On Tue, Sep 8, 2020 at 9:50 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > > On Tue, Sep 8, 2020 at 9:46 AM Stephen Smalley > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > On Fri, Sep 4, 2020 at 8:49 AM Stephen Smalley > > <stephen.smalley.work@xxxxxxxxx> wrote: > > > > > > On Thu, Sep 3, 2020 at 2:19 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > > > > > > > CIL was not correctly determining the depth of constraint expressions > > > > which prevented it from giving an error when the max depth was exceeded. > > > > This allowed invalid policy binaries with constraint expressions exceeding > > > > the max depth to be created. > > > > > > > > Correctly calculate the depth of constraint expressions when building > > > > the AST and give an error when the max depth is exceeded. > > > > > > > > Reported-by: Jonathan Hettwer <j2468h@xxxxxxxxx> > > > > Signed-off-by: James Carter <jwcart2@xxxxxxxxx> > > > > > > The fix for conditional boolean expression depth checking can be a > > > separate patch. For this one, > > > > > > Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx> > > > > Actually, this breaks selinux-testsuite. Will have to look into why. > > /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil > > test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil > > Max depth of 4 exceeded for constraint expression > > Bad expression tree for constraint > > Bad constrain declaration at > > /var/lib/selinux/targeted/tmp/modules/100/base/cil:919 > > Here is the failing cil module: > $ cat policy/test_mlsconstrain.cil > (mlsconstrain (peer (recv)) (or (dom l1 l2) (and (neq t1 > mcs_constrained_type) (neq t2 mcs_constrained_type)))) > (mlsconstrain (packet (recv)) (or (dom l1 l2) (and (neq t1 > mcs_constrained_type) (neq t2 mcs_constrained_type)))) > > Maybe an off-by-one in your depth checking? The following policy, which should be equivalent, works fine. (class CLASS (PERM)) (class C1a (P1)) (class C1b (P1)) (classorder (CLASS C1a C1b)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (type T1a) (type T1b) (type T1c) (type T1d) (type T1e) (type T1f) (type T1g) (type T1h) (type T1i) (type T1j) (type T1k) (type T1l) (typeattribute A1a) (typeattributeset A1a (T1a T1b T1c T1d T1e T1f T1g T1h T1i T1j T1k T1l)) (mlsconstrain (C1a (P1)) (or (dom l1 l2) (and (neq t1 A1a) (neq t2 A1a)))) (mlsconstrain (C1b (P1)) (or (dom l1 l2) (and (neq t1 A1a) (neq t2 A1a)))) I'll have to see what is going on in the testsuite. Jim
