1. 13 May, 2021 1 commit
    • James Carter's avatar
      libsepol/cil: Check for self-referential loops in sets · 61fbdce6
      James Carter authored
      The secilc-fuzzer found a self-referential loop using category sets.
      Any set declaration in CIL that allows sets in it is susceptible to
      the creation of a self-referential loop. There is a check, but only
      for the name of the set being declared being used in the set
      declaration.
      
      Check for self-refential loops in user, role, and type attributes
      and in category sets. Since all of the sets need to be declared,
      this check has to be done when verifying the CIL db before doing
      the post phase.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      61fbdce6
  2. 12 May, 2021 3 commits
    • Ondrej Mosnacek's avatar
      fixfiles: do not exclude /dev and /run in -C mode · 26a4c19e
      Ondrej Mosnacek authored
      I can't think of a good reason why they should be excluded. On the
      contrary, excluding them can cause trouble very easily if some labeling
      rules for these directories change. For example, we changed the label
      for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora
      (updating the allow rules accordingly) and after policy update they
      ended up with an invalid context, causing denials.
      
      Thus, remove /dev and /run from the excludes. While there, also add
      /root to the basic excludes to match the regex that excludes fc rules
      (that should be effectively no functional change).
      
      I did a sanity check on my system by running `restorecon -nv /dev /run`
      and it didn't report any label differences.
      Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Acked-by: default avatarPetr Lautrbach <plautrba@redhat.com>
      26a4c19e
    • Nicolas Iooss's avatar
      libselinux: silence -Wstringop-overflow warning from gcc 10.3.1 · f1bc162c
      Nicolas Iooss authored
      When building libselinux on Fedora 33 with gcc 10.3.1, the compiler
      reports:
      
          label_file.c: In function ‘lookup_all.isra’:
          label_file.c:940:4: error: ‘strncpy’ specified bound depends on the
          length of the source argument [-Werror=stringop-overflow=]
            940 |    strncpy(clean_key, key, len - 1);
                |    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          label_file.c:927:8: note: length computed here
            927 |  len = strlen(key);
                |        ^~~~~~~~~~~
          cc1: all warnings being treated as errors
      
      As clean_key is the result of malloc(len), there is no issue here. But
      using strncpy can be considered as strange, because the size of the
      string is already known and the NUL terminator is always added later, in
      function ‘lookup_all.isra.
      
      Replace strncpy with memcpy to silence this gcc false-positive warning.
      Signed-off-by: default avatarNicolas Iooss <nicolas.iooss@m4x.org>
      Acked-by: default avatarPetr Lautrbach <plautrba@redhat.com>
      f1bc162c
    • Christian Göttsche's avatar
      libselinux: selinux_check_passwd_access_internal(): respect deny_unknown · a88d2452
      Christian Göttsche authored
      `selinux_check_passwd_access_internal()`, and thereby
      `checkPasswdAccess(3)` and `selinux_check_passwd_access(3)`, does not
      respect the policy defined setting of `deny_unknown`, like
      `selinux_check_access(3)` does.
      This means in case the security class `passwd` is not defined, success
      is returned instead of failure, i.e. permission denied.
      
      Most policies should define the `passwd` class and the two affected
      public functions are marked deprecated.
      
      Align the behavior with `selinux_check_access(3)` and respect
      the deny_unknown setting in case the security class is not defined.
      Signed-off-by: default avatarChristian Göttsche <cgzones@googlemail.com>
      a88d2452
  3. 04 May, 2021 5 commits
    • James Carter's avatar
      libsepol/cil: Return an error if a call argument fails to resolve · d9433692
      James Carter authored
      Return an error if a call argument fails to resolve so that
      the resolution phase stops and returns an error.
      
      This problem was found by the secilc-fuzzer.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      d9433692
    • James Carter's avatar
      libsepol/cil: Check datum in ordered list for expected flavor · d438b6cf
      James Carter authored
      The secilc-fuzzer found an out of bounds memory access occurs
      when building the binary policy if a map class is included in a
      classorder statement.
      
      The order statements in CIL (sidorder, classorder, categoryorder,
      and sensitivityorder) are used to specify an ordering for sids,
      classes, categories, and sensitivities. When the order statments
      are resolved and merged, only in the case of the category order
      list is the datum resolved checked to see if it is the expected
      flavor.
      
