On Wed, Mar 10, 2021 at 9:16 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote: > > Am Mi., 10. März 2021 um 20:30 Uhr schrieb James Carter <jwcart2@xxxxxxxxx>: > > > > When creating the kernel binary policy, role attributes in constraint > > expressions are not expanded. This causes the constraint expression > > to refer to a non-existent role in the kernel policy. This can lead > > to a segfault when converting the binary policy back to conf or CIL > > source or when using policy tools such as seinfo. > > > > Expand role attributes in constraint expressions when creating the > > kernel binary policy. > > > Thanks for the quick fix. > Tested role attribute constraints with bare 3.2, leading to setfiles > failing with `libsepol.validate_constraint_nodes: Invalid constraint > expr`. > Works fine with this patch. > Also seinfo does not crash on the newly generated policy anymore. > > Tested-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > > > > > Reported-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > Signed-off-by: James Carter <jwcart2@xxxxxxxxx> Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> Thanks, Nicolas > > --- > > libsepol/src/expand.c | 35 +++++++++++++++++++++++++++++++++++ > > 1 file changed, 35 insertions(+) > > > > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c > > index eac7e450..2d9cb566 100644 > > --- a/libsepol/src/expand.c > > +++ b/libsepol/src/expand.c 
> > @@ -71,6 +71,38 @@ static int map_ebitmap(ebitmap_t * src, ebitmap_t * dst, uint32_t * map)
> > return 0;
> > }
> >
> > +static int ebitmap_expand_roles(policydb_t *p, ebitmap_t *roles)
> > +{
> > + ebitmap_node_t *node;
> > + unsigned int bit;
> > + role_datum_t *role;
> > + ebitmap_t tmp;
> > +
> > + ebitmap_init(&tmp);
> > + ebitmap_for_each_positive_bit(roles, node, bit) {
> > + role = p->role_val_to_struct[bit];
> > + assert(role);
> > + if (role->flavor != ROLE_ATTRIB) {
> > + if (ebitmap_set_bit(&tmp, bit, 1)) {
> > + ebitmap_destroy(&tmp);
> > + return -1;
> > + }
> > + } else {
> > + if (ebitmap_union(&tmp, &role->roles)) {
> > + ebitmap_destroy(&tmp);
> > + return -1;
> > + }
> > + }
> > + }
> > + ebitmap_destroy(roles);
> > + if (ebitmap_cpy(roles, &tmp)) {
> > + ebitmap_destroy(&tmp);
> > + return -1;
> > + }
> > + ebitmap_destroy(&tmp);
> > + return 0;
> > +}
> > +
> > static int type_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
> > void *data)
> > {
> > @@ -333,6 +365,9 @@ static int constraint_node_clone(constraint_node_t ** dst,
> > if (map_ebitmap(&expr->names, &new_expr->names, state->rolemap)) {
> > goto out_of_mem;
> > }
> > + if (ebitmap_expand_roles(state->out, &new_expr->names)) {
> > + goto out_of_mem;
> > + }
> > } else if (new_expr->attr & CEXPR_USER) {
> > if (map_ebitmap(&expr->names, &new_expr->names, state->usermap)) {
> > goto out_of_mem;
> > --
> > 2.26.2
> >
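Review bot: In ebitmap_expand_roles the only guard on `p->role_val_to_struct[bit]` is `assert(role)`, which disappears in NDEBUG builds and never checks that `bit` lies inside the table. The commit message says bad role references in constraints already crash policy tools, so the helper should fail cleanly instead: `if (bit >= p->p_roles.nprim || !p->role_val_to_struct[bit]) { ebitmap_destroy(&tmp); return -1; }`. The one caller in this patch passes a bitmap already remapped through state->rolemap, so the case is presumably unreachable today, but the helper accepts any policydb and bitmap. The three identical `ebitmap_destroy(&tmp); return -1;` exits could also share one cleanup label.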
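Review bot: The new call in constraint_node_clone carries no comment explaining why the role names are rewritten right after mapping; I would add `/* The kernel policy has no role attributes; replace each one with its member roles. */` above it. Failure is routed to `out_of_mem`, which fits the helper as written, since its error returns come from ebitmap operations that presumably fail only on allocation. Any validity check added to the helper later would then be reported as an out-of-memory condition. The function body and the condition guarding this branch lie outside the hunk.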