On Wed, 15 Jun 2022 at 20:18, James Carter <jwcart2@xxxxxxxxx> wrote: > > On Fri, Jun 10, 2022 at 11:12 AM Christian Göttsche > <cgzones@xxxxxxxxxxxxxx> wrote: > > > > A require statement for a class permission adds that permission to the > > class representation for the current module. In case the resulting > > class would have more than the supported amount of 32 permissions > > assigned the resulting binary module will fail to load at link-time > > without an informative error message (since [1]). > > > > Bail out if adding a permission would result in a class having more then s/then/than/ > > the supported amount of 32 permissions assigned. > > > > [1]: https://github.com/SELinuxProject/selinux/commit/97af65f69644a3233d073ae93980a0d2e51f42e1 > > > > Closes: https://github.com/SELinuxProject/selinux/issues/356 > > Reported-by: Julie Pichon > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > Acked-by: James Carter <jwcart2@xxxxxxxxx> > > > --- > > checkpolicy/module_compiler.c | 8 ++++++++ > > 1 file changed, 8 insertions(+) > > > > diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c > > index 129650fa..3188af89 100644 > > --- a/checkpolicy/module_compiler.c > > +++ b/checkpolicy/module_compiler.c > > @@ -851,6 +851,14 @@ int require_class(int pass) > > free(perm_id); > > return -1; > > } > > + if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) { > > + yyerror2("Class %s would have too many permissions " > > + "to fit in an access vector with permission %s", > > + policydbp->p_class_val_to_name[datum->s.value - 1], > > + perm_id); > > + free(perm_id); > > + return -1; > > + } > > allocated = 1; > > if ((perm = malloc(sizeof(*perm))) == NULL) { > > yyerror("Out of memory!"); > > -- > > 2.36.1 > >
