On Tue, Sep 8, 2020 at 9:50 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > > On Tue, Sep 8, 2020 at 9:46 AM Stephen Smalley > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > On Fri, Sep 4, 2020 at 8:49 AM Stephen Smalley > > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > > > On Thu, Sep 3, 2020 at 2:19 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > > > > > > > CIL was not correctly determining the depth of constraint expressions > > > > which prevented it from giving an error when the max depth was exceeded. > > > > This allowed invalid policy binaries with constraint expressions exceeding > > > > the max depth to be created. > > > > > > > > Correctly calculate the depth of constraint expressions when building > > > > the AST and give an error when the max depth is exceeded. > > > > > > > > Reported-by: Jonathan Hettwer <j2468h@xxxxxxxxx> > > > > Signed-off-by: James Carter <jwcart2@xxxxxxxxx> > > > > > > The fix for conditional boolean expression depth checking can be a > > > separate patch. For this one, > > > > > > Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> > > > > Actually, this breaks selinux-testsuite. Will have to look into why. > > /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil > > test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil > > Max depth of 4 exceeded for constraint expression > > Bad expression tree for constraint > > Bad constrain declaration at > > /var/lib/selinux/targeted/tmp/modules/100/base/cil:919 > > Here is the failing cil module: > $ cat policy/test_mlsconstrain.cil > (mlsconstrain (peer (recv)) (or (dom l1 l2) (and (neq t1 > mcs_constrained_type) (neq t2 mcs_constrained_type)))) > (mlsconstrain (packet (recv)) (or (dom l1 l2) (and (neq t1 > mcs_constrained_type) (neq t2 mcs_constrained_type)))) > > Maybe an off-by-one in your depth checking? Actually, the depth computation logic doesn't seem consistent with checkpolicy's define_constraint().