
[3/3] libsepol: more strict validation

Message ID 20231101163830.177769-3-cgzones@googlemail.com (mailing list archive)
State Accepted
Commit d2d24b933178
Series [1/3] libsepol: validate default type of transition is not an attribute | expand

Commit Message

Christian Göttsche Nov. 1, 2023, 4:38 p.m. UTC
Ensure the ibendport port is not 0 (similar to the kernel).

More general depth test for boolean expressions.

Ensure the boolean id is not set for logic operators.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/policydb_validate.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

James Carter Nov. 2, 2023, 7:29 p.m. UTC | #1
On Wed, Nov 1, 2023 at 12:39 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Ensure the ibendport port is not 0 (similar to the kernel).
>
> More general depth test for boolean expressions.
>
> Ensure the boolean id is not set for logic operators.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsepol/src/policydb_validate.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index c6a66fb3..0e4805ef 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -1002,13 +1002,15 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
>                 case COND_BOOL:
>                         if (validate_value(expr->boolean, boolean))
>                                 goto bad;
> -                       if (depth == (COND_EXPR_MAXDEPTH - 1))
> +                       if (depth >= (COND_EXPR_MAXDEPTH - 1))
>                                 goto bad;
>                         depth++;
>                         break;
>                 case COND_NOT:
>                         if (depth < 0)
>                                 goto bad;
> +                       if (expr->boolean != 0)
> +                               goto bad;
>                         break;
>                 case COND_OR:
>                 case COND_AND:
> @@ -1017,6 +1019,8 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
>                 case COND_NEQ:
>                         if (depth < 1)
>                                 goto bad;
> +                       if (expr->boolean != 0)
> +                               goto bad;
>                         depth--;
>                         break;
>                 default:
> @@ -1199,6 +1203,8 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, valid
>                                                 goto bad;
>                                         break;
>                                 case OCON_IBENDPORT:
> +                                       if (octx->u.ibendport.port == 0)
> +                                               goto bad;
>                                         if (!octx->u.ibendport.dev_name)
>                                                 goto bad;
>                                         break;
> --
> 2.42.0
>

Patch

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index c6a66fb3..0e4805ef 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -1002,13 +1002,15 @@  static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
 		case COND_BOOL:
 			if (validate_value(expr->boolean, boolean))
 				goto bad;
-			if (depth == (COND_EXPR_MAXDEPTH - 1))
+			if (depth >= (COND_EXPR_MAXDEPTH - 1))
 				goto bad;
 			depth++;
 			break;
 		case COND_NOT:
 			if (depth < 0)
 				goto bad;
+			if (expr->boolean != 0)
+				goto bad;
 			break;
 		case COND_OR:
 		case COND_AND:
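Review bot: The new `expr->boolean != 0` rejection under `COND_NOT` has no comment saying why a non-zero id is invalid on an operator node, and the same bare check is repeated in the next hunk for the binary operators ending in `COND_NEQ`. A reader of the validator has to go to the commit message to learn that logic operators are expected to leave the field unset; I would put `/* logic operators carry no boolean id */` above both checks so each site documents itself. validate_cond_expr starts and ends outside the hunk, so the initial value of `depth` and what the `bad` label reports are not visible here; if `bad` logs only a generic message, a policy rejected by these stricter checks will be hard to triage.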
@@ -1017,6 +1019,8 @@  static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
 		case COND_NEQ:
 			if (depth < 1)
 				goto bad;
+			if (expr->boolean != 0)
+				goto bad;
 			depth--;
 			break;
 		default:
@@ -1199,6 +1203,8 @@  static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, valid
 						goto bad;
 					break;
 				case OCON_IBENDPORT:
+					if (octx->u.ibendport.port == 0)
+						goto bad;
 					if (!octx->u.ibendport.dev_name)
 						goto bad;
 					break;
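Review bot: The added `octx->u.ibendport.port == 0` test in `OCON_IBENDPORT` enforces only the lower bound, and whether that is sufficient depends on the width of the `port` field, which is declared outside this hunk. If the field is wider than 8 bits, the kernel parity cited in the commit message would presumably also need an upper bound, e.g. `if (octx->u.ibendport.port == 0 || octx->u.ibendport.port > 0xff)`. If it is already an 8-bit type, a one-line comment such as `/* port 0 is rejected by the kernel as well */` would record why the value is refused. validate_ocontexts continues outside the hunk.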