)
#8 0x580b5d in mallocarray ./libsepol/src/./private.h:93:9
#9 0x57c2ed in scope_read ./libsepol/src/policydb.c:4120:7
#10 0x576b0d in policydb_read ./libsepol/src/policydb.c:4462:9
#11 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
#12 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#13 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#14 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#15 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
#16 0x7ffad6e107ec in __libc_start_main csu/../csu/libc-start.c:332:16
#17 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
==19462== ERROR: libFuzzer: out-of-memory (malloc(18253611008))
To change the out-of-memory limit use -rss_limit_mb=<N>
#0 0x52dc61 in __sanitizer_print_stack_trace (./out/binpolicy-fuzzer+0x52dc61)
#1 0x475618 in fuzzer::PrintStackTrace() fuzzer.o
#2 0x458855 in fuzzer::Fuzzer::HandleMalloc(unsigned long) fuzzer.o
#3 0x45876a in fuzzer::MallocHook(void const volatile*, unsigned long) fuzzer.o
#4 0x534557 in __sanitizer::RunMallocHooks(void const*, unsigned long) (./out/binpolicy-fuzzer+0x534557)
#5 0x4aa7d7 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (./out/binpolicy-fuzzer+0x4aa7d7)
#6 0x4aa999 in __asan::asan_calloc(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*) (./out/binpolicy-fuzzer+0x4aa999)
#7 0x525b63 in __interceptor_calloc (./out/binpolicy-fuzzer+0x525b63)
#8 0x570938 in policydb_index_others ./libsepol/src/policydb.c:1245:6
#9 0x5771f3 in policydb_read ./src/policydb.c:4481:6
#10 0x55a214 in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:26:6
#11 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#12 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#13 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#14 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
#15 0x7f4d933157ec in __libc_start_main csu/../csu/libc-start.c:332:16
#16 0x423689 in _start (./out/binpolicy-fuzzer+0x423689)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
|
||
|---|---|---|
| .circleci | ||
| .github/workflows | ||
| checkpolicy | ||
| dbus | ||
| gui | ||
| libselinux | ||
| libsemanage | ||
| libsepol | ||
| mcstrans | ||
| policycoreutils | ||
| python | ||
| restorecond | ||
| sandbox | ||
| scripts | ||
| secilc | ||
| semodule-utils | ||
| .gitignore | ||
| .travis.yml | ||
| CleanSpec.mk | ||
| CONTRIBUTING.md | ||
| lgtm.yml | ||
| Makefile | ||
| README.md | ||
| VERSION | ||
SELinux Userspace
Please submit all bug reports and patches to selinux@vger.kernel.org.
Subscribe by sending "subscribe selinux" in the body of an email to majordomo@vger.kernel.org.
Archive of this mailing list is available on https://lore.kernel.org/selinux/.
Installation
SELinux libraries and tools are packaged in several Linux distributions:
- Alpine Linux (https://pkgs.alpinelinux.org/package/edge/testing/x86/policycoreutils)
- Arch Linux User Repository (https://aur.archlinux.org/packages/policycoreutils/)
- Buildroot (https://git.buildroot.net/buildroot/tree/package/policycoreutils)
- Debian and Ubuntu (https://packages.debian.org/sid/policycoreutils)
- Gentoo (https://packages.gentoo.org/packages/sys-apps/policycoreutils)
- RHEL and Fedora (https://src.fedoraproject.org/rpms/policycoreutils)
- Yocto Project (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/selinux)
- and many more (https://repology.org/project/policycoreutils/versions)
Building and testing
Build dependencies on Fedora:
# For C libraries and programs
dnf install \
audit-libs-devel \
bison \
bzip2-devel \
CUnit-devel \
diffutils \
flex \
gcc \
gettext \
glib2-devel \
make \
libcap-devel \
libcap-ng-devel \
pam-devel \
pcre2-devel \
xmlto
# For Python and Ruby bindings
dnf install \
python3-devel \
ruby-devel \
swig
Build dependencies on Debian:
# For C libraries and programs
apt-get install --no-install-recommends --no-install-suggests \
bison \
flex \
gawk \
gcc \
gettext \
make \
libaudit-dev \
libbz2-dev \
libcap-dev \
libcap-ng-dev \
libcunit1-dev \
libglib2.0-dev \
libpcre2-dev \
pkgconf \
python3 \
python3-distutils \
systemd \
xmlto
# For Python and Ruby bindings
apt-get install --no-install-recommends --no-install-suggests \
python3-dev \
ruby-dev \
swig
To build and install everything under a private directory, run:
make clean distclean
make DESTDIR=~/obj install install-rubywrap install-pywrap
On Debian PYTHON_SETUP_ARGS=--install-layout=deb needs to be set when installing the python wrappers in order to create the correct python directory structure.
To run tests with the built libraries and programs, several paths (relative to $DESTDIR) need to be added to variables $LD_LIBRARY_PATH, $PATH and $PYTHONPATH.
This can be done using ./scripts/env_use_destdir:
DESTDIR=~/obj ./scripts/env_use_destdir make test
Some tests require the reference policy to be installed (for example in python/sepolgen).
In order to run these ones, instructions similar to the ones in section install of ./.travis.yml can be executed.
To install as the default system libraries and binaries (overwriting any previously installed ones - dangerous!), on x86_64, run:
make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
or on x86 (32-bit), run:
make install install-pywrap relabel
This may render your system unusable if the upstream SELinux userspace lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces.
Setting CFLAGS
Setting CFLAGS during the make process will cause the omission of many defaults. While the project strives to provide a reasonable set of default flags, custom CFLAGS could break the build, or have other undesired changes on the build output. Thus, be very careful when setting CFLAGS. CFLAGS that are encouraged to be set when overriding are:
- -fno-semantic-interposition for gcc or compilers that do not do this. clang does this by default. clang-10 and up will support passing this flag, but ignore it. Previous clang versions fail.
macOS
To install libsepol on macOS (mainly for policy analysis):
cd libsepol; make PREFIX=/usr/local install
This requires GNU coreutils:
brew install coreutils