Kernel policies with unsupported policy capabilities enabled can currently be parsed, since they result just in a bit set inside an ebitmap. Writing such a loaded policy into the traditional language or CIL will fail however, since the unsupported policy capabilities can not be converted into a name. Reject kernel policies with invalid policy capabilities. Reported-by: oss-fuzz (issue 60573) Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> --- Alternative to ("libsepol: ignore writing invalid polcaps in fuzzer"): https://patchwork.kernel.org/project/selinux/patch/20231101163852.177983-1-cgzones@xxxxxxxxxxxxxx/ Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> --- libsepol/src/policydb_validate.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index 892a0ffd..1acaa74f 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -1,6 +1,7 @@ #include <sepol/policydb/conditional.h> #include <sepol/policydb/ebitmap.h> +#include <sepol/policydb/polcaps.h> #include <sepol/policydb/policydb.h> #include <sepol/policydb/services.h> @@ -1522,6 +1523,23 @@ bad: return -1; } +static int validate_policycaps(sepol_handle_t *handle, const policydb_t *p) +{ + ebitmap_node_t *node; + uint32_t i; + + ebitmap_for_each_positive_bit(&p->policycaps, node, i) { + if (!sepol_polcap_getname(i)) + goto bad; + } + + return 0; + +bad: + ERR(handle, "Invalid policy capability"); + return -1; +} + static void validate_array_destroy(validate_t flavors[]) { unsigned int i; @@ -1544,6 +1562,9 @@ int policydb_validate(sepol_handle_t *handle, const policydb_t *p) if (validate_properties(handle, p)) goto bad; + if (validate_policycaps(handle, p)) + goto bad; + if (p->policy_type == POLICY_KERN) { if (validate_avtab(handle, &p->te_avtab, p, flavors)) goto bad; -- 2.42.0
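Review bot: the error path in the new validate_policycaps() (the second hunk, at the `bad:` label) reports only "Invalid policy capability" and discards the offending bit, so whoever hits this on a fuzzer corpus or a vendor-built binary policy cannot tell which bit in p->policycaps tripped the check. `i` is still in scope at `bad:`, so pass it through: `ERR(handle, "Invalid policy capability %u", i);`. The rest of the function follows the other validate_*() helpers in this file (ebitmap_for_each_positive_bit over the const policydb, `goto bad` on the first miss), and relying on sepol_polcap_getname() returning NULL for a bit it cannot name is exactly the same condition the traditional-language and CIL writers fail on, so the check and the writers cannot drift apart.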
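Review bot: in the third hunk the validate_policycaps() call is placed before `if (p->policy_type == POLICY_KERN)`, so it runs for module policies as well, while the commit message only says "Reject kernel policies with invalid policy capabilities". Either state in the commit message that the check covers both kernel and module policies (modules carry p->policycaps too, and writing them to CIL hits the same sepol_polcap_getname() lookup), or move the call inside the POLICY_KERN branch if the intent really is kernel-only; as written, the description and the code do not match.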