|
 |
71cd55 |
From 8470058934e89d1876b8e034d1ea818bde62b994 Mon Sep 17 00:00:00 2001
|
|
|
71cd55 |
From: James Carter <jwcart2@gmail.com>
|
|
|
71cd55 |
Date: Mon, 12 Jul 2021 09:50:38 -0400
|
|
|
71cd55 |
Subject: [PATCH] libsepol/cil: Fix handling category sets in an expression
|
|
|
71cd55 |
|
|
|
71cd55 |
There are two problems that need to be addressed when resolving an
|
|
|
71cd55 |
expression with category sets.
|
|
|
71cd55 |
|
|
|
71cd55 |
1. Only expand anonymous category sets in an expression.
|
|
|
71cd55 |
|
|
|
71cd55 |
Commit 982ec302b67f3c7f8df667dadb67352b1e4a6d18 (libsepol/cil:
|
|
|
71cd55 |
Account for anonymous category sets in an expression) attempted to
|
|
|
71cd55 |
properly handle anonymous category sets when resolving category
|
|
|
71cd55 |
expressions. Unfortunately, it did not check whether a category set
|
|
|
71cd55 |
was actually an anonymous category set and expanded all category
|
|
|
71cd55 |
sets in an expression. If a category set refers to itself in the
|
|
|
71cd55 |
expression, then everything from the name of the category set to the
|
|
|
71cd55 |
end of the expression is ignored.
|
|
|
71cd55 |
|
|
|
71cd55 |
For example, the rule "(categoryset cs (c0 cs c1 c2))", would be
|
|
|
71cd55 |
equivalent to the rule "(categoryset cs (c0))" as everything from
|
|
|
71cd55 |
"cs" to the end would be dropped. The secilc-fuzzer found that the
|
|
|
71cd55 |
rule "(categoryset cat (not cat))" would cause a segfault since
|
|
|
71cd55 |
"(not)" is not a valid expression and it is assumed to be valid
|
|
|
71cd55 |
during later evaluation because syntax checking has already been
|
|
|
71cd55 |
done.
|
|
|
71cd55 |
|
|
|
71cd55 |
Instead, check whether or not the category set is anonymous before
|
|
|
71cd55 |
expanding it when resolving an expression.
|
|
|
71cd55 |
|
|
|
71cd55 |
2. Category sets cannot be used in a category range
|
|
|
71cd55 |
|
|
|
71cd55 |
A category range can be used to specify a large number of categories.
|
|
|
71cd55 |
The range "(range c0 c1023)" refers to 1024 categories. Only categories
|
|
|
71cd55 |
and category aliases can be used in a range. Determining if an
|
|
|
71cd55 |
identifier is a category, an alias, or a set can only be done after
|
|
|
71cd55 |
resolving the identifer.
|
|
|
71cd55 |
|
|
|
71cd55 |
Keep track of the current operator as an expression is being resolved
|
|
|
71cd55 |
and if the expression involves categories and a category set is
|
|
|
71cd55 |
encountered, then return an error if the expression is a category
|
|
|
71cd55 |
range.
