topjohnwu/selinux
1
0
Fork 0
mirror of https://github.com/topjohnwu/selinux.git synced 2024-11-30 15:00:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
0d6e95cfb2
selinux/libsepol
History
James Carter 0d6e95cfb2 libsepol/cil: Fix name resolution involving inherited blocks 
When resolving a name in a block that has been inherited. First,
a search is done in the parent namespaces (if any) of the
blockinherit rule with the exception of the global namespace. If
the name is not found, then a search is done in the namespaces of
the original block (starting with that block's namespace)  with
the exception of the global namespace. Finally, if it still has
not been found, the global namespace is searched.

This does not work if a declaration is in the block being
inherited.

For example:
  (block b
    (typeattribute a)
    (allow a self (CLASS (PERM)))
  )
  (blockinherit b)

This will result in a policy with the following identical allow
rules:
  (allow b.a self (CLASS (PERM)))
  (allow b.a self (CLASS (PERM)))
rather than the expected:
  (allow b.a self (CLASS (PERM)))
  (allow a self (CLASS (PERM)))
This is because when the typeattribute is copied while resolving
the inheritance, the new datum is added to the global namespace
and, since that is searched last, the typeattribute in block b is
found first.

This behavior means that no declaration that is inherited into the
global namespace will actually be used.

Instead, if the name is not found in the parent namespaces (if any)
where the blockinherit is located with the exception of the global
namespace, start the next search in the namespace of the parent of
the original block (instead of the original block itself). Now if
a declaration is inherited from the original block, the new
declaration will be used. This behavior seems to be the originally
intended behavior because there is a comment in the code that says,
"Continue search in original block's parent".

This issue was found by secilc-fuzzer. If the original block
is made to be abstract, then the type attribute declaration
in the original block is not in the policy and a segfault
occurs when creating the binary because the copied allow rule
refers to a non-existent type attribute.

Signed-off-by: James Carter <jwcart2@gmail.com>
2021-05-31 12:38:15 +02:00
..
cil libsepol/cil: Fix name resolution involving inherited blocks 2021-05-31 12:38:15 +02:00
include libsepol: Create function ebitmap_highest_set_bit() 2021-02-19 16:30:11 +01:00
man selinux: Update manpages after removing legacy boolean and user code 2019-07-29 23:46:47 +02:00
src libsepol: use checked arithmetic builtin to perform safe addition 2021-04-30 21:09:36 +02:00
tests libsepol/tests: drop ncurses dependency 2020-05-04 10:31:44 +02:00
utils libsepol: build: follow standard semantics for DESTDIR and PREFIX 2018-02-14 15:59:36 +01:00
.gitignore libsepol: build cil into libsepol 2014-08-26 08:03:31 -04:00
COPYING initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00
Makefile libsepol: build cil into libsepol 2014-08-26 08:03:31 -04:00
VERSION Update VERSIONs to 3.2 for release. 2021-03-04 16:42:59 +01:00