Re: [PATCH 2/2] checkpolicy: warn on bogus IP address or netmask in nodecon statement

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Nov 30, 2021 at 4:50 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Warn if the netmask is not contiguous or the address has host bits set,
> e.g.:
>
>     127.0.0.0 255.255.245.0
>     127.0.0.1 255.255.255.0
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
>  checkpolicy/policy_define.c | 50 +++++++++++++++++++++++++++++++++++++
>  1 file changed, 50 insertions(+)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index d3eb6111..b2ae3263 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -5290,6 +5290,14 @@ int define_ipv4_node_context()
>                 goto out;
>         }
>
> +       if (mask.s_addr != 0 && ((~mask.s_addr + 1) & ~mask.s_addr) != 0) {
> +               yywarn("ipv4 mask is not contiguous");
> +       }
> +
> +       if ((~mask.s_addr & addr.s_addr) != 0) {
> +               yywarn("host bits in ipv4 address set");
> +       }
> +
>         newc = malloc(sizeof(ocontext_t));
>         if (!newc) {
>                 yyerror("out of memory");
> @@ -5325,6 +5333,40 @@ out:
>         return rc;
>  }
>
> +static int ipv6_is_mask_contiguous(const struct in6_addr *mask)
> +{
> +       int filled = 1;
> +       unsigned i;
> +
> +       for (i = 0; i < 16; i++) {
> +               if ((((~mask->s6_addr[i] & 0xFF) + 1) & (~mask->s6_addr[i] & 0xFF)) != 0) {
> +                       return 0;
> +               }
> +               if (!filled && mask->s6_addr[i] != 0) {
> +                       return 0;
> +               }
> +
> +               if (filled && mask->s6_addr[i] != 0xFF) {
> +                       filled = 0;
> +               }
> +       }
> +
> +       return 1;
> +}
> +
> +static int ipv6_has_host_bits_set(const struct in6_addr *addr, const struct in6_addr *mask)
> +{
> +       unsigned i;
> +
> +       for (i = 0; i < 16; i++) {
> +               if ((addr->s6_addr[i] & ~mask->s6_addr[i]) != 0) {
> +                       return 1;
> +               }
> +       }
> +
> +       return 0;
> +}
> +
>  int define_ipv6_node_context(void)
>  {
>         char *id;
> @@ -5376,6 +5418,14 @@ int define_ipv6_node_context(void)
>                 goto out;
>         }
>
> +       if (!ipv6_is_mask_contiguous(&mask)) {
> +               yywarn("ipv6 mask is not contiguous");
> +       }
> +
> +       if (ipv6_has_host_bits_set(&addr, &mask)) {
> +               yywarn("host bits in ipv6 address set");
> +       }
> +
>         newc = malloc(sizeof(ocontext_t));
>         if (!newc) {
>                 yyerror("out of memory");
> --
> 2.34.1
>
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux