1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
From 991de68ce07cb83f442547160e30a63806e69e27 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@tycho.nsa.gov>
Date: Wed, 2 Nov 2016 10:12:25 -0400
Subject: [PATCH] libsepol/cil: Exit with an error for an unknown map
permission
Nicholas Iooss discovered that using an unknown permission with a
map class will cause a segfault.
CIL will only give a warning when it fails to resolve an unknown
permission to support the use of policy module packages that use
permissions that don't exit on the current system. When resolving
the unknown map class permission an empty list is used to represent
the unknown permission. When it is evaluated later the list is
assumed to be a permission and a segfault occurs.
There is no reason to allow unknown class map permissions because
the class maps and permissions are defined by the policy.
Exit with an error when failing to resolve a class map permission.
Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/cil/src/cil_resolve_ast.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index ec547d38125d..7fe4a74d322f 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -106,7 +106,7 @@ static struct cil_name * __cil_insert_name(struct cil_db *db, hashtab_key_t key,
return name;
}
-static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab, struct cil_list *perm_strs, struct cil_list **perm_datums)
+static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab, struct cil_list *perm_strs, struct cil_list **perm_datums, enum cil_flavor class_flavor)
{
int rc = SEPOL_ERR;
struct cil_list_item *curr;
@@ -116,7 +116,7 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
cil_list_for_each(curr, perm_strs) {
if (curr->flavor == CIL_LIST) {
struct cil_list *sub_list;
- rc = __cil_resolve_perms(class_symtab, common_symtab, curr->data, &sub_list);
+ rc = __cil_resolve_perms(class_symtab, common_symtab, curr->data, &sub_list, class_flavor);
if (rc != SEPOL_OK) {
cil_log(CIL_ERR, "Failed to resolve permission list\n");
goto exit;
@@ -132,6 +132,10 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
}
if (rc != SEPOL_OK) {
struct cil_list *empty_list;
+ if (class_flavor == CIL_MAP_CLASS) {
+ cil_log(CIL_ERR, "Failed to resolve permission %s for map class\n", (char*)curr->data);
+ goto exit;
+ }
cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
/* Use an empty list to represent unknown perm */
cil_list_init(&empty_list, perm_strs->flavor);
@@ -170,7 +174,7 @@ int cil_resolve_classperms(struct cil_tree_node *current, struct cil_classperms
cp->class = class;
- rc = __cil_resolve_perms(&class->perms, common_symtab, cp->perm_strs, &cp->perms);
+ rc = __cil_resolve_perms(&class->perms, common_symtab, cp->perm_strs, &cp->perms, FLAVOR(datum));
if (rc != SEPOL_OK) {
goto exit;
}
--
2.10.2
|
