| Message ID | 20210614150546.512001-3-jwcart2@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Another round of secilc-fuzzer problems fixed | expand |
On Mon, Jun 14, 2021 at 5:05 PM James Carter <jwcart2@gmail.com> wrote: > > The syntax array that cil_gen_defaultrange() called __cil_verify_syntax() > with was wrong. It had the range (which should be low, high, or low-high) > as optional when it is not. > > Use the correct syntax array to check the syntax of the defaultrange rule. > > Signed-off-by: James Carter <jwcart2@gmail.com> > --- > libsepol/cil/src/cil_build_ast.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c > index 71f14e20..a5f617d8 100644 > --- a/libsepol/cil/src/cil_build_ast.c > +++ b/libsepol/cil/src/cil_build_ast.c > @@ -5862,7 +5862,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no > CIL_SYN_STRING, > CIL_SYN_STRING | CIL_SYN_LIST, > CIL_SYN_STRING, > - CIL_SYN_STRING | CIL_SYN_END, > + CIL_SYN_STRING, > CIL_SYN_END > }; > int syntax_len = sizeof(syntax)/sizeof(*syntax); > -- > 2.26.3 Hello, This patch will break selinux-testsuite with: /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_userfaultfd.cil test_add_levels.cil test_glblub.cil Invalid syntax Bad defaultrange declaration at /var/lib/selinux/targeted/tmp/modules/400/test_glblub/cil:1 Failed to build AST /usr/sbin/semodule: Failed! ... because it currently uses, in https://github.com/SELinuxProject/selinux-testsuite/blob/0b78a9d433e8c4f956d18dc0db901f0a1a58c003/policy/test_glblub.cil : (defaultrange db_table glblub) If I understand the commit message correctly, a range (low, high or low-high) has to be added to this statement. I am not familiar with glbulb and do not know how the testsuite should be modified. Could the policy used by the testsuite be fixed before applying this patch? Cheers, Nicolas (PS : I was quite busy last month but now I have some time again to catch up with SELinux patches :) )
On Sat, Jun 19, 2021 at 9:36 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote: > > On Mon, Jun 14, 2021 at 5:05 PM James Carter <jwcart2@gmail.com> wrote: > > > > The syntax array that cil_gen_defaultrange() called __cil_verify_syntax() > > with was wrong. It had the range (which should be low, high, or low-high) > > as optional when it is not. > > > > Use the correct syntax array to check the syntax of the defaultrange rule. > > > > Signed-off-by: James Carter <jwcart2@gmail.com> > > --- > > libsepol/cil/src/cil_build_ast.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c > > index 71f14e20..a5f617d8 100644 > > --- a/libsepol/cil/src/cil_build_ast.c > > +++ b/libsepol/cil/src/cil_build_ast.c > > @@ -5862,7 +5862,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no > > CIL_SYN_STRING, > > CIL_SYN_STRING | CIL_SYN_LIST, > > CIL_SYN_STRING, > > - CIL_SYN_STRING | CIL_SYN_END, > > + CIL_SYN_STRING, > > CIL_SYN_END > > }; > > int syntax_len = sizeof(syntax)/sizeof(*syntax); > > -- > > 2.26.3 > > Hello, > This patch will break selinux-testsuite with: > > /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil > test_overlay_defaultrange.cil test_userfaultfd.cil test_add_levels.cil > test_glblub.cil > Invalid syntax > Bad defaultrange declaration at > /var/lib/selinux/targeted/tmp/modules/400/test_glblub/cil:1 > Failed to build AST > /usr/sbin/semodule: Failed! > > ... because it currently uses, in > https://github.com/SELinuxProject/selinux-testsuite/blob/0b78a9d433e8c4f956d18dc0db901f0a1a58c003/policy/test_glblub.cil > : > > (defaultrange db_table glblub) > > If I understand the commit message correctly, a range (low, high or > low-high) has to be added to this statement. I am not familiar with > glbulb and do not know how the testsuite should be modified. Could the > policy used by the testsuite be fixed before applying this patch? > No, the policy is correct. I forgot about glbulb and misread the source code. I will have to check the syntax in a different way. Thanks, Jim > Cheers, > Nicolas > > (PS : I was quite busy last month but now I have some time again to > catch up with SELinux patches :) ) >
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index 71f14e20..a5f617d8 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c @@ -5862,7 +5862,7 @@ int cil_gen_defaultrange(struct cil_tree_node *parse_current, struct cil_tree_no CIL_SYN_STRING, CIL_SYN_STRING | CIL_SYN_LIST, CIL_SYN_STRING, - CIL_SYN_STRING | CIL_SYN_END, + CIL_SYN_STRING, CIL_SYN_END }; int syntax_len = sizeof(syntax)/sizeof(*syntax);
The syntax array that cil_gen_defaultrange() called __cil_verify_syntax() with was wrong. It had the range (which should be low, high, or low-high) as optional when it is not. Use the correct syntax array to check the syntax of the defaultrange rule. Signed-off-by: James Carter <jwcart2@gmail.com> --- libsepol/cil/src/cil_build_ast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)