      When resolving the sid, class, and sensitivity order statements,
      check that each name resolved to a datum of the expected flavor
      and return an error if it does not.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      d438b6cf
    • James Carter's avatar
      libsepol/cil: Detect degenerate inheritance and exit with an error · 74d00a8d
      James Carter authored
      A CIL policy with inheritance of the form
      ...
      (blockinherit ba)
      (block ba
        (block b1
          (blockinherit bb)
        )
        (block bb
          (block b2
            (blockinherit bc)
          )
          (block bc
            (block b3
              (blockinherit bd)
            )
            (block bd
              (block b4
                (blockinherit be)
              )
              (block be
              ...
      will require creating 2^depth copies of the block at the bottom of
      the inheritance chain. This pattern can quickly consume all the
      memory of the system compiling this policy.
      
      The depth of the inheritance chain can be found be walking the
      tree up through the parents and noting how many of the parent
      blocks have been inherited. The number of times a block will be
      copied is found by counting the list of nodes in the "bi_nodes"
      list of the block. To minimize legitimate policies from being
      falsely detected as being degenerate, both the depth and breadth
      (number of copies) are checked and an error is given only if both
      exceed the limits (depth >= 12 and breadth >= 4096).
      
      This problem was found by the secilc-fuzzer.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      74d00a8d
    • James Carter's avatar
      libsepol/cil: Fix instances where an error returns SEPOL_OK · 5681c627
      James Carter authored
      There are six instances when the CIL policy is being built or
      resolved where an error can be detected, but SEPOL_OK is returned
      instead of SEPOL_ERR. This causes the policy compiler to continue
      when it should exit with an error.
      
      Return SEPOL_ERR in these cases, so the compiler exits with an
      error.
      
      Two of the instances were found by the secilc-fuzzer.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      5681c627
    • James Carter's avatar
      libsepol/cil: Properly reset an anonymous classperm set · 2d2c76fc
      James Carter authored
      In struct cil_classperms_set, the "set" field is a pointer to a
      struct cil_classpermission. Normally the classpermission is created
      in a classpermissionset rule with a name declared in a
      classpermission rule and stored in a symbol table. Commit c49a8ea0
      ("libsepol/cil: cil_reset_classperms_set() should not reset
      classpermission") fixed the resetting of classperms sets by setting
      the "set" field to NULL rather than resetting the classpermission
      that it pointed to.
      
      But this fix mixed the special case where an anonymous classperm
      set is passed as an argument to a call. In this case the
      classpermission is not named and not stored in a symtab, it is
      created just for the classperms set and its classperms list needs
      to be reset.
      
      Reset the classperms list if the classperms set is anonymous (which
      is when the datum name is NULL).
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      2d2c76fc
  4. 30 Apr, 2021 2 commits
  5. 21 Apr, 2021 3 commits
    • James Carter's avatar
      secilc: Create the new program called secil2tree to write out CIL AST · d0a07a7f
      James Carter authored
      secil2tree is the SELinux CIL AST writer. It calls the cil functions
      cil_write_parse_ast(), cil_write_build_ast(), or cil_write_resolve_ast()
      to write out the parse tree, the CIL AST after the build phase, or the
      CIL AST after the resolve phase.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      d0a07a7f
    • James Carter's avatar
      libsepol/cil: Add functions to make use of cil_write_ast() · 86ec04cf
      James Carter authored
      Add the functions cil_write_parse_ast(), cil_write_build_ast(),
      and cil_write_resolve_ast() that can be used outside of libsepol.
      
      These functions take a FILE pointer and CIL db, do the CIL build
      through the desired phase, and then call cil_write_ast() to write
      the CIL AST at that point.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      86ec04cf
    • James Carter's avatar
      libsepol/cil: Create functions to write the CIL AST · 0b31424a
      James Carter authored
      The function cil_print_tree() has existed in cil_tree.c since the
      beginning of the development of CIL and secilc. Unfortunately, it
      used cil_log() at log level CIL_INFO to print out the AST and
      has suffered greatly from bit rot.
      
      Move the functions to write the CIL AST to cil_write_ast.c, update
      the functions, and write the AST to the FILE pointer passed in as
      an argument.
      
