Re: [PATCH 3/3] libsepol: more strict validation

On Wed, Nov 1, 2023 at 12:39 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Ensure the ibendport port is not 0 (similar to the kernel).
>
> More general depth test for boolean expressions.
>
> Ensure the boolean id is not set for logic operators.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
>  libsepol/src/policydb_validate.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index c6a66fb3..0e4805ef 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -1002,13 +1002,15 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
>                 case COND_BOOL:
>                         if (validate_value(expr->boolean, boolean))
>                                 goto bad;
> -                       if (depth == (COND_EXPR_MAXDEPTH - 1))
> +                       if (depth >= (COND_EXPR_MAXDEPTH - 1))
>                                 goto bad;
>                         depth++;
>                         break;
>                 case COND_NOT:
>                         if (depth < 0)
>                                 goto bad;
> +                       if (expr->boolean != 0)
> +                               goto bad;
>                         break;
>                 case COND_OR:
>                 case COND_AND:
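Review bot: the switch from `==` to `>=` in the COND_BOOL depth check is the right direction, but the hunk gives no hint why the equality test was too weak; a one-line comment stating the invariant being enforced (depth must stay below `COND_EXPR_MAXDEPTH - 1` before it is incremented, so any value at or past that bound is rejected rather than only the exact boundary) would save the next reader from re-deriving it. The new `if (expr->boolean != 0) goto bad;` in the COND_NOT case is a sound tightening, since a unary operator carries no boolean id and a non-zero value there means the node is malformed; it would be worth extending the function's existing error path so the rejection reason is reported, as an unexplained `goto bad` on an otherwise well-formed expression is hard to diagnose from a policy file.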
> @@ -1017,6 +1019,8 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
>                 case COND_NEQ:
>                         if (depth < 1)
>                                 goto bad;
> +                       if (expr->boolean != 0)
> +                               goto bad;
>                         depth--;
>                         break;
>                 default:
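Review bot: the two added lines `if (expr->boolean != 0)` / `goto bad;` are identical to the ones added to the COND_NOT case in the previous hunk, and both express the same rule from the commit message ("the boolean id is not set for logic operators"). Consider hoisting that check out of the per-operator cases, for example a single test before the switch for every node whose `expr_type` is not COND_BOOL, so a future operator cannot be added without the check and the two copies cannot drift apart. Keeping the `depth < 1` underflow check ahead of the boolean-id check is fine, but the ordering should then be the same in both cases.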
> @@ -1199,6 +1203,8 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, valid
>                                                 goto bad;
>                                         break;
>                                 case OCON_IBENDPORT:
> +                                       if (octx->u.ibendport.port == 0)
> +                                               goto bad;
>                                         if (!octx->u.ibendport.dev_name)
>                                                 goto bad;
>                                         break;
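Review bot: the new `if (octx->u.ibendport.port == 0) goto bad;` only rejects the lower bound. The commit message says this mirrors the kernel, so it is worth confirming whether the kernel also bounds the port number from above (an InfiniBand port number is a small value, while the field read from the policy image may be wider); if it does, the validator should reject out-of-range values as well, otherwise a policy that the kernel refuses to load would still pass libsepol's validation. Placing the port check before the `dev_name` NULL check is fine, but a short comment naming the accepted range next to both checks would make the contract explicit.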
> --
> 2.42.0
>
