On Wed, May 8, 2024 at 2:50 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Mon, May 6, 2024 at 1:31 PM Christian Göttsche
> <cgoettsche@xxxxxxxxxxxxx> wrote:
> >
> > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> >
> > The flag RULE_SELF in type rules is only supported in modular policies
> > since version 21 (MOD_POLICYDB_VERSION_SELF_TYPETRANS).
> >
> > Reported-by: oss-fuzz (issue 68731)
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> For these four patches:
> Acked-by: James Carter <jwcart2@xxxxxxxxx>
>

These four patches have been merged.
Thanks,
Jim

> > ---
> >  libsepol/src/policydb_validate.c | 14 +++++++++++++-
> >  1 file changed, 13 insertions(+), 1 deletion(-)
> >
> > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> > index e1623172..be3ebe5f 100644
> > --- a/libsepol/src/policydb_validate.c
> > +++ b/libsepol/src/policydb_validate.c
> > @@ -1077,6 +1077,10 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int
> >  	switch(avrule->flags) {
> >  	case 0:
> >  	case RULE_SELF:
> > +		if (p->policyvers != POLICY_KERN &&
> > +		    p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS &&
> > +		    (avrule->specified & AVRULE_TYPE))
> > +			goto bad;
> >  		break;
> >  	case RULE_NOTSELF:
> >  		switch(avrule->specified) {
> > @@ -1503,8 +1507,16 @@ static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_
> >  			goto bad;
> >
> >  		/* currently only the RULE_SELF flag can be set */
> > -		if ((filename_trans->flags & ~RULE_SELF) != 0)
> > +		switch (filename_trans->flags) {
> > +		case 0:
> > +			break;
> > +		case RULE_SELF:
> > +			if (p->policyvers != POLICY_KERN && p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS)
> > +				goto bad;
> > +			break;
> > +		default:
> >  			goto bad;
> > +		}
> >  	}
> >
> >  	return 0;
> > --
> > 2.43.0
> >
> >
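Review bot: In the validate_avrules hunk (@@ -1077), `case 0:` still falls through into `case RULE_SELF:`, so the new version check also runs for rules whose flags are 0; a plain type rule (AVRULE_TYPE set, no self flag) in a modular policy older than MOD_POLICYDB_VERSION_SELF_TYPETRANS would then hit `goto bad` even though it carries no RULE_SELF flag, which contradicts the commit message. Suggest giving `case 0:` its own `break;` before `case RULE_SELF:` so only rules that actually set RULE_SELF are rejected on old module versions.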
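Review bot: In the validate_filename_trans_rules hunk (@@ -1503), the RULE_SELF version check is written on one long line (`if (p->policyvers != POLICY_KERN && p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS)`), whereas the equivalent check in the first hunk is wrapped one condition per line; wrapping it the same way keeps the two checks visibly parallel and makes it easier to confirm they enforce the same version boundary. The comment "currently only the RULE_SELF flag can be set" remains accurate for the new switch and can stay as is.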