forked from SELinuxProject/selinux
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
libsepol/cil: Fix class permission verification in CIL
Before the CIL post processing phase (where expressions are evaluated, various ebitmaps are set, etc) there is a pre-verification where checks are made to find self references or loops in bounds, attribute sets, and class permissions. The class permission checking is faulty in two ways. First, it does not check for the use of "all" in a permission expression for a class that has no permissions. An error will still be generated later and secilc will exit cleanly, but without an error message that explains the problem. Second, it does not properly handle lists in permission expressions. For example, "(C ((P)))" is a legitimate class permission. The permissions expression contains one item that is a list containing one permission. This permission expression will be properly evaluated. Unfortunately, the class permission verification assumes that each item in the permission expression is either an operator or a permission datum and a segmenation fault will occur. Refactor the class permission checking to give a proper error when "all" is used in a permission expression for a class that has no permissions and so that it can handle lists in permission expressions. Also, check for the actual flavor of each item in the permission expression and return an error if an unexpected flavor is found. The failure to properly handle lists in permission expressions was found by oss-fuzz (#58085). Signed-off-by: James Carter <jwcart2@gmail.com>
- Loading branch information
Showing
1 changed file
with
114 additions
and
53 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters