On Mon, May 6, 2024 at 1:31 PM Christian Göttsche <cgoettsche@xxxxxxxxxxxxx> wrote: > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > The flag RULE_SELF in type rules is only supported in modular policies > since version 21 (MOD_POLICYDB_VERSION_SELF_TYPETRANS). > > Reported-by: oss-fuzz (issue 68731) > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> For these four patches: Acked-by: James Carter <jwcart2@xxxxxxxxx> > --- > libsepol/src/policydb_validate.c | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) > > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c > index e1623172..be3ebe5f 100644 > --- a/libsepol/src/policydb_validate.c > +++ b/libsepol/src/policydb_validate.c > @@ -1077,6 +1077,10 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int > switch(avrule->flags) { > case 0: > case RULE_SELF: > + if (p->policyvers != POLICY_KERN && > + p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS && > + (avrule->specified & AVRULE_TYPE)) > + goto bad; > break; > case RULE_NOTSELF: > switch(avrule->specified) { > @@ -1503,8 +1507,16 @@ static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_ > goto bad; > > /* currently only the RULE_SELF flag can be set */ > - if ((filename_trans->flags & ~RULE_SELF) != 0) > + switch (filename_trans->flags) { > + case 0: > + break; > + case RULE_SELF: > + if (p->policyvers != POLICY_KERN && p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS) > + goto bad; > + break; > + default: > goto bad; > + } > } > > return 0; > -- > 2.43.0 > >
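Review bot: In the validate_avrules hunk (@@ -1077), the new version check is reached for flags == 0 as well as for RULE_SELF, because "case 0:" has no break of its own and falls through into "case RULE_SELF:". A type rule with no flags set in a module older than MOD_POLICYDB_VERSION_SELF_TYPETRANS would therefore also take "goto bad", while the commit message restricts only RULE_SELF. Giving "case 0:" its own "break;" ahead of "case RULE_SELF:", as the validate_filename_trans_rules hunk does, would keep flagless type rules valid in older modules.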
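Review bot: In the validate_filename_trans_rules hunk (@@ -1503), "p->policyvers != POLICY_KERN" tests the policy version field against a constant whose name denotes a policy type, right beside a comparison of the same field with MOD_POLICYDB_VERSION_SELF_TYPETRANS. If the intent is to apply the module version check only to non-kernel policies, the policy type field is probably what should be compared here; the same expression appears in the validate_avrules hunk. The retained comment "currently only the RULE_SELF flag can be set" could also mention the module version requirement that the switch now enforces.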