From: Nicolas Iooss <nicolas.iooss@m4x.org>
To: James Carter <jwcart2@gmail.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH 2/5] libsepol/cil: Fix syntax checking of defaultrange rule
Date: Sat, 19 Jun 2021 15:36:07 +0200
Message-ID: <CAJfZ7=kHN7b9LoHDrRwkORUNNDS-q8OsVyh21TLe0JHdbEBvyQ@mail.gmail.com>
In-Reply-To: <20210614150546.512001-3-jwcart2@gmail.com>

On Mon, Jun 14, 2021 at 5:05 PM James Carter <jwcart2@gmail.com> wrote:
>
> The syntax array that cil_gen_defaultrange() called __cil_verify_syntax()
> with was wrong. It had the range (which should be low, high, or low-high)
> as optional when it is not.
>
> Use the correct syntax array to check the syntax of the defaultrange rule.
>
> Signed-off-by: James Carter <jwcart2@gmail.com>
> ---
>  libsepol/cil/src/cil_build_ast.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
> index 71f14e20..a5f617d8 100644
> --- a/libsepol/cil/src/cil_build_ast.c
> +++ b/libsepol/cil/src/cil_build_ast.c
> @@ -5862,7 +5862,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no
>                 CIL_SYN_STRING,
>                 CIL_SYN_STRING | CIL_SYN_LIST,
>                 CIL_SYN_STRING,
> -               CIL_SYN_STRING | CIL_SYN_END,
> +               CIL_SYN_STRING,
>                 CIL_SYN_END
>         };
>         int syntax_len = sizeof(syntax)/sizeof(*syntax);
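
Review bot: Changing the fourth entry from `CIL_SYN_STRING | CIL_SYN_END` to plain `CIL_SYN_STRING` makes the range mandatory for every defaultrange statement regardless of which keyword sits in the third position, and nothing in the hunk shows that every accepted keyword takes a range. A three-element statement such as `(defaultrange db_table glblub)` is then rejected at the syntax stage with only "Invalid syntax". Consider leaving the entry optional in the array and checking in cil_gen_defaultrange(), once the third element has been read, that the range is present for the keywords that require it, with an error message that names the missing range.
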
> --
> 2.26.3

Hello,
This patch will break selinux-testsuite with:

/usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil
test_overlay_defaultrange.cil test_userfaultfd.cil test_add_levels.cil
test_glblub.cil
Invalid syntax
Bad defaultrange declaration at
/var/lib/selinux/targeted/tmp/modules/400/test_glblub/cil:1
Failed to build AST
/usr/sbin/semodule: Failed!

... because it currently uses, in
https://github.com/SELinuxProject/selinux-testsuite/blob/0b78a9d433e8c4f956d18dc0db901f0a1a58c003/policy/test_glblub.cil
:

    (defaultrange db_table glblub)

If I understand the commit message correctly, a range (low, high or
low-high) has to be added to this statement. I am not familiar with
glblub and do not know how the testsuite should be modified. Could the
policy used by the testsuite be fixed before applying this patch?

Cheers,
Nicolas

(PS : I was quite busy last month but now I have some time again to
catch up with SELinux patches :) )

