
[RFC,14/35] libsepol: reject invalid fsuse types

Message ID 20211011162533.53404-15-cgzones@googlemail.com (mailing list archive)
State Changes Requested
Series libsepol: add fuzzer for reading binary policies | expand

Commit Message

Christian Göttsche Oct. 11, 2021, 4:25 p.m. UTC
Reject loading a policy whose fsuse declarations use a behavior other than
xattr, trans or task, so that all following code, e.g. the different output
modes, does not need to handle unsupported ones.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/policydb.c | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

James Carter Oct. 18, 2021, 7:57 p.m. UTC | #1
On Mon, Oct 11, 2021 at 12:41 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Reject loading a policy with invalid fsuse declarations, except xattr,
> trans and task, so that all following code, e.g. the different output
> modes, do not need to handle unsupported ones.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  libsepol/src/policydb.c | 9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> index 70b503e1..980af059 100644
> --- a/libsepol/src/policydb.c
> +++ b/libsepol/src/policydb.c
> @@ -48,6 +48,7 @@
>  #include <sepol/policydb/expand.h>
>  #include <sepol/policydb/conditional.h>
>  #include <sepol/policydb/avrule_block.h>
> +#include <sepol/policydb/services.h>
>  #include <sepol/policydb/util.h>
>
>  #include "kernel_to_common.h"
> @@ -3099,6 +3100,14 @@ static int ocontext_read_selinux(const struct policydb_compat_info *info,
>                                 if (rc < 0)
>                                         return -1;
>                                 c->v.behavior = le32_to_cpu(buf[0]);
> +                               switch (c->v.behavior) {
> +                               case SECURITY_FS_USE_XATTR:
> +                               case SECURITY_FS_USE_TRANS:
> +                               case SECURITY_FS_USE_TASK:
> +                                       break;
> +                               default:
> +                                       return -1;
> +                               }
>                                 len = le32_to_cpu(buf[1]);
>                                 if (zero_or_saturated(len))
>                                         return -1;
> --
> 2.33.0
>

I think that I would prefer this to be in policydb_validate.c
somewhere. Eventually it would be nice to call validate_policydb() on
a policydb before writing it as well as after reading it.

Thanks,
Jim

Patch

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 70b503e1..980af059 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -48,6 +48,7 @@ 
 #include <sepol/policydb/expand.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/avrule_block.h>
+#include <sepol/policydb/services.h>
 #include <sepol/policydb/util.h>
 
 #include "kernel_to_common.h"
@@ -3099,6 +3100,14 @@  static int ocontext_read_selinux(const struct policydb_compat_info *info,
 				if (rc < 0)
 					return -1;
 				c->v.behavior = le32_to_cpu(buf[0]);
+				switch (c->v.behavior) {
+				case SECURITY_FS_USE_XATTR:
+				case SECURITY_FS_USE_TRANS:
+				case SECURITY_FS_USE_TASK:
+					break;
+				default:
+					return -1;
+				}
 				len = le32_to_cpu(buf[1]);
 				if (zero_or_saturated(len))
 					return -1;
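Review bot: The new `switch` on `c->v.behavior` carries no comment saying why exactly these three values are accepted, so a later reader cannot tell whether the remaining `SECURITY_FS_USE_*` constants were left out on purpose; I would add above it `/* policy image is untrusted input: accept only the behaviors an fs_use statement can express */`. The value is also stored into `c->v.behavior` before it is checked, so on the `default` path the rejected value stays in the ocontext; that is presumably harmless because the entry is discarded on -1, but checking `le32_to_cpu(buf[0])` before the assignment would make it evident from the code. The rejection is silent, like the neighbouring `return -1` checks, which makes a refused policy harder to diagnose. `ocontext_read_selinux` starts and ends outside this hunk, so the enclosing case label and the cleanup path are not visible here.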