Re: [PATCH 2/5] libsepol/cil: Fix syntax checking of defaultrange rule

James Carter <jwcart2@xxxxxxxxx> · Mon, 21 Jun 2021 10:03:34 -0400

On Sat, Jun 19, 2021 at 9:36 AM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
>
> On Mon, Jun 14, 2021 at 5:05 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > The syntax array that cil_gen_defaultrange() called __cil_verify_syntax()
> > with was wrong. It had the range (which should be low, high, or low-high)
> > as optional when it is not.
> >
> > Use the correct syntax array to check the syntax of the defaultrange rule.
> >
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> > ---
> >  libsepol/cil/src/cil_build_ast.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> > index 71f14e20..a5f617d8 100644
> > --- a/libsepol/cil/src/cil_build_ast.c
> > +++ b/libsepol/cil/src/cil_build_ast.c
> > @@ -5862,7 +5862,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
> >                 CIL_SYN_STRING,
> >                 CIL_SYN_STRING | CIL_SYN_LIST,
> >                 CIL_SYN_STRING,
> > -               CIL_SYN_STRING | CIL_SYN_END,
> > +               CIL_SYN_STRING,
> >                 CIL_SYN_END
> >         };
> >         int syntax_len = sizeof(syntax)/sizeof(*syntax);
> > --
> > 2.26.3
>
> Hello,
> This patch will break selinux-testsuite with:
>
> /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil
> test_overlay_defaultrange.cil test_userfaultfd.cil test_add_levels.cil
> test_glblub.cil
> Invalid syntax
> Bad defaultrange declaration at
> /var/lib/selinux/targeted/tmp/modules/400/test_glblub/cil:1
> Failed to build AST
> /usr/sbin/semodule: Failed!
>
> ... because it currently uses, in
> https://github.com/SELinuxProject/selinux-testsuite/blob/0b78a9d433e8c4f956d18dc0db901f0a1a58c003/policy/test_glblub.cil
> :
>
>     (defaultrange db_table glblub)
>
> If I understand the commit message correctly, a range (low, high or
> low-high) has to be added to this statement. I am not familiar with
> glbulb and do not know how the testsuite should be modified. Could the
> policy used by the testsuite be fixed before applying this patch?
>

No, the policy is correct. I forgot about glbulb and misread the
source code. I will have to check the syntax in a different way.

Thanks,
Jim

> Cheers,
> Nicolas
>
> (PS : I was quite busy last month but now I have some time again to
> catch up with SELinux patches :) )
>