|
 |
212ad1 |
From d6863cc6e4f472444a7944c9ea95333e587efd73 Mon Sep 17 00:00:00 2001
|
|
|
212ad1 |
From: James Carter <jwcart2@gmail.com>
|
|
|
212ad1 |
Date: Thu, 8 Apr 2021 13:32:14 -0400
|
|
|
212ad1 |
Subject: [PATCH] libsepol/cil: Allow permission expressions when using map
|
|
|
212ad1 |
classes
|
|
|
212ad1 |
|
|
|
212ad1 |
The following policy will cause a segfault:
|
|
|
212ad1 |
(class CLASS (PERM))
|
|
|
212ad1 |
(class C (P1 P2 P3))
|
|
|
212ad1 |
(classorder (CLASS C))
|
|
|
212ad1 |
(sid SID)
|
|
|
212ad1 |
(sidorder (SID))
|
|
|
212ad1 |
(user USER)
|
|
|
212ad1 |
(role ROLE)
|
|
|
212ad1 |
(type TYPE)
|
|
|
212ad1 |
(category CAT)
|
|
|
212ad1 |
(categoryorder (CAT))
|
|
|
212ad1 |
(sensitivity SENS)
|
|
|
212ad1 |
(sensitivityorder (SENS))
|
|
|
212ad1 |
(sensitivitycategory SENS (CAT))
|
|
|
212ad1 |
(allow TYPE self (CLASS (PERM)))
|
|
|
212ad1 |
(roletype ROLE TYPE)
|
|
|
212ad1 |
(userrole USER ROLE)
|
|
|
212ad1 |
(userlevel USER (SENS))
|
|
|
212ad1 |
(userrange USER ((SENS)(SENS (CAT))))
|
|
|
212ad1 |
(sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
|
|
|
212ad1 |
|
|
|
212ad1 |
(classmap CM (PM1 PM2 PM3))
|
|
|
212ad1 |
(classmapping CM PM1 (C (P1)))
|
|
|
212ad1 |
(classmapping CM PM2 (C (P2)))
|
|
|
212ad1 |
(classmapping CM PM3 (C (P3)))
|
|
|
212ad1 |
(allow TYPE self (CM (and (all) (not PM2))))
|
|
|
212ad1 |
|
|
|
212ad1 |
The problem is that, while permission expressions are allowed for
|
|
|
212ad1 |
normal classes, map classes are expected to only have permission
|
|
|
212ad1 |
lists and no check is done to verify that only a permission list
|
|
|
212ad1 |
is being used.
|
|
|
212ad1 |
|
|
|
212ad1 |
When the above policy is parsed, the "and" and "all" are seen as
|
|
|
212ad1 |
expression operators, but when the map permissions are converted to
|
|
|
212ad1 |
normal class and permissions, the permission expression is assumed
|
|
|
212ad1 |
to be a list of datums and since the operators are not datums a
|
|
|
212ad1 |
segfault is the result.
|
|
|
212ad1 |
|
|
|
212ad1 |
There is no reason to limit map classes to only using a list of
|
|
|
212ad1 |
permissions and, in fact, it would be better to be able to use them
|
|
|
212ad1 |
in the same way normal classes are used.
|
|
|
212ad1 |
|
|
|
212ad1 |
Allow permissions expressions to be used for map classes by first
|
|
|
212ad1 |
evaluating the permission expression and then converting the
|
|
|
212ad1 |
resulting list to normal classes and permissions.
|
|
|
212ad1 |
|
|
|
212ad1 |
Signed-off-by: James Carter <jwcart2@gmail.com>
|
|
|
212ad1 |
---
|
|
|
212ad1 |
libsepol/cil/src/cil_post.c | 4 ++++
|
|
|
212ad1 |
1 file changed, 4 insertions(+)
|
|
|
212ad1 |
|
|
|
212ad1 |
diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
|
|
|
212ad1 |
index bdeaa7c6..a820d5ba 100644
|
|
|
212ad1 |
--- a/libsepol/cil/src/cil_post.c
|
|
|
212ad1 |
+++ b/libsepol/cil/src/cil_post.c
|
|
|
212ad1 |
@@ -2138,6 +2138,10 @@ static int __evaluate_classperms_list(struct cil_list *classperms, struct cil_db
|
|
|
212ad1 |
}
|
|
|
212ad1 |
} else { /* MAP */
|
|
|
212ad1 |
struct cil_list_item *i = NULL;
|
|
|
212ad1 |
+ rc = __evaluate_classperms(cp, db);
|
|
|
212ad1 |
+ if (rc != SEPOL_OK) {
|
|
|
212ad1 |
+ goto exit;
|
|
|
212ad1 |
+ }
|
|
|
212ad1 |
cil_list_for_each(i, cp->perms) {
|
|
|
212ad1 |
struct cil_perm *cmp = i->data;
|
|
|
212ad1 |
rc = __evaluate_classperms_list(cmp->classperms, db);
|
|
|
212ad1 |
--
|
|
|
212ad1 |
2.30.2
|
|
|
212ad1 |
|