On 01/18/2017 09:53 PM, James Carter wrote:
> Nicolas Iooss discovered that requiring a type in an optional block
> after the type has already been declared in another optional block
> results in a duplicate declaration error.
>
from what i have been told and from experience, types cannot, reliably,
be declared in optional blocks.
if the above is true, then the compiler should not allow one to declare
a type in an optional block in the first place
> The following policy will trigger the error.
>
> optional {
> type T1;
> }
>
> optional {
> require { type T1; }
> }
>
> In this case, although symtab_insert() in libsepol properly identifies
> that the first T1 is a declaration while the second is a require, it
> will return -2 which is the return value for a duplicate declaration
> and expect the calling code to properly handle the situation. The
> caller is require_symbol() in checkpolicy and it checks if the previous
> declaration is in the current scope. If it is, then the require can be
> ignored. It also checks to see if the declaration is a type and the
> require an attribute or vice versa which is an error. The problem is
> that -2 is returned if the declaration is not in scope which is
> interpreted as a duplicate declaration error.
>
> The function should return 1 instead which means that they symbol was not
> added and needs to be freed later.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>
> ---
> checkpolicy/module_compiler.c | 16 +++-------------
> 1 file changed, 3 insertions(+), 13 deletions(-)
>
> diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
> index 6e5483c..bb60f34 100644
> --- a/checkpolicy/module_compiler.c
> +++ b/checkpolicy/module_compiler.c
> @@ -647,7 +647,6 @@ int require_symbol(uint32_t symbol_type,
> } else if (retval == -2) {
> /* ignore require statements if that symbol was
> * previously declared and is in current scope */
> - int prev_declaration_ok = 0;
> if (is_id_in_scope(symbol_type, key)) {
> if (symbol_type == SYM_TYPES) {
> /* check that previous symbol has same
> @@ -661,23 +660,14 @@ int require_symbol(uint32_t symbol_type,
> table, key);
> assert(old_datum != NULL);
> unsigned char old_isattr = old_datum->flavor;
> - prev_declaration_ok =
> - (old_isattr == new_isattr ? 1 : 0);
> - } else {
> - prev_declaration_ok = 1;
> + if (old_isattr != new_isattr)
> + return -2;
> }
> - }
> - if (prev_declaration_ok) {
> /* ignore this require statement because it
> * was already declared within my scope */
> stack_top->require_given = 1;
> - return 1;
> - } else {
> - /* previous declaration was not in scope or
> - * had a mismatched type/attribute, so
> - * generate an error */
> - return -2;
> }
> + return 1;
> } else if (retval < 0) {
> return -3;
> } else { /* fall through possible if retval is 0 or 1 */
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
