Am Mi., 10. März 2021 um 20:30 Uhr schrieb James Carter <jwcart2@xxxxxxxxx>:
>
> When creating the kernel binary policy, role attributes in constraint
> expressions are not expanded. This causes the constraint expression
> to refer to a non-existent role in the kernel policy. This can lead
> to a segfault when converting the binary policy back to conf or CIL
> source or when using policy tools such as seinfo.
>
> Expand role attributes in constraint expressions when creating the
> kernel binary policy.
Thanks for the quick fix. Tested role attribute constraints with bare 3.2, leading to setfiles failing with `libsepol.validate_constraint_nodes: Invalid constraint expr`. Works fine with this patch. Also seinfo does not crash on the newly generated policy anymore.
Tested-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Reported-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> libsepol/src/expand.c | 35 +++++++++++++++++++++++++++++++++++
> 1 file changed, 35 insertions(+)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index eac7e450..2d9cb566 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -71,6 +71,38 @@ static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map)
> return 0;
> }
>
> +static int ebitmap_expand_roles(policydb_t *p, ebitmap_t *roles)
> +{
> + ebitmap_node_t *node;
> + unsigned int bit;
> + role_datum_t *role;
> + ebitmap_t tmp;
> +
> + ebitmap_init(&tmp);
> + ebitmap_for_each_positive_bit(roles, node, bit) {
> + role = p->role_val_to_struct[bit];
> + assert(role);
> + if (role->flavor != ROLE_ATTRIB) {
> + if (ebitmap_set_bit(&tmp, bit, 1)) {
> + ebitmap_destroy(&tmp);
> + return -1;
> + }
> + } else {
> + if (ebitmap_union(&tmp, &role->roles)) {
> + ebitmap_destroy(&tmp);
> + return -1;
> + }
> + }
> + }
> + ebitmap_destroy(roles);
> + if (ebitmap_cpy(roles, &tmp)) {
> + ebitmap_destroy(&tmp);
> + return -1;
> + }
> + ebitmap_destroy(&tmp);
> + return 0;
> +}
> +
> static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
> void *data)
> {
> @@ -333,6 +365,9 @@ static int constraint_node_clone(constraint_node_t ** dst,
> if (map_ebitmap(&expr->names, &new_expr->names, state->rolemap)) {
> goto out_of_mem;
> }
> + if (ebitmap_expand_roles(state->out, &new_expr->names)) {
> + goto out_of_mem;
> + }
> } else if (new_expr->attr & CEXPR_USER) {
> if (map_ebitmap(&expr->names, &new_expr->names, state->usermap)) {
> goto out_of_mem;
> --
> 2.26.2
>
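Review bot: In `ebitmap_expand_roles`, `assert(role)` is the only guard before `role->flavor` is read, and `bit` indexes `p->role_val_to_struct` without a range check. In a build with NDEBUG the assert disappears, so a stale or out-of-range role bit becomes a NULL or out-of-bounds read; with asserts enabled the library aborts the calling process instead of returning an error. The other failure paths here already clean up and return -1, so this case could do the same: `if (bit >= p->p_roles.nprim || !p->role_val_to_struct[bit]) { ebitmap_destroy(&tmp); return -1; }` (assuming the array is sized by `p_roles.nprim`, which the hunk does not show). Separately, `ebitmap_destroy(roles)` runs before `ebitmap_cpy(roles, &tmp)`, so a failed copy leaves the caller's set emptied rather than unchanged; a short comment stating that `roles` is not preserved on failure would help.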
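Review bot: A failure of `ebitmap_expand_roles` is routed to `out_of_mem`, the same label as the allocation failures around it, so a non-memory failure inside the helper would presumably be reported as memory exhaustion (the label's body is outside the hunk, so this is inferred from its name). The call also relies on `state->out` already having `role_val_to_struct` and each attribute's `roles` bitmap populated when constraints are cloned, which is not visible here. A comment above the call would record that, e.g. `/* names holds output-policy role values here; replace role attributes with their member roles */`. `constraint_node_clone` starts and ends outside the hunk.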