mirror of
https://github.com/SELinuxProject/selinux
synced 2025-02-06 04:42:58 +00:00
da51020d6f
Nicolas Iooss found while fuzzing secilc with AFL that the statement "(classpermissionset CPERM (CLASS (and unknow PERM)))" will cause a segfault. In order to support a policy module package using a permission that does not exist on the system it is loaded on, CIL will only give a warning when it fails to resolve an unknown permission. CIL itself will just ignore the unknown permission. This means that an expression like "(and UNKNOWN p1)" will look like "(and p1)" to CIL, but, since syntax checking has already been done, CIL won't know that the expression is not well-formed. When the expression is evaluated a segfault will occur because all expressions are assumed to be well-formed at evaluation time. Use an empty list to represent an unknown permission so that expressions will continue to be well-formed and expression evaluation will work but the unknown permission will still be ignored. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> |
||
|---|---|---|
| .. | ||
| include/cil | ||
| src | ||
| test | ||
| .gitignore | ||