On Wed, Mar 10, 2021 at 9:16 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Am Mi., 10. März 2021 um 20:30 Uhr schrieb James Carter <jwcart2@xxxxxxxxx>:
> >
> > When creating the kernel binary policy, role attributes in constraint
> > expressions are not expanded. This causes the constraint expression
> > to refer to a non-existent role in the kernel policy. This can lead
> > to a segfault when converting the binary policy back to conf or CIL
> > source or when using policy tools such as seinfo.
> >
> > Expand role attributes in constraint expressions when creating the
> > kernel binary policy.
>
>
> Thanks for the quick fix.
> Tested role attribute constraints with bare 3.2, leading to setfiles
> failing with `libsepol.validate_constraint_nodes: Invalid constraint
> expr`.
> Works fine with this patch.
> Also seinfo does not crash on the newly generated policy anymore.
>
> Tested-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
>
> >
> > Reported-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
Thanks,
Nicolas
> > ---
> > libsepol/src/expand.c | 35 +++++++++++++++++++++++++++++++++++
> > 1 file changed, 35 insertions(+)
> >
> > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> > index eac7e450..2d9cb566 100644
> > --- a/libsepol/src/expand.c
> > +++ b/libsepol/src/expand.c
> > @@ -71,6 +71,38 @@ static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map)
> > return 0;
> > }
> >
> > +static int ebitmap_expand_roles(policydb_t *p, ebitmap_t *roles)
> > +{
> > + ebitmap_node_t *node;
> > + unsigned int bit;
> > + role_datum_t *role;
> > + ebitmap_t tmp;
> > +
> > + ebitmap_init(&tmp);
> > + ebitmap_for_each_positive_bit(roles, node, bit) {
> > + role = p->role_val_to_struct[bit];
> > + assert(role);
> > + if (role->flavor != ROLE_ATTRIB) {
> > + if (ebitmap_set_bit(&tmp, bit, 1)) {
> > + ebitmap_destroy(&tmp);
> > + return -1;
> > + }
> > + } else {
> > + if (ebitmap_union(&tmp, &role->roles)) {
> > + ebitmap_destroy(&tmp);
> > + return -1;
> > + }
> > + }
> > + }
> > + ebitmap_destroy(roles);
> > + if (ebitmap_cpy(roles, &tmp)) {
> > + ebitmap_destroy(&tmp);
> > + return -1;
> > + }
> > + ebitmap_destroy(&tmp);
> > + return 0;
> > +}
> > +
> > static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
> > void *data)
> > {
> > @@ -333,6 +365,9 @@ static int constraint_node_clone(constraint_node_t ** dst,
> > if (map_ebitmap(&expr->names, &new_expr->names, state->rolemap)) {
> > goto out_of_mem;
> > }
> > + if (ebitmap_expand_roles(state->out, &new_expr->names)) {
> > + goto out_of_mem;
> > + }
> > } else if (new_expr->attr & CEXPR_USER) {
> > if (map_ebitmap(&expr->names, &new_expr->names, state->usermap)) {
> > goto out_of_mem;
> > --
> > 2.26.2
> >
