Hello,

After the crashes I found by running AFL on secilc were fixed (thanks!), I continued to run AFL. It found a new way to make secilc crash, using an unknown permission with a classmap, like what is done with the policy attached to this email.

This policy does not make secilc 2.6 crash but triggers a NULL pointer dereference in __evaluate_classperms_list() (in cil_post.c) when using secilc from the master branch. More precisely, if I revert commits 1b3b36aeecf2 ("libsepol/cil: Use empty list for category expression evaluated as empty") and da51020d6f33 ("libsepol/cil: Use an empty list to represent an unknown permission"), secilc no longer crashes. But it produces a file which makes tools like apol, sesearch... behave in a weird way:

    $ secilc secilc_crash_unknown_cm_perm.cil
    $ echo $?
    0
    $ sesearch -A policy.30
    [Errno 0] Error: 'policy.30'

I guess the internal structures of the generated policy get corrupted in a way that the policy loader does not like (I have not yet spent time to investigate where this "Errno 0 error" comes from).

Nicolas
(class CLASS (PERM))
(classorder (CLASS))
(sid SID)
(sidorder (SID))
(user USER)
(role ROLE)
(type TYPE)
(category CAT)
(categoryorder (CAT))
(sensitivity SENS)
(sensitivityorder (SENS))
(sensitivitycategory SENS (CAT))
(roletype ROLE TYPE)
(userrole USER ROLE)
(userlevel USER (SENS))
(userrange USER ((SENS)(SENS (CAT))))
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
(classmap cm1 (mp1))
(classmapping cm1 mp1 (CLASS (PERM)))
(allow TYPE TYPE (cm1 (unknown)))
Selinux mailing list