Check the permission bitset in normal constraints is not empty and has
no invalid bits set.
Check the names and type_names members are empty in case they are not
used.
Check the operator and attribute type are not set for simple expression
types.
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
libsepol/src/policydb_validate.c | 43 +++++++++++++++++++++++++++++---
1 file changed, 39 insertions(+), 4 deletions(-)
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 0650f4d1..41822e61 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -130,6 +130,21 @@ bad:
return -1;
}
+static int validate_empty_type_set(type_set_t *type_set)
+{
+ if (!ebitmap_is_empty(&type_set->types))
+ goto bad;
+ if (!ebitmap_is_empty(&type_set->negset))
+ goto bad;
+ if (type_set->flags != 0)
+ goto bad;
+
+ return 0;
+
+bad:
+ return -1;
+}
+
static int validate_role_set(role_set_t *role_set, validate_t *role)
{
if (validate_ebitmap(&role_set->roles, role))
@@ -176,23 +191,37 @@ bad:
return -1;
}
-static int validate_constraint_nodes(sepol_handle_t *handle, constraint_node_t *cons, validate_t flavors[])
+static int validate_constraint_nodes(sepol_handle_t *handle, unsigned int nperms, constraint_node_t *cons, validate_t flavors[])
{
constraint_expr_t *cexp;
for (; cons; cons = cons->next) {
+ if (nperms > 0 && cons->permissions == 0)
+ goto bad;
+ if (nperms > 0 && nperms != PERM_SYMTAB_SIZE && cons->permissions >= (UINT32_C(1) << nperms))
+ goto bad;
+
for (cexp = cons->expr; cexp; cexp = cexp->next) {
if (cexp->attr & CEXPR_USER) {
if (validate_ebitmap(&cexp->names, &flavors[SYM_USERS]))
goto bad;
+ if (validate_empty_type_set(cexp->type_names))
+ goto bad;
} else if (cexp->attr & CEXPR_ROLE) {
if (validate_ebitmap(&cexp->names, &flavors[SYM_ROLES]))
goto bad;
+ if (validate_empty_type_set(cexp->type_names))
+ goto bad;
} else if (cexp->attr & CEXPR_TYPE) {
if (validate_ebitmap(&cexp->names, &flavors[SYM_TYPES]))
goto bad;
if (validate_type_set(cexp->type_names, &flavors[SYM_TYPES]))
goto bad;
+ } else {
+ if (!ebitmap_is_empty(&cexp->names))
+ goto bad;
+ if (validate_empty_type_set(cexp->type_names))
+ goto bad;
}
if (cexp->expr_type == CEXPR_ATTR || cexp->expr_type == CEXPR_NAMES) {
@@ -236,6 +265,12 @@ static int validate_constraint_nodes(sepol_handle_t *handle, constraint_node_t *
default:
goto bad;
}
+
+ if (cexp->op != 0)
+ goto bad;
+
+ if (cexp->attr != 0)
+ goto bad;
}
}
}
@@ -251,11 +286,11 @@ static int validate_class_datum(sepol_handle_t *handle, class_datum_t *class, va
{
if (validate_value(class->s.value, &flavors[SYM_CLASSES]))
goto bad;
- if (validate_constraint_nodes(handle, class->constraints, flavors))
+ if (class->permissions.nprim > PERM_SYMTAB_SIZE)
goto bad;
- if (validate_constraint_nodes(handle, class->validatetrans, flavors))
+ if (validate_constraint_nodes(handle, class->permissions.nprim, class->constraints, flavors))
goto bad;
- if (class->permissions.nprim > PERM_SYMTAB_SIZE)
+ if (validate_constraint_nodes(handle, 0, class->validatetrans, flavors))
goto bad;
switch (class->default_user) {
--
2.34.1
