author | Luke Shumaker <lukeshu@sbcglobal.net> | 2017-02-03 13:02:37 -0500 |
committer | Luke Shumaker <lukeshu@sbcglobal.net> | 2017-02-03 13:02:37 -0500 |
commit | d9fecb8ab0f52272fd4785fe6f15e6855b2f6008 (patch) | |
tree | c519942cea1525634351674f609cfc0fcefceaa7 /pcr/libsepol/0003-libsepol-cil-Use-an-empty-list-to-represent-an-unkno.patch | |
parent | b7f02b9741f313a6d6b96c1829d45fe09a39d0de (diff) | |
add pcr/libsepol
Diffstat (limited to 'pcr/libsepol/0003-libsepol-cil-Use-an-empty-list-to-represent-an-unkno.patch')
-rw-r--r-- | pcr/libsepol/0003-libsepol-cil-Use-an-empty-list-to-represent-an-unkno.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/pcr/libsepol/0003-libsepol-cil-Use-an-empty-list-to-represent-an-unkno.patch b/pcr/libsepol/0003-libsepol-cil-Use-an-empty-list-to-represent-an-unkno.patch
new file mode 100644
index 000000000..04b527a4b
--- /dev/null
+++ b/pcr/libsepol/0003-libsepol-cil-Use-an-empty-list-to-represent-an-unkno.patch
@@ -0,0 +1,47 @@
+From e7fe9afb6e072c9e769586718060607ef7535c80 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@tycho.nsa.gov>
+Date: Tue, 18 Oct 2016 14:20:24 -0400
+Subject: [PATCH] libsepol/cil: Use an empty list to represent an unknown
+ permission
+
+Nicolas Iooss found while fuzzing secilc with AFL that the statement
+"(classpermissionset CPERM (CLASS (and unknow PERM)))" will cause a
+segfault.
+
+In order to support a policy module package using a permission that
+does not exist on the system it is loaded on, CIL will only give a
+warning when it fails to resolve an unknown permission. CIL itself will
+just ignore the unknown permission. This means that an expression like
+"(and UNKNOWN p1)" will look like "(and p1)" to CIL, but, since syntax
+checking has already been done, CIL won't know that the expression is not
+well-formed. When the expression is evaluated a segfault will occur
+because all expressions are assumed to be well-formed at evaluation time.
+
+Use an empty list to represent an unknown permission so that expressions
+will continue to be well-formed and expression evaluation will work but
+the unknown permission will still be ignored.
+
+Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
+---
+ libsepol/cil/src/cil_resolve_ast.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
+index c40354572ce7..f3f3e92739a3 100644
+--- a/libsepol/cil/src/cil_resolve_ast.c
++++ b/libsepol/cil/src/cil_resolve_ast.c
+@@ -131,7 +131,11 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
+ }
+ }
+ if (rc != SEPOL_OK) {
++ struct cil_list *empty_list;
+ cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
++ /* Use an empty list to represent unknown perm */
++ cil_list_init(&empty_list, perm_strs->flavor);
++ cil_list_append(*perm_datums, CIL_LIST, empty_list);
+ } else {
+ cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
+ }
+-- 
+2.10.2
+
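Review bot: The comment added inside the inner hunk, `/* Use an empty list to represent unknown perm */`, records what is done but not why, and the why is the whole point of the fix: an unresolved permission is deliberately warned about and ignored, but simply not appending a node to `*perm_datums` leaves an already syntax-checked expression such as `(and UNKNOWN p1)` one operand short, and the evaluator assumes every expression is well-formed. Suggest `/* Unknown perms are warned about and ignored, but the expression must stay well-formed for the evaluator: append an empty CIL_LIST as a placeholder operand */`. Whether the placeholder is released together with `*perm_datums` depends on the list destructor recursing into CIL_LIST items, which the hunk does not show; worth confirming, since a policy with many unresolvable permissions would otherwise leak one list per occurrence. `__cil_resolve_perms` starts and ends outside the hunk, and as this file carries an upstream commit verbatim, the wording change belongs upstream rather than in the packaging patch.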