c59879b8aa
Rebase on upstream commit 32611aea6543
See
$ cd SELinuxProject/selinux
$ git log --pretty=oneline libsepol-3.2..32611aea6543 -- libsepol
75 lines
2.9 KiB
Diff
75 lines
2.9 KiB
Diff
From 0d6e95cfb24fd0bc5405ecea0b3ebac3462b5312 Mon Sep 17 00:00:00 2001
|
|
From: James Carter <jwcart2@gmail.com>
|
|
Date: Thu, 6 May 2021 13:05:36 -0400
|
|
Subject: [PATCH] libsepol/cil: Fix name resolution involving inherited blocks
|
|
|
|
When resolving a name in a block that has been inherited. First,
|
|
a search is done in the parent namespaces (if any) of the
|
|
blockinherit rule with the exception of the global namespace. If
|
|
the name is not found, then a search is done in the namespaces of
|
|
the original block (starting with that block's namespace) with
|
|
the exception of the global namespace. Finally, if it still has
|
|
not been found, the global namespace is searched.
|
|
|
|
This does not work if a declaration is in the block being
|
|
inherited.
|
|
|
|
For example:
|
|
(block b
|
|
(typeattribute a)
|
|
(allow a self (CLASS (PERM)))
|
|
)
|
|
(blockinherit b)
|
|
|
|
This will result in a policy with the following identical allow
|
|
rules:
|
|
(allow b.a self (CLASS (PERM)))
|
|
(allow b.a self (CLASS (PERM)))
|
|
rather than the expected:
|
|
(allow b.a self (CLASS (PERM)))
|
|
(allow a self (CLASS (PERM)))
|
|
This is because when the typeattribute is copied while resolving
|
|
the inheritance, the new datum is added to the global namespace
|
|
and, since that is searched last, the typeattribute in block b is
|
|
found first.
|
|
|
|
This behavior means that no declaration that is inherited into the
|
|
global namespace will actually be used.
|
|
|
|
Instead, if the name is not found in the parent namespaces (if any)
|
|
where the blockinherit is located with the exception of the global
|
|
namespace, start the next search in the namespace of the parent of
|
|
the original block (instead of the original block itself). Now if
|
|
a declaration is inherited from the original block, the new
|
|
declaration will be used. This behavior seems to be the originally
|
|
intended behavior because there is a comment in the code that says,
|
|
"Continue search in original block's parent".
|
|
|
|
This issue was found by secilc-fuzzer. If the original block
|
|
is made to be abstract, then the type attribute declaration
|
|
in the original block is not in the policy and a segfault
|
|
occurs when creating the binary because the copied allow rule
|
|
refers to a non-existent type attribute.
|
|
|
|
Signed-off-by: James Carter <jwcart2@gmail.com>
|
|
---
|
|
libsepol/cil/src/cil_resolve_ast.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
|
|
index 5368ae80ede9..5684b8da0f76 100644
|
|
--- a/libsepol/cil/src/cil_resolve_ast.c
|
|
+++ b/libsepol/cil/src/cil_resolve_ast.c
|
|
@@ -4182,7 +4182,7 @@ static int __cil_resolve_name_with_parents(struct cil_tree_node *node, char *nam
|
|
rc = __cil_resolve_name_with_parents(node->parent, name, sym_index, datum);
|
|
if (rc != SEPOL_OK) {
|
|
/* Continue search in original block's parent */
|
|
- rc = __cil_resolve_name_with_parents(NODE(inherit->block), name, sym_index, datum);
|
|
+ rc = __cil_resolve_name_with_parents(NODE(inherit->block)->parent, name, sym_index, datum);
|
|
goto exit;
|
|
}
|
|
}
|
|
--
|
|
2.32.0
|
|
|