|
|
|
71cd55 |
|
|
|
71cd55 |
Signed-off-by: James Carter <jwcart2@gmail.com>
|
|
|
71cd55 |
---
|
|
|
71cd55 |
libsepol/cil/src/cil_resolve_ast.c | 28 +++++++++++++++++++++-------
|
|
|
71cd55 |
1 file changed, 21 insertions(+), 7 deletions(-)
|
|
|
71cd55 |
|
|
|
71cd55 |
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
|
|
|
71cd55 |
index 145d4e7452dd..180073247617 100644
|
|
|
71cd55 |
--- a/libsepol/cil/src/cil_resolve_ast.c
|
|
|
71cd55 |
+++ b/libsepol/cil/src/cil_resolve_ast.c
|
|
|
71cd55 |
@@ -3228,6 +3228,7 @@ int cil_resolve_expr(enum cil_flavor expr_type, struct cil_list *str_expr, struc
|
|
|
71cd55 |
struct cil_symtab_datum *res_datum = NULL;
|
|
|
71cd55 |
enum cil_sym_index sym_index = CIL_SYM_UNKNOWN;
|
|
|
71cd55 |
struct cil_list *datum_sub_expr;
|
|
|
71cd55 |
+ enum cil_flavor op = CIL_NONE;
|
|
|
71cd55 |
|
|
|
71cd55 |
switch (str_expr->flavor) {
|
|
|
71cd55 |
case CIL_BOOL:
|
|
|
71cd55 |
@@ -3263,14 +3264,24 @@ int cil_resolve_expr(enum cil_flavor expr_type, struct cil_list *str_expr, struc
|
|
|
71cd55 |
}
|
|
|
71cd55 |
if (sym_index == CIL_SYM_CATS && NODE(res_datum)->flavor == CIL_CATSET) {
|
|
|
71cd55 |
struct cil_catset *catset = (struct cil_catset *)res_datum;
|
|
|
71cd55 |
- if (!catset->cats->datum_expr) {
|
|
|
71cd55 |
- rc = cil_resolve_expr(expr_type, catset->cats->str_expr, &catset->cats->datum_expr, parent, extra_args);
|
|
|
71cd55 |
- if (rc != SEPOL_OK) {
|
|
|
71cd55 |
- goto exit;
|
|
|
71cd55 |
+ if (op == CIL_RANGE) {
|
|
|
71cd55 |
+ cil_tree_log(parent, CIL_ERR, "Category set not allowed in category range");
|
|
|
71cd55 |
+ rc = SEPOL_ERR;
|
|
|
71cd55 |
+ goto exit;
|
|
|
71cd55 |
+ }
|
|
|
71cd55 |
+ if (!res_datum->name) {
|
|
|
71cd55 |
+ /* Anonymous category sets need to be resolved when encountered */
|
|
|
71cd55 |
+ if (!catset->cats->datum_expr) {
|
|
|
71cd55 |
+ rc = cil_resolve_expr(expr_type, catset->cats->str_expr, &catset->cats->datum_expr, parent, extra_args);
|
|
|
71cd55 |
+ if (rc != SEPOL_OK) {
|
|
|
71cd55 |
+ goto exit;
|
|
|
71cd55 |
+ }
|
|
|
71cd55 |
}
|
|
|
71cd55 |
+ cil_copy_list(catset->cats->datum_expr, &datum_sub_expr);
|
|
|
71cd55 |
+ cil_list_append(*datum_expr, CIL_LIST, datum_sub_expr);
|
|
|
71cd55 |
+ } else {
|
|
|
71cd55 |
+ cil_list_append(*datum_expr, CIL_DATUM, res_datum);
|
|
|
71cd55 |
}
|
|
|
71cd55 |
- cil_copy_list(catset->cats->datum_expr, &datum_sub_expr);
|
|
|
71cd55 |
- cil_list_append(*datum_expr, CIL_LIST, datum_sub_expr);
|
|
|
71cd55 |
} else {
|
|
|
71cd55 |
if (sym_index == CIL_SYM_TYPES && (expr_type == CIL_CONSTRAIN || expr_type == CIL_VALIDATETRANS)) {
|
|
|
71cd55 |
cil_type_used(res_datum, CIL_ATTR_CONSTRAINT);
|
|
|
71cd55 |
@@ -3287,9 +3298,12 @@ int cil_resolve_expr(enum cil_flavor expr_type, struct cil_list *str_expr, struc
|
|
|
71cd55 |
break;
|
|
|
71cd55 |
}
|
|
|
71cd55 |
default:
|
|
|
71cd55 |
+ if (curr->flavor == CIL_OP) {
|
|
|
71cd55 |
+ op = (enum cil_flavor)(uintptr_t)curr->data;
|
|
|
71cd55 |
+ }
|
|
|
71cd55 |
cil_list_append(*datum_expr, curr->flavor, curr->data);
|
|
|
71cd55 |
break;
|
|
|
71cd55 |
- }
|
|
|
71cd55 |
+ }
|
|
|
71cd55 |
}
|
|
|
71cd55 |
return SEPOL_OK;
|
|
|
71cd55 |
|
|
|
71cd55 |
--
|
|
|
71cd55 |
2.32.0
|
|
|
71cd55 |
|