      The function cil_write_ast() supports writing the CIL AST at three
      different phases of the compiling a CIL policy. After parsing has
      been done and the parse tree has been created, after the CIL AST
      has been built, and after the CIL AST has been resolved.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      0b31424a
  6. 20 Apr, 2021 1 commit
  7. 19 Apr, 2021 23 commits
    • James Carter's avatar
      secilc/docs: Update the CIL documentation for various blocks · bad0a746
      James Carter authored
      Update the documentation for macros, booleans, booleanifs, tunables,
      tunableifs, blocks, blockabstracts, blockinherits, and optionals to
      tell where these statements can be used and, for those that have
      blocks, what statements are not allowed in them.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      bad0a746
    • James Carter's avatar
      libsepol/cil: Use CIL_ERR for error messages in cil_compile() · 8314076c
      James Carter authored
      In cil_compile(), CIL_INFO is being used as the priority for
      error messages. This can make it difficult to tell when the error
      occurred.
      
      Instead, use CIL_ERR as the priority for the error messages in
      cil_compile().
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      8314076c
    • James Carter's avatar
      libsepol/cil: Make invalid statement error messages consistent · ca339eb4
      James Carter authored
      Use a consistent style for the error messages when an invalid
      statement is found within tunableif, in-statement, block, macro,
      optional, and booleanif blocks.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      ca339eb4
    • James Carter's avatar
      libsepol/cil: Do not allow tunable declarations in in-statements · ea34dbf0
      James Carter authored
      Since tunableifs are resolved before in-statements, do not allow
      tuanble declarations in in-statements.
      
      Since in-statements are the first flavor of statement that causes
      part of the AST to be copied to another part, there is no need to
      check the in-statements when resolving the AST.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      ea34dbf0
    • James Carter's avatar
      libsepol/cil: Sync checks for invalid rules in macros · f38b7ea3
      James Carter authored
      When resolving the AST, tunable and in-statements are not considered
      to be invalid in macros. This is inconsistent with the checks when
      building the AST.
      
      Add checks to make tunable and in-statments invalid in macros when
      resolving the AST.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      f38b7ea3
    • James Carter's avatar
      libsepol/cil: Check for statements not allowed in optional blocks · 340f0eb7
      James Carter authored
      While there are some checks for invalid statements in an optional
      block when resolving the AST, there are no checks when building the
      AST.
      
      OSS-Fuzz found the following policy which caused a null dereference
      in cil_tree_get_next_path().
        (blockinherit b3)
        (sid SID)
        (sidorder(SID))
        (optional o
          (ibpkeycon :(1 0)s)
          (block b3
            (filecon""block())
            (filecon""block())))
      
      The problem is that the blockinherit copies block b3 before
      the optional block is disabled. When the optional is disabled,
      block b3 is deleted along with everything else in the optional.
      Later, when filecon statements with the same path are found an
      error message is produced and in trying to find out where the block
      was copied from, the reference to the deleted block is used. The
      error handling code assumes (rightly) that if something was copied
      from a block then that block should still exist.
      
      It is clear that in-statements, blocks, and macros cannot be in an
      optional, because that allows nodes to be copied from the optional
      block to somewhere outside even though the optional could be disabled
      later. When optionals are disabled the AST is reset and the
      resolution is restarted at the point of resolving macro calls, so
      anything resolved before macro calls will never be re-resolved.
      This includes tunableifs, in-statements, blockinherits,
      blockabstracts, and macro definitions. Tunable declarations also
      cannot be in an optional block because they are needed to resolve
      tunableifs. It should be fine to allow blockinherit statements in
      an optional, because that is copying nodes from outside the optional
      to the optional and if the optional is later disabled, everything
      will be deleted anyway.
      
      Check and quit with an error if a tunable declaration, in-statement,
      block, blockabstract, or macro definition is found within an
      optional when either building or resolving the AST.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      340f0eb7
    • James Carter's avatar
      libsepol/cil: Sync checks for invalid rules in booleanifs · 8a74c05b
      James Carter authored
      When building the AST, typemember rules in a booleanif block will
      be incorrectly called invalid. They are allowed in the kernel
      policy and should be allowed in CIL.
      
      When resolving the AST, if a neverallow rule is copied into a
      booleanif block, it will not be considered an invalid rule, even
      though this is not allowed in the kernel policy.
      
