mirror of
https://github.com/SELinuxProject/selinux
synced 2025-01-02 03:32:13 +00:00
e81c466bca
Before the CIL post processing phase (where expressions are evaluated, various ebitmaps are set, etc) there is a pre-verification where checks are made to find self references or loops in bounds, attribute sets, and class permissions. The class permission checking is faulty in two ways. First, it does not check for the use of "all" in a permission expression for a class that has no permissions. An error will still be generated later and secilc will exit cleanly, but without an error message that explains the problem. Second, it does not properly handle lists in permission expressions. For example, "(C ((P)))" is a legitimate class permission. The permissions expression contains one item that is a list containing one permission. This permission expression will be properly evaluated. Unfortunately, the class permission verification assumes that each item in the permission expression is either an operator or a permission datum and a segmenation fault will occur. Refactor the class permission checking to give a proper error when "all" is used in a permission expression for a class that has no permissions and so that it can handle lists in permission expressions. Also, check for the actual flavor of each item in the permission expression and return an error if an unexpected flavor is found. The failure to properly handle lists in permission expressions was found by oss-fuzz (#58085). Tested-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: James Carter <jwcart2@gmail.com> |
||
---|---|---|
.. | ||
include/cil | ||
src | ||
test | ||
.gitignore |