Re: [PATCH] libsepol: ignore writing invalid polcaps in fuzzer

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Nov 1, 2023 at 12:39 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Kernel policies with unsupported policy capabilities enabled can
> currently be parsed, since they result just in a bit set inside an
> ebitmap.  Writing such a loaded policy into the traditional language or
> CIL will fail however, since unsupported policy capabilities can not
> be converted into names.
>
> This currently affects the fuzzer, since it generates such policies and
> then fails to write them.
>
> Ignore writing invalid policy capabilities only for the fuzzer.  Thus
> users can still use old libsepol versions to analyze (but not write)
> policies with new policy capabilities, since capabilities can be
> introduced without a new policy version.
>
> Reported-by: oss-fuzz (issue 60573)
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
>  libsepol/src/kernel_to_cil.c  | 4 ++++
>  libsepol/src/kernel_to_conf.c | 4 ++++
>  2 files changed, 8 insertions(+)
>
> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
> index 8fcc385d..f94d67f5 100644
> --- a/libsepol/src/kernel_to_cil.c
> +++ b/libsepol/src/kernel_to_cil.c
> @@ -1198,9 +1198,13 @@ static int write_polcap_rules_to_cil(FILE *out, struct policydb *pdb)
>         ebitmap_for_each_positive_bit(&pdb->policycaps, node, i) {
>                 name = sepol_polcap_getname(i);
>                 if (name == NULL) {
> +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
> +                       continue;
> +#else
>                         ERR(NULL, "Unknown policy capability id: %i", i);
>                         rc = -1;
>                         goto exit;
> +#endif
>                 }
>
>                 rc = strs_create_and_add(strs, "(policycap %s)", 1, name);
> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> index b0ae16d9..a752667c 100644
> --- a/libsepol/src/kernel_to_conf.c
> +++ b/libsepol/src/kernel_to_conf.c
> @@ -1181,9 +1181,13 @@ static int write_polcap_rules_to_conf(FILE *out, struct policydb *pdb)
>         ebitmap_for_each_positive_bit(&pdb->policycaps, node, i) {
>                 name = sepol_polcap_getname(i);
>                 if (name == NULL) {
> +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
> +                       continue;
> +#else
>                         ERR(NULL, "Unknown policy capability id: %i", i);
>                         rc = -1;
>                         goto exit;
> +#endif
>                 }
>
>                 rc = strs_create_and_add(strs, "policycap %s;", 1, name);
> --
> 2.42.0
>

I don't understand this patch. The fuzzer is generating an invalid
policy, so, of course, there is an error. The kernel has to be
conservative because an older kernel might have to deal with a policy
generated by a newer userspace. We do not guarantee that an older
userspace can handle a new policy. Nothing in the userspace allows
invalid policy capabilities. These two functions are following the
example of checkpolicy and secilc and giving an error for an invalid
policy capability. I am not going to make an exception for the fuzzer.
Jim




[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux