On Mon, Oct 11, 2021 at 12:41 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote: > > Reject loading a policy with invalid default targets so that all > following code, e.g. the different output modes, do not need to handle > unsupported ones. > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > --- > libsepol/src/policydb.c | 37 +++++++++++++++++++++++++++++++++++++ > 1 file changed, 37 insertions(+) > > diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c > index 980af059..5e8b4a3f 100644 > --- a/libsepol/src/policydb.c > +++ b/libsepol/src/policydb.c > @@ -2313,8 +2313,37 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp) > if (rc < 0) > goto bad; > cladatum->default_user = le32_to_cpu(buf[0]); > + switch (cladatum->default_user) { > + case 0: > + case DEFAULT_SOURCE: > + case DEFAULT_TARGET: > + break; > + default: > + goto bad; > + } > cladatum->default_role = le32_to_cpu(buf[1]); > + switch (cladatum->default_role) { > + case 0: > + case DEFAULT_SOURCE: > + case DEFAULT_TARGET: > + break; > + default: > + goto bad; > + } > cladatum->default_range = le32_to_cpu(buf[2]); > + switch (cladatum->default_range) { > + case 0: > + case DEFAULT_SOURCE_LOW: > + case DEFAULT_SOURCE_HIGH: > + case DEFAULT_SOURCE_LOW_HIGH: > + case DEFAULT_TARGET_LOW: > + case DEFAULT_TARGET_HIGH: > + case DEFAULT_TARGET_LOW_HIGH: > + case DEFAULT_GLBLUB: > + break; > + default: > + goto bad; > + } > } > > if ((p->policy_type == POLICY_KERN && 
> @@ -2325,6 +2354,14 @@ static int class_read(policydb_t * p, hashtab_t h, struct policy_file *fp) > if (rc < 0) > goto bad; > cladatum->default_type = le32_to_cpu(buf[0]); > + switch (cladatum->default_type) { > + case 0: > + case DEFAULT_SOURCE: > + case DEFAULT_TARGET: > + break; > + default: > + goto bad; > + } > } > > if (hashtab_insert(h, key, cladatum)) > -- > 2.33.0 > Same comment as for patch 14, I would like to see this in policydb_validate.c and checked when validating the policydb. Thanks, Jim
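Review bot: in the first hunk (@@ -2313) each `default: goto bad;` arm rejects the policy without reporting which of default_user, default_role or default_range held the unsupported value, so the failure cannot be traced to a field from the visible code. Consider emitting an error that names the field and the value before the jump. The default_user and default_role switches are also line-for-line identical, so a small helper that takes the value would remove the duplication.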
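Review bot: in the second hunk (@@ -2325) the default_type switch repeats the same `case 0: case DEFAULT_SOURCE: case DEFAULT_TARGET:` check already written out for default_user and default_role in the first hunk. Sharing one helper would keep the accepted set in one place. The bare `case 0:` also has no comment or named constant saying what a value of 0 stands for, which is worth documenting where it is accepted.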