From: James Carter <jwcart2@gmail.com>
To: selinux@vger.kernel.org
Cc: James Carter <jwcart2@gmail.com>
Subject: [PATCH 3/3] libsepol/cil: Do not resolve names to declarations in abstract blocks
Date: Wed, 5 Jan 2022 16:16:02 -0500 [thread overview]
Message-ID: <20220105211602.359300-3-jwcart2@gmail.com> (raw)
In-Reply-To: <20220105211602.359300-1-jwcart2@gmail.com>
Since abstract blocks will not appear in the final policy, do not
resolve names to a declaration inside one.
When resolving blockabstract rules, they must be collected in a list
and processed at the end of the pass because if a parent block is
marked as abstract, then a blockabstract rule for a sub-block will
fail to resolve.
Found by oss-fuzz (#42981)
Signed-off-by: James Carter <jwcart2@gmail.com>
---
libsepol/cil/src/cil_resolve_ast.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index 0288b7dc..73115c55 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -65,6 +65,7 @@ struct cil_args_resolve {
struct cil_list *sensitivityorder_lists;
struct cil_list *in_list_before;
struct cil_list *in_list_after;
+ struct cil_list *abstract_blocks;
};
static struct cil_name * __cil_insert_name(struct cil_db *db, hashtab_key_t key, struct cil_tree_node *ast_node)
@@ -2397,6 +2398,7 @@ int cil_resolve_blockabstract(struct cil_tree_node *current, void *extra_args)
struct cil_blockabstract *abstract = current->data;
struct cil_symtab_datum *block_datum = NULL;
struct cil_tree_node *block_node = NULL;
+ struct cil_args_resolve *args = extra_args;
int rc = SEPOL_ERR;
rc = cil_resolve_name(current, abstract->block_str, CIL_SYM_BLOCKS, extra_args, &block_datum);
@@ -2411,7 +2413,7 @@ int cil_resolve_blockabstract(struct cil_tree_node *current, void *extra_args)
goto exit;
}
- cil_mark_subtree_abstract(block_node);
+ cil_list_append(args->abstract_blocks, CIL_NODE, block_node);
return SEPOL_OK;
@@ -4097,6 +4099,7 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
extra_args.sensitivityorder_lists = NULL;
extra_args.in_list_before = NULL;
extra_args.in_list_after = NULL;
+ extra_args.abstract_blocks = NULL;
cil_list_init(&extra_args.to_destroy, CIL_NODE);
cil_list_init(&extra_args.sidorder_lists, CIL_LIST_ITEM);
@@ -4106,6 +4109,7 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
cil_list_init(&extra_args.sensitivityorder_lists, CIL_LIST_ITEM);
cil_list_init(&extra_args.in_list_before, CIL_IN);
cil_list_init(&extra_args.in_list_after, CIL_IN);
+ cil_list_init(&extra_args.abstract_blocks, CIL_NODE);
for (pass = CIL_PASS_TIF; pass < CIL_PASS_NUM; pass++) {
extra_args.pass = pass;
@@ -4129,6 +4133,13 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
cil_list_destroy(&extra_args.in_list_after, CIL_FALSE);
}
+ if (pass == CIL_PASS_BLKABS) {
+ struct cil_list_item *item;
+ cil_list_for_each(item, extra_args.abstract_blocks) {
+ cil_mark_subtree_abstract(item->data);
+ }
+ }
+
if (pass == CIL_PASS_BLKIN_LINK) {
rc = cil_check_for_bad_inheritance(current);
if (rc != SEPOL_OK) {
@@ -4247,6 +4258,7 @@ exit:
cil_list_destroy(&extra_args.to_destroy, CIL_FALSE);
cil_list_destroy(&extra_args.in_list_before, CIL_FALSE);
cil_list_destroy(&extra_args.in_list_after, CIL_FALSE);
+ cil_list_destroy(&extra_args.abstract_blocks, CIL_FALSE);
return rc;
}
@@ -4268,9 +4280,13 @@ static int __cil_resolve_name_with_parents(struct cil_tree_node *node, char *nam
case CIL_ROOT:
goto exit;
break;
- case CIL_BLOCK:
- symtab = &((struct cil_block*)node->data)->symtab[sym_index];
- rc = cil_symtab_get_datum(symtab, name, datum);
+ case CIL_BLOCK: {
+ struct cil_block *block = node->data;
+ if (!block->is_abstract) {
+ symtab = &block->symtab[sym_index];
+ rc = cil_symtab_get_datum(symtab, name, datum);
+ }
+ }
break;
case CIL_BLOCKINHERIT: {
struct cil_blockinherit *inherit = node->data;
--
2.31.1
next prev parent reply other threads:[~2022-01-05 21:16 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-05 21:16 [PATCH 1/3] libsepol/cil: Do not copy blockabstracts when inheriting a block James Carter
2022-01-05 21:16 ` [PATCH 2/3] libsepol/cil: Mark as abstract all sub-blocks of an abstract block James Carter
2022-01-05 21:16 ` James Carter [this message]
2022-02-07 18:55 ` [PATCH 1/3] libsepol/cil: Do not copy blockabstracts when inheriting a block James Carter
2022-02-11 19:48 ` James Carter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220105211602.359300-3-jwcart2@gmail.com \
--to=jwcart2@gmail.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.