On Thu, Mar 11, 2021 at 4:41 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > For policy versions between 20 and 23, attributes exist in the > policy, but only in the type_attr_map. This means that there are > gaps in both the type_val_to_struct and p_type_val_to_name arrays > and policy rules can refer to those gaps which can lead to NULL > dereferences when using sepol_kernel_policydb_to_conf() and > sepol_kernel_policydb_to_cil(). > > This can be seen with the following policy: > class CLASS1 > sid SID1 > class CLASS1 { PERM1 } > attribute TYPE_ATTR1; > type TYPE1; > typeattribute TYPE1 TYPE_ATTR1; > allow TYPE_ATTR1 self : CLASS1 PERM1; > role ROLE1; > role ROLE1 types TYPE1; > user USER1 roles ROLE1; > sid SID1 USER1:ROLE1:TYPE1 > > Compile the policy: > checkpolicy -c 23 -o policy.bin policy.conf > Converting back to a policy.conf causes a segfault: > checkpolicy -F -b -o policy.bin.conf policy.bin > > Have both sepol_kernel_policydb_to_conf() and > sepol_kernel_policydb_to_cil() exit with an error if the kernel > policy version is between 20 and 23. > > Signed-off-by: James Carter <jwcart2@xxxxxxxxx> For this patch: Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> (for the first one, I reported a regression in "checkpolicy -V") Thanks, Nicolas > --- > libsepol/src/kernel_to_cil.c | 12 ++++++++++++ > libsepol/src/kernel_to_conf.c | 12 ++++++++++++ > 2 files changed, 24 insertions(+) > > diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c > index a146ac51..edfebeaf 100644 > --- a/libsepol/src/kernel_to_cil.c > +++ b/libsepol/src/kernel_to_cil.c > @@ -3164,6 +3164,18 @@ int sepol_kernel_policydb_to_cil(FILE *out, struct policydb *pdb) > goto exit; > } > > + if (pdb->policyvers >= POLICYDB_VERSION_AVTAB && pdb->policyvers <= POLICYDB_VERSION_PERMISSIVE) { > + /* > + * For policy versions between 20 and 23, attributes exist in the policy, > + * but only in the type_attr_map. This means that there are gaps in both > + * the type_val_to_struct and p_type_val_to_name arrays and policy rules > + * can refer to those gaps. > + */ > + sepol_log_err("Writing policy versions between 20 and 23 as CIL is not supported"); > + rc = -1; > + goto exit; > + } > + > rc = constraint_rules_to_strs(pdb, mls_constraints, non_mls_constraints); > if (rc != 0) { > goto exit; > diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c > index a22f196d..ea58a026 100644 > --- a/libsepol/src/kernel_to_conf.c > +++ b/libsepol/src/kernel_to_conf.c > @@ -3041,6 +3041,18 @@ int sepol_kernel_policydb_to_conf(FILE *out, struct policydb *pdb) > goto exit; > } > > + if (pdb->policyvers >= POLICYDB_VERSION_AVTAB && pdb->policyvers <= POLICYDB_VERSION_PERMISSIVE) { > + /* > + * For policy versions between 20 and 23, attributes exist in the policy, > + * but only in the type_attr_map. This means that there are gaps in both > + * the type_val_to_struct and p_type_val_to_name arrays and policy rules > + * can refer to those gaps. > + */ > + sepol_log_err("Writing policy versions between 20 and 23 as a policy.conf is not supported"); > + rc = -1; > + goto exit; > + } > + > rc = constraint_rules_to_strs(pdb, mls_constraints, non_mls_constraints); > if (rc != 0) { > goto exit; > -- > 2.26.2 >