Nicolas Iooss discovered that requiring a type in an optional block after the type has already been declared in another optional block results in a duplicate declaration error. The following policy will trigger the error.

optional { type T1; }
optional { require { type T1; } }

In this case, although symtab_insert() in libsepol properly identifies that the first T1 is a declaration while the second is a require, it will return -2, which is the return value for a duplicate declaration, and expect the calling code to properly handle the situation. The caller is require_symbol() in checkpolicy, and it checks if the previous declaration is in the current scope. If it is, then the require can be ignored. It also checks to see if the declaration is a type and the require an attribute or vice versa, which is an error. The problem is that -2 is returned if the declaration is not in scope, which is interpreted as a duplicate declaration error. The function should return 1 instead, which means that the symbol was not added and needs to be freed later.

Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>

--- checkpolicy/module_compiler.c | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c index 6e5483c..bb60f34 100644 --- a/checkpolicy/module_compiler.c +++ b/checkpolicy/module_compiler.c @@ -647,7 +647,6 @@ int require_symbol(uint32_t symbol_type, } else if (retval == -2) { /* ignore require statements if that symbol was * previously declared and is in current scope */ - int prev_declaration_ok = 0; if (is_id_in_scope(symbol_type, key)) { if (symbol_type == SYM_TYPES) { /* check that previous symbol has same 
@@ -661,23 +660,14 @@ int require_symbol(uint32_t symbol_type, table, key); assert(old_datum != NULL); unsigned char old_isattr = old_datum->flavor; - prev_declaration_ok = - (old_isattr == new_isattr ? 1 : 0); - } else { - prev_declaration_ok = 1; + if (old_isattr != new_isattr) + return -2; } - } - if (prev_declaration_ok) { /* ignore this require statement because it * was already declared within my scope */ stack_top->require_given = 1; - return 1; - } else { - /* previous declaration was not in scope or - * had a mismatched type/attribute, so - * generate an error */ - return -2; } + return 1; } else if (retval < 0) { return -3; } else { /* fall through possible if retval is 0 or 1 */ -- 2.7.4
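Review bot: in the first hunk (@@ -647,7 +647,6 @@), the context comment "ignore require statements if that symbol was previously declared and is in current scope" now describes only half of the retval == -2 branch: once `- int prev_declaration_ok = 0;` is gone, a prior declaration outside the current scope no longer produces an error either. Suggest extending that comment to state that an out-of-scope prior declaration is also accepted and reported with return 1 so the caller frees the datum, as the commit message explains; otherwise the next reader will go looking for the error path the flag used to select.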
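Review bot: in the second hunk (@@ -661,23 +660,14 @@), the two paths that now reach `+ return 1;` are not symmetric: the in-scope path still executes `stack_top->require_given = 1;` before leaving the if, while the out-of-scope path returns 1 without setting it. If that is intentional (the require is not recorded against the current block when the declaration lives in another scope), it should be said in a comment on the new `return 1;`, because the deleted block `/* previous declaration was not in scope or had a mismatched type/attribute, so generate an error */` was the only explanation of that case and nothing replaces it. A one-line comment on `+ return -2;` noting that this is now the branch's only error exit (type declared but attribute required, or vice versa) would likewise keep the intent readable.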