diff mbox series

checkpolicy: error out if required permission would exceed limit

Message ID 20220610150637.21133-1-cgzones@googlemail.com (mailing list archive)
State Accepted

Commit Message

Christian Göttsche June 10, 2022, 3:06 p.m. UTC
A require statement for a class permission adds that permission to the
class representation for the current module.  In case the resulting
class would have more than the supported amount of 32 permissions
assigned the resulting binary module will fail to load at link-time
without an informative error message (since [1]).

Bail out if adding a permission would result in a class having more then
the supported amount of 32 permissions assigned.

[1]: https://github.com/SELinuxProject/selinux/commit/97af65f69644a3233d073ae93980a0d2e51f42e1

Closes: https://github.com/SELinuxProject/selinux/issues/356
Reported-by: Julie Pichon
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/module_compiler.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

James Carter June 15, 2022, 6:18 p.m. UTC | #1
On Fri, Jun 10, 2022 at 11:12 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> A require statement for a class permission adds that permission to the
> class representation for the current module.  In case the resulting
> class would have more than the supported amount of 32 permissions
> assigned the resulting binary module will fail to load at link-time
> without an informative error message (since [1]).
>
> Bail out if adding a permission would result in a class having more then
> the supported amount of 32 permissions assigned.
>
> [1]: https://github.com/SELinuxProject/selinux/commit/97af65f69644a3233d073ae93980a0d2e51f42e1
>
> Closes: https://github.com/SELinuxProject/selinux/issues/356
> Reported-by: Julie Pichon
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  checkpolicy/module_compiler.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
>
> diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
> index 129650fa..3188af89 100644
> --- a/checkpolicy/module_compiler.c
> +++ b/checkpolicy/module_compiler.c
> @@ -851,6 +851,14 @@ int require_class(int pass)
>                                 free(perm_id);
>                                 return -1;
>                         }
> +                       if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) {
> +                               yyerror2("Class %s would have too many permissions "
> +                                        "to fit in an access vector with permission %s",
> +                                        policydbp->p_class_val_to_name[datum->s.value - 1],
> +                                        perm_id);
> +                               free(perm_id);
> +                               return -1;
> +                       }
>                         allocated = 1;
>                         if ((perm = malloc(sizeof(*perm))) == NULL) {
>                                 yyerror("Out of memory!");
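Review bot: The condition on the first added line compares nprim against PERM_SYMTAB_SIZE, while the error text and the commit message describe the limit as what fits in an access vector (32 permissions). Nothing in the hunk ties the two together. A one-line comment above the if saying that the permission count must stay within the access vector width, or a dedicated constant for that width, would keep the check correct if the symtab size and the vector width ever diverge.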
> --
> 2.36.1
>
Christian Göttsche June 15, 2022, 6:31 p.m. UTC | #2
On Wed, 15 Jun 2022 at 20:18, James Carter <jwcart2@gmail.com> wrote:
>
> On Fri, Jun 10, 2022 at 11:12 AM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > A require statement for a class permission adds that permission to the
> > class representation for the current module.  In case the resulting
> > class would have more than the supported amount of 32 permissions
> > assigned the resulting binary module will fail to load at link-time
> > without an informative error message (since [1]).
> >
> > Bail out if adding a permission would result in a class having more then

s/then/than/

> > the supported amount of 32 permissions assigned.
> >
> > [1]: https://github.com/SELinuxProject/selinux/commit/97af65f69644a3233d073ae93980a0d2e51f42e1
> >
> > Closes: https://github.com/SELinuxProject/selinux/issues/356
> > Reported-by: Julie Pichon
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>
> > ---
> >  checkpolicy/module_compiler.c | 8 ++++++++
> >  1 file changed, 8 insertions(+)
> >
> > diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
> > index 129650fa..3188af89 100644
> > --- a/checkpolicy/module_compiler.c
> > +++ b/checkpolicy/module_compiler.c
> > @@ -851,6 +851,14 @@ int require_class(int pass)
> >                                 free(perm_id);
> >                                 return -1;
> >                         }
> > +                       if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) {
> > +                               yyerror2("Class %s would have too many permissions "
> > +                                        "to fit in an access vector with permission %s",
> > +                                        policydbp->p_class_val_to_name[datum->s.value - 1],
> > +                                        perm_id);
> > +                               free(perm_id);
> > +                               return -1;
> > +                       }
> >                         allocated = 1;
> >                         if ((perm = malloc(sizeof(*perm))) == NULL) {
> >                                 yyerror("Out of memory!");
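Review bot: The diffstat lists only checkpolicy/module_compiler.c, so the new error path in require_class() lands without a test. A small module policy that requires permissions on one class up to and just past the limit would pin down the boundary of the >= comparison (32 accepted, the 33rd rejected with this message) and guard against an off-by-one in later refactoring.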
> > --
> > 2.36.1
> >
Petr Lautrbach June 21, 2022, 1:23 p.m. UTC | #3
Christian Göttsche <cgzones@googlemail.com> writes:

> On Wed, 15 Jun 2022 at 20:18, James Carter <jwcart2@gmail.com> wrote:
>>
>> On Fri, Jun 10, 2022 at 11:12 AM Christian Göttsche
>> <cgzones@googlemail.com> wrote:
>> >
>> > A require statement for a class permission adds that permission to the
>> > class representation for the current module.  In case the resulting
>> > class would have more than the supported amount of 32 permissions
>> > assigned the resulting binary module will fail to load at link-time
>> > without an informative error message (since [1]).
>> >
>> > Bail out if adding a permission would result in a class having more then
>
> s/then/than/

Merged, thanks!


>> > the supported amount of 32 permissions assigned.
>> >
>> > [1]: https://github.com/SELinuxProject/selinux/commit/97af65f69644a3233d073ae93980a0d2e51f42e1
>> >
>> > Closes: https://github.com/SELinuxProject/selinux/issues/356
>> > Reported-by: Julie Pichon
>> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>>
>> Acked-by: James Carter <jwcart2@gmail.com>
>>
>> > ---
>> >  checkpolicy/module_compiler.c | 8 ++++++++
>> >  1 file changed, 8 insertions(+)
>> >
>> > diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
>> > index 129650fa..3188af89 100644
>> > --- a/checkpolicy/module_compiler.c
>> > +++ b/checkpolicy/module_compiler.c
>> > @@ -851,6 +851,14 @@ int require_class(int pass)
>> >                                 free(perm_id);
>> >                                 return -1;
>> >                         }
>> > +                       if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) {
>> > +                               yyerror2("Class %s would have too many permissions "
>> > +                                        "to fit in an access vector with permission %s",
>> > +                                        policydbp->p_class_val_to_name[datum->s.value - 1],
>> > +                                        perm_id);
>> > +                               free(perm_id);
>> > +                               return -1;
>> > +                       }
>> >                         allocated = 1;
>> >                         if ((perm = malloc(sizeof(*perm))) == NULL) {
>> >                                 yyerror("Out of memory!");
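Review bot: The class name passed to yyerror2 is read from policydbp->p_class_val_to_name[datum->s.value - 1], and the hunk does not show that this entry is populated at this point in require_class(). It is worth confirming that the array slot is filled for a class first seen in the current require block, since a NULL there would be handed to a %s conversion on an error path that is otherwise rarely exercised.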
>> > --
>> > 2.36.1
>> >

Patch

diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index 129650fa..3188af89 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -851,6 +851,14 @@  int require_class(int pass)
 				free(perm_id);
 				return -1;
 			}
+			if (datum->permissions.nprim >= PERM_SYMTAB_SIZE) {
+				yyerror2("Class %s would have too many permissions "
+					 "to fit in an access vector with permission %s",
+					 policydbp->p_class_val_to_name[datum->s.value - 1],
+					 perm_id);
+				free(perm_id);
+				return -1;
+			}
 			allocated = 1;
 			if ((perm = malloc(sizeof(*perm))) == NULL) {
 				yyerror("Out of memory!");
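
Review bot: The yyerror2 message in the added branch never states the limit, and the trailing "with permission %s" reads as if it qualified the access vector rather than naming the permission that triggered the error. Suggest leading with the permission and printing the limit from PERM_SYMTAB_SIZE, for example "Permission %s would give class %s more than %d permissions, which does not fit in an access vector", so a policy author can see which require statement to drop and by how much the class is over.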