      Update the booleanif checks to allow typemember rules and to not
      allow neverallow rules in booleanifs. Also use the same form of
      conditional for the checks when building and resolving the AST.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      8a74c05b
    • James Carter's avatar
      libsepol/cil: Reorder checks for invalid rules when resolving AST · ef533c8f
      James Carter authored
      Reorder checks for invalid rules in the blocks of tunableifs,
      in-statements, macros, and booleanifs when resolving the AST for
      consistency.
      
      Order the checks in the same order the blocks will be resolved in,
      so tuanbleif, in-statement, macro, booleanif, and then non-block
      rules.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      ef533c8f
    • James Carter's avatar
      libsepol/cil: Use AST to track blocks and optionals when resolving · 525f0312
      James Carter authored
      When resolving the AST, block and optional stacks are used to
      determine if the current rule being resolved is in a block or
      an optional. There is no need to do this since the parent node
      pointers can be used when exiting a block or an optional to
      determine if resolution is still within a block or an optional.
      
      When entering either a block or an optional, update the appropriate
      tree node pointer. When finished with the last child of a block or
      optional, set the appropriate pointer to NULL. If a parent of the
      same kind is found when the parent node pointers are followed back
      to the root node, then set the pointer to that tree node.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      525f0312
    • James Carter's avatar
      libsepol/cil: Create new first child helper function for building AST · ab90cb46
      James Carter authored
      In order to find statements not allowed in tunableifs, in-statements,
      macros, and booleanifs, there are tree node pointers that point to
      each of these kinds of statements when its block is being parsed.
      If the pointer is non-NULL, then the rule being parsed is in the block
      of that kind of statement.
      
      The tree node pointers were being updated at the wrong point which
      prevented an invalid statement from being found if it was the first
      statement in the block of a tunableif, in-statement, macro, or
      booleanif.
      
      Create a first child helper function for walking the parse tree and
      in that function set the appropriate tree node pointer if the
      current AST node is a tunableif, in-statement, macro, or booleanif.
      This also makes the code symmetrical with the last child helper
      where the tree node pointers are set to NULL.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      ab90cb46
    • James Carter's avatar
      libsepol/cil: Cleanup build AST helper functions · f043078f
      James Carter authored
      Since parse_current, finished, and extra_args can never be NULL,
      remove the useless check and directly assign local variables from
      extra_args.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      f043078f
    • James Carter's avatar
      libsepol/cil: Reorder checks for invalid rules when building AST · 69bfe64c
      James Carter authored
      Reorder checks for invalid rules in the blocks of tunableifs,
      in-statements, macros, and booleanifs when building the AST for
      consistency.
      
      Order the checks in the same order the blocks will be resolved in,
      so tuanbleif, in-statement, macro, booleanif, and then non-block
      rules.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      69bfe64c
    • James Carter's avatar
      libsepol/cil: Move check for the shadowing of macro parameters · e65cf030
      James Carter authored
      In cil_gen_node(), after the declaration is added to the symbol
      table, if the parent is a macro, then a check is made to ensure
      the declaration does not shadow any of the macro's parameters.
      This check also needs to be done when copying the AST.
      
      Move the check for the shadowing of macro parameters to its own
      function, cil_verify_decl_does_not_shadow_macro_parameter(), and
      refactor cil_gen_node() and __cil_copy_node_helper() to use the
      new function.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      e65cf030
    • James Carter's avatar
      libsepol/cil: Create function cil_add_decl_to_symtab() and refactor · 0d4e568a
      James Carter authored
      The functionality of adding a declaration to a symbol table is also
      needed in __cil_copy_node_helper() and not just cil_gen_node().
      
      Create a new function called cil_add_decl_to_symtab() to add a
      declaration to a symtab and refactor cil_gen_node() and
      __cil_copy_node_helper() to use the new function.
      
