From 814af5606460eac001e6c50504206d9e646c4eb9 Mon Sep 17 00:00:00 2001
From: Andreas Grapentin
Date: Sat, 3 Feb 2018 16:13:09 +0100
Subject: pcr/libsepol: updated to 2.7
---
...l-Use-an-empty-list-to-represent-an-unkno.patch | 47 ----------------------
1 file changed, 47 deletions(-)
delete mode 100644 pcr/libsepol/0003-libsepol-cil-Use-an-empty-list-to-represent-an-unkno.patch
(limited to 'pcr/libsepol/0003-libsepol-cil-Use-an-empty-list-to-represent-an-unkno.patch')
diff --git a/pcr/libsepol/0003-libsepol-cil-Use-an-empty-list-to-represent-an-unkno.patch b/pcr/libsepol/0003-libsepol-cil-Use-an-empty-list-to-represent-an-unkno.patch
deleted file mode 100644
index 04b527a4b..000000000
--- a/pcr/libsepol/0003-libsepol-cil-Use-an-empty-list-to-represent-an-unkno.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From e7fe9afb6e072c9e769586718060607ef7535c80 Mon Sep 17 00:00:00 2001
-From: James Carter
-Date: Tue, 18 Oct 2016 14:20:24 -0400
-Subject: [PATCH] libsepol/cil: Use an empty list to represent an unknown
- permission
-
-Nicolas Iooss found while fuzzing secilc with AFL that the statement
-"(classpermissionset CPERM (CLASS (and unknow PERM)))" will cause a
-segfault.
-
-In order to support a policy module package using a permission that
-does not exist on the system it is loaded on, CIL will only give a
-warning when it fails to resolve an unknown permission. CIL itself will
-just ignore the unknown permission. This means that an expression like
-"(and UNKNOWN p1)" will look like "(and p1)" to CIL, but, since syntax
-checking has already been done, CIL won't know that the expression is not
-well-formed. When the expression is evaluated a segfault will occur
-because all expressions are assumed to be well-formed at evaluation time.
-
-Use an empty list to represent an unknown permission so that expressions
-will continue to be well-formed and expression evaluation will work but
-the unknown permission will still be ignored.
-
-Signed-off-by: James Carter
----
- libsepol/cil/src/cil_resolve_ast.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
-index c40354572ce7..f3f3e92739a3 100644
---- a/libsepol/cil/src/cil_resolve_ast.c
-+++ b/libsepol/cil/src/cil_resolve_ast.c
-@@ -131,7 +131,11 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
- }
- }
- if (rc != SEPOL_OK) {
-+ struct cil_list *empty_list;
- cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
-+ /* Use an empty list to represent unknown perm */
-+ cil_list_init(&empty_list, perm_strs->flavor);
-+ cil_list_append(*perm_datums, CIL_LIST, empty_list);
- } else {
- cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
- }
---
-2.10.2
-
-- cgit v1.2.3