Christian Göttsche <cgzones@xxxxxxxxxxxxxx> writes: > On Wed, 15 Jun 2022 at 20:18, James Carter <jwcart2@xxxxxxxxx> wrote: >> >> On Fri, Jun 10, 2022 at 11:12 AM Christian Göttsche >> <cgzones@xxxxxxxxxxxxxx> wrote: >> > >> > A require statement for a class permission adds that permission to the >> > class representation for the current module. In case the resulting >> > class would have more than the supported amount of 32 permissions >> > assigned the resulting binary module will fail to load at link-time >> > without an informative error message (since [1]). >> > >> > Bail out if adding a permission would result in a class having more then > > s/then/than/ Merged, thanks! >> > the supported amount of 32 permissions assigned. >> > >> > [1]: https://github.com/SELinuxProject/selinux/commit/97af65f69644a3233d073ae93980a0d2e51f42e1 >> > >> > Closes: https://github.com/SELinuxProject/selinux/issues/356 >> > Reported-by: Julie Pichon >> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> >> >> Acked-by: James Carter <jwcart2@xxxxxxxxx> >> >> > --- >> > checkpolicy/module_compiler.c | 8 ++++++++ >> > 1 file changed, 8 insertions(+) >> > >> > diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c >> > index 129650fa..3188af89 100644 >> > --- a/checkpolicy/module_compiler.c >> > +++ b/checkpolicy/module_compiler.c >> > @@ -851,6 +851,14 @@ int require_class(int pass) >> > free(perm_id); >> > return -1; >> > } >> > + if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) { >> > + yyerror2("Class %s would have too many permissions " >> > + "to fit in an access vector with permission %s", >> > + policydbp->p_class_val_to_name[datum->s.value - 1], >> > + perm_id); >> > + free(perm_id); >> > + return -1; >> > + } >> > allocated = 1; >> > if ((perm = malloc(sizeof(*perm))) == NULL) { >> > yyerror("Out of memory!"); >> > -- >> > 2.36.1 >> >
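Review bot: the error message in the new check in require_class() names the class and the offending permission but not the limit itself; since the whole point of the patch is to replace an uninformative link-time failure with a diagnostic, consider including the number, e.g. "Class %s would have more than %u permissions (permission %s does not fit in the access vector)" with PERM_SYMTAB_SIZE as the extra argument, so a policy author who has never heard of the 32-permission access-vector limit described in the commit message sees it directly. The placement otherwise looks right: the check sits before `allocated = 1` and before `perm` is malloc'd, so the only resource to release on this path is `perm_id`, which the hunk frees, matching the `free(perm_id); return -1;` pattern of the check immediately above it. Comparing `nprim >= PERM_SYMTAB_SIZE` rather than `>` is also the correct bound, since a class that already holds PERM_SYMTAB_SIZE permissions cannot take the one being required.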