On Fri, Jun 10, 2022 at 11:12 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote: > > A require statement for a class permission adds that permission to the > class representation for the current module. In case the resulting > class would have more than the supported amount of 32 permissions > assigned the resulting binary module will fail to load at link-time > without an informative error message (since [1]). > > Bail out if adding a permission would result in a class having more then > the supported amount of 32 permissions assigned. > > [1]: https://github.com/SELinuxProject/selinux/commit/97af65f69644a3233d073ae93980a0d2e51f42e1 > > Closes: https://github.com/SELinuxProject/selinux/issues/356 > Reported-by: Julie Pichon > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> Acked-by: James Carter <jwcart2@xxxxxxxxx> > --- > checkpolicy/module_compiler.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c > index 129650fa..3188af89 100644 > --- a/checkpolicy/module_compiler.c > +++ b/checkpolicy/module_compiler.c > @@ -851,6 +851,14 @@ int require_class(int pass) > free(perm_id); > return -1; > } > + if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) { > + yyerror2("Class %s would have too many permissions " > + "to fit in an access vector with permission %s", > + policydbp->p_class_val_to_name[datum->s.value - 1], > + perm_id); > + free(perm_id); > + return -1; > + } > allocated = 1; > if ((perm = malloc(sizeof(*perm))) == NULL) { > yyerror("Out of memory!"); > -- > 2.36.1 >