      By using the new function, __cil_copy_node_helper() will now allow
      duplicate declarations when appropriate.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      0d4e568a
    • James Carter's avatar
      libsepol/cil: Refactor helper function for cil_gen_node() · 63ce05ba
      James Carter authored
      Change the name of cil_is_datum_multiple_decl() to
      cil_allow_multiple_decls() and make it static. The new function
      takes the CIL db and the flavors of the old and new datum as
      arguments. Also, put all of the logic of determining if multiple
      declarations are allowed into the new function. Finally, update
      the call from cil_gen_node().
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      63ce05ba
    • James Carter's avatar
      libsepol/cil: Allow permission expressions when using map classes · 22fb6f47
      James Carter authored
      The following policy will cause a segfault:
        (class CLASS (PERM))
        (class C (P1 P2 P3))
        (classorder (CLASS C))
        (sid SID)
        (sidorder (SID))
        (user USER)
        (role ROLE)
        (type TYPE)
        (category CAT)
        (categoryorder (CAT))
        (sensitivity SENS)
        (sensitivityorder (SENS))
        (sensitivitycategory SENS (CAT))
        (allow TYPE self (CLASS (PERM)))
        (roletype ROLE TYPE)
        (userrole USER ROLE)
        (userlevel USER (SENS))
        (userrange USER ((SENS)(SENS (CAT))))
        (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
      
        (classmap CM (PM1 PM2 PM3))
        (classmapping CM PM1 (C (P1)))
        (classmapping CM PM2 (C (P2)))
        (classmapping CM PM3 (C (P3)))
        (allow TYPE self (CM (and (all) (not PM2))))
      
      The problem is that, while permission expressions are allowed for
      normal classes, map classes are expected to only have permission
      lists and no check is done to verify that only a permission list
      is being used.
      
      When the above policy is parsed, the "and" and "all" are seen as
      expression operators, but when the map permissions are converted to
      normal class and permissions, the permission expression is assumed
      to be a list of datums and since the operators are not datums a
      segfault is the result.
      
      There is no reason to limit map classes to only using a list of
      permissions and, in fact, it would be better to be able to use them
      in the same way normal classes are used.
      
      Allow permissions expressions to be used for map classes by first
      evaluating the permission expression and then converting the
      resulting list to normal classes and permissions.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      22fb6f47
    • James Carter's avatar
      libsepol/cil: Exit with an error if declaration name is a reserved word · 532469a2
      James Carter authored
      When CIL parses sets or conditional expressions, any identifier that
      matches an operator name will always be taken as an operator. If a
      declaration has the same name as an operator, then there is the
      possibility of causing either confusion or a syntax error if it is
      used in an expression. The potential for problems is much greater
      than any possible advantage in allowing a declaration to share the
      name of a reserved word.
      
      Create a new function, __cil_is_reserved_name() that is called when
      an identifier is declared and its name is being validated. In this
      function, check if the declaration has the same name as a reserved
      word for an expression operator that can be used with the identifer's
      flavor and exit with an error if it does.
      
      Also, move the check for types, type aliases, and type attributes
      matching the reserved word "self" to this new function.
      
      Finally, change the name of the function __cil_verify_name() to
      cil_verify_name(), since this function is neither static nor a
      helper function.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      532469a2
    • James Carter's avatar
      libsepol/cil: More strict verification of constraint leaf expressions · e978e769
      James Carter authored
      In constraint expressions u1, u3, r1, r3, t1, and t3 are never
      allowed on the right side of an expression, but there were no checks
      to verify that they were not used on the right side. The result was
      that the expression "(eq t1 t1)" would be silently turned into
      "(eq t1 t2)" when the binary policy was created.
      
      Verify that u1, u3, r1, r3, t1, and t3 are not used on the right
      side of a constraint expression.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      e978e769
    • James Carter's avatar
      libsepol/cil: Set class field to NULL when resetting struct cil_classperms · a7a80ef5
      James Carter authored
      The class field of a struct cil_classperms points to the class looked
      up in the symbol table, so that field should be set to NULL when
      the cil_classperms is reset.
      
      Set the class field to NULL when resetting the struct cil_classperms.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      a7a80ef5
    • James Carter's avatar
      libsepol/cil: cil_reset_classperms_set() should not reset classpermission · c49a8ea0
      James Carter authored
      In struct cil_classperms_set, the set field is a pointer to a
      struct cil_classpermission which is looked up in the symbol table.
      Since the cil_classperms_set does not create the cil_classpermission,
      it should not reset it.
      
