From patchwork Tue Oct 18 18:58:44 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: James Carter <jwcart2@tycho.nsa.gov>
X-Patchwork-Id: 9382795
Return-Path: <selinux-bounces@tycho.nsa.gov>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	5FC02600CA for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 18 Oct 2016 18:59:05 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 513E829690
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 18 Oct 2016 18:59:05 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 4453129708; Tue, 18 Oct 2016 18:59:05 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from emsm-gh1-uea11.nsa.gov (smtp.nsa.gov [8.44.101.9])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 91B1C29690
	for <patchwork-selinux@patchwork.kernel.org>;
	Tue, 18 Oct 2016 18:59:04 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.31,362,1473120000";
   d="scan'208";a="16826"
IronPort-PHdr: =?us-ascii?q?9a23=3AZhF4JB8AYlCXd/9uRHKM819IXTAuvvDOBiVQ1KB9?=
	=?us-ascii?q?1ugcTK2v8tzYMVDF4r011RmSDN+dtq4P0rCK+4nbGkU4qa6bt34DdJEeHzQksu?=
	=?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2WVTerzWI4CIIHV2nbEwu?=
	=?us-ascii?q?d76zR9KZ1p7rn8mJuLTrKz1SgzS8Zb4gZD6Xli728vcsvI15N6wqwQHIqHYbM8?=
	=?us-ascii?q?5fxGdvOE7B102kvpT4wYRnuxh0l7phspQYEPayQ6NtVrFcDTI7I0gp9cbrsl/F?=
	=?us-ascii?q?VgLJ6XwCAUsMlR8dIQHA4QqydZ7rribg/r5/xyKTJ9GsZawlUjSlqaFwQVnnjz?=
	=?us-ascii?q?lRZG1xy33elsEl1PETmxmmvREqhtSMbQ=3D=3D?=
X-IPAS-Result: =?us-ascii?q?A2FGBQDibwZY/wHyM5BcHAEBBAEBCgEBGAEFAQsBgxEBAQE?=
	=?us-ascii?q?BAR2BRA+6cCWFe4IPTAEBAQEBAQEBAgECXyeCMgQDEwWCEQIEAQIkExQgDgMJA?=
	=?us-ascii?q?QEXKQgIAwEtFREOCwUYBIgxw3ePKxEBaIUTBYEhAYcUh0aKCgKJLoZYAooAhXW?=
	=?us-ascii?q?Qe1RGhR9WhXl4gSgBAQE?=
Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1])
	by emsm-gh1-uea11.nsa.gov with ESMTP; 18 Oct 2016 18:59:01 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u9IIwxFc022271;
	Tue, 18 Oct 2016 14:58:59 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	u9IIvWR0189950 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Tue, 18 Oct 2016 14:57:32 -0400
Received: from moss-lions.infosec.tycho.ncsc.mil (moss-lions [192.168.25.4])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id
	u9IIvVjb022041
	for <selinux@tycho.nsa.gov>; Tue, 18 Oct 2016 14:57:31 -0400
From: James Carter <jwcart2@tycho.nsa.gov>
To: selinux@tycho.nsa.gov
Subject: [PATCH 3/7] libsepol/cil: Use an empty list to represent an unknown
	permission
Date: Tue, 18 Oct 2016 14:58:44 -0400
Message-Id: <1476817128-16108-4-git-send-email-jwcart2@tycho.nsa.gov>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1476817128-16108-1-git-send-email-jwcart2@tycho.nsa.gov>
References: <1476817128-16108-1-git-send-email-jwcart2@tycho.nsa.gov>
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
MIME-Version: 1.0
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Virus-Scanned: ClamAV using ClamSMTP

Nicolas Looss found while fuzzing secilc with AFL that the statement
"(classpermissionset CPERM (CLASS (and unknow PERM)))" will cause a
segfault.

In order to support a policy module package using a permission that
does not exist on the system it is loaded on, CIL will only give a
warning when it fails to resolve an unknown permission. CIL itself will
just ignore the unknown permission. This means that an expression like
"(and UNKNOWN p1)" will look like "(and p1)" to CIL, but, since syntax
checking has already been done, CIL won't know that the expression is not
well-formed. When the expression is evaluated a segfault will occur
because all expressions are assumed to be well-formed at evaluation time.

Use an empty list to represent an unknown permission so that expressions
will continue to be well-formed and expression evaluation will work but
the unknown permission will still be ignored.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 libsepol/cil/src/cil_resolve_ast.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index c403545..f3f3e92 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -131,7 +131,11 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
 				}
 			}
 			if (rc != SEPOL_OK) {
+				struct cil_list *empty_list;
 				cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
+				/* Use an empty list to represent unknown perm */
+				cil_list_init(&empty_list, perm_strs->flavor);
+				cil_list_append(*perm_datums, CIL_LIST, empty_list);
 			} else {
 				cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
 			}