
[RFC,29/35] libsepol: validate genfs contexts

Message ID 20211011162533.53404-30-cgzones@googlemail.com (mailing list archive)
State Changes Requested
Series libsepol: add fuzzer for reading binary policies | expand

Commit Message

Christian Göttsche Oct. 11, 2021, 4:25 p.m. UTC
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/policydb_validate.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

Comments

James Carter Oct. 14, 2021, 2:10 p.m. UTC | #1
On Mon, Oct 11, 2021 at 12:41 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  libsepol/src/policydb_validate.c | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index 5c06e6f4..63fd935c 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -712,6 +712,25 @@ bad:
>         return -1;
>  }
>
> +static int validate_genfs(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
> +{
> +       genfs_t *genfs;
> +       ocontext_t *octx;
> +
> +       for (genfs = p->genfs; genfs; genfs = genfs->next) {
> +               for (octx = genfs->head; octx; octx = octx->next) {
> +                       if (validate_context(&octx->context[0], flavors, p->mls))
> +                               goto bad;
> +               }
> +       }
> +
> +       return 0;
> +
> +bad:
> +       ERR(handle, "Invalid genfs");
> +       return -1;
> +}
> +
>  /*
>   * Functions to validate a module policydb
>   */
> @@ -898,6 +917,8 @@ int validate_policydb(sepol_handle_t *handle, policydb_t *p)
>                         goto bad;
>                 if (validate_ocontexts(handle, p, flavors))
>                         goto bad;
> +               if (validate_genfs(handle, p, flavors))
> +                       goto bad;
>                 if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS)
>                         if (validate_filename_trans_hashtab(handle, p->filename_trans, flavors))
>                                 goto bad;
> --
> 2.33.0
>

Like ocontexts, genfs rules can be in base modules.
Jim

Patch

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index 5c06e6f4..63fd935c 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -712,6 +712,25 @@  bad:
 	return -1;
 }
 
+static int validate_genfs(sepol_handle_t *handle, policydb_t *p, validate_t flavors[])
+{
+	genfs_t *genfs;
+	ocontext_t *octx;
+
+	for (genfs = p->genfs; genfs; genfs = genfs->next) {
+		for (octx = genfs->head; octx; octx = octx->next) {
+			if (validate_context(&octx->context[0], flavors, p->mls))
+				goto bad;
+		}
+	}
+
+	return 0;
+
+bad:
+	ERR(handle, "Invalid genfs");
+	return -1;
+}
+
 /*
  * Functions to validate a module policydb
  */
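Review bot: The inner loop of validate_genfs checks only the security context and leaves `octx->v.sclass` unchecked, although the policy reader fills that field for every genfs path and it is presumably used as a class index later; a corrupt or fuzzed binary policy can therefore still carry a class number outside the class table. Because a zero class on a genfs entry means "any class", the check should be conditional: after the validate_context call add `if (octx->v.sclass && validate_value(octx->v.sclass, &flavors[SYM_CLASSES])) goto bad;`, using the same value-range helper the other validators in this file rely on (substitute its name if it differs here). The `ERR(handle, "Invalid genfs")` message could also name the failing filesystem, e.g. `ERR(handle, "Invalid genfs context for fstype %s", genfs->fstype);`, so a rejected policy can be traced to the offending entry.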
@@ -898,6 +917,8 @@  int validate_policydb(sepol_handle_t *handle, policydb_t *p)
 			goto bad;
 		if (validate_ocontexts(handle, p, flavors))
 			goto bad;
+		if (validate_genfs(handle, p, flavors))
+			goto bad;
 		if (p->policyvers >= POLICYDB_VERSION_FILENAME_TRANS)
 			if (validate_filename_trans_hashtab(handle, p->filename_trans, flavors))
 				goto bad;