      Set the set field to NULL instead of resetting the classpermission
      that it points to.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      c49a8ea0
    • James Carter's avatar
      libsepol/cil: Destroy classperm list when resetting map perms · 2d35fcc7
      James Carter authored
      Map perms share the same struct as regular perms, but only the
      map perms use the classperms field. This field is a pointer to a
      list of classperms that is created and added to when resolving
      classmapping rules, so the map permission doesn't own any of the
      data in the list and this list should be destroyed when the AST is
      reset.
      
      When resetting a perm, destroy the classperms list without destroying
      the data in the list.
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      2d35fcc7
    • James Carter's avatar
      libsepol/cil: Destroy classperms list when resetting classpermission · f34d3d30
      James Carter authored
      Nicolas Iooss reports:
        A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
        got reported as
        https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
        is misleading, or is caused by another issue that conflicts with the
        one I report in this message). Here is a minimized CIL policy which
        reproduces the issue:
      
        (class CLASS (PERM))
        (classorder (CLASS))
        (sid SID)
        (sidorder (SID))
        (user USER)
        (role ROLE)
        (type TYPE)
        (category CAT)
        (categoryorder (CAT))
        (sensitivity SENS)
        (sensitivityorder (SENS))
        (sensitivitycategory SENS (CAT))
        (allow TYPE self (CLASS (PERM)))
        (roletype ROLE TYPE)
        (userrole USER ROLE)
        (userlevel USER (SENS))
        (userrange USER ((SENS)(SENS (CAT))))
        (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
      
        (classpermission CLAPERM)
      
        (optional OPT
            (roletype nonexistingrole nonexistingtype)
            (classpermissionset CLAPERM (CLASS (PERM)))
        )
      
        The CIL policy fuzzer (which mimics secilc built with clang Address
        Sanitizer) reports:
      
        ==36541==ERROR: AddressSanitizer: heap-use-after-free on address
        0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
        0x7ffe2a256588
        READ of size 8 at 0x603000004f98 thread T0
            #0 0x56445134c841 in __cil_verify_classperms
        /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
            #1 0x56445134a43e in __cil_verify_classpermission
        /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
            #2 0x56445134a43e in __cil_pre_verify_helper
        /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
            #3 0x5644513225ac in cil_tree_walk_core
        /selinux/libsepol/src/../cil/src/cil_tree.c:272:9
            #4 0x564451322ab1 in cil_tree_walk
        /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
            #5 0x5644513226af in cil_tree_walk_core
        /selinux/libsepol/src/../cil/src/cil_tree.c:284:9
            #6 0x564451322ab1 in cil_tree_walk
        /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
            #7 0x5644512b88fd in cil_pre_verify
        /selinux/libsepol/src/../cil/src/cil_post.c:2510:7
            #8 0x5644512b88fd in cil_post_process
        /selinux/libsepol/src/../cil/src/cil_post.c:2524:7
            #9 0x5644511856ff in cil_compile
        /selinux/libsepol/src/../cil/src/cil.c:564:7
      
      The classperms list of a classpermission rule is created and filled
      in when classpermissionset rules are processed, so it doesn't own any
      part of the list and shouldn't retain any of it when it is reset.
      
      Destroy the classperms list (without destroying the data in it)  when
      resetting a classpermission rule.
      Reported-by: default avatarNicolas Iooss <nicolas.iooss@m4x.org>
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      f34d3d30
    • James Carter's avatar
      libsepol/cil: Fix out-of-bound read of file context pattern ending with "\" · e13c8162
      James Carter authored
      Based on patch by Nicolas Iooss, who writes:
        OSS-Fuzz found a Heap-buffer-overflow in the CIL compiler when trying
        to compile the following policy:
      
          (sid SID)
          (sidorder(SID))
          (filecon "\" any ())
          (filecon "" any ())
      
        When cil_post_fc_fill_data() processes "\", it goes beyond the NUL
        terminator of the string. Fix this by returning when '\0' is read
        after a backslash.
      
      To be consistent with the function compute_diffdata() in
      refpolicy/support/fc_sort.py, also increment str_len in this case.
      
      Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28484Reported-by: default avatarNicolas Iooss <nicolas.iooss@m4x.org>
      Signed-off-by: default avatarJames Carter <jwcart2@gmail.com>
      e13c8162
  8. 14 Apr, 2021 1 commit
  9. 29 Mar, 2021 1 commit