From e8c7a2ba151e73d554bb9e7f188ac1afd68b86e7 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Fri, 21 Oct 2022 10:56:53 +0200
Subject: [PATCH] libsepol-3.4-3 - Fix validation of user declarations in modules

Users are allowed to be declared in modules. Modules do not get expanded leaving the `struct user_datum` members `exp_range` and `exp_dfltlevel` empty. Do no validate the expanded range and level for modular polices.

Resolves: rhbz#2136212
---
 ...idation-of-user-declarations-in-modu.patch | 76 +++++++++++++++++++
 libsepol.spec | 6 +-
 2 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 0003-libsepol-fix-validation-of-user-declarations-in-modu.patch

diff --git a/0003-libsepol-fix-validation-of-user-declarations-in-modu.patch b/0003-libsepol-fix-validation-of-user-declarations-in-modu.patch
new file mode 100644
index 0000000..5de40ed
--- /dev/null
+++ b/0003-libsepol-fix-validation-of-user-declarations-in-modu.patch
@@ -0,0 +1,76 @@
+From 39b5a1e0cb5d24109c9d8ddc980022ad6474ef1a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Tue, 7 Jun 2022 17:01:45 +0200
+Subject: [PATCH] libsepol: fix validation of user declarations in modules
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Content-type: text/plain
+
+Users are allowed to be declared in modules. Modules do not get expanded
+leaving the `struct user_datum` members `exp_range` and `exp_dfltlevel`
+empty.
+Do no validate the expanded range and level for modular polices.
+
+Reported-by: bauen1
+Signed-off-by: Christian Göttsche
+Acked-by: James Carter
+---
+ libsepol/src/policydb_validate.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
+index da18282bafc8..99d4eb7f670e 100644
+--- a/libsepol/src/policydb_validate.c
++++ b/libsepol/src/policydb_validate.c
+@@ -18,7 +18,7 @@ typedef struct validate {
+ typedef struct map_arg {
+ validate_t *flavors;
+ sepol_handle_t *handle;
+- int mls;
++ policydb_t *policy;
+ } map_arg_t;
+ 
+ static int create_gap_ebitmap(char **val_to_name, uint32_t nprim, ebitmap_t *gaps)
+@@ -571,7 +571,7 @@ static int validate_mls_range(mls_range_t *range, validate_t *sens, validate_t *
+ return -1;
+ }
+ 
+-static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, validate_t flavors[], int mls)
++static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, validate_t flavors[], policydb_t *p)
+ {
+ if (validate_value(user->s.value, &flavors[SYM_USERS]))
+ goto bad;
+@@ -581,9 +581,9 @@ static int validate_user_datum(sepol_handle_t *handle, user_datum_t *user, valid
+ goto bad;
+ if (validate_mls_semantic_level(&user->dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
+ goto bad;
+- if (mls && validate_mls_range(&user->exp_range, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
++ if (p->mls &&
p->policy_type != POLICY_MOD && validate_mls_range(&user->exp_range, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
+ goto bad;
+- if (mls && validate_mls_level(&user->exp_dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
++ if (p->mls && p->policy_type != POLICY_MOD && validate_mls_level(&user->exp_dfltlevel, &flavors[SYM_LEVELS], &flavors[SYM_CATS]))
+ goto bad;
+ if (user->bounds && validate_value(user->bounds, &flavors[SYM_USERS]))
+ goto bad;
+@@ -599,7 +599,7 @@ static int validate_user_datum_wrapper(__attribute__((unused)) hashtab_key_t k,
+ {
+ map_arg_t *margs = args;
+ 
+- return validate_user_datum(margs->handle, d, margs->flavors, margs->mls);
++ return validate_user_datum(margs->handle, d, margs->flavors, margs->policy);
+ }
+ 
+ static int validate_bool_datum(sepol_handle_t *handle, cond_bool_datum_t *boolean, validate_t flavors[])
+@@ -689,7 +689,7 @@ static int validate_datum(__attribute__ ((unused))hashtab_key_t k, hashtab_datum
+ 
+ static int validate_datum_array_entries(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
+ {
+- map_arg_t margs = { flavors, handle, p->mls };
++ map_arg_t margs = { flavors, handle, p };
+ 
+ if (hashtab_map(p->p_commons.table, validate_common_datum_wrapper, &margs))
+ goto bad;
+--
+2.37.3
+
diff --git a/libsepol.spec b/libsepol.spec
index 049bfc9..9303754 100644
--- a/libsepol.spec
+++ b/libsepol.spec
@@ -1,7 +1,7 @@
 Summary: SELinux binary policy manipulation library
 Name: libsepol
 Version: 3.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPLv2+
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.4/libsepol-3.4.tar.gz
 URL: https://github.com/SELinuxProject/selinux/wiki
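Review bot: The new guards in validate_user_datum skip the `exp_range`/`exp_dfltlevel` checks only when `p->policy_type != POLICY_MOD`, so a POLICY_BASE policy still has its expanded members validated even though base policies are also modular input; the hunk does not show whether the reader or linker populates `exp_range` for base policies, so this should be confirmed, and if it does not the condition should be `p->policy_type == POLICY_KERN` so that a valid base policy is not rejected on empty expanded fields. The `validate_mls_semantic_level(&user->dfltlevel, ...)` check visible just above still runs for modules, so module users are not left unvalidated by this change. In validate_datum_array_entries the positional initializer now stores a pointer where an int used to be; `map_arg_t margs = { .flavors = flavors, .handle = handle, .policy = p };` would make the field binding explicit and survive any reordering of `struct map_arg`. The `@@ -581` hunk starts and ends inside validate_user_datum's body, so the semantic range check that precedes it is not visible here.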
@@ -12,6 +12,7 @@ URL: https://github.com/SELinuxProject/selinux/wiki # Patch list start Patch0001: 0001-libsepol-Bring-back-POLICYDB_CAPABILITY_-constants.patch Patch0002: 0002-libsepol-cil-restore-error-on-context-rule-conflicts.patch +Patch0003: 0003-libsepol-fix-validation-of-user-declarations-in-modu.patch # Patch list end BuildRequires: make BuildRequires: gcc @@ -108,6 +109,9 @@ rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8 %{_mandir}/man8/chkcon.8.gz %changelog +* Fri Oct 21 2022 Petr Lautrbach - 3.4-3 +- Fix validation of user declarations in modules (#2136212) + * Wed Oct 12 2022 Petr Lautrbach - 3.4-2 - Restore error on context rule conflicts (#2127399)