Message ID | 20240506173110.220702-1-cgoettsche@seltendoof.de (mailing list archive) |
---|---|
State | Accepted |
Commit | 1c91bc84e695 |
Delegated to: | Petr Lautrbach |
Series | [1/4] libsepol: reject self flag in type rules in old policies | expand |
On Mon, May 6, 2024 at 1:31 PM Christian Göttsche <cgoettsche@seltendoof.de> wrote: > > From: Christian Göttsche <cgzones@googlemail.com> > > The flag RULE_SELF in type rules is only supported in modular policies > since version 21 (MOD_POLICYDB_VERSION_SELF_TYPETRANS). > > Reported-by: oss-fuzz (issue 68731) > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> For these four patches: Acked-by: James Carter <jwcart2@gmail.com> > --- > libsepol/src/policydb_validate.c | 14 +++++++++++++- > 1 file changed, 13 insertions(+), 1 deletion(-) > > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c > index e1623172..be3ebe5f 100644 > --- a/libsepol/src/policydb_validate.c > +++ b/libsepol/src/policydb_validate.c > @@ -1077,6 +1077,10 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int > switch(avrule->flags) { > case 0: > case RULE_SELF: > + if (p->policyvers != POLICY_KERN && > + p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS && > + (avrule->specified & AVRULE_TYPE)) > + goto bad; > break; > case RULE_NOTSELF: > switch(avrule->specified) { > @@ -1503,8 +1507,16 @@ static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_ > goto bad; > > /* currently only the RULE_SELF flag can be set */ > - if ((filename_trans->flags & ~RULE_SELF) != 0) > + switch (filename_trans->flags) { > + case 0: > + break; > + case RULE_SELF: > + if (p->policyvers != POLICY_KERN && p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS) > + goto bad; > + break; > + default: > goto bad; > + } > } > > return 0; > -- > 2.43.0 > >
On Wed, May 8, 2024 at 2:50 PM James Carter <jwcart2@gmail.com> wrote: > > On Mon, May 6, 2024 at 1:31 PM Christian Göttsche > <cgoettsche@seltendoof.de> wrote: > > > > From: Christian Göttsche <cgzones@googlemail.com> > > > > The flag RULE_SELF in type rules is only supported in modular policies > > since version 21 (MOD_POLICYDB_VERSION_SELF_TYPETRANS). > > > > Reported-by: oss-fuzz (issue 68731) > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > For these four patches: > Acked-by: James Carter <jwcart2@gmail.com> > These four patches have been merged. Thanks, Jim > > --- > > libsepol/src/policydb_validate.c | 14 +++++++++++++- > > 1 file changed, 13 insertions(+), 1 deletion(-) > > > > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c > > index e1623172..be3ebe5f 100644 > > --- a/libsepol/src/policydb_validate.c > > +++ b/libsepol/src/policydb_validate.c > > @@ -1077,6 +1077,10 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int > > switch(avrule->flags) { > > case 0: > > case RULE_SELF: > > + if (p->policyvers != POLICY_KERN && > > + p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS && > > + (avrule->specified & AVRULE_TYPE)) > > + goto bad; > > break; > > case RULE_NOTSELF: > > switch(avrule->specified) { > > @@ -1503,8 +1507,16 @@ static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_ > > goto bad; > > > > /* currently only the RULE_SELF flag can be set */ > > - if ((filename_trans->flags & ~RULE_SELF) != 0) > > + switch (filename_trans->flags) { > > + case 0: > > + break; > > + case RULE_SELF: > > + if (p->policyvers != POLICY_KERN && p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS) > > + goto bad; > > + break; > > + default: > > goto bad; > > + } > > } > > > > return 0; > > -- > > 2.43.0 > > > >
diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index e1623172..be3ebe5f 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -1077,6 +1077,10 @@ static int validate_avrules(sepol_handle_t *handle, const avrule_t *avrule, int
 switch(avrule->flags) {
 case 0:
 case RULE_SELF:
+ if (p->policyvers != POLICY_KERN &&
+ p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS &&
+ (avrule->specified & AVRULE_TYPE))
+ goto bad;
 break;
 case RULE_NOTSELF:
 switch(avrule->specified) {
@@ -1503,8 +1507,16 @@ static int validate_filename_trans_rules(sepol_handle_t *handle, const filename_
 goto bad;
 
 /* currently only the RULE_SELF flag can be set */
- if ((filename_trans->flags & ~RULE_SELF) != 0)
+ switch (filename_trans->flags) {
+ case 0:
+ break;
+ case RULE_SELF:
+ if (p->policyvers != POLICY_KERN && p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS)
+ goto bad;
+ break;
+ default:
 goto bad;
+ }
 }
 
 return 0;
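Review bot: The new version gate in validate_avrules is reached for flags == 0 as well, because `case 0:` still falls through into `case RULE_SELF:`; in a modular policy older than MOD_POLICYDB_VERSION_SELF_TYPETRANS every rule with AVRULE_TYPE set would then be rejected, not only those that actually carry RULE_SELF. Unless something before this switch already excludes flags == 0 (not visible in the hunk), `case 0:` needs its own `break;` ahead of `case RULE_SELF:`, i.e. `case 0:` / `break;` / `case RULE_SELF:`. The filename_trans hunk below already separates the two cases that way, so the two switches would also read consistently. validate_avrules begins before the hunk and continues after it.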
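Review bot: The gate `p->policyvers != POLICY_KERN && p->policyvers < MOD_POLICYDB_VERSION_SELF_TYPETRANS` is now spelled out twice, once here in validate_filename_trans_rules and once in the validate_avrules hunk above; a small static helper (for example `self_flag_supported(p)`, name constructed) would keep the two in step if the threshold is ever revised. The retained comment `/* currently only the RULE_SELF flag can be set */` is still accurate above the new switch, but it would help a reader to add the version dependency: `/* currently only the RULE_SELF flag can be set, and in modular policies only from MOD_POLICYDB_VERSION_SELF_TYPETRANS on */`. validate_filename_trans_rules starts before the hunk.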