Re: [PATCH] libsepol: Expand role attributes in constraint expressions

On Wed, 10 Mar 2021 at 20:30, James Carter <jwcart2@xxxxxxxxx> wrote:
>
> When creating the kernel binary policy, role attributes in constraint
> expressions are not expanded. This causes the constraint expression
> to refer to a non-existent role in the kernel policy. This can lead
> to a segfault when converting the binary policy back to conf or CIL
> source or when using policy tools such as seinfo.
>
> Expand role attributes in constraint expressions when creating the
> kernel binary policy.


Thanks for the quick fix.
Tested role attribute constraints with bare 3.2, leading to setfiles
failing with `libsepol.validate_constraint_nodes: Invalid constraint
expr`.
Works fine with this patch.
Also seinfo does not crash on the newly generated policy anymore.

Tested-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>


>
> Reported-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> ---
>  libsepol/src/expand.c | 35 +++++++++++++++++++++++++++++++++++
>  1 file changed, 35 insertions(+)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index eac7e450..2d9cb566 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -71,6 +71,38 @@ static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map)
>         return 0;
>  }
>
> +static int ebitmap_expand_roles(policydb_t *p, ebitmap_t *roles)
> +{
> +       ebitmap_node_t *node;
> +       unsigned int bit;
> +       role_datum_t *role;
> +       ebitmap_t tmp;
> +
> +       ebitmap_init(&tmp);
> +       ebitmap_for_each_positive_bit(roles, node, bit) {
> +               role = p->role_val_to_struct[bit];
> +               assert(role);
> +               if (role->flavor != ROLE_ATTRIB) {
> +                       if (ebitmap_set_bit(&tmp, bit, 1)) {
> +                               ebitmap_destroy(&tmp);
> +                               return -1;
> +                       }
> +               } else {
> +                       if (ebitmap_union(&tmp, &role->roles)) {
> +                               ebitmap_destroy(&tmp);
> +                               return -1;
> +                       }
> +               }
> +       }
> +       ebitmap_destroy(roles);
> +       if (ebitmap_cpy(roles, &tmp)) {
> +               ebitmap_destroy(&tmp);
> +               return -1;
> +       }
> +       ebitmap_destroy(&tmp);
> +       return 0;
> +}
> +
>  static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
>                               void *data)
>  {
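Review bot: the `assert(role)` after the `p->role_val_to_struct[bit]` lookup is the only guard before `role->flavor` is read; in a build with NDEBUG the assert compiles out and a NULL entry would be dereferenced, so returning -1 (after `ebitmap_destroy(&tmp)`) like the other error paths in this function would be safer than asserting in library code. The `else` branch unions `role->roles` as-is, so if that bitmap can itself contain attribute bits they would pass through unexpanded; a comment stating that an attribute's `roles` holds only regular roles (or a recursive expansion) would make that assumption explicit. Minor: the `ebitmap_` prefix reads like a generic ebitmap helper, but this is a role-specific static helper in expand.c, so a name such as `expand_role_attributes` would be clearer.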
> @@ -333,6 +365,9 @@ static int constraint_node_clone(constraint_node_t ** dst,
>                                         if (map_ebitmap(&expr->names, &new_expr->names, state->rolemap)) {
>                                                 goto out_of_mem;
>                                         }
> +                                       if (ebitmap_expand_roles(state->out, &new_expr->names)) {
> +                                               goto out_of_mem;
> +                                       }
>                                 } else if (new_expr->attr & CEXPR_USER) {
>                                         if (map_ebitmap(&expr->names, &new_expr->names, state->usermap)) {
>                                                 goto out_of_mem;
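Review bot: a short comment above the new `ebitmap_expand_roles` call would help, since the reason the expansion is needed here (an unexpanded attribute bit refers to a role that does not exist in the kernel policy, as the commit message explains) is otherwise only in the commit message. The call uses `state->out`, which matches the bits just remapped by `map_ebitmap` with `state->rolemap`, so the lookup is against the right policydb; the two back-to-back `goto out_of_mem` checks could be collapsed into one `if (map_ebitmap(...) || ebitmap_expand_roles(...))` if you prefer less repetition, though keeping them separate is also fine.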
> --
> 2.26.2
>