Re: [PATCH 2/2] libsepol: Check kernel to CIL and Conf functions for supported versions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Mar 11, 2021 at 4:41 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> For policy versions between 20 and 23, attributes exist in the
> policy, but only in the type_attr_map. This means that there are
> gaps in both the type_val_to_struct and p_type_val_to_name arrays
> and policy rules can refer to those gaps which can lead to NULL
> dereferences when using sepol_kernel_policydb_to_conf() and
> sepol_kernel_policydb_to_cil().
>
> This can be seen with the following policy:
>   class CLASS1
>   sid SID1
>   class CLASS1 { PERM1 }
>   attribute TYPE_ATTR1;
>   type TYPE1;
>   typeattribute TYPE1 TYPE_ATTR1;
>   allow TYPE_ATTR1 self : CLASS1 PERM1;
>   role ROLE1;
>   role ROLE1 types TYPE1;
>   user USER1 roles ROLE1;
>   sid SID1 USER1:ROLE1:TYPE1
>
> Compile the policy:
>   checkpolicy -c 23 -o policy.bin policy.conf
> Converting back to a policy.conf causes a segfault:
>   checkpolicy -F -b -o policy.bin.conf policy.bin
>
> Have both sepol_kernel_policydb_to_conf() and
> sepol_kernel_policydb_to_cil() exit with an error if the kernel
> policy version is between 20 and 23.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>

For this patch: Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>

(for the first one, I reported a regression in "checkpolicy -V")

Thanks,
Nicolas

> ---
>  libsepol/src/kernel_to_cil.c  | 12 ++++++++++++
>  libsepol/src/kernel_to_conf.c | 12 ++++++++++++
>  2 files changed, 24 insertions(+)
>
> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
> index a146ac51..edfebeaf 100644
> --- a/libsepol/src/kernel_to_cil.c
> +++ b/libsepol/src/kernel_to_cil.c
> @@ -3164,6 +3164,18 @@ int sepol_kernel_policydb_to_cil(FILE *out, struct policydb *pdb)
>                 goto exit;
>         }
>
> +       if (pdb->policyvers >= POLICYDB_VERSION_AVTAB && pdb->policyvers <= POLICYDB_VERSION_PERMISSIVE) {
> +               /*
> +                * For policy versions between 20 and 23, attributes exist in the policy,
> +                * but only in the type_attr_map. This means that there are gaps in both
> +                * the type_val_to_struct and p_type_val_to_name arrays and policy rules
> +                * can refer to those gaps.
> +                */
> +               sepol_log_err("Writing policy versions between 20 and 23 as CIL is not supported");
> +               rc = -1;
> +               goto exit;
> +       }
> +
>         rc = constraint_rules_to_strs(pdb, mls_constraints, non_mls_constraints);
>         if (rc != 0) {
>                 goto exit;
> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> index a22f196d..ea58a026 100644
> --- a/libsepol/src/kernel_to_conf.c
> +++ b/libsepol/src/kernel_to_conf.c
> @@ -3041,6 +3041,18 @@ int sepol_kernel_policydb_to_conf(FILE *out, struct policydb *pdb)
>                 goto exit;
>         }
>
> +       if (pdb->policyvers >= POLICYDB_VERSION_AVTAB && pdb->policyvers <= POLICYDB_VERSION_PERMISSIVE) {
> +               /*
> +                * For policy versions between 20 and 23, attributes exist in the policy,
> +                * but only in the type_attr_map. This means that there are gaps in both
> +                * the type_val_to_struct and p_type_val_to_name arrays and policy rules
> +                * can refer to those gaps.
> +                */
> +               sepol_log_err("Writing policy versions between 20 and 23 as a policy.conf is not supported");
> +               rc = -1;
> +               goto exit;
> +       }
> +
>         rc = constraint_rules_to_strs(pdb, mls_constraints, non_mls_constraints);
>         if (rc != 0) {
>                 goto exit;
> --
> 2.26.2